I have a desktop client/server application. Both client and server are developed using Delphi 10.2. Application server has been deployed as a Windows service.
My requirement is to implement TLS/SSL to secure the communication between client and server. For this I have used Indy with TIdServerIOHandlerSSLOpenSSL on the server side and TIdSSLIOHandlerSocketOpenSSL on the client side.
For testing purposes, I have used self-signed certificates.
During testing of this setup , I had to setup OpenSSL on each client workstation. Also, I copied libeay32.dll and ssleay32.dll to the system32 folder.
So part of the problem is:
Could this configuration of client workstations be avoided? My understanding with TLS/SSL is that it is server which needs to be configured to enable TLS/SSL.
Since my testing is based on self signed-certificates, I did not install any certificate on client machine. What is the role of certificates for the client machine?
Related
Okay, I feel I'm pretty good at problem solving but I'm stumped! I can't get connectivity to the SQL Server via the Hybrid Connector or directly.
System Overview:
1x Linux PHP Based WebApp with all the correct SQLSRV libraries working (using a azure sql server I can get the webapp working fine, but need to use our onsite server for the time being)
1x Onsite SQL Server (win2012, sql version 11.0.7), which has an external static IP (and FQDN) and exposed to the internet on port 1433 (I can use SMSS from an external IP to connect and manage the server - with that IP added to the firewall that is..)
So firstly - trying to connect via PHP / SQLSRV directly to the server doesn't work (even if I allow all internet traffic to connect to the server via the firewall) - which is odd as SMSS works. The server is Win2012 and TLS 1.2 is enabled - but I get Error code 0x2746. Investigating this, I think its something to do with openssl 1.1.1 and SQL Server still only using SHA1 - I modified the openssl.cnf file to SECLEVEL=1 - still not dice.
So I've proceeded to setup the Hybrid connections using port 1433 using internal machine name say 'SERVER01' for the endpoint - everything says connected on both the azure hybrid screen and also on the connection manager on the server. I can telnet from SERVER01 to the service endpoint bus and from SSH on the WebApp I can ping the hybrid end point 'SERVER01:443'
But trying to connect to the database from PHP using SQLSRV it timeouts.
Anyone got any pointers? I'm thinking its due to the old onsite server being too old (Win2012) and the SSL SHA1 issues.
After upgrading a service written in F# from 4.6.1 to 4.7.2 i startet getting a classic SSL/TLS error "The request was aborted: Could not create SSL/TLS secure channel".
TLS 1.2 is enabled on all servers.
I verified with Fiddler that the old version and the new version of the application both uses TLS 1.2 as they should and have done for a long time.
The requests appears to be identical.
The service runs as a Network Service, however i get the same error if i run it as admin.
The certificate is selfsigned and placed in Trusted Root Certification Auth.
The certificate is only used to internal https between our services.
If I add the certificate to Personal certificates in certmgr the error disappears and the service works!
From my view it is as if after upgrading to 4.7.2 the Trusted Ca certificates are "ignored".
Adding the certificate to Personal when its placed in Trusted Certificates is not a solution.
I havent been able to identify the change which somehow must have been introduced in 4.7.2.
What am i missing?
How hard is it to enable TFS to start using secure connections, if its not already? Does doing so affect SQL configuration also? How can we force SSL to be required?
Im looking over this reference material
https://msdn.microsoft.com/en-us/library/aa833872%28v=vs.120%29.aspx#DisAd
Reading the above, I get the impression that MS is trying to discourage someone from using SSL for TFS over the internet?
Then I stumbled on to this blocg post
http://www.jwsecure.com/2009/01/29/using-tfs-via-the-internet/
Summary = just get a ssl cert and force ssl and port-forward a high port to 443
thoughts?
Firstly, the MSDN article you posted above shows you the detailed steps on how to set up HTTPS with SSL for TFS. To summarize main steps include:
Install a certification authority, obtain and install a server certificate for servers.
Request, install and configure websites with a certificate for Team Foundation Server using Internet Information Services (IIS) Manager.
Configure Team Foundation Server to require HTTPS and SSL.
Install the certificate on client computers.
You can also check this walkthrough: https://msdn.microsoft.com/en-us/library/aa833873.aspx
Secondly, you don't need to configure SQL Server. But if you have SQL Reporting Service, you need to configure it to support HTTPS with SSL.
Thirdly, to enable TFS to be available with external connections, you need to configure it with HTTPS with SSL. Also with it, web connections to TFS are more secure. However, these process needs more administrator's configuration & maintenance work. So you need to determine whether to use it based on your requirement.
I have a standalone (EXE) DataSnap server written in Delphi XE6 which I've secured with an SSL certificate using the OpenSSL DLLs. When I test the connection to the server I can see that it supports TLS v1.0. I now need to ensure the server can support TLS v1.2 (e.g. to support connections from iOS9 apps). However I can't see how to enable this. I've made the Windows registry changes to the (Windows 2008R2) server to enable TLS v1.2 but I guess this only affects IIS apps.
Can anybody show me how to enable TLS v1.2 within the Windows OpenSSL DLLs? I'm using version 1.0.2d of the DLLs. Or is there something within the DataSnap server component properties that needs to be changed?
I set using in my asp.net mvc application SSL Enabled = true (so now is https://localhost:63892/ and http://localhost:12555/, but when I run application via Debug, it said "Secure Connection Failed". What I'm doing wrong?
Make sure the self-signed certificate that Visual Studio generated is trusted. The certificate is called IIS Express Development Certificate
http://blogs.msdn.com/b/robert_mcmurray/archive/2013/11/15/how-to-trust-the-iis-express-self-signed-certificate.aspx
Adding this in case if helps anyone: Using VisualStudio 2015, Windows 10, and IIS10 Express, even though I added the certificate I still wasnt able to access localhost over HTTPS. I resolved by uninstalling IIS10 Express and install IIS8 Express. I was then able to access localhost over HTTPS.