Problems with "cipher order" using WebApp with Stripe

Here is a nice little problem with my Xojo Web-App:

I wrote a small server to accept webhooks from Stripe. It is working fine with TLS/HTTPS … with that Xojo-type certificate with all three parts inside - though I get “downgraded” from SSL-Labs:

And even worse - if I use it with the port assigned to it, another tool asks for a “cipher order” … and names this missing order as the reason for the problems.

Stripe gives me back an error caused by TLS. I always knew that there has to be some order inside the internet - but I do not know how to talk to Xojo about getting some order into that :crazy_face:

For now I am using a .CRT file named after the application, containing first the public key, then the Root-CA and then the private key - all without any empty lines inside. Worked well up to now.

Is there anyone out there with similar problems? Did I do anything wrong with that? Is there anything configurable I have ignored? I’m completely lost.

You could try my app Lifeboat to deploy your web app. You can get a free SSL certificate issued by Let’s Encrypt or you can use a purchased SSL certificate if necessary by enabling the manual SSL tools. Lifeboat will also set up your server to use the standard ports 80 (HTTP) and 443 (HTTPS) so that Stripe can access your web app correctly.

Lifeboat can switch your SSL grade to get an A rating from SSL labs very easily.

There currently is no way to set your SSL grade in the framework. You will need to use a layer on top of the Xojo Web App like Apache or nginx.


Hi Tim,

thanks for the answer. Yes, I know, I could do it in a different way. And as you know I have your Lifeboat. Sadly it had a lot of tradeoffs for me - I’m using IONOS as a hoster and I’m using Plesk and Acronis - which both opened up a lot of conflicts with Lifeboat. BTW, my phaenomind.de domain has A-Grade, because Plesk cares about that. I have too much stuff running together on one server - each of the servers assigned to a customer. The customer will neither understand nor use Lifeboat after the server is ready and “taken over”.

So I would like to know what and how Xojo could handle that problem. A Xojo Web-App is a kind of package, which is wrapped by someone or something. So what is wrong with this wrapper?

Thanks again for your suggestion - I always have your Lifeboat in mind :grinning:
Michael

Xojo Web Apps are themselves web servers. When you use the SSL features of Xojo Web, the handshake settings are handled by Xojo Web. You can configure the SSL version by the command line parameter, but TLSv1.3 is not supported.

Quite some time ago (as in, I don’t have a link to the post handy) the developer of Web 2.0 recommended letting external software like Apache or nginx handle the public facing aspects of SSL (whether you’re load balancing or not).

SSL Labs tells you how to improve your grade in really cryptic ways, but the gist of getting grade A is enabling TLSv1.3 and setting the ciphers correctly. You can use this tool to help configure your specific server software: https://ssl-config.mozilla.org/

To get your Xojo Web App running with an A grade you will need to use something like Apache or nginx to configure SSL correctly and reverse proxy requests upstream to your app. Without Lifeboat, you will have to do this configuration manually.

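As an added example of the setup Tim describes (not code from the thread, from Xojo, or from Lifeboat): an nginx server block that terminates TLS with the Mozilla "intermediate" settings from https://ssl-config.mozilla.org/ and reverse-proxies to a Xojo Web app listening on plain HTTP. The hostname `example.com`, the certificate paths and the upstream port `8080` are placeholders; substitute your own. The DHE suites from the Mozilla profile are left out so no `ssl_dhparam` file is needed.

```nginx
# Added example, not from the original thread. Placeholders: example.com,
# the certificate paths, and the upstream port 8080 (the Xojo app's --port).

server {
    listen 80;
    listen [::]:80;
    server_name example.com;                       # placeholder hostname

    # Let the ACME http-01 challenge through if certbot is used; redirect everything else.
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;                       # placeholder hostname

    # fullchain.pem = leaf certificate followed by the intermediates; the key stays separate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;     # placeholder path

    # Only TLS 1.2 and 1.3; forward-secret AEAD suites only (this is the "cipher order"
    # the scanner asked for). Mozilla intermediate leaves the choice to the client.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; needs a resolver nginx can reach for the OCSP responder lookup.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.1 valid=300s;                 # placeholder: your local resolver

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Stripe posts webhooks here. The body is passed through unmodified so the
    # Stripe-Signature check inside the Xojo app keeps working.
    location / {
        proxy_pass http://127.0.0.1:8080;          # placeholder: Xojo app on plain HTTP
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the Xojo app no longer needs its own certificate at all: it listens only on 127.0.0.1 without the SSL command line options, nginx handles the handshake, and the Stripe webhook URL is simply `https://example.com/...` on port 443. Run `nginx -t` after editing and reload; OpenSSL on the proxy host decides the TLS 1.3 support, independent of the Xojo framework version.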

I’m not sure if this is the post, or something similar posted after 2020:

One other option to consider is using haproxy. It follows the same principle that Tim is recommending: it moves the SSL interaction out of Xojo and into another tool that may offer better SSL options.

The haproxy approach can be tricky to implement, but once it is in place, it does simplify things and provides some excellent logging capabilities.

Thanks, I had a look at that. Hardcore :flushed:. I am using Xojo to keep me away from things like this.

This one is closed - with no results:

Does this mean: There is NO WAY to get a Xojo App to “Grade A” level for SSL? I am using Xojo Apps because there is no need to use Apache or nginx …

Anyone from Xojo reading this? There are Issues listed 6-8 years ago about that … ?

Thanks again for any help or idea about that!

For web? I guess those were Web 1; not sure if they apply to Web 2.

You should open an Issue to make sure Xojo reads your problem.

OK, I opened an issue for that - hope that helps! :flushed:

https://tracker.xojo.com/xojoinc/xojo/-/issues/76098

It does mean that. A Xojo web app exposed to the internet should always be behind Apache, nginx, or another proxy/load balancer.

The advantage is that you get web server updates out-of-band from Xojo updates.

Currently, no. There isn’t.

But requests for TLS 1.3 have been on the table for ages. And I heard that they were working on it.

https://tracker.xojo.com/xojoinc/xojo/-/issues/63719


Edit: Seems no one is working on it (zero assignees). :rofl:

Just the milestone is set to 2024r2
