Question 1:
// Exception class "ESChannel" at $0000000100352960 with message "<>: HandshakeStep returned 80090327 [SEC_E_CERT_UNKNOWN], System Error 87 [ERROR_INVALID_PARAMETER]"
Server := TRestHttpServer.Create([RestServer], '8888', 16, secTLSSelfSigned);
According to the instructions here:
https://blog.synopse.info/?post/2022/07/09/Included-TLS-Support-for-mORMot-REST-or-WebSockets
Even after following these, the error persists.
I looked into the code, and during runtime it calls InitNetTlsContextSelfSignedServer → InitNetTlsContext.
I’m not sure if this is due to my setup or some other reason.
Question 2:
Server := TRestHttpServer.Create([RestServer], '8888', 16, secTLSSelfSigned, HTTPSERVER_DEFAULT_OPTIONS, 'CertificateFile', 'PrivateKeyFile', 'PrivateKeyPassword', 'CACertificatesFile');
Is it necessary to reference a self-signed certificate file?
Question 3:
If I set secTLS, do I only need to configure the key files in the Windows system, or do I also need to specify certificate files within mORMot?
Question 1:
I guess the ESChannel is on client side.
You need to disable the TLS errors on client side.
Question 2:
The self-signed certificate is embedded or generated by the framework; if you use secTlsSelfSigned, there is no need to set the other parameters (it does not make sense).
If you need your own certificate which is self-signed, do not use secTlsSelfSigned but secTls.
Question 3:
It is better to specify the certificate file within mORMot, if you can: it won't pollute the registry, and avoid any security breach, since the certificate will be private to the application.
Answer 4:
Consider not SChannel but OpenSSL for any serious TLS work, even on modern Windows.
Question 1:
I am accessing HTTPS://127.0.0.1:443 with a browser, and the server is also running on the same machine. When debugging the program, the compilation shows the following error message. Is it correct that I must use a client with IgnoreCertificateErrors := True; set, otherwise it will report an error? Is my understanding correct?
Exception class "ESChannel" at $0000000100352960 with message "<>: HandshakeStep returned 80090327 [SEC_E_CERT_UNKNOWN], System Error 87 [ERROR_INVALID_PARAMETER]"
Question 2:
If I set secTLS, whether using OpenSSL or Let’s Encrypt, I only need to specify the certificate inside mORMot, and there is no need to specify the certificate inside Windows. Is my understanding correct?
Or, in other words, can I choose to set the certificate either in Windows or in mORMot, and either one will work?
Question 1:
You may be able to force the browser to look into this address by adding an exception for this IP.
Note that using HTTP on the loopback (127.0.0.1) has almost no security benefit.
Question 2:
The certificate and private key specified with secTLS are local to mORMot and don't need to be added to Windows.
The certificate (and not the private key) could be added to Windows anyway, for the local clients on this computer to recognize this server authentication. If you don't use any client on this computer, you can leave the Windows registry.
// This is fine; HTTP://127.0.0.1 can be accessed.
HttpServer := TRestHttpServer.Create('80', RestServerDB, '+',
HTTP_DEFAULT_MODE, nil, 32, secNone, '', '', HTTPSERVER_DEFAULT_OPTIONS);
// This has a problem; HTTPS://127.0.0.1 cannot be accessed
HttpServer := TRestHttpServer.Create([RestServerDB], '443', 32, secTLS, HTTPSERVER_DEFAULT_OPTIONS,
'C:\Users\FBI\Desktop\BOOK\1\ssl\mycert.pfx', // openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out mycert.pfx
'C:\Users\FBI\Desktop\BOOK\1\ssl\privkey.pem', // openssl genpkey -algorithm RSA -out privkey.pem -pkeyopt rsa_keygen_bits:2048 -aes256
'|&VwVx;2S',
'C:\Users\FBI\Desktop\BOOK\1\ssl\cert.pem' // openssl req -new -x509 -key privkey.pem -out cert.pem -days 3650
);
FRestHttpServer.DomainHostRedirect('127.0.0.1', 'root');
Question 1: Does HTTPS require a public IP address to be effective?
https://127.0.0.1
The following error still occurs
Exception class "ESChannel" at $0000000100357C80 with message "<>: HandshakeStep returned 80090327 [SEC_E_CERT_UNKNOWN], System Error 87 [ERROR_INVALID_PARAMETER]"
Question 2: Is there any problem with the self-signed certificate I generated?
Question 3: Are there any issues with the fields filled in the OpenSSL command, aside from the Common Name? I left all other fields empty.
openssl req -new -x509 -key privkey.pem -out cert.pem -days 3650
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1
Email Address []:
Last edited by testgary (2025-06-03 17:26:50)
Let's start from MVC Blog example (in ex\mvc-blog folder).
Change lines 57-60 of MVCServer.dpr to:
aHTTPServer := TRestHttpServer.Create([aServer], '443', 32,
secTLS, HTTPSERVER_DEBUG_OPTIONS, 'mycert.pfx');
try
aHTTPServer.RootRedirectToURI('blog/default', true, true); // redirect / to blog/default
Now generate simple certificate. Set Common Name to 127.0.0.1.
openssl genpkey -algorithm RSA -out privkey.pem
openssl req -new -x509 -key privkey.pem -out cert.pem -days 3650
openssl pkcs12 -inkey privkey.pem -in cert.pem -export -out mycert.pfx
Copy mycert.pfx next to MVCServer.exe.
Now you can run MVCServer.exe and navigate to https://127.0.0.1/ to see blog.
The browser will warn you about the insecure connection.
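The three openssl commands from the post above, as an added example that is not part of the thread or of mORMot: it runs them non-interactively, also puts the loopback IP into a subjectAltName (browsers match the address against SAN rather than Common Name), and checks the result before mycert.pfx is copied next to MVCServer.exe. It assumes openssl 1.1.1 or later on PATH; the output directory and PFX password are arguments, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not mORMot project code: generate and verify the self-signed
# server certificate the thread describes (CN and SAN = 127.0.0.1).
set -e

gen_selfsigned_cert() {
    dir=$1
    pfx_pass=$2
    ip=${3:-127.0.0.1}

    # 1. RSA private key (unencrypted on disk; the PFX below carries the password)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/privkey.pem" 2>/dev/null

    # 2. Self-signed certificate: Common Name and subjectAltName both set to the IP
    openssl req -new -x509 -key "$dir/privkey.pem" -out "$dir/cert.pem" \
        -days 3650 -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" 2>/dev/null

    # 3. PKCS#12 bundle, the only file secTLS needs (key + cert, password-protected)
    openssl pkcs12 -export -inkey "$dir/privkey.pem" -in "$dir/cert.pem" \
        -out "$dir/mycert.pfx" -passout "pass:$pfx_pass" 2>/dev/null

    # Checks: the cert validates against itself as CA, the SAN carries the IP,
    # and the PFX opens with the password that will be given to mORMot
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/cert.pem" -noout -ext subjectAltName \
        | grep -q "IP Address:$ip"
    openssl pkcs12 -in "$dir/mycert.pfx" -passin "pass:$pfx_pass" \
        -nokeys -noout 2>/dev/null
}

# Show subject and SAN so the certificate can be inspected by eye
show_cert() {
    openssl x509 -in "$1/cert.pem" -noout -subject -ext subjectAltName
}
```

Only cert.pem (never privkey.pem or mycert.pfx) is what you would import into the Windows store if local clients on the same machine should trust the server.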
Thank you very much.
The problem lies in the code below
aHTTPServer.RootRedirectToURI('blog/default', true, true)