SSL support for http

Xbase++ 2.0 Build 554 or later
Zdeno Bielik
Posts: 147
Joined: Thu Jan 28, 2010 9:24 am
Location: Nitra, Slovakia

Re: SSL support for http

#11 Post by Zdeno Bielik »

Hi Roger,

if you have a little free time, could you please look at it?

TIA & Regards
Zdeno

bborzic
Posts: 21
Joined: Tue Sep 21, 2010 12:39 pm

Re: SSL support for http

#12 Post by bborzic »

rdonnay wrote:
please, how is it possible do „secure“ version of example below?
httpEndPoint supports SSL but it does not yet support certificates (according to Steffen Pirsig).
Until it does, you will need to use STUNNEL as a workaround.
I am using this on 2 different servers.

Even Xb2.Net SSL requires STUNNEL.

I wrote a detailed document on how to do this.
Look at \expd20\stunnel.

Just came across the above misleading post that needs to be corrected.

Xb2.NET SSL does *NOT* require STUNNEL or any other tools or utilities to run!

The entire subject of PKI, SSL, encryption, certificates, public and private keys is quite complex and not to be taken lightly. I will be presenting a session on this subject at the European DevCon hosted by the XXP Nov 18-20.

By the way, below is an SSL Report for my website https://xb2.net - naturally this website is running an Xb2.NET webserver. I have also taken the liberty of running the test on donnay-software.com (running Apache/2.2.22 (Win32) PHP/5.3.13 mod_fcgid/2.3.6). The results speak for themselves.

I would also like to add that Xb2.NET now fully supports WebSockets (client and server sides) including SSL secure connections over the standard HTTPS (443) port. Here is an example (note that the WebSocket connection is using SSL):

https://xb2.net/wsecho.htm

In addition, WebSockets will be supported in the older versions of Xbase++ all the way back to Xbase++ 1.82!
Attachments
SSL Report for Xb2.NET website (SSLReport-Xb2.Net.PNG)
SSL Report for donnay-software.com (SSLReport-donnay-software.com.PNG)
Last edited by bborzic on Fri Sep 18, 2015 5:44 am, edited 1 time in total.
Regards,
Boris Borzic
http://xb2.net
http://sqlexpress.net
industrial strength Xbase++ development tools

Zdeno Bielik
Posts: 147
Joined: Thu Jan 28, 2010 9:24 am
Location: Nitra, Slovakia

Re: SSL support for http

#13 Post by Zdeno Bielik »

Hi Boris,

I downloaded your Xb2Net demo again a few weeks ago and, except for a few little things, I have already converted all my source code from the HttpEndPoint version (before CXP version) to your Xb2Net version – there are some little differences in work-flow, philosophy, code - some things are interesting in CXP, some in HttpEndpoint and some in your product...

In the next one or two weeks I will start testing the re-coded new version again at the customer’s site.

What I can say - this is my point of view!:
- CXP is terrible to debug and maintain (and plus install and support IIS or Apache) and all source code must be at the customer or hosting web-server
- HttpEndpoint looks very good and hopeful, but there are lots of items on the To-Do-List or Wish-List (in the last weeks I contacted Alaska’s guys several times), e.g. the POST method doesn’t work in FORM, language support for non-English characters doesn’t exist (I made a work-around, but it slows down refreshing of pages a little and it also needs some extra work from the CPU) – only LATIN-1 is supported now, session management works only in the CXP version (but with some limitations) – hmm, it is interesting, before I moved to Xb2Net, I made similar session management like you use in your library, anyway, I will later ask you about some parameters for fine-tuning my current settings…, no SSL support…

hmmm, it is funny - now I have 3 versions of the same web-site… Cxp, HttpEndpoint, Xb2Net

Now comes an interesting question: why didn’t I do it all directly in Xb2Net?
answer is “simply“: in the last years I downloaded your demo several times (and it looks like not only I myself - from what I see in posts in your web-forum), but I was lost… a totally different new world for me, state-less work-flow, and mainly: the examples in the demo were and still are VERY complicated for BEGINNERS! Alaska changes this a little in its help and ESPECIALLY Roger in his simple/primitive examples posted on this forum! Also, I started to learn html and googled many things, how to do it, but it would be super if you also added some easy simple examples into your demo for some typical tasks, e.g. formatting text, creating tables, validating forms – the included examples are very good, but very complex for beginners… and I am sure it will grow your customer base… Roger’s examples posted in this forum are FANTASTIC!!! Also, his examples in XDemo.exe are fantastic not only for new eXpress++ users!

