SSL Security and Xojo Cloud

Hey everyone. I wanted to bring up a topic that some of you have asked us from time to time about security on Xojo Cloud.

Yesterday we applied patches to all of your servers to take care of many of the warnings and errors reported by the SSL Certificate verifiers that are used around the web. The one that we did not fix yesterday has to do with the SSLv3 protocol. The reason is that we haven’t done this yet is that the ConnectionType property of SSLSocket and all of its derivatives (HTTPSecureSocket, SMTPSecureSocket, POP3SecureSocket) in Xojo framework prior to 2014r3 defaulted to using SSLv3. Flipping this switch without notice could silently break your sites.

So here’s what we’re going to do. We’ve decided that SSLv3 support is deprecated for Xojo Cloud as of now and the servers will be updated on August 1st, 2017 such that they will stop accepting SSLv3 connections altogether. If you have any client applications which interface with your web apps on Xojo Cloud, please update them so that they use at least TLSv1.

good move

Excellent Greg. very timely and good.

Regards,
Tony Barry

Is there a way to go ahead and force this on one of our Xojocloud servers so we can test third party software that will be accessing our server?

Going along with what Steve is asking, is there a property that gets the connection type that the client is using so we would know an application that is hitting an app needs to be upgraded?

Self.security.connectiontype is a property to set on the application, but I have not found anything in WebRequest or WebSession that provides the information I’m looking for.

Ok, so here’s what we’ve done…

First of all, we tested both the Classic Framework HTTPSecureSocket with a ConnectionType of TLSv1, 1.1 and 1.2 and a Xojo.Net.HTTPSocket against a Xojo Cloud server which has been set up with the new security protocols. All of these scenarios worked just fine.

If you want to test this yourself. you can access that same Xojo Cloud server using the following URL:

https://ssltest.xojo.com/ssltest.txt

If you get a good connection, you’ll get the string “Yea, it worked!”

[quote=323243:@Jeff Hamby]Going along with what Steve is asking, is there a property that gets the connection type that the client is using so we would know an application that is hitting an app needs to be upgraded?

Self.security.connectiontype is a property to set on the application, but I have not found anything in WebRequest or WebSession that provides the information I’m looking for.[/quote]
No, you can’t tell how the client connected from within the web app.

Thanks Greg. Much appreciated.

Regards,
Tony Barry
Sydney

Spotted this post - incredibly helpful! I was having a time of it trying to send a user account update email from a compiled app via SMTP and couldn’t figure out why the same app on a different hosting account worked but did not work on Xojo Cloud.

Count this as today’s “Now I Get It” moment (so far).