
Thread: SSL Configuration to make all browsers happy


This question is answered. Helpful answers available: 1. Correct answers available: 1.


Replies: 5 - Last Post: May 11, 2017 2:36 PM - Last Post By: Alexandre Machado
Michael Schumann

Posts: 28
Registered: 11/5/99
SSL Configuration to make all browsers happy  
  Posted: Apr 26, 2017 9:17 AM
I do not really understand which options are correct for all browsers. I had to experiment as some options made Safari refuse to open the page and others led to error messages in Firefox or IE. IE loaded parts of the page then stopped, so did Firefox. With the settings below all work fine.

Could someone explain why which options should be chosen?

In my experiments I found out that these settings seem to fit for Safari, Chrome, IE, Edge and Firefox:

SSL Version TLSv12
SSL Versions [SSLv3,TLSv12]

But I must admit, I don't know why this works (and seems to break Sendfile, see my other question).
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: SSL Configuration to make all browsers happy
Helpful
  Posted: Apr 26, 2017 10:20 AM   in response to: Michael Schumann
I set the SSLOptions.Password, the Port, and SSLVersion=SSLv23. I leave the other settings blank or at their default. I set my main form's ConnectionMode to cmSecure. I have used the following settings for many years, without any issues or complications.
Michael Schumann

Posts: 28
Registered: 11/5/99
Re: SSL Configuration to make all browsers happy  
  Posted: May 11, 2017 3:14 AM   in response to: Daniel Fields
After I changed to Let's Encrypt as provider for my certs, this setting also works well. Maybe the old certificates were not compatible with SSL23, because with this setting at least Safari refused to load the page due to protocol errors.

As this is some time ago and new IW and browser versions have been released since then, it also may have been another problem.
Aaron Padlesky

Posts: 7
Registered: 4/15/17
Re: SSL Configuration to make all browsers happy  
  Posted: May 11, 2017 7:46 AM   in response to: Michael Schumann
I usually only have TLSv1, TLSv11 and TLSv12 checked off for my SSLversions on the ServerController since SSLv23 and SSLv3 aren't very secure anymore. And then for SSLVersion I have it set to TLSv12. I also set the Port, CertificatePassword, and the cmSecure property. Another thing I added on the servercontroller is setting the NonSSLRequest to nsRedirect. The last one just redirects any http connection attempts to https.

This will get you an A on https://www.ssllabs.com/ssltest/index.html. If you want an A+ you have to add some code that greatly increases your webpages loading time and isn't really worth it. Here is the code if you are interested:

Create a function like so on the server controller:

procedure SetCustomHeaders(Request: THttpRequest; aReply: THttpReply);
type
  TCustomHeader = record
    Key,
    Value: UnicodeString;
  end;
const
  CustomHeaders: array[1..6] of TCustomHeader =
  (
    (Key: 'Strict-Transport-Security'; Value: 'max-age=31536000; includeSubDomains'),
    (Key: 'Pragma';                    Value: 'no-cache'),
    (Key: 'Cache-Control';             Value: 'no-cache, no-store, must-revalidate, private'),
    (Key: 'X-Content-Type-Options';    Value: 'nosniff'),
    (Key: 'X-Frame-Options';           Value: ''), // set below: 'DENY' or 'ALLOW-FROM <uri>'
    (Key: 'X-XSS-Protection';          Value: '1; mode=block')
  );
var
  iHeaders: Integer;
  AllowFrom: UnicodeString;
begin
  // Turn off caching for this reply
  aReply.Expires := -1; // EncodeDate(1000,1,1); // 31/12/1899 00:00:00
  aReply.AllowCaching := False;
  aReply.CacheControlEnabled := False;
  // Send every header that has a fixed value; empty entries are skipped
  for iHeaders := Low(CustomHeaders) to High(CustomHeaders) do
  begin
    if CustomHeaders[iHeaders].Value <> '' then
    begin
      aReply.Headers.Values[CustomHeaders[iHeaders].Key] := CustomHeaders[iHeaders].Value;
    end;
  end;
  // Check the Referer here before trusting it: it is supplied by the client.
  // A bare URL is not a valid X-Frame-Options value, so it is sent as
  // 'ALLOW-FROM <uri>'; without a Referer, framing is denied.
  AllowFrom := Request.Referer;
  if AllowFrom = '' then
    AllowFrom := 'DENY'
  else
    AllowFrom := 'ALLOW-FROM ' + AllowFrom;
  aReply.Headers.Values['X-Frame-Options'] := AllowFrom;
end;

Then in IWServerControllerBaseNewSession you call that function using the ASession to get the request and response:

SetCustomHeaders(ASession.Request, ASession.Response);

This code is thanks to an old post from 2014.
https://forums.embarcadero.com/thread.jspa?messageID=676284

Edited by: Aaron Padlesky on May 11, 2017 7:48 AM
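
An added example (not part of the original post and not IntraWeb code): a Python check that audits a response's headers for the values named above and flags an X-Frame-Options value that is not `DENY`, `SAMEORIGIN` or `ALLOW-FROM <uri>`. The function name, the 180-day HSTS threshold and the sample responses are assumptions made for this example.

```python
import re

MIN_HSTS_MAX_AGE = 15552000  # 180 days; threshold assumed for this example

def audit_security_headers(headers):
    """Return findings for a dict of response headers; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age too short")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif not (xfo.upper() in ("DENY", "SAMEORIGIN")
              or re.fullmatch(r"ALLOW-FROM\s+https?://\S+", xfo, re.I)):
        # e.g. a bare URL copied from the Referer header is not a valid value
        findings.append("X-Frame-Options invalid: " + xfo)
    return findings

# Constructed sample responses (not captured from a real server).
AS_POSTED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "Deny",
}
BARE_URL = {**AS_POSTED, "X-Frame-Options": "https://portal.example/start"}
SHORT_HSTS = {**AS_POSTED, "Strict-Transport-Security": "max-age=3600"}

if __name__ == "__main__":
    for name, sample in [("as posted", AS_POSTED), ("bare URL", BARE_URL),
                         ("short HSTS", SHORT_HSTS)]:
        print(name, audit_security_headers(sample))
```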

Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: SSL Configuration to make all browsers happy
  Posted: May 11, 2017 11:59 AM   in response to: Aaron Padlesky
Aaron wrote:

I usually only have TLSv1 TLSv11 and TLSv12 checked off for my
SSLversions on the ServerController since SSLv23 and SSLv3 aren't
very secure anymore.

You are thinking of SSLv2, not SSLv23. SSLv23 is not an actual protocol
version, it is a wildcard that performs version negotiation dynamically during
the SSL/TLS handshake.

--
Remy Lebeau (TeamB)
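
An added example (not part of the thread and not IntraWeb code): a simplified Python model of the version negotiation described above, for TLS 1.2 and earlier, showing which protocol each server setting from this thread ends up using. The client profiles are constructed for illustration and the function names are assumptions.

```python
# Protocol versions in ascending order, using the names from the thread.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv11", "TLSv12"]
RANK = {name: i for i, name in enumerate(ORDER)}

def negotiate(server_enabled, client_min, client_max):
    """Model of version negotiation before TLS 1.3.

    The client announces its highest version; the server answers with the
    highest version it has enabled that is not above it; the client aborts
    if that answer is below its own minimum. Returns the version or None.
    """
    candidates = [v for v in server_enabled if RANK[v] <= RANK[client_max]]
    if not candidates:
        return None  # server has nothing to offer: protocol_version alert
    choice = max(candidates, key=RANK.get)
    if RANK[choice] < RANK[client_min]:
        return None  # client refuses to go that low
    return choice

# Constructed client profiles as (min, max); not measured from real browsers.
CLIENTS = {
    "modern browser": ("TLSv1", "TLSv12"),
    "TLS 1.0/1.1-only client": ("TLSv1", "TLSv11"),
    "legacy SSLv3-only client": ("SSLv3", "SSLv3"),
}

def survey(server_enabled):
    """Negotiation outcome per client profile for one server configuration."""
    return {name: negotiate(server_enabled, lo, hi)
            for name, (lo, hi) in CLIENTS.items()}

if __name__ == "__main__":
    for label, enabled in [
        ("[SSLv3,TLSv12]", ["SSLv3", "TLSv12"]),
        ("[TLSv1,TLSv11,TLSv12]", ["TLSv1", "TLSv11", "TLSv12"]),
    ]:
        print(label, survey(enabled))
```

In this model the `[SSLv3,TLSv12]` setting gives modern browsers TLSv12 but still lets an SSLv3-only client connect, while the TLS-only set refuses that client.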
Alexandre Machado

Posts: 1,754
Registered: 8/10/13
Re: SSL Configuration to make all browsers happy  
  Posted: May 11, 2017 2:36 PM   in response to: Michael Schumann
Michael Schumann wrote:
I do not really understand which options are correct for all browsers. I had to experiment as some options made Safari refuse to open the page and others led to error messages in Firefox or IE. IE loaded parts of the page then stopped, so did Firefox. With the settings below all work fine.

Could someone explain why which options should be chosen?

In my experiments I found out that these settings seem to fit for Safari, Chrome, IE, Edge and Firefox:

SSL Version TLSv12
SSL Versions [SSLv3,TLSv12]

But I must admit, I don't know why this works (and seems to break Sendfile, see my other question).

Hi Michael,

I believe - correct me if I'm wrong - that you have just posted a SO question about issues with IE 11 using HTTPS? Can you drop me an email? (alexandre at atozed dot com)