SSL and Delphi server

I’m trying to get an SSL connection working. I’ve read the various other topics here but am still not there.

My main aim is getting my JavaScript (React) client to connect using https because the app will run like this, and so my JS client has to chat with the server similarly.

I initially just let the server create a self-generating certificate, but this fails as the certificate doesn’t have the correct name in it, so I created a certificate with the right info in it, and tried to load that. Not quite sure if I’ve set the right files mind you (I’ve tried the TROHttpServer - setting the CertFile property and the TROIndyHttpServer - adding the TIdServerIOHandlerSSLOpenSSL and setting the CertFile and Keyfile properties).

I’ve now tested the MegaDemo sample, and have come across the same issue.

Using the self-generating certificate, if I use the Http Server, RO Socket with SSL and connect to the server with a browser to http://localhost:8099/bin (which works fine without SSL), then I get:

This page isn’t working
**localhost** didn’t send any data.
ERR_EMPTY_RESPONSE

When I try with the Indy Server (note I’ve dropped a TIdServerIOHandlerSSLOpenSSL on the form and changed the code in bActivateHTTPClick to this):

  if RbIndyHttp.Checked then begin
    HTTPZeroConfRegistration.Server := ROIndyHTTPServer;
    ROJavaScriptHttpDispatcher.Server := ROIndyHTTPServer;
    ROIndyHTTPServer.Port := seHTTPPort.Value;
    ROIndyHTTPServer.BindV4 := True;
    ROIndyHTTPServer.BindV6 := True;
    // attach the OpenSSL IOHandler only when SSL is requested, otherwise plain HTTP
    if cbSSL.Checked then
      ROIndyHTTPServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1
    else
      ROIndyHTTPServer.IndyServer.IOHandler := nil;
    ROIndyHTTPServer.Active := True;
  end

When I connect with the browser, the server stops with this error:

Project MegaDemoServer.exe raised exception class EIdOSSLUnderlyingCryptoError with message 'Error accepting connection with SSL.
error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request'.

I get the same response at the browser.

If I now add my certificate to the ROHttp Server (I have a certificate.pem file - I’ve also tried a file with the combined certificate and private key files as per SSL/TLS (Delphi)), I get the following error when trying to activate it:
Project MegaDemoServer.exe raised exception class EROOpenSSLApi with message 'error:0A080009:SSL routines::PEM lib

Any suggestions welcome!
Using the latest version, 10.0.0.1555.

Hi,

have you opened https? i.e. https://localhost:8099/bin
it was opened in MS Edge w/o any issues:

I’ve used this combined certificate (server.crt) for TROHttpServer and ca.cert.pem , localhost.cert.pem, localhost.key.pem for TROIndyHttpServer.
certificate password is 1234
Everything works with MS Edge.
cert.zip (8.5 KB)

Note: I’ve tried only MS Edge as it is standard Windows 10 browser.

When I activate, having set CertFile (on TROHttpServer) to your file, I get an error:

Project MegaDemoServer.exe raised exception class EROOpenSSLApi with message 'error:0A080009:SSL routines::PEM lib

Is there a password on it? What did you use to create those?

I’m actually testing it with Chrome (on a Mac), as we can’t tell people to use Edge; it needs to work on all common browsers. I did try with the self-generated one, and it said certificate error (not secure). In fact, your screenshot shows something similar, though with the results, as it has got it without the https.

Hi,

sorry, forgot to specify password: 1234


it dislikes the self-signed certificate:

As a result, the SSL feature on HTTP servers works as expected, which means it should work with a valid certificate w/o any issues.
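The "PEM lib" error earlier in this thread is OpenSSL's generic failure to read the PEM file, and an encrypted private key loaded without its password (here, 1234) is one common cause; a certificate-only file with no KeyFile is another. As an added example, not code from the thread or from the RemObjects SDK, this Python check inspects a PEM file's structure and reports what loading it as a server certificate would need; the two sample files are constructed placeholders with fake base64 bodies.

```python
import re

# Constructed sample files (base64 bodies are placeholders, not real key material).
# A combined file as discussed above: encrypted legacy PEM key followed by the certificate.
COMBINED_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
"""
# A certificate-only file, as many CA tools export; the key must then come from a separate file.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"

# One PEM block: label in BEGIN must match the label in END (the \1 backreference enforces it).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def inspect_pem(text):
    """Describe what a PEM file holds and whether its key needs a password to load."""
    info = {"certificates": 0, "has_key": False, "key_encrypted": False, "labels": []}
    for label, body in PEM_BLOCK.findall(text):
        info["labels"].append(label)
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label in KEY_LABELS:
            info["has_key"] = True
            # PKCS#8 encrypted keys carry their own label; legacy PEM keys use a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                info["key_encrypted"] = True
    return info


def loading_problems(text, password_supplied):
    """List the reasons OpenSSL would refuse this file as a server cert/key pair."""
    info = inspect_pem(text)
    problems = []
    if info["certificates"] == 0:
        problems.append("no CERTIFICATE block: file is not usable as CertFile")
    if not info["has_key"]:
        problems.append("no private key block: a separate KeyFile is required")
    elif info["key_encrypted"] and not password_supplied:
        problems.append("key is encrypted but no password was supplied (OpenSSL reports a PEM lib error)")
    return problems
```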

OK, so it works as long as I override the “don’t visit this site” warnings, so the question is how did you produce those files, as they are different to mine. I assume I need one for the IP address of my development server, and a separate one for the production one.

Hi,

you can use .cmd file from GitHub - rlove/OpenSSL-WinCmd-Snippets: Windows Command Line Snippets for OpenSSL

Thanks, that’s pretty much identical to what I did (side note, that was a blast from the past - I knew Robert Love from the early Delphi days!). It’s just that I got stuck at the browser, due to the warnings.

Anyway, whilst that works, I’m still getting an error when trying to connect with JS:


So, some more work required. Could really do with a way to do this with let’s encrypt or other company to issue valid certificates.

That part is normal/expected, with a self-signed certificate. See also Handling Self-Signed Certificates for how to avoid this in client apps (but really, a proper “trusted” certificate is the best option; you can get these for free these days from LetsEncrypt).

  • Handling Self-Signed Certificates in JavaScript is not supported.

Thanks, yes I’m now looking to see how I can do this. I hate certificates, as it’s so infrequent that I need to create one. Could do with an RO ACME client for let’s encrypt :wink: to make this easy.

Ah sorry, I was missing the context that you were writing a JavaScript-based client. Yes, in that case you will need a trusted certificate, either by getting it from a trusted authority (such as LetsEncrypt), or by registering your own root certificate as trusted on your system (really only a feasible option for local testing).

You and me both. I use the winacme client on our (IIS-based) web server.

Funny. I just brought this idea up with the team, where we could/should build in support for ACME/LetsEncrypt certificate registration/validation into the RO server infrastructure. That said, I have no clue of the scope that would be involved for this, so no promises…


I just came across this one, which may help with part of it…GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

Anyway, I just had a cunning plan about a workaround - I took the LetsEncrypt certificate from our website, as it is a wildcard one. One quick addition to add my devbox into the domain DNS and it’s now working with my JavaScript client :slight_smile:

Thanks both of you.

That’s what I do on our web server too. My service just loads the named certificate from the store that IIS uses too. In .NET that’s fairly easy (lemme dig that code up); I’m not sure if Delphi exposes those APIs…

        // Create the RO application server; TLS is switched on below once a certificate is found.
        var lServer := new RemObjects.SDK.Server.ApplicationServer("UC2Server", nil, nil, "RemObjects UC2 Server");

        // Open the machine-wide "WebHosting" store, where IIS keeps the site certificates.
        var lStore := new X509Store("WebHosting", StoreLocation.LocalMachine);
        lStore.Open(OpenFlags.ReadOnly);
        try
          // validOnly = false: expiry is checked explicitly below, so expired certs are still listed
          var lCertificates := lStore.Certificates.Find(X509FindType.FindBySubjectName, "website.remobjects.com", false);
          writeLn(lCertificates.Count+" certs");
          if lCertificates.Count > 0 then begin
            lServer.NetworkServer.UseTLS := true;
            var lList := new System.Collections.Generic.List<X509Certificate2>;
            for each c in lCertificates do
              lList.Add(c);
            // Several matches are normal after a renewal (old and new cert side by side): use the one that expires last.
            lServer.NetworkServer.Certificate := lList.OrderByDescending(c -> DateTime.Parse(c.GetExpirationDateString)).First;
            if DateTime.Parse(lServer.NetworkServer.Certificate.GetExpirationDateString) < DateTime.UtcNow then
              raise new Exception("Certificate has expired");
          end;
        finally
          // close the store on every path, not only when a certificate was found
          lStore.Close();
        end;