I want a client/server C++ application that can use TLS for secure communication, including client certificates, and potential to select and validate certificates myself.
I have used Schannel to do this before, but the key InitializeSecurityContext is marked [desktop apps only].
Have Microsoft provided a new equivalent API?
Although in theory I could replace the whole thing (since in the end, I can still have a normal plaintext TCP socket) I would rather stick to OS components if possible.
Related
I'm a bit confused about using OpenSSL in my Delphi webservice in relation to the available ciphers for a HTTPS connection.
Setup:
My webservice runs on a client's server. OpenSSL is installed there. The webservice uses Indy (a TIdHTTPWebBrokerBridge) and the OpenSSL DLLs (with TIdServerIOHandlerSSLOpenSSL) to load the client's certificate
Our Android/iOS apps connect to this webservice over HTTPS
The client has configured a domain and IP that the app users can connect to and reach my webservice. If we test that domain using e.g. the SSLLabs server test we get an overview of the supported ciphers and protocols (SSLLabs even mimics handshakes from devices and browsers and shows what ciphers were negotiated).
Question: Is there anything my webservice (in combination with OpenSSL) has to do/can do to influence the available ciphers for the TLS handshake between app and webservice? Is there anything additional that needs to be setup with OpenSSL?
I thought the answer is 'no', i.e. that it is just the server setup that (in the handshake with the app through Android/iOS) determines which cipher to use from the available server ones. Is this a correct assumption? Or do I miss something?
(As a matter of fact, I am not actually interested in limiting or expanding the available ciphers, but the client insists that something "should be done" in/with the webservice/OpenSSL to have it communicate "safely" with the apps. The SSLLabs test shows that their domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so e.g. no Perfect Forward Secrecy. To me, that looks like something that needs to be fixed anyway).
Notes:
This SO question suggests I may have to do something, but it has no answers.
I posted an earlier somewhat related question, but that has no answers.
This SO post states OpenSSL honors the client's cipher preference, not the server's, during the SSL handshake, which again suggest there are things I can do?
I had some doubts whether this question is in the proper place here (also because Why we are not customer support), but since this may be relevant to more programmers I decided to put it on SO.
You can specify available ciphers via TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL/TLS versions via TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).
If you want Perfect Forward Secrecy, you has to create DHParam keys using openssl.exe (fill TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile by result file name). If you want not only DHE, but ECDHE ciphers you need to call some additional openssl api, see a Support for Perfect Forward Secrecy in SSL with indy 10 for example.
I have a web service which i need to access through https. We have a workbout pro 4 with win ce 6.0 running on it. When we were developing our app we had tested it through http. wihtout any problem. When we went live and needed access to https based server we have received the error stated on subject field under VS 2008 Smart Device Project. On the device we receive an error "could not display..." . We have tried to import the standard certificate issued by global si. We still have no success accessing the web service. We can acces the web service on phone, tablet, pc but not with Pro 4:). It would be kind if anyone can share his/her experience with https based web service access or can guide us to over come our problem.
Secure connection is not implemented on CE fully. Something to do with cert management. Here is what i am considering for my project and it gives a little more info what the issue is. http://labs.rebex.net/HTTPS
Here is some quotes from the site in case its down or something.
.NET Compact Framework does not support TLS 1.2, 1.1, SNI or SHA-2
based certificates.
.NET CF's HttpWebRequest is outdated. It does not support TLS 1.2 or
1.1, it doesn't support Server Name Identification (SNI), and it does not support SHA-2 in X509 certificates. It also suffers from several
authentication-related bugs with no known workaround. This makes it
unusable in a growing number of scenarios, and Microsoft will never
fix this because it no longer cares about these legacy platforms.
Fortunately, it's now possible to work around these shortcomings using
a beta version of Rebex HTTPS library. It features a HttpWebRequest
replacement object for .NET Compact Framework that plugs into the
existing .NET CF WebRequest API and provides the features the default
HTTP/HTTPS provider lacks. Most importantly, it adds support for TLS
1.2, TLS 1.1, SNI and SHA-2, it works even on old devices based on Windows CE 5.0 and it makes it simple to add TLS 1.2 support to
existing SOAP web service clients.
