2015r4 Web app SSL issue with older browsers

We run a Xojo standalone web app, 32-bit, hosted on a VPS provided by FutureHosting.com running CentOS 6.4.
As an alternative, we also host a CGI version on the same server.
https://genesearch.com.au:8443
http://genesearch.com.au:8008
https://genesearch.com.au/scgi-bin/webstore.cgi

A week ago my developer updated Xojo to the latest version 2015r4, and now some older browsers cannot run the HTTPS version of the web app, which is the default linked from our main website.
Internet Explorer instantly responds with: Cannot display the webpage - because "the website is temporarily unavailable" and a host of other reasons, none of which are true.

However, the same browser can open the web app using the HTTP link, or the alternative CGI app with HTTPS.
So how is that even possible? If the browser has a problem, it is logical that it shouldn't be able to open any version of the web app.
Also, why does it fail instantly? Browsers tend to time out after a period when this kind of error occurs.

Our customer base includes a lot of govt and health institutions that work on controlled PC environments, so it's not as simple as telling them to upgrade their browsers.

Browsers that I have repeated this issue on are:
Internet Explorer 8, 9, and 10 on Windows 7 (fresh OS install using VM from Microsoft)
Safari 6 on OSX 10.8

Browsers that work fine include:
IE 11 on Windows 7
Safari 9 on OSX 10.10
Firefox and Chrome latest versions on any OS

The Web app is not creating any logs on the host, so the server is not giving me any info for the error, and neither is Developer Options in the browser.

I am not sure if there is a solution other than upgrading browsers, but I am posting this to see if anyone else is experiencing it and, if possible, why.

Isn’t this a problem with SSL? See https://support.microsoft.com/en-us/kb/2851628 .

I think not, because the issue only started when we recompiled the app with the latest Xojo update, and I think that info is a few years old and has never affected us.

And the browsers that have the issue I described can open the app normally using the CGI version:
https://genesearch.com.au/scgi-bin/webstore.cgi

[quote=242090:@Mark Blake]Browsers that I have repeated this issue on are:
Internet Explorer 8, 9, and 10 on Windows 7 (fresh OS install using VM from Microsoft)
Safari 6 on OSX 10.8[/quote]

Internet Explorer 8 is not supported by 2015R4 according to http://developer.xojo.com/system-requirements

The others should be fine.

Maybe it is a bug specific to Standalone, worth reporting.

Yes, if it is a bug, it should be repeatable for others that host standalone apps with SSL. But I don’t know of any test on.

I found another Xojo standalone app, hosted by another forum user as a demo and it exhibits exactly the same issue as described here.

If it works in the CGI version but not in the standalone version then that's definitely a bug; make sure to make a feedback report with that info.

Secure standalone web apps now use TLS v1.2 by default, as per current best practices. All current vendor-supported versions of modern browsers also support it, but older (and now unsupported) versions of IE and Safari do not (by default).

This is a good thing. The browsers that cannot connect are not capable of using viable security standards. They are insecure. They should not be used.

Build with the older version and check your site with https://www.ssllabs.com/ssltest/ to see exactly the issues and recommendations. Then update to the latest build and check again. You’ll see exactly what has changed. The site also includes links explaining why these changes are necessary.

This isn’t just “screw those older browsers” - their security is broken.
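The instant failure with nothing in the app's logs fits a TLS version mismatch: the browser's first message (the ClientHello) states the highest protocol version it offers, and a server with a TLS 1.2 minimum ends the handshake before any HTTP request exists. The sketch below is an added example, not code from this thread or from Xojo; the function names, the sample ClientHello bytes and the "IE 9 defaults offer TLS 1.0" input are assumptions constructed for illustration, and the rejection shown is what the TLS specification prescribes, not a statement about Xojo's embedded server.

```python
import struct

TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
TLS12 = 0x0303

def offered_version(record: bytes) -> int:
    """Return the client_version field of a ClientHello (highest version offered).
    TLS 1.3 clients also put 0x0303 here, so they pass a TLS 1.2 minimum."""
    if len(record) < 11:
        raise ValueError("too short for a TLS record carrying a ClientHello")
    rec_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x01:       # 0x01 = ClientHello
        raise ValueError("handshake message is not a ClientHello")
    (version,) = struct.unpack("!H", body[4:6])
    return version

def server_decision(record: bytes, minimum: int = TLS12) -> str:
    """What a server enforcing `minimum` does with this ClientHello."""
    version = offered_version(record)
    name = TLS_NAMES.get(version, hex(version))
    if version < minimum:
        return f"reject {name}: handshake ends with a fatal protocol_version alert"
    return f"accept {name}"

def make_hello(version: int) -> bytes:
    """Constructed sample: minimal ClientHello offering `version`, one cipher suite."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + random
    body += b"\x00"                                 # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"      # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                             # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    samples = [("IE 9, default settings (constructed)", 0x0301),
               ("IE 9, TLS 1.2 enabled (constructed)", 0x0303)]
    for label, ver in samples:
        print(label, "->", server_decision(make_hello(ver)))
```

Run against the first bytes of a captured connection, `offered_version` tells you what a failing client actually offered, which is the information the missing server log would otherwise have supplied.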

The issue that I have here, is that browsers supported by Xojo demonstrate the fault. You can test this yourself on the links I have provided.

Then Xojo needs to update the supported browser list.

I’m no expert on this, but these two sites seem to imply you can enable TLSv12 for some older versions of IE in the Advanced Options:

BINGO! Xojo owes you a reward - let's split it.

I enabled TLS 1.2 in IE 9 and it now works on the Standalone App.
So I assume this will be the same for IE8 and IE10 - the matrix on that Wiki page you linked to me confirms that these browsers support it, but disabled by default.

IMO this is still a bug, because it means the Standalone App requires TLS 1.2 but the CGI App doesn’t. That's not logical, and lots of corporates do not upgrade to the latest; plenty are still using Win 7 and IE less than 11.

CGI applications (not just Xojo apps) don’t have anything to do with SSL/TLS. In that scenario it is up to the server configuration to select what is allowed, as the server manages the connections, secure or otherwise.

It is logical. As Travis said, SSL/TLS is managed by the web server.

With a standalone web app, the server is embedded in the app. So it has to deal with this.

With a CGI web app, the server is a separate thing, such as Apache. So Apache has to deal with it, not the Xojo CGI app.

What’s your proposed solution though? Just because corporate environments don’t want to upgrade, doesn’t make that Xojo’s problem. This isn’t a subjective issue like “platform x is easier to support” or something like that. Allowing Xojo apps to use broken security isn’t a solution. Aside from documentation changes, Xojo has done what is really the only thing they can do.

If it works under CGI on your webserver, that is because (as Travis said) the server software handles the secure connection. This also means your web server allows insecure ciphers, and needs to be updated.

The reality is that somewhere between 40-50% of our site visitors are using browsers that DON'T work, but these browsers are on Xojo’s compatibility list. That means a lot of clients getting annoyed and we could not figure out why.

I think they should have informed us, and then updated the compatibility list.

[quote=242572:@Mark Blake]The reality is that somewhere between 40-50% of our site visitors are using browsers that DON'T work, but these browsers are on Xojo’s compatibility list. That means a lot of clients getting annoyed and we could not figure out why.

I think they should have informed us, and then updated the compatibility list.[/quote]
Like I said, documentation updates. The compatibility list is either wrong or needs further clarification. I believe it is correct for plaintext connections, so it’s only secure connections that have a higher requirement.

I’ve added notes to the System Requirements browser section regarding SSL compatibility.

I also added a note about TLSv12 being required to the Standalone SSL page.