HTTPS with Indy HTTP Server?

Hello

I would like to know if there are any examples of building an HTTP server with HTTPS using the TIdHTTPServer component.

We currently implement our webserver and REST API server using TIdHTTPServer and some customers are requesting support for HTTPS, which I don't even know how to make it, and I have no idea of how the certify works.

Thanks!
Eric
6/24/2013 9:55:16 PM

Eric wrote:

> We currently implement our webserver and REST API server using
> TIdHTTPServer and some customers are requesting support for HTTPS
> which I don't even know how to make it

All you have to do is:

1) add 2 items to the TIdHTTPServer.Bindings collection, one for the HTTP 
port and one for the HTTPS port.

2) attach an SSL IOHandler to the server, such as TIdServerIOHandlerSSLOpenSSL.

3) assign a handler to the TIdHTTPServer.OnQuerySSLPort event, and have it 
set the VUseSSL parameter to True when the APort parameter is your HTTPS 
port.

> I have no idea of how the certify works.

Certificates are not a requirement.  They merely help each party validate 
that they are talking to who they think they are talking to, but that is 
not necessary for encryption.  It is possible to use SSL without using certificates.

--
Remy Lebeau (TeamB)
Remy
6/24/2013 11:22:46 PM
Thank you Remy

I'm trying to make it work, but at this moment I'm getting a lot of errors when connecting, like no cipher and other stuff. I think it might be related to the OpenSSL libraries; I'm trying to figure it out.

But I would like to ask you if OpenSSL only works for Win32 or will it work with Win64?
Eric
6/26/2013 1:44:52 PM
Remy

I'm getting some errors when connecting with my browser to my web server with SSL:

Error accepting connection with SSL: SSL3_GET_CLIENT_HELLO:no shared cipher
Error accepting connection with SSL: SSL3_GET_CLIENT_HELLO:wrong version number
EOF was observed that violates the protocol

I'm connecting with HTTPS but... what could cause these issues?
Eric
6/26/2013 1:51:31 PM
Eric wrote:

> But I would like to ask you if OpenSSL only works for Win32 or will it
> work with Win64?

If you compile your app for 32-bit, you need the 32-bit version of the OpenSSL 
DLLs.

If you compile your app for 64-bit, you need the 64-bit version of the OpenSSL 
DLLs.

--
Remy Lebeau (TeamB)
Remy
6/26/2013 4:52:53 PM
Eric wrote:

> I'm getting some errors when connecting with my browser to my web
> server with SSL:
> 
> Error accepting connection with SSL: SSL3_GET_CLIENT_HELLO:no shared
> cipher

That means OpenSSL and the web browser could not negotiate a common encryption 
cipher to use for the session.  Chances are, you may be using a version of 
the OpenSSL DLLs that has a limited amount of ciphers enabled, or you used 
the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property to disable 
ciphers that the web browser uses.

> Error accepting connection with SSL:
> SSL3_GET_CLIENT_HELLO:wrong version number EOF was observed that
> violates the protocol

That means the web browser is trying to connect using an SSL/TLS version 
that your server is not configured to accept.  The TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions 
property controls which SSL/TLS versions are allowed.  It defaults to TLS 
v1.0, which means that clients would only be able to connect using TLS v1.0 
specifically.  If you want to allow other versions (SSL v2, SSL v3, TLS v1.1, 
TLS v1.2), you will have to update the SSLVersions property as needed.  
Stay away from SSL v2, it is old and no longer secure, but you can try enabling 
SSL v3 and TLS v1.1, at least.

--
Remy Lebeau (TeamB)
Remy
6/26/2013 5:00:56 PM
> That means OpenSSL and the web browser could not negotiate a common encryption 
> cipher to use for the session.  Chances are, you may be using a version of 
> the OpenSSL DLLs that has a limited amount of ciphers enabled, or you used 
> the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property to disable 
> ciphers that the web browser uses.

Hum, I thought about that and I have downloaded the latest version of OpenSSL for Windows. I copied the DLL files into my application folder and still I'm getting that message.
CipherList is default (blank) and I checked your code that if it is blank you set up some ciphers... I also tried "ALL" and some other strings that I found on the internet, with no luck.

> That means the web browser is trying to connect using an SSL/TLS version 
> that your server is not configured to accept.  The TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions 
> property controls which SSL/TLS versions are allowed.  It defaults to TLS 
> v1.0, which means that clients would only be able to connect using TLS v1.0 
> specifically.  If you want to allow other versions (SSL v2, SSL v3, TLS v1.1, 
> TLS v1.2), you will have to update the SSLVersions property as needed.  
> Stay away from SSL v2, it is old and no longer secure, but you can try enabling 
> SSL v3 and TLS v1.1, at least.

Humm, I figured that after I posted. I selected support for SSL and now I'm just getting the message of ciphers.
Eric
6/26/2013 6:06:57 PM
Remy

I got it working

But I had to create a PEM certify file

I don't understand anything about certifies... I need to implement SSL for my customer, so, how does it work? Do I have to purchase some certification or something in order to have a valid certification?
Eric
6/26/2013 6:37:14 PM
Eric wrote:

> CipherList is default (blank) and I checked your code that if it is
> blank you setup some ciphers... I also tried "ALL" and some other
> strings that I found on the internet with no luck

Then I suggest using a packet sniffer, such as Wireshark, to look at what 
ciphers the browser is actually requesting, and make sure your version of 
OpenSSL supports them.

--
Remy Lebeau (TeamB)
Remy
6/26/2013 6:37:59 PM
> But I had to create a PEM certify file
> I don't understand anything about certifies... I need to implement SSL for my customer, so, how does it work? Do I have to purchase some certification or something in order to have a valid certification?

How did you create the PEM certificate file exactly? 

You basically have 2 options - use openssl to be your own certificate authority (CA) and issue your own certificates (if you google there are tons of info on using openssl for self-signed certificates - and you likely did just that). The only downside is that by default it would not be trusted and clients using your REST service would have to handle the untrusted certificate issue (or add your CA cert to their local certificate store).

The easier option likely would be to just buy an SSL certificate from a well-known CA - Comodo sells them for $15 per year per host and even has a 90-day free trial you can get first to make sure it works.

Raul
Raul
6/26/2013 8:06:33 PM
Eric wrote:

> I got it working
> 
> But I had to create a PEM certify file
> 
> I don't understand anything about certifies... I need to implement SSL
> for my customer, so, how does it work? Do I have to purchase some
> certification or something in order to have a valid certification?

If real security is an issue for your customers, you should purchase a real 
certificate from a reputable source, like Verisign or similar.  However, 
you can also create "self-signed certificates", which are useful for testing, 
etc.  A self-signed certificate on one side of the connection cannot be verified 
by the peer on the other side of the connection, which is less desirable, 
but certainly not a deal breaker.  The certificates are used so peers can 
validate they are talking to who they think they are talking to, to avoid 
"man in the middle" attacks.  They are not required for the encryption portion.

--
Remy Lebeau (TeamB)
Remy
6/26/2013 11:04:41 PM
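
The three setup steps from the first reply, together with the SSLVersions setting and the PEM files discussed later in the thread, as an added example (not code posted by anyone in the thread or taken from the Indy project). The port numbers, PEM file names, the TServerEvents holder class and the TLS 1.2-only protocol set are assumptions of this example; the key file is assumed to be an unencrypted PEM, and the OpenSSL DLLs matching the application's bitness are assumed to sit next to the executable.

```delphi
program HttpsServerDemo;
{$APPTYPE CONSOLE}
uses
  IdGlobal, IdContext, IdCustomHTTPServer, IdHTTPServer, IdSSLOpenSSL;
const
  HTTP_PORT  = 8080;  // assumed port numbers, choose your own
  HTTPS_PORT = 8443;
type
  // Indy events are "of object", so a console program needs a holder class.
  TServerEvents = class
    procedure QuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
    procedure CommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
  end;

procedure TServerEvents.QuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
begin
  // Step 3: only connections accepted on the HTTPS binding use SSL/TLS.
  VUseSSL := (APort = HTTPS_PORT);
end;

procedure TServerEvents.CommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentText := 'ok';
end;

var
  Events: TServerEvents;
  Server: TIdHTTPServer;
  SSL: TIdServerIOHandlerSSLOpenSSL;
begin
  Events := TServerEvents.Create;
  Server := TIdHTTPServer.Create(nil);
  try
    // Step 1: one binding per port.
    Server.Bindings.Add.Port := HTTP_PORT;
    Server.Bindings.Add.Port := HTTPS_PORT;
    // Step 2: SSL IOHandler, owned (and freed) by the server.
    SSL := TIdServerIOHandlerSSLOpenSSL.Create(Server);
    SSL.SSLOptions.Mode := sslmServer;
    SSL.SSLOptions.CertFile := 'server-cert.pem';  // assumed file names
    SSL.SSLOptions.KeyFile := 'server-key.pem';    // assumed unencrypted key
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];   // this example's choice
    Server.IOHandler := SSL;
    Server.OnQuerySSLPort := Events.QuerySSLPort;
    Server.OnCommandGet := Events.CommandGet;
    Server.Active := True;
    Readln;  // serve until Enter is pressed
  finally
    Server.Free;
    Events.Free;
  end;
end.
```

A client that cannot negotiate a version listed in SSLVersions fails the handshake with the "wrong version number" error quoted earlier in the thread, so widen the set only as far as the clients you must support require.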