Standalone Web SSL...

I know a lot of you have been asking for Standalone SSL for a long time, and I’m pleased to say that there has been a breakthrough…

At Long Last… Web Standalone SSL

If you have any questions, please let me know!

And…Yhaiii it should work on 13r3 :wink:

Thanks Greg!

What’s the best approach to using certificates with commercial Web Apps that are distributed/licensed? Customers that are hosting and running the Web Apps they’ve licensed from us would like to have secure connections but we certainly don’t want to distribute our certificate with our Web App. Shouldn’t each customer have their own certificate?

While considering possible solutions, please keep in mind that installation and configuration of our Web Apps should be as simple as possible for our customers. Many have technical skills but certainly not all.

How can I confirm that the standalone app is using SSL? I compiled a standalone app with Xojo 2013r3.3 and used the command line option --secureport=8085 and without putting anything in place (namely certificates) was able to connect using 8085 on my browser. How will I know when I have it right or when there is a configuration issue and something isn’t right?

Thanks,
Dan Harding

Same way you would confirm any secure website. If you don’t have a lock icon or https or something in the URL bar, then it’s not secure.

In Xojo code, you can check the Session.Secure property.

It’s important to note that if you don’t supply a certificate, the sockets are not set up to be secure, so they will respond to a normal http connection.

Yes. Each app should have its own certificate. Remember that certificates are tied to the domain name though.

As far as getting your users’ certificates, you could create a tool to help users get things in the right order, but whatever you do, the file will still need to be named with the same name as the app (as outlined in the blog post) with the pieces in the right order.

Whatever you do, don’t send these certificates in-the-clear or over an unsecured connection (like normal FTP). The certificate will have the public AND private key in it.

[quote=59015:@Greg O’Lone]
If you have any questions, please let me know![/quote]

Is there a way to disable non-SSL ports if the SSL port is defined? That way the app will only talk SSL. Granted I could test this out myself but I am sitting at the ATL Xojo meeting.

Thanks!

[quote=59085:@Greg O’Lone]Yes. Each app should have its own certificate. Remember that certificates are tied to the domain name though.

As far as getting your users’ certificates, you could create a tool to help users get things in the right order, but whatever you do, the file will still need to be named with the same name as the app (as outlined in the blog post) with the pieces in the right order.

Whatever you do, don’t send these certificates in-the-clear or over an unsecured connection (like normal FTP). The certificate will have the public AND private key in it.[/quote]
Thanks again Greg! That’s just what I needed.

[quote=59094:@scott boss]Is there a way to disable non-SSL ports if the SSL port is defined? That way the app will only talk SSL. Granted I could test this out myself but I am sitting at the ATL Xojo meeting.
Thanks![/quote]

Setting --maxPorts=0 when you launch will do it.

Awesome!!

Thanks!!!
sb

Great news Greg …

Do you have any other parameter on web app startup, to define the network that the web server will listen on?

Greg, is it possible to debug in SSL mode and perhaps even have the browser use https to hit the local server? This would be extremely handy. I could never get it to work.

Not yet. Once we get the feature integrated into the IDE, it’ll be easier to make this happen.

Unless… You could Run Paused and then launch it manually with the command line parameters.

Still not getting the Standalone and SSL to work.

Greg, could you (or someone else) post a skeleton of a working MyApp.crt (removing enough actual certificate to make it useless) so that I am sure that I am doing that right?
Specifically, I’m assuming the “markers” at the beginning and ending of the certificates remain. Does it matter if there are new lines after these? Does it matter if the certificate itself has new lines at regular intervals?

One other question, does it matter where on the server the standalone runs? I would assume no, but want to make sure anyway.

I’m compiling on 2013r3.3 to port 8082 and using --secureport=8085 which one should I be using on the browser?
“www.mysite.com:8082”?

If someone knows of a “be sure to…” I’d appreciate that as well.

Thanks,

Dummy SSL Cert

I prefer a Windows server, where the Server handles the SSL and not the web app. This helps keep the speed up a little more than having it in Xojo directly. As it doesn’t seem to be fast (on IIS, Stand Alone - included SSL in Xojo App).

I haven’t got great measurements on the overhead of SSL built into WE, but it has consistently been less than 5% for me. I’ve actually been using it for more than a year, but was warned when it was yanked from an RS 2012 beta to be cautious. In the meantime, Greg has fixed some far bigger memory and performance issues, including the compression leak.

[quote=59221:@Dan Harding]I’m compiling on 2013r3.3 to port 8082 and using --secureport=8085 which one should I be using on the browser?
“www.mysite.com:8082”?[/quote]
You should be using: https://www.mysite.com:8085/

Yes. There must be new lines after the markers. As far as the certificate data goes, most of the ones I’ve worked with are broken into 64 character lines.

For Example

[code]-----BEGIN CERTIFICATE-----
ZG8uY29tL0NQUzBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9kb2Nh
LmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBsBggrBgEFBQcB
AQRgMF4wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NvbW9k
…Public Key Data Here…
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
ZG8uY29tL0NQUzBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9kb2Nh
LmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBsBggrBgEFBQcB
AQRgMF4wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NvbW9k
…Intermediate Certificate Here… (each cert needs to have its
own BEGIN and END)
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
ZG8uY29tL0NQUzBJBgNVHR8EQjBAMD6gPKA6hjhodHRwOi8vY3JsLmNvbW9kb2Nh
LmNvbS9DT01PRE9DZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBsBggrBgEFBQcB
AQRgMF4wNgYIKwYBBQUHMAKGKmh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NvbW9k
…Private Key Data Here…
-----END PRIVATE KEY-----
[/code]
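A structural check for the combined file, following the skeleton above: markers on their own lines, certificates first, private key last. This is an added example, not code from the thread or from Xojo; `check_bundle`, `fake_block` and the sample data are constructed for illustration, and it checks layout only, not that the key matches the certificate.

```python
import base64
import re

# One PEM block with BEGIN/END markers on their own lines (LF or CRLF accepted;
# which line ending the app itself expects is not settled in the thread).
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----[ \t]*\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$",
    re.MULTILINE | re.DOTALL,
)

def check_bundle(text):
    """Return a list of problems in a combined certificate + key file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("a BEGIN marker is not alone on its line or has no matching END")
    labels = [label for label, _ in blocks]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must come after the certificates")
    for number, (label, body) in enumerate(blocks, 1):
        lines = body.splitlines()
        if any(len(line) > 64 for line in lines):
            problems.append("block %d (%s): line longer than 64 characters" % (number, label))
        try:
            base64.b64decode("".join(lines), validate=True)
        except ValueError:
            problems.append("block %d (%s): body is not valid base64" % (number, label))
    return problems

def fake_block(label, seed):
    """Constructed filler block; the bytes are not real certificate or key data."""
    raw = base64.b64encode(bytes([seed]) * 120).decode()
    body = "\n".join(raw[i:i + 64] for i in range(0, len(raw), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample in the order of the skeleton: certificate, intermediate, key.
SAMPLE_OK = "\n".join(
    [fake_block("CERTIFICATE", 1), fake_block("CERTIFICATE", 2), fake_block("PRIVATE KEY", 3)]
)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_OK) or "bundle structure looks right")
```

Because the file holds the private key, run a check like this on the machine where the file lives rather than pasting its contents anywhere.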

Which end of line must be used in the file?