After dozens of tests with mormot.lib.openssl11 (libssl-1_1), I discovered some problems and need help.
Problem 1:
Tls.AllowDeprecatedTls := true takes NO effect; only TLS 1.2 works.
Problem 2:
mormot.lib.openssl11 line 10557:
forcing TLS1_VERSION, TLS1_1_VERSION or TLS1_3_VERSION also has NO effect; only TLS 1.2 works.
Tested such settings with the Delphi IDE tool "RESTDebugger" and its connection options.
Only working with TLS 1.2 is roughly acceptable, but the serious issue is that the server raises exceptions at TOpenSslNetTls.AfterAccept like
'SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter'
or
'SSL routines:tls_post_process_client_hello:no shared cipher'
or
'SSL_ERROR_SYSCALL'
depending on the TLS version the client sends.
Problem 3:
If any client sends a pure HTTP request, the server gets 'TOpenSslNetTls.AfterAccept accept: OpenSSL SSL routines:ssl3_get_record:http request'
and then finally raises a Fatal Error.
All those 3 problems are captured by the logger as 'A EXC' or '@ EXC' info.
Only working with TLS 1.2 is acceptable, but I don't know if problem 3 is exactly how SSL works;
should I pay attention? Will it cause serious problems?
Or should we redirect HTTP to HTTPS like most websites do?
I did not find a way to do the redirect or to serve both HTTP and HTTPS.
Thanks.
Those problems cause an IDE DEBUG notification popup every time, which makes the project hard to debug if we don't click to ignore them.
On which OS are you doing this?
What is the OpenSSL version on this OS?
About problem 3, HTTPS is supposed to be on its own port 443, separated from HTTP on port 80.
Anyway, a client should not try HTTP on a HTTPS port.
I am trying this with THttpAsyncServer on Windows 10 22H2, OpenSSL 1.1 x86 from https://wiki.overbyte.eu/arch/openssl-1.1.1w-win32.zip
Further tests:
1. I can get the server working either with a self-signed cert via .WaitStartedHttps(), or with a valid pem/key in production.
2. Both the self-signed server and the real valid cert worked with curl https://url and curl --tlsv1.2 (self-signed tested with 'curl -k --insecure ...').
3. Both do NOT work with 'curl --tlsv1.3 https://url'; it reports 'SEC_E_ALGORITHM_MISMATCH'.
Conclusion: TLS 1.3 is not working, and it seems TLS.AllowDeprecatedTls has no effect no matter what.
Maybe this case is not worth investigating any more; TLS 1.2 should be enough.
As for problem 3, I am learning from mormot.net.acme.pas to do the 301 redirection.
But the OnHeaderParsed callback only ships with THttpServer; I am still trying to figure out the proper way to do the same with THttpAsyncServer or THttpApiServer.
The callbacks in THttpServer, THttpAsyncServer and THttpApiServer are a little different,
and the OnRequest, OnBeforeBody and OnBeforeRequest callbacks act differently depending on whether a Route pattern exists or not.
So I need suggestions.
What I imagine is: can we do something like nginx virtual hosting, or Caddy, with a single server instance:
1. Listening on multiple ports
2. Add or delete a served host without stopping/restarting the server
3. Set certificate pem/key by domain
4. Handle 301, 404 etc. HTTP response codes by configuration or callbacks (a more unified callback design)
It is more human-understandable.
I know we can put nginx/caddy in front, but then our mORMot abilities are restricted,
e.g. a SaaS service where users can host their own domain name with their own certificate etc.
mORMot is not only an ORM framework, but much, much more.
Last edited by keinn (2024-12-24 17:53:41)
Try with OpenSSL 3.1.
Tested with https://wiki.overbyte.eu/arch/openssl-3.4.0-win32.zip;
curl -v --tlsv1.3 still does not work, it still reports 'AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH'.
HTTPS is supposed to be on its own port 443, separated from HTTP on port 80.
Anyway, a client should not try HTTP on a HTTPS port.
After more learning on SSL/TLS, I think you are right.
HTTP/HTTPS should only do what they are supposed to do.
But we can NOT control what the client sends; in such a case our logs will look very bad, with lots of exceptions.
I think we can do 'Set certificate pem/key by domain' via TOnNetTlsAcceptServerName, like in the mormot.net.acme example;
still trying.
So maybe mORMot only needs to provide a 'more unified callback design', then we can achieve all goals.
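The two recurring points of this thread are (a) what a listener on the TLS port should do when the first bytes are a plaintext HTTP request instead of a TLS ClientHello (the 'ssl3_get_record:http request' error, and the wish for a 301 redirect), and (b) what the client actually offers in its ClientHello (TLS versions, and the SNI name that a per-domain certificate callback such as TOnNetTlsAcceptServerName keys on). The following is an added example in Python, using only the standard library; it is not mORMot code and not part of the original posts. It peeks at the first bytes a connection delivers, classifies them as plaintext HTTP or a TLS ClientHello, extracts the offered versions (legacy_version plus the supported_versions extension) and the SNI name, and for the plaintext case builds a 301 to the https:// URL instead of feeding the bytes to the TLS stack. The sample request, the host name example.test, and the function names are all assumptions made up for the example; the ClientHello bytes are produced by the local OpenSSL through ssl.MemoryBIO, so no network, listener or certificate is needed.

```python
import ssl
import struct

TLS_VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                     0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ",
                b"PATCH ", b"TRACE ", b"CONNECT ", b"PRI ")
# Constructed sample (not captured traffic): a plaintext request sent to the TLS port.
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def _u16(buf, pos):
    return struct.unpack(">H", buf[pos:pos + 2])[0]


def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (RFC 8446 section 4.1.2)."""
    if len(data) < 5 or data[0] != 0x16:              # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + _u16(data, 3)]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ClientHello is truncated or split over several records")
    legacy_version = _u16(hello, 0)
    pos = 2 + 32                                      # legacy_version + random
    pos += 1 + hello[pos]                             # legacy_session_id
    suite_count = _u16(hello, pos) // 2
    pos += 2 + 2 * suite_count                        # cipher_suites
    pos += 1 + hello[pos]                             # legacy_compression_methods
    offered = [legacy_version]        # pre-1.3 clients advertise only this field
    sni = None
    if pos + 2 <= len(hello):                         # extensions block present
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            ext = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x002B and elen >= 3:         # supported_versions
                offered = [_u16(ext, i) for i in range(1, min(1 + ext[0], len(ext) - 1), 2)]
            elif etype == 0x0000 and elen >= 5:       # server_name (SNI)
                p = 2                                 # skip the list length
                while p + 3 <= len(ext):
                    ntype, nlen = ext[p], _u16(ext, p + 1)
                    if ntype == 0:                    # 0 = host_name
                        sni = ext[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
    return {"legacy_version": TLS_VERSION_NAMES.get(legacy_version, hex(legacy_version)),
            "offered_versions": [TLS_VERSION_NAMES.get(v, hex(v)) for v in offered],
            "cipher_suite_count": suite_count, "sni": sni}


def classify_first_bytes(data: bytes) -> dict:
    """What just arrived on the listener: a TLS ClientHello, plaintext HTTP, or neither."""
    if data[:1] == b"\x16":
        try:
            return {"kind": "tls", **parse_client_hello(data)}
        except (ValueError, IndexError, struct.error) as exc:
            return {"kind": "tls", "error": str(exc)}
    if data.startswith(HTTP_METHODS):
        parts = data.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        return {"kind": "http", "method": parts[0], "target": parts[1] if len(parts) > 1 else "/"}
    return {"kind": "unknown"}


def plain_http_redirect(request: bytes, served_hosts: set, fallback_host: str) -> bytes:
    """301 to the https:// URL for a plaintext request that hit the TLS port.
    Only a Host value we really serve is copied into Location, so a forged Host
    header cannot turn this into an open redirect. Because the request arrived on
    this very port, a Host with an explicit port redirects to the right place."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    target = classify_first_bytes(request).get("target", "/")
    host = fallback_host
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip() in served_hosts:
            host = value.strip()
    return (f"HTTP/1.1 301 Moved Permanently\r\nLocation: https://{host}{target}\r\n"
            f"Connection: close\r\nContent-Length: 0\r\n\r\n").encode("latin-1")


def make_client_hello(max_version=None, server_name="example.test") -> bytes:
    """Real ClientHello bytes from the local OpenSSL, with no socket or certificate:
    the handshake stalls waiting for a ServerHello, and what was written is the hello."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if max_version is not None:
        ctx.maximum_version = max_version             # e.g. cap at TLS 1.2
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                          # ClientHello is now in 'outgoing'
    return outgoing.read()


def demo() -> dict:
    """Classify the constructed plaintext request and two real ClientHellos."""
    out = {"plain": classify_first_bytes(PLAIN_REQUEST),
           "redirect": plain_http_redirect(PLAIN_REQUEST, {"example.test"}, "example.test"),
           "tls12": classify_first_bytes(make_client_hello(ssl.TLSVersion.TLSv1_2))}
    if ssl.HAS_TLSv1_3:
        out["tls13"] = classify_first_bytes(make_client_hello())
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The peek-and-classify step is what a front door such as nginx does before handing a connection to OpenSSL: nginx answers a plaintext request on its TLS port with "400 The plain HTTP request was sent to HTTPS port" rather than letting the TLS layer fail, and the example chooses a 301 instead because that is what the thread asks for. Logging offered_versions and sni from the same peek turns a bare 'no shared cipher' or 'illegal parameter' alert into an actionable line (which versions the client wanted, which name it asked for), which is the information one needs when deciding whether TLS 1.3 or a deprecated version is actually being negotiated.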