I wrote a small server to accept webhooks from Stripe. It is working fine with TLS/HTTPS … with that Xojo-type certificate with all three parts inside - though I get “downgraded” by SSL Labs.
And even worse - if I use it with the port assigned to it, another tool asks for a “cipher order” … and names this missing order as the reason for the problems.
Stripe gives me back an error caused by TLS. I always knew that there has to be some order inside the internet - but I do not know how to talk to Xojo about getting some order into that.
For now I am using a .CRT file named like the application, containing first the public key, then the Root CA and then the private key - all without any empty lines in between or so. It has worked well up to now.
Is there anyone out there with similar problems? Did I do anything wrong with that? Is there anything configurable I have ignored? I’m completely lost.
You could try my app Lifeboat to deploy your web app. You can get a free SSL certificate issued by Let’s Encrypt or you can use a purchased SSL certificate if necessary by enabling the manual SSL tools. Lifeboat will also set up your server to use the standard ports 80 (HTTP) and 443 (HTTPS) so that Stripe can access your web app correctly.
Lifeboat can switch your SSL grade to get an A rating from SSL labs very easily.
Thanks for the answer. Yes, I know, I could do it in a different way. And as you know I have your Lifeboat. Sadly it had a lot of tradeoffs for me - I’m using IONOS as a hoster and I’m using Plesk and Acronis - which both opened up a lot of conflicts with Lifeboat. Btw, my phaenomind.de domain has an A grade, because Plesk cares about that. I have too much stuff running together on one server - each of the servers assigned to a customer. The customer will neither understand nor use Lifeboat after the server is ready and “taken over”.
So I would like to know what and how Xojo could handle that problem. A Xojo Web-App is a kind of package, which is wrapped by someone or something. So what is wrong with this wrapper?
Thanks again for your suggestion - I always have your Lifeboat in mind.
Michael
Quite some time ago (as in, I don’t have a link to the post handy) the developer of Web 2.0 recommended letting external software like Apache or nginx handle the public facing aspects of SSL (whether you’re load balancing or not).
SSL Labs tells you how to improve your grade in really cryptic ways, but the gist of getting grade A is enabling TLSv1.3 and setting the ciphers correctly. You can use this tool to help configure your specific server software: https://ssl-config.mozilla.org/
To get your Xojo Web App running with an A grade you will need to use something like Apache or nginx to configure SSL correctly and reverse proxy requests upstream to your app. Without Lifeboat, you will have to do this configuration manually.
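As an added example that is not from this thread, from Xojo or from Lifeboat: an nginx server block that terminates TLS in front of the web app and reverse-proxies plain HTTP to it, the setup Tim describes. The hostname, the certificate paths and the upstream port 8080 are placeholders; the certificate chain and the private key are kept in separate files, not in the three-part .CRT bundle from the question.

```nginx
# Added example (not from the thread): nginx terminates TLS, the Xojo app never sees it.
# Assumptions: the Xojo app listens on 127.0.0.1:8080 (placeholder port) and the
# certificate chain and private key live at the placeholder paths below.
server {
    listen 80;
    server_name example.com;                # placeholder hostname
    return 301 https://$host$request_uri;   # always send plain HTTP to HTTPS
}

server {
    listen 443 ssl http2;
    server_name example.com;                # placeholder hostname

    # Chain file = server certificate followed by the intermediate/root CA; key kept separate.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder path

    # Only modern protocol versions; enabling TLSv1.3 is one of the things SSL Labs looks for.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Explicit, AEAD-only suites for TLS 1.2 (the TLS 1.3 suites are fixed by OpenSSL).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # This is the "cipher order" the scanner in the question asked for:
    # the server, not the client, picks the suite from the list above.
    ssl_prefer_server_ciphers on;

    # Session resumption and OCSP stapling: faster handshakes, revocation status served by us.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # HSTS: browsers refuse plain HTTP for this host from now on.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Hand the decrypted request to the Xojo app over localhost.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Stripe then talks to nginx on 443, and the Xojo app only needs to listen without TLS on the local port; keep that port closed in the firewall so nothing bypasses the proxy.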
One other option to consider is using haproxy. It follows the same principle that Tim is recommending: it moves the SSL interaction out of Xojo and into another tool that may offer better SSL options.
The haproxy approach can be tricky to implement, but once it is in place, it does simplify things and provides some excellent logging capabilities.