bborzic wrote:
By the way, below is an SSL Report for my website https://xb2.net - naturally this website is running an Xb2.NET webserver. I have also taken the liberty of running the test on donnay-software.com (running Apache/2.2.22 (Win32) PHP/5.3.13 mod_fcgid/2.3.6). The results speak for themselves.
yes, I already tested your web-site a few days ago when I found a post about this in your forum
just one question: what must be done from your side or from mine to get an A+ result? ;-)

bborzic wrote:
I would also like to add that Xb2.NET now fully supports WebSockets (client and server sides) including SSL secure connections over the standard HTTPS (443) port. Here is an example (note that the WebSocket connection is using SSL):

https://xb2.net/wsecho.htm
is this your independent implementation of websockets or is it based on Alaska’s classes from Professional subscription?

Regards
Zdeno

Zdeno Bielik
Posts: 147
Joined: Thu Jan 28, 2010 9:24 am
Location: Nitra, Slovakia

Re: SSL support for http

#14 Post by Zdeno Bielik »

just a little correction of quotes:
bborzic wrote:
By the way, below is an SSL Report for my website https://xb2.net - naturally this website is running an Xb2.NET webserver. I have also taken the liberty of running the test on donnay-software.com (running Apache/2.2.22 (Win32) PHP/5.3.13 mod_fcgid/2.3.6). The results speak for themselves.
yes, I already tested your web-site a few days ago when I found a post about this in your forum
just one question: what must be done from your side or from mine to get an A+ result? ;-)

bborzic
Posts: 21
Joined: Tue Sep 21, 2010 12:39 pm

Re: SSL support for http

#15 Post by bborzic »

Zdeno Bielik wrote:
By the way, below is an SSL Report for my website https://xb2.net - naturally this website is running an Xb2.NET webserver. I have also taken the liberty of running the test on donnay-software.com (running Apache/2.2.22 (Win32) PHP/5.3.13 mod_fcgid/2.3.6). The results speak for themselves.
just one question: what must be done from your side or from mine to get an A+ result?
Everything you need is included in the sample WEBSERVE.PRG. If you use this as your base, you should get an 'A' rating (assuming your certificate is OK).

I will be giving a presentation on this subject at the European DevCon in November: http://devcon.xxp.nl (hope to see you there).

Zdeno Bielik wrote:
I would also like to add that Xb2.NET now fully supports WebSockets (client and server sides) including SSL secure connections over the standard HTTPS (443) port. Here is an example (note that the WebSocket connection is using SSL): https://xb2.net/wsecho.htm
is this your independent implementation of websockets or is it based on Alaska’s classes from Professional subscription?
This is an independent implementation. As I mentioned in my previous post: "WebSockets will be supported in the older versions of Xbase++ all the way back to Xbase++ 1.82!". In addition, all of this stuff will work with the standard version of Xbase++ (you do not need the professional version, ActiveX or any other libraries). I hope this is clear enough.
Regards,
Boris Borzic
http://xb2.net
http://sqlexpress.net
industrial strength Xbase++ development tools

Zdeno Bielik
Posts: 147
Joined: Thu Jan 28, 2010 9:24 am
Location: Nitra, Slovakia

Re: SSL support for http

#16 Post by Zdeno Bielik »

Hi Boris,

thanks for that information. Yes, webserve.prg is my base, just with some little modifications, e.g. adding some system settings, added/configured parameters of the dbfcdx engine, some modified params of soSServer, deleted the pre-filled CipherList.txt for loading „default“ settings – hmmm, what is the better option? Use your pre-defined or the default configuration if the list is empty/file is missing? I googled some info about this and I found that in some situations the better solution is to use MAXimum SECURITY and in some situations it is better to have it set for MAXimum COMPATIBILITY. What do you recommend? Or what are your experiences from real-life scenarios?
Also, what are your recommendations about security settings? What must be set or enabled/disabled in the hardware firewall, in the OS, or what else do you do for maximum security of the whole MS Windows OS and not only for the Xb2Net webserver?

Many thanks for tips and recommendations.

Regards
Zdeno