We had a similar issue on CE 7.0.
HTTPS connections using SHA1 certificates would work, however ones with SHA2 certificates would return the error
Could not establish trust relationship with remote server
If possible, try testing your code against a host that uses a SHA1 certificate to see if the issue might be related to missing SHA2 support in CE 6.0.
I should mention that we never formally approached Microsoft to get confirmation on whether SHA2 was supported or not in CE 6.0/7.0, it was just our conclusion after numerous tests that it wasn't.
I need to connect to a server with SSL in C++Builder XE7. I can find stuff for HTTPS and SMTP but nothing for custom connections. In BCB5 it was a lot easier, I would do it with custom code but now with Android and iOS, things need to be done a little differently as we now need to support these products too.
I've looked at TIdSocketSSL but with the very few examples I could find, it seems to need an owner which ultimate comes from SMTP or HTTPS.
C++Builder ships with Indy, which has a TIdTCPClient component that you can use for implementing custom protocols. There are plenty of examples on Embarcadero's forum, Indy's forum, StackOverflow, and various blogs demonstrating how to send/receive custom data with Indy.
For SSL/TLS, simply assign a TIdSSLIOHandlerSocketOpenSSL component to the TIdTCPClient::IOHandler property before calling Connect(), and configure its properties as needed (certificates, SSL/TLS version(s), etc). When you want to perform the SSL handshake, set the TIdSSLIOHandlerOpenSSL::PassThrough property to false. You can set it before calling Connect() so the handshake is immediate before any data is exchanged (aka implicit SSL/TLS), or you can set it after exchanging unencrypted data first (aka explicit SSL/TLS), depending on your protocol needs.
I'm using wininet library in my aplication, after it turned out that sslv3 loooves poodle, some websites turn it off, and my aplication does not working on some PC's unless user set in Internet settings in windows to use TLS 1.X. Does anyone know way to force wininet to use tls 1.x connection ?
Wininet uses schannel.dll for the SSL/TLS communication and will automatically negotiate TLS if the server side offers TLS. There is nothing for you to do.
I should add that TLS support varies based on Windows version. For up to date TLS support, the minimum Windows versions are Win 7 and Win 2008 R2.
Detail: https://learn.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows
I have two computer systems each having an apache server. One machine is a client machine and the other is a server machine. I want both the client request and the server response to be encrypted thus making the data transfer safe.
Could someone please give pointers/steps on how I could make progress in this front.
The communication doesn't involve any GUI components meaning the communication is purely a backend one.
Both the client and the server are coded in java. I am using Axis2 and jaxws for the communication.
Currently I am able to send the client request and receive the server response without SSL enabled. Now If I enable SSL does it mean that I should also modify the existing code according to the SSL or the current working code still holds good.
You have many options here. Since you mention SSL...
On each server generate an asymmetric key-pair (RSA 2048 is a safe choice). Then create a self signed certificate on each server. Then copy each certificate to the other machine and mark it as trusted by the Java environment that apache is using and that NONE OTHER are trusted. Configure SSL/TLS on each of the apaches to use a good symmetric cypher (3DES is a safe choice, but there are other newer ciphers if you want leading edge). Next ensure that all access between Tomcat servers is via https URLs and you should be in decent shape.
An alternative is to use IPSEC to establish a static tunnel between the two servers using certificates or other trust bases.
One fairly simple option is to use stunnel, which is available via the standard package-manager on most *NIX systems. You configure an stunnel as a client (and server if you with) on one server and then another as the server (and client if you wish) and then configure your Tomcat instance(s) to connect to localhost:XYZ where XYZ is the port where stunnel is listening.
The nice part about using stunnel is that you can use it to tunnel any protocol: it is neither a Tomcat-specific nor a Java-specific technique, so you can use it for other applications in the same environment if you want.