Secure Webserver: is TLS depending on the OS?

[Wolfgang Orth]

Hello Bruce and all!

A while ago I wrote a secure webserver, using Clarion 10  and Nettalk 10. It worked fine (LE-wise in updating the certificate) both on my development machine (Win 10 pro) and later on the remote server (W12K) in the data-center. All I had to do was copying the entire directory, adjusting the remote firewall and all were perfect! The used ports are 80 and 443.

Now that this one was so easy, I wanted more!

For internal use I run several webserver on my local LAN. By now all were insecure, all reachable from the outside via port 80. To achieve this, I have the Apache Webserver running, being used as a Reverse Proxy. That means, a domain like blabla.no-ip-com was directed to my LAN. Here that Apache gets the request, looks up, which computer is in charge for this address and passes the request to that internal IP-address:Port. The Apache 2 is running on a Raspberry pi machine, using the ports 80 and 443 for himself. Works fine also!

What I now wanted was to get this new secure webserver being reachable via that Raspberry. So I added the required information to the Apache, opened the secure port for this new webserver in my routers firewall for my development machine. Lets Encrypt find it, send my a certificate. now I have a secure NT-webserver on my LAN, too!

However, thats on my development machine. Its not meant forever, so I copied the entire stuff from here to my local 24/7-server, adjusted the Apache settings on the Raspberry, the firewall settings on my router, ran the server on its new location and .... nothing!

All I get are responses in the webbrowsers like "no cipher overlap" and stuff like that. Each browser has another error message.

Reverting the settings, all is fine now again. The difference between my development machine and the 24/7-server is the OS. My development machine has Wind 10 pro, while the 24/7-server is still W2008K.

My question now: Is the encryption in use depending on the operation system?

Thanks for your patience in reading this long story.

bye
Wolfgang

[Sibuya]

HI Wolfgang,

Windows depends on Cryptographic API to use cyphers.

You should check if Server 2008 is updated.

Another check is if you are running the application with correct rights because Server is more strict in this matter.

Best regards,

Marcos Sibuya

[Bruce]

Hi Marcos,

>> Windows depends on Cryptographic API to use cyphers.

yes, but NetTalk (and I suspect) Apache do not. But I think you might be on the right track.
NetTalk uses OpenSSL for encrypting and decrypting TLS traffic. With the current OpenSSL this also requires that the SV 2017 redistributable be installed (see docs for more on that).

Unfortunately I do not know Apache well enough to comment on the setup there. I do not know if it supports TLS 1.3 yet or if the version Wolfgang is using has been sufficiently updated to use "any" modern ciphers. Perhaps the starting point is to make sure that is correct - although it talks to the dev machine which suggests it is likely ok.

Cheers
Bruce

[Wolfgang Orth]

>> Windows depends on Cryptographic API to use cyphers.

>> You should check if Server 2008 is updated.


Thank you, Marcos.

My main concern is, that there might be reasons that my webserver will not work on some OS.

Here is the background, why I ask: I send out my program to customers, usually hospitals. I am not involved in the installation process. The installation is completely up to the IT-department, I have no influence on the how and where. So for me it is important to know, that there might be Windows versions out there, which are not compatible with my software. And because I am not involved with the installation, I have hardly any chance to fix it. It-departments are sturdy to obstinate, when it comes to their systems. I will simply have to tell them that this this and this Windows-version will not be capable to host our software.


>> You should check if Server 2008 is updated.

How would I do this?

On http://www.capesoft.com/docs/NetTalk11/NetTalkWebSecure.htm I found links to two links to the tool SSLScan. "Unfortunately" its only source code and seens to run under Linux, now Windows anymore.

thanks
Wolfgang

[Wolfgang Orth]

>>>> Windows depends on Cryptographic API to use cyphers.

>> yes, but NetTalk (and I suspect) Apache do not. But I think you might be on the right track.
NetTalk uses OpenSSL for encrypting and decrypting TLS traffic. With the current OpenSSL this also requires that the SV 2017 redistributable be installed (see docs for more on that).

I have had installed that "Microsoft Visual c++ redistributable 2017" on this machine. I used the one which you did d/l for the Windows 10 pro machine. But apparently it does not work or I missed some voodoo.

During the last weeks webinar (re: my question about that WebSocket-server) you made a remark about d/l that "redistributable", which I not fully understood. Did you mean that there are different versions of this "redistributable", depending on the OS? That would mean I could not use that same install file for different machines? Instead I have to d/l for each machine individually from the machine itself?



>> Unfortunately I do not know Apache well enough to comment on the setup there. I do not know if it supports TLS 1.3 yet or if the version Wolfgang is using has been sufficiently updated to use "any" modern ciphers. Perhaps the starting point is to make sure that is correct - although it talks to the dev machine which suggests it is likely ok.

Yes, the Apache2 reverse proxy is responsible for all machines on this LAN. I simply modify a configuration file and restart the Apache. Now all requests are sent to the server, which got copied to the other machine. If its not working (like in my case), then its because the OS is not compatible anymore or I made a configuration error.

But Server 2008 will be in extended support by Microsoft for exact the next 12 months from today! I will just put that one on the no-no list.

However, that Websockets problem on Server 2012 is still lingering. I will report to you separately.

[Wolfgang Orth]

Got it going!

Don't ask me, how I fixed it, I do not know.

What I did was a sort of restart, especially under the aspect of Marcos mentioning the rights. Although I doubt that I violated any rights (would it have ran then at all?) I simply deleted the entire subdirectory on the Server 2008 and also the Redistributable. Re-installed that Redistrubutable.

Back to my dev-machine, I did some bogus changes to the APP, to force a recompile. Applied for a LE-certificate in test-mode. Tested okay. Stopped this server, zipped the directory, copied over to the Server 2008, unzipped to a new directory. I also modified the gateway server bak to the Server 2008.

Here I started the NTWS, adjusted all paths for LE, finally exited and started the program again. Applied for the new LE-certificate successfully (like all day yesterday too).

Called that website..... got the old page from the browser cache, but hit F5 so hard, that the browser finally gave in and DISPLAYED MY FRIGGING SECURE SERVER!

I don't know what made the difference, but now I know, it can be done.

Thanks to all for your patience.

[Bruce]

>> Don't ask me, how I fixed it, I do not know.

this;
>> Re-installed that Redistributable.

like I predicted.

>> I have had installed that "Microsoft Visual c++ redistributable 2017" on this machine. I used the one which you did d/l for the Windows 10 pro machine.

That was for Windows 10 Pro - not Server 2008.

>> During the last weeks webinar (re: my question about that WebSocket-server) you made a remark about d/l that "redistributable", which I not fully understood. Did you mean that there are different versions of this "redistributable", depending on the OS?

You should always assume that, yes. With MicroSoft, in some cases there may be different versions, in other cases there is just one install. But I always download on the machine I intend to run it on.

>>  That would mean I could not use that same install file for different machines? Instead I have to d/l for each machine individually from the machine itself?

Ideally yes. You could I suppose download on multiple machines and compare the binaries you get to see if they are the same.
But Windows 2008 is 10 years old, so it's likely going to need a different set of files to say Windows Vista.

cheers
Bruce




Cheers
Bruce