NetTalk Central
NetTalk Web Server => Web Server - Share Knowledge => Topic started by: Bruce on June 12, 2009, 03:39:33 AM
-
Background
SSL (Secure Sockets Layer) is the general term for the encrypted method for the web. However there are various "versions" of the protocol which all fall under this umbrella. Not surprisingly they're not binary compatible. Typically the browser supports "a lot of them", the server supports "a lot of them" and hopefully there's some overlap.
NetTalk servers (and clients) can support all of them - SSL v2, SSL v3, TLSv1, TLSv1.1 and TLS v1.2. As long as the client can do one of these a connection is possible. (SSLv2 and SSLv3 are disabled by default though - read on below if you need them.)
Within each of these options are a huge number of encryption schemes that can be used. However that's outside the scope of this discussion. (see reply below.)
Default SSLMethod
Up to version 5.05 NetTalk supported a client connecting using SSL2 by default. (SSLv2, SSLv3 and TLS1 were all supported.)
Up to version 8.29 NetTalk supported a client connecting using SSLv3 by default (SSLv3, TLSv1, v1.1 or v1.2 were all supported.)
From build 8.30 to 8.44 the default connection was TLSv1 (only).
From build 8.45 the default is TLS v1, TLSv1.1 or TLSv1.2.
As you can see, the web keeps moving and so keeping up to date is important.
Setting the SSL Method
You are able to override the default setting, and dictate to NetTalk which level to use. This is done with a line of code in the WebServer.Open method, before the parent call. (see attached pic).
Self.SSLMethod = NET:SSLMethodTLS
Your possible choices are:
NET:SSLMethodSSLv23 ! Default (Version 5.30 and earlier) - TLSv1, SSLv2, SSLv3
NET:SSLMethodSSLv2
NET:SSLMethodSSLv3 ! Default from versions 5.31 and later
NET:SSLMethodTLSv1 ! Update: Default from versions 8.30 to 8.44
NET:SSLMethodTLSv1_1
NET:SSLMethodTLSv1_2
NET:SSLMethodTLS ! Update: Default from versions 8.45 and later (new in 8.45, allows all TLS versions)
[attachment deleted by admin]
-
You can test if your server is accepting SSLv2 connections, from the command line using the OpenSSL tool. OpenSSL is in your \clarion6\3rdparty\bin folder.
openssl s_client -no_tls1 -no_ssl3 -connect localhost:443
Where localhost is the server you are wanting to test, and 443 is the SSL port the server is listening on.
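Added example, not NetTalk or CapeSoft code and not part of either post above: a small model of which protocol version a server configured with a given Self.SSLMethod value can agree on with a client, plus a generator for the openssl s_client probe used in the second post. The version set per NET:SSLMethod constant is taken from the first post; the version-flexible methods (SSLv23 and TLS) settle on the highest version both sides support, which is how OpenSSL's flexible methods behave. The -no_* switch names are the OpenSSL 1.0.x ones (-no_tls1_1 and -no_tls1_2 only exist from OpenSSL 1.0.1, which is why the post's shorter -no_tls1 -no_ssl3 form was enough on older builds). The client profiles in the demo are constructed.

```python
"""Model of NetTalk SSLMethod version negotiation and openssl probe commands.
Added example, not NetTalk code.  Version sets come from the forum post;
client profiles and the DEPRECATED set are assumptions for the demo."""
from typing import Dict, Iterable, Optional

VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4}
DEPRECATED = {"SSLv2", "SSLv3"}          # the two versions NetTalk now disables by default

# Versions each NET:SSLMethod value lets the server speak (as listed in the post).
SSL_METHODS = {
    "NET:SSLMethodSSLv23":  {"SSLv2", "SSLv3", "TLSv1"},
    "NET:SSLMethodSSLv2":   {"SSLv2"},
    "NET:SSLMethodSSLv3":   {"SSLv3"},
    "NET:SSLMethodTLSv1":   {"TLSv1"},
    "NET:SSLMethodTLSv1_1": {"TLSv1.1"},
    "NET:SSLMethodTLSv1_2": {"TLSv1.2"},
    "NET:SSLMethodTLS":     {"TLSv1", "TLSv1.1", "TLSv1.2"},
}

# openssl s_client switch that disables each version (OpenSSL 1.0.x switch names).
NO_FLAG = {"SSLv2": "-no_ssl2", "SSLv3": "-no_ssl3", "TLSv1": "-no_tls1",
           "TLSv1.1": "-no_tls1_1", "TLSv1.2": "-no_tls1_2"}


def negotiate(method: str, client_versions: Iterable[str]) -> Optional[str]:
    """Highest version both the server (per `method`) and the client support,
    or None when no handshake is possible."""
    common = SSL_METHODS[method] & set(client_versions)
    return max(common, key=VERSION_RANK.__getitem__) if common else None


def audit_method(method: str, clients: Dict[str, Iterable[str]]) -> Dict[str, object]:
    """Summarise one server setting: which deprecated versions it still accepts
    and which clients would be locked out entirely."""
    results = {name: negotiate(method, vers) for name, vers in clients.items()}
    return {
        "deprecated_accepted": sorted(SSL_METHODS[method] & DEPRECATED, key=VERSION_RANK.get),
        "locked_out": sorted(name for name, v in results.items() if v is None),
        "negotiated": results,
    }


def probe_command(version: str, host: str = "localhost", port: int = 443) -> str:
    """openssl s_client line that can only succeed if the server accepts exactly
    `version`: every other version is switched off.  The post's SSLv2 check is
    the OpenSSL-1.0.1 form of probe_command("SSLv2")."""
    flags = " ".join(NO_FLAG[v] for v in VERSION_RANK if v != version)
    return f"openssl s_client {flags} -connect {host}:{port}"


if __name__ == "__main__":
    CLIENTS = {                                   # constructed client profiles
        "old-browser":     {"SSLv3", "TLSv1"},
        "current-browser": {"TLSv1", "TLSv1.1", "TLSv1.2"},
        "tls12-only-api":  {"TLSv1.2"},
    }
    for method in SSL_METHODS:
        print(method, audit_method(method, CLIENTS))
    for v in VERSION_RANK:
        print(probe_command(v))
```

Running it shows the practical effect of the defaults history above: a server left on NET:SSLMethodTLSv1 (the 8.30 to 8.44 default) locks out a client that only offers TLS 1.2, while NET:SSLMethodTLS negotiates TLSv1.2 with it and still accepts the older browser on TLSv1.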
-
Encryption Schemes
The term SSL covers a number of encryption schemes which may be implemented by both the server and the client. If the server and client can agree on a scheme, then the conversation goes ahead.
You can test for the schemes supported by your server using the SSLScan tool.
You can download a Windows version of SSLScan from http://code.google.com/p/sslscan-win/.
A good source for SSLScan documentation is here: http://www.titania.co.uk/index.php?option=com_content&view=article&id=56&Itemid=68.
The two tests I recommend running are:
sslscan --no-failed localhost:443
Where localhost and 443 are the server, and port numbers respectively.
This test shows all the Ciphers supported by your server.
For a list of all the ciphers that SSLScan will test, along with the result, use
sslscan localhost:443
While it may be useful in some cases to support weak, or medium level ciphers, or in other cases to support SSLv2, from NetTalk version 5.06 (December 2010) the default cipher level will be SSLv3 or TLSv1 High level ciphers only. Specifically:
Supported Server Cipher(s):
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Rather than make this an option, it makes sense from a security point of view to turn this on by default.
Should you encounter a situation where a weaker cipher is required, please contact CapeSoft.
-
** NetTalk 4 update **
As from NetTalk 4.55 (Jan 2011), the default cipher level will be SSLv3 or TLSv1 High level ciphers only.
-
** NetTalk 5.30 update **
As from build 5.30, it's possible to have complete control over the cipher list you support.
The ThisWebServer.SSLCertificateOptions.CiphersAllowed property is set to a Cipher List.
This property is set in the WebServer procedure, in the INIT method, around priority 3000. It should come just after the generated line that sets the ThisWebServer.SSLCertificateOptions.PrivateKeyFile property.
The Cipher List string is a colon-separated list, where + means include, and ! means exclude. The format of the cipher list is documented here:
http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
The default Cipher List looks like this:
ThisWebServer.SSLCertificateOptions.CiphersAllowed = 'ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT'
As you can see this limits the cipher list to only HIGH level ciphers, and removes support for any SSLv2 ciphers. If, for example, you wanted to include MEDIUM level ciphers as well, then you might set;
ThisWebServer.SSLCertificateOptions.CiphersAllowed = 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT'
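Added example, not CapeSoft's code and not part of this thread: a small model of the OpenSSL cipher-list string format, run over a constructed cipher table, so the effect of a CiphersAllowed string can be checked before it goes into the WebServer procedure. It also prints its result in the "Accepted <protocol> <bits> bits <suite>" shape of the sslscan output quoted earlier in the thread. The rules modelled are the ones from the OpenSSL ciphers documentation linked above: tokens are colon-separated; a bare token appends the matching suites not already selected; a leading + moves matching suites to the end of the list; a leading - removes them but later tokens may add them back; a leading ! removes them for good; and names joined with + inside one token must all match (so RC4+RSA means RC4 and RSA). The cipher table is an assumption built for the demo (3DES is tagged HIGH because OpenSSL of that era rated it so, which is why DES-CBC3-SHA survives in the post's output; SSL2-DES-CBC3-MD5 is a made-up label for an SSLv2-only suite), and @STRENGTH-style directives are not modelled.

```python
"""Model of OpenSSL cipher-list strings such as the CiphersAllowed value.
Added example, not NetTalk/CapeSoft code.  CIPHER_TABLE is a constructed
subset of suite names with the OpenSSL keyword classes each one belongs to."""
import re
from typing import List, NamedTuple, Set


class Cipher(NamedTuple):
    name: str
    bits: int
    protocol: str   # protocol family the suite belongs to
    tags: Set[str]  # OpenSSL keywords the suite matches


# Constructed table.  3DES is tagged HIGH as OpenSSL rated it at the time;
# SSL2-DES-CBC3-MD5 is a constructed label for an SSLv2-only suite.
CIPHER_TABLE = [
    Cipher("AES256-SHA",        256, "SSLv3", {"HIGH", "RSA", "AES", "SHA", "SSLv3"}),
    Cipher("AES128-SHA",        128, "SSLv3", {"HIGH", "RSA", "AES", "SHA", "SSLv3"}),
    Cipher("DES-CBC3-SHA",      168, "SSLv3", {"HIGH", "RSA", "3DES", "SHA", "SSLv3"}),
    Cipher("RC4-SHA",           128, "SSLv3", {"MEDIUM", "RSA", "RC4", "SHA", "SSLv3"}),
    Cipher("RC4-MD5",           128, "SSLv3", {"MEDIUM", "RSA", "RC4", "MD5", "SSLv3"}),
    Cipher("DES-CBC-SHA",        56, "SSLv3", {"LOW", "RSA", "DES", "SHA", "SSLv3"}),
    Cipher("EXP-RC4-MD5",        40, "SSLv3", {"EXPORT", "RSA", "RC4", "MD5", "SSLv3"}),
    Cipher("ADH-AES256-SHA",    256, "SSLv3", {"HIGH", "ADH", "AES", "SHA", "SSLv3"}),
    Cipher("SSL2-DES-CBC3-MD5", 168, "SSLv2", {"HIGH", "RSA", "3DES", "MD5", "SSLv2"}),
]


def _matches(cipher: Cipher, keyword: str) -> bool:
    """One keyword (or an exact suite name) tested against one cipher."""
    if keyword == "ALL":                       # ALL = every suite except eNULL ones
        return "eNULL" not in cipher.tags
    return keyword == cipher.name or keyword in cipher.tags


def evaluate_cipher_list(spec: str, table=CIPHER_TABLE) -> List[str]:
    """Return the ordered suite names an OpenSSL cipher-list string selects."""
    selected: List[str] = []
    killed: Set[str] = set()                   # removed with '!' and never re-added
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token:
            continue
        if token.startswith("@"):              # @STRENGTH and friends are not modelled
            raise ValueError(f"unsupported directive {token!r}")
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        keywords = body.split("+")             # RC4+RSA: every keyword must match
        matched = [c.name for c in table if all(_matches(c, k) for k in keywords)]
        if op == "!":                          # delete permanently
            killed.update(matched)
            selected = [n for n in selected if n not in matched]
        elif op == "-":                        # delete, may be re-added later
            selected = [n for n in selected if n not in matched]
        elif op == "+":                        # move matching suites to the end
            moved = [n for n in selected if n in matched]
            selected = [n for n in selected if n not in matched] + moved
        else:                                  # append suites not yet selected
            selected += [n for n in matched if n not in selected and n not in killed]
    return selected


def report(spec: str, table=CIPHER_TABLE) -> List[str]:
    """Format the selection the way sslscan lists accepted suites."""
    by_name = {c.name: c for c in table}
    return [f"Accepted {by_name[n].protocol} {by_name[n].bits} bits {n}"
            for n in evaluate_cipher_list(spec, table)]


DEFAULT_LIST = "ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT"   # from the post
WITH_MEDIUM = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT"    # from the post

if __name__ == "__main__":
    for spec in (DEFAULT_LIST, WITH_MEDIUM):
        print(spec)
        print("\n".join("  " + line for line in report(spec)))
```

Against this table the default string leaves exactly the three HIGH suites the sslscan output above lists, and the +MEDIUM variant keeps those three first and appends the two RC4 suites after them, which is the ordering effect of + as opposed to a plain keyword. The difference between - and ! is visible too: ALL:-RC4:RC4-SHA re-adds RC4-SHA at the end, while ALL:!RC4:RC4-SHA does not.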