NetTalk Central

Author Topic: Nettalk 7.41 / Clarion 8 and ssl not functioning  (Read 4861 times)

Edwin Hannan

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
    • Email
Nettalk 7.41 / Clarion 8 and ssl not functioning
« on: June 10, 2015, 01:10:14 PM »
Hi

I am trying to build my first ssl app locally on my dev pc (followed all the steps in help and Bruxe's book (V2)

I understand that sslv3 is broken (and my browsers - Firefox  / Chrome) state this is a vulnerability.

Can I use Netalk 7.41 to connect via ssl? if so how? (I reckon all fixed in latest Nettalk 8.xx)

Please advise

Many thanks

Ed

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Nettalk 7.41 / Clarion 8 and ssl not functioning
« Reply #1 on: June 10, 2015, 10:33:06 PM »
Hi Ed,

short answer is yes, as long as you are on the latest NT 7 you will be able to create a "secure" site ok.

First let's clear up some terms. "SSL" is often used as a blanket term for "Secure web". Specifically it covers a rang of protocols including SSL v2, SSL v3, TLS v1 (*), TLS v1.1 and TLS 1.2.

(*) TLS _is_ SSL just with a different name. The reasons for the change are political, not technical. So "TLS = SSL" is a valid way to think of it - TLS 1 is really SSL 3.1 and so on. That said with the recent deprecation of SSL v3 it's possible that we should now start referring to all of this as "TLS" and not "SSL".

SSL v2 was declared "broken" many years ago. SSL v3 was declared broken in November 2014. So these days you're mostly just using TLS 1.0, 1.1 and 1.2. (1.2 is better, but many devices only go up to TLS 1.0 and it's still ok to use TLS 1.0)

NetTalk 8 allows you to put the server into "Any TLS" mode, and this means it handles old devices with TLS 1.0, but also gives maximum security to newer devices and browses that can handle TLS 1.2. This is of course recommended.

NetTalk 7 allows you to choose which TLS to use - TLS 1.0 is the default (I think) - but you can set it explicitly (and in NT7 probably should set it explicitly).

So, if it's not in the docs, all you really need to do is force your app to use TLS 1.0. See here for details on that;
http://www.nettalkcentral.com/index.php?option=com_smf&Itemid=36&topic=1023.0

PS - as tempting as it is to save a few $ every couple years by skipping a NetTalk version, if you are doing "Secure" things then I'm not sure this is a habit I would recommend. Security isn't a problem, until it _is_ a problem, and usually by then things have gone really, really bad...

cheers
Bruce




Edwin Hannan

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
    • Email
Re: Nettalk 7.41 / Clarion 8 and ssl not functioning
« Reply #2 on: June 10, 2015, 11:34:34 PM »
HI Bruce

Thanks for your detailed reply

I will look again at the docs and your suggestion and test again

I am only testing this at present on my local server so fully intend to update Nettalk to v8 soon:-)

Thanks again

Ed

Edwin Hannan

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
    • Email
Re: Nettalk 7.41 / Clarion 8 and ssl not functioning
« Reply #3 on: June 11, 2015, 06:21:17 AM »
HI Bruce

Yep ok got it working with TLSv1 on my local dev pc with all the browser warnings

Eventually this will be deployed (when I update to v8.x +) to a clients LAN and allow external partners to view 'Modified' Read only details of their own clients (TPS Files).

just looking at how to use a partners login credentials to only allow that specific login to display only their own clients..I have give each partner a unique reference which is linked to the main clientID..so a lookup into the partner table will retrieve this unique reference, I understand that I need to pass this to the BrowseClients proc to limit the list, any pointers on how to do this would be much appreciated

so some questions:-)

1) would it be better to have my client purchase a security certificate and install / configure this on the Nettalk Webserver within his LAN (as external partners - Introducers would probably NOT want to have any security warnings.

2) is it acceptable to port forward secure web requests to the internal Nettalk server, is there any issue in doing this that affects security certificates?

3) is it better to have the Nettalk Webserver in the Router DMZ on its own public IP address?

Any advice on the above is all very welcome :-)

Many thanks

Ed






Edwin Hannan

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
    • Email
Re: Nettalk 7.41 / Clarion 8 and ssl not functioning
« Reply #4 on: June 12, 2015, 01:19:14 AM »
Hi

ok, I have managed to create a session variable to store the user id upon login and use this in the filter of the browse list clients and all works.

Just had to get my head around this web stuff and that session variables are baiscally global variables for that user session.

onwards and upwards :-)

Many thanks

Ed

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Nettalk 7.41 / Clarion 8 and ssl not functioning
« Reply #5 on: June 16, 2015, 02:09:09 AM »
Hi Edwin,

>> 1) would it be better to have my client purchase a security certificate and install / configure this on the Nettalk Webserver within his LAN (as external partners - Introducers would probably NOT want to have any security warnings.

yes, to get rid of the various security warning you (or they) would need to buy a certificate.

>> 2) is it acceptable to port forward secure web requests to the internal Nettalk server, is there any issue in doing this that affects security certificates?

it doesn't affect the certificate no. And it's a fairly common approach.

>> 3) is it better to have the Nettalk Webserver in the Router DMZ on its own public IP address?

It can be in the DMZ, but I would still put the DMZ behind the firewall (ie only opening the specific ports the app uses) and as a "best practice" that is better because it isolates the machine from the LAN. However it still has to be able to acess the data files so sometimes this is not really practical. In most cases we end up deploying directly on the LAN not on the DMZ.

Cheers
Bruce