#1 2024-12-23 23:11:54

keinn
Member
Registered: 2014-10-20
Posts: 111

asyncserver https problems

After dozens of tests with mormot.lib.openssl11 (libssl-1_1), I discovered some problems and need help.

problem 1:
  Tls.AllowDeprecatedTls := true takes NO effect; only TLS 1.2 works.

problem 2:
  mormot.lib.openssl11 line 10557,
  forcing the use of TLS1_VERSION, TLS1_1_VERSION or TLS1_3_VERSION also has NO effect; only TLS 1.2 works.

Tested such settings with the Delphi IDE tool "RESTDebugger" and its connection options.

Only working with TLS 1.2 is roughly acceptable, but the serious issue is that the server will raise exceptions at TOpenSslNetTls.AfterAccept like

'SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter'
or
'SSL routines:tls_post_process_client_hello:no shared cipher'
or
'SSL_ERROR_SYSCALL'

depending on the TLS version the client sends.

problem 3:
  if any client sends a pure HTTP request, the server gets 'TOpenSslNetTls.AfterAccept accept: OpenSSL SSL routines:ssl3_get_record:http request'
  and then finally raises a Fatal Error.

All those 3 problems will be captured by the logger as 'A EXC' or '@ EXC' info.
Only working with TLS 1.2 is acceptable, but I don't know if problem 3 is exactly how SSL works.
Should I pay attention? Will it cause serious problems?
Or should we redirect HTTP to HTTPS like most websites do?
I did not find a way to do a redirect or to serve both HTTP and HTTPS.

Thanks.
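An added example to make problems 2 and 3 concrete (Python written for this thread, not mORMot or OpenSSL code; all inputs are constructed): it classifies the first bytes a server receives on a TLS port, the same bytes OpenSSL inspects when it reports 'ssl3_get_record:http request', and for a real ClientHello extracts the TLS versions the client actually offers, which a server compares with its enabled range before any cipher suite can be chosen. The ClientHello builder is a minimal constructed one, present only so the parser has input to run on.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")

def make_client_hello(legacy_version, supported_versions=()):
    """Build a minimal ClientHello record (constructed test input, not a capture)."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32 + b"\x00"  # version, random, no session_id
    body += struct.pack(">H", 2) + b"\x13\x01"                   # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                          # compression_methods: null only
    exts = b""
    if supported_versions:                                       # TLS 1.3 clients list versions here
        vlist = b"".join(struct.pack(">H", v) for v in supported_versions)
        exts = struct.pack(">HH", 43, len(vlist) + 1) + bytes([len(vlist)]) + vlist
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs     # record type 22 = handshake

def classify_first_bytes(data):
    """Return ('http', method), ('tls', [offered versions]) or ('unknown', None)."""
    for m in HTTP_METHODS:                        # plain HTTP where a TLS record was expected
        if data.startswith(m):
            return "http", m.strip().decode()
    try:
        if data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
            return "unknown", None
        hs = data[5:]
        legacy = struct.unpack_from(">H", hs, 4)[0]     # after 1-byte type + 3-byte length
        pos = 4 + 2 + 32                                # skip legacy_version + random
        pos += 1 + hs[pos]                              # session_id
        pos += 2 + struct.unpack_from(">H", hs, pos)[0] # cipher_suites
        pos += 1 + hs[pos]                              # compression_methods
        # Without supported_versions, legacy_version is the client's maximum (RFC 5246 7.4.1.2).
        offered = [v for v in (0x0301, 0x0302, 0x0303) if v <= legacy]
        end = pos + 2 + struct.unpack_from(">H", hs, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hs, pos)
            pos += 4
            if etype == 43:                             # supported_versions (RFC 8446 4.2.1)
                n = hs[pos]
                offered = [struct.unpack_from(">H", hs, pos + 1 + i)[0] for i in range(0, n, 2)]
            pos += elen
        return "tls", sorted(set(offered))
    except (IndexError, struct.error):
        return "unknown", None

def negotiable(offered, server_enabled):
    common = set(offered) & set(server_enabled)   # highest shared version, else reject
    return max(common) if common else None
```

A None from negotiable() is a handshake the server has to refuse; the 'http' classification is the case where a listener could answer a plain-text redirect or 400 instead of surfacing an exception in the log.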


#2 2024-12-23 23:27:09

keinn
Member
Registered: 2014-10-20
Posts: 111

Re: asyncserver https problems

Those problems cause an IDE DEBUG notification popup every time, which makes the project hard to debug if we don't click to ignore them.


#3 2024-12-24 13:51:54

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745

Re: asyncserver https problems

On which OS are you doing this?
What is the OpenSSL version on this OS?

About problem 3, HTTPS is supposed to be on its own port 443, separated from HTTP on port 80.
Anyway, a client should not try HTTP on an HTTPS port.


#4 2024-12-24 17:40:05

keinn
Member
Registered: 2014-10-20
Posts: 111

Re: asyncserver https problems

I am trying this with THttpAsyncServer on Windows 10 22H2, OpenSSL 1.1 x86 from https://wiki.overbyte.eu/arch/openssl-1.1.1w-win32.zip

Further tests:
1.  I can get the server working either with a self-signed cert by .WaitStartedHttps(), or with a valid pem/key in production.
2.  Both the self-signed server and the real valid cert work with 'curl https://url' and 'curl --tlsv1.2' (the self-signed test with the 'curl -k --insecure ...' command).
3.  Both do NOT work with 'curl --tlsv1.3 https://url'; it reports 'SEC_E_ALGORITHM_MISMATCH'.

Conclusion: TLS 1.3 is not working, and it seems TLS.AllowDeprecatedTls has no effect no matter what.
Maybe this case is not worth investigating any more; TLS 1.2 should be enough.

As for problem 3, I am learning from mormot.net.acme.pas to do a 301 redirection.
But the OnHeaderParsed callback is only shipped with THttpServer; I am still trying to figure out the proper way to do the same with THttpAsyncServer or THttpApiServer.

The callbacks in THttpServer, THttpAsyncServer and THttpApiServer are a little different.

And the OnRequest, OnBeforeBody and OnBeforeRequest callbacks act differently depending on whether a Route pattern exists or not.

So I need suggestions.

What I imagine is: can we do something like nginx virtual hosting, or caddy, with a single server instance:
1. Listening on multiple ports
2. Add or delete served hosts without stopping/restarting the server
3. Set certificate pem/key by domain
4. Handle 301, 404 etc. HTTP response codes by configuration or callbacks (a more unified callback design)

It is more humanly understandable.

I know we can put nginx/caddy in front, but then our mORMot abilities are restricted,
e.g. a SaaS service where users can host their own domain name with their own certificate etc.

mORMot is not only an ORM framework, but much, much more.

Last edited by keinn (2024-12-24 17:53:41)


#5 2024-12-24 17:42:57

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745

Re: asyncserver https problems

Try with OpenSSL 3.1.


#6 2024-12-24 17:50:48

keinn
Member
Registered: 2014-10-20
Posts: 111

Re: asyncserver https problems

ab wrote:

Try with OpenSSL 3.1.

Tested with https://wiki.overbyte.eu/arch/openssl-3.4.0-win32.zip,
curl -v --tlsv1.3 still does not work; it still reports 'AcquireCredentialsHandle failed: SEC_E_ALGORITHM_MISMATCH'.


#7 2024-12-24 18:08:23

keinn
Member
Registered: 2014-10-20
Posts: 111

Re: asyncserver https problems

ab wrote:

HTTPS is supposed to be on its own port 443, separated from HTTP on port 80.
Anyway, a client should not try HTTP on an HTTPS port.

After more learning about SSL/TLS, I think you are right.
HTTP/HTTPS should only do what they are supposed to do.

But we can NOT control what the client sends; in such a case, our logs will look very bad with lots of exceptions.


#8 2024-12-25 01:33:04

keinn
Member
Registered: 2014-10-20
Posts: 111

Re: asyncserver https problems

I think we can do 'Set certificate pem/key by domain' with TOnNetTlsAcceptServerName, like in the mormot.net.acme example;
still trying.

So maybe mORMot only needs to provide a 'more unified callback design', and then we can achieve all the goals.


#9 2024-12-25 07:40:43

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,745

Re: asyncserver https problems

Merry Christmas!

When you run the mORMot 2 regression tests, and provide an OpenSSL library, do you see the "TLS 1.3" indication in the console for the HTTPS tests?
