website not secure

  1. 3 months ago

    Despite having an SSL cert and using HTTPS and using HTTPSecureSocket with TLS v1.2, browsers still say that my website is not secure. Chrome says this about the site:

    Connection - obsolete connection settings
    The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA with P-256, and AES_128_CBC with HMAC-SHA1.
    TLS 1.0 is obsolete. Enable TLS 1.2 or later.
    AES_128_CBC is obsolete. Enable an AES-GCM-based cipher suite.

    Any suggestions on how this might be resolved?

  2. Rod P

    Apr 9 Testers Truro, Cornwall, UK.

    Which host? Where did you get the cert?

  3. That means the webserver is not up to date or is configured poorly. That shouldn't have anything to do with your Xojo web app unless you are running standalone and allowing users to connect directly to the app without going through a load balancer or web server of some sort.

  4. Steve K

    Apr 9 Testers, Xojo Pro, XDC Speakers The land of Oz

    Can you post an example of the URL you're using to access it?

  5. The page that I'm working with is: https://ms001592indfw0001.serverwarp.com/cgi-bin/fhmatest/fhma.cgi

  6. Greg O

    Apr 13 Xojo Inc scout.galaxy.barn

    @Kevin C The page that I'm working with is: https://ms001592indfw0001.serverwarp.com/cgi-bin/fhmatest/fhma.cgi

    That error isn't coming from the web app. Are you sure there's an SSL certificate and that it's configured correctly?

  7. Rod P

    Apr 13 Testers Truro, Cornwall, UK.

    500 server errors are usually one of two things.

    Either a permissions problem or a .htaccess error.

  8. Derk J

    Apr 13 Testers, Xojo Pro
    Edited 3 months ago

    http://litespeedtech.com has no valid certificate; it may have something to do with yours if it's a shared certificate.

    That domain seems to be offline

  9. Steve K

    Apr 13 Testers, Xojo Pro, XDC Speakers The land of Oz

    @Kevin C The page that I'm working with is: https://ms001592indfw0001.serverwarp.com/cgi-bin/fhmatest/fhma.cgi

    You're not accessing the page with the domain that is embedded in your certificate. You must construct your URL using the domain of your certificate that is installed on the server.

  10. Tomas J

    Apr 13 Testers, Xojo Pro Europe (Germany)
    Edited 3 months ago

    This has nothing to do with your Xojo CGI app. It is, as Kevin mentioned, a misconfigured server with its cert, TLS protocols and ciphers. Use https://observatory.mozilla.org or https://www.ssllabs.com/ssltest as a starting point. Everything below A is a security nightmare. You may cross-check your server results with my web server https://jakobssystems.net. I am proud of my A+ ratings ;-)


  11. Phillip Z

    Apr 13 Testers, Xojo Pro Florence, SC

    The cert is legal/valid but has nothing to do with the 500. As @Rod P pointed out you need to make sure you CHMOD 755 the folder using your SFTP client. Otherwise the server does not have permissions to launch the binary executable.

  12. Phillip Z

    Apr 13 Testers, Xojo Pro Florence, SC

    @Kevin C I'll email you. We can set it to be TLS 1.2 as default so Chrome won't be annoyed.

  13. Steve K

    Apr 13 Testers, Xojo Pro, XDC Speakers The land of Oz
    Edited 3 months ago

    Unless he has serverwarp[dot]com embedded in his certificate Chrome will continue to bark at him. The domain in the url you are using must match what is embedded in the certificate used to secure it.

  14. Phillip Z

    Apr 13 Testers, Xojo Pro Florence, SC

    When you access that site at https://ms001592indfw0001.serverwarp.com it has a fully valid certificate accepted by Chrome.

    There are historical reasons why we haven't forced TLS 1.2 and latest ciphers. Mostly revolving around HTTPSecureSocket not being very good and it upsetting users who use Kaju and other tools to hit their server from desktop apps. I have a "don't fix it if it isn't broken" mantra.

    That being said making Chrome happy is super easy in this case. I reached out to Kevin.

    The issues of the 500 had nothing to do with the cert but fortunately also easily solved.

  15. Tomas J

    Apr 13 Testers, Xojo Pro Europe (Germany)
    Edited 3 months ago

    @Phillip Z The cert is legal/valid but has nothing to do with the 500. As @Rod P pointed out you need to make sure you CHMOD 755 the folder using your SFTP client. Otherwise the server does not have permissions to launch the binary executable.

    Uhmm... I do not see an error 500 page. My problem is more this:


    It uses a huge amount of 3rd party resources without prior info or consent.

    But with or without a valid cert, it counts for nothing if the server is misconfigured. Use the SSL Labs report as a starting point to improve server security. And keep in mind that all browsers will soon prevent loading websites from such servers at all. Come on, it still uses TLS 1.0; we are already at TLS 1.3 now.
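
Added example, not written by any poster in this thread: a Python check for the two conditions in the Chrome warning quoted in the first post (obsolete protocol, non-AEAD cipher), as a local complement to the SSL Labs scan suggested above. Cipher names follow OpenSSL's naming, and the sample pair in `SAMPLE` is a constructed translation of Chrome's wording, not captured output.

```python
import socket
import ssl

# Protocol strings as returned by ssl.SSLSocket.version()
OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that identify an AEAD suite in OpenSSL cipher names;
# OpenSSL's CBC suites (e.g. ECDHE-RSA-AES128-SHA) carry none of them.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

# Constructed sample: "TLS 1.0, ECDHE_RSA ... AES_128_CBC with HMAC-SHA1"
SAMPLE = ("TLSv1", "ECDHE-RSA-AES128-SHA")


def audit(version, cipher):
    """Return a list of findings for one negotiated (protocol, cipher) pair."""
    findings = []
    if version in OBSOLETE_PROTOCOLS:
        findings.append(f"{version} is obsolete; enable TLS 1.2 or later")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        findings.append(f"{cipher} is not an AEAD suite; enable AES-GCM")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with host and return (protocol, cipher) as the server chose them.

    Diagnostic use only: the floor is lowered to TLS 1.0 so an old server
    can be observed instead of failing the handshake. Certificate and
    hostname verification stay on, so a name mismatch raises
    ssl.SSLCertVerificationError before anything is returned.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # some OpenSSL builds need this for TLS 1.0
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for finding in audit(*SAMPLE):
        print(finding)
    # Against a live server: print(audit(*probe("your.host.example")))
```
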

  16. Phillip Z

    Apr 13 Testers, Xojo Pro Florence, SC

    @Tomas J read higher in the thread: there was a 500.

    Not every server requires the same defaults. I've been down that road and blown up desktop apps because Xojo couldn't handle it at the time. There is no single right answer. It is an easy fix. Thanks for helping out!

  17. Tomas J

    Apr 13 Testers, Xojo Pro Europe (Germany)
    Edited 3 months ago

    Of course there is an answer to such security nightmares. Fix it! But we leave our dispute as it is.
    In the next months all major browsers won't display anything from this server.

    https://security.googleblog.com/2018/10/modernizing-transport-security.html
