website not secure

Despite having an SSL cert and using https and using httpsecuresocket with TLS v1.2, browsers still say that my website is not secure. Chrome says this about the site:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA with P-256, and AES_128_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_128_CBC is obsolete. Enable an AES-GCM-based cipher suite.

Any suggestions on how this might be resolved?

Which host? Where did you get the cert?

That means the webserver is not up to date or is configured poorly. That shouldn’t have anything to do with your xojo web app unless you are running standalone and allowing users to connect directly to the app without going through a load balancer or web server of some sort.

Can you post an example of url your using to access it?

The page that I’m working with is:

That error isn’t coming from the web app. Are you sure there’s an SSL certificate and that it’s configured correctly?

500 server errors are usually one of two things.

Either a permissions problem or a .htaccess error. has no valid certificate is may have something to do with yours if it’s a shared certificate.

That domain seems to be offline

Your not accessing the page with your domain that is embedded in your certificate. You must contruct your url using the domain of your certificate that is installed on the server.

This has nothing to do with your Xojo CGI App. It is as Kevin mentioned a misconfigured server with its cert, tls protocols and ciphers. use as starting point or Everything below A is security nightmare. You may cross-check your server results with my Webserver I am proud of my A+ ratings :wink:

The cert is legal/valid but has nothing to do with the 500. As @Rod Pascoe pointed out you need to make sure you CHMOD 755 the folder using your SFTP client. Otherwise the server does not have permissions to launch the binary executable.

@Kevin Clark I’ll email you. We can set it to be TLS 1.2 as default so Chrome won’t be annoyed.

Unless he has serverwarp[dot]com embedded in his certificate Chrome will continue to bark at him. The domain in the url you are using must match what is embedded in the certificate used to secure it.

When you access that site at it has a fully valid certificate accepted by Chrome.

There are historical reasons why we haven’t forced TLS 1.2 and latest ciphers. Mostly revolving around HTTPSecureSocket not being very good and it upsetting users who use Kaju and other tools to hit their server from desktop apps. I have a “don’t fix it if it isn’t broken” mantra.

That being said making Chrome happy is super easy in this case. I reached out to Kevin.

The issues of the 500 had nothing to do with the cert but fortunately also easily solved.

Uhmm… I do not see an error 500 page. My problem is more this:

It uses a huge amount of 3rd party ressources without prior info or consent.

But with or without valid cert. it counts nothing if the server is misconfigured. Use SSL Labs report as starting point to improve server security. And keep in mind that all browsers will soon prevent loading websites from such servers at all. Come on it still uses TLS 1.0, we are already at TLS 1.3 now.

@Tomas Jakobs read higher in the thread: there was a 500.

Not every server requires the same defaults. I’ve been down that road and blown up desktop apps because Xojo couldn’t handle it at the time. There is no single right answer. It is an easy fix. Thanks for helping out!

Of course there is an answer to such security nightmares. Fix it! But we leave our dispute as it is .
In the next months all major browsers won’t display anything from this server.