SSL question

[astahl]

Hi All,

What is causing this to display on Firefox when trying to connect, "The connection to the server was reset while the page was loading."

I am trying to use SSL by redirecting to my secure port 443. I also am binding to a specific IP address on our fire wall which was assigned by our ISP.

Ashley

[peterH]

Hi Ashley,

That error is caused by a SSL problem. I get it if I try to start a webserver using SSL but no cert is present. Sure it finds the certificate?
You may alse get it if you forget the 's' in the url (as in https://..)

Peter

[astahl]

Hi Peter,

Thanks for the info. I checked my certificates folder and my crt is there along with the key

for testing I am using https://127.0.0.1:445 and it does not connect there.

Anything else I can give you that may help just ask.

***Amended***

I tried port 444 and that worked except that was prompted for an exception. Is that normal when using localhost?


Ashley

[peterH]

Something is already listening on port 443 (Skype?)
I'm using 444 for testing for that same reason but I don't get any errors. Local FW maybe?

Peter

[astahl]

I am starting to think it may be the Comodo certs I purchased. I have seen a few posts that some people switched to other companies for their certificates, and then it worked.

We do not have Skype on our server, so that can be ruled out. I am not getting an error locally on 444, but Firefox wanted to know if I still wanted to turn the exception on for my program.


Ashley

[Vinnie]

'' Firefox wanted to know if I still wanted to turn the exception on for my program.

This is normal.  If you have purchased a SSL Cert then this would normally be for https://www.

If you test https://127???  then the cert is only for the https://www. so Browser will ask for exception.

If browser is asking for exception then SSL is working.

Hope I am understanding your problem correctly.

Cheers

Vince

[astahl]

Hi Vinnie,

I think you are, because I could login and view data. So it just may be the port number that I was having problems with.


Ashley

[astahl]

This may be of interest for anyone wanting to use SSL and trying to pick a port.

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


Ashley

[astahl]

Since I have to create the CSR on the server I will be running on, where does the private key live when using IIS's CSR to request for a certificate.

This is way to difficult and time consuming! More like I just do not understand why IIS makes it so hard.

Ashley

[Vinnie]

Hi Ashley.

Not sure why you are using  IIS's I think this is a much harder way of creating a certificate.

You can create a certificate using the NetTalk options

Instructions here
http://capesoft.com/docs/NetTalk8/NetTalkWebSecure.htm#CreatingACertificate

Which port NetTalk uses can then be set in your app.  The Certificate does not need to know the port. Or which machine is is being run on.

After you have your certificate working on your machine then you need to have the certificate authenticated.

Bruce did a Webinar on this a couple of weeks ago.   www.capesoft.com/ftp/public/webinars/UG_NT037_20140925_NetTalkUserGroupMeeting37.wmv
This will help
.

Hope I am helping but you may of course already done this process.

Any way

Cheers

Vinnie

[broche]

So does this mean that only one program at a time can use port 443?

Brian.

[kevin plummer]

yes if you are *not* using the multihost.exe that ships with NT or you only have 1 ext IP address so you can't bind your app to one IP address\port. BTW you would need a wildcard certificate for the later solution above or 2 certificates for the DNS.

[Wolfgang Orth]

>> So does this mean that only one program at a time can use port 443?

Brian, yes.

The base rule is: 1 server = 1 port.

Howecer, you can "trick" to run several webserver on the same port 80. This is done by te MultiHost-program, which receives all input on port 80 (being a proxy) and then sort out, which data-packet was meant for which server behind the MultiHost. It reaches the data-packet to the intenden server now. For the remote user it look completely transparent, as if there is only one server running.
The MultiHost uses the names given to the servers, to decide, what the hand where.

An alternative is using the Apache as a reverse proxy for the same purpose. The Nettalk MultoHost is much more comfortable and convenient, its the first choice for this purpose. However, it requires the webserver to be DLLs and compiled with the same version - at least I recall to have read that.
If you have a mix of webservers from different Nettalk versions, you then could'nt combine them under the MultiHost. (always under the assumption that I recall correctly)
If this scenario occurs, you may use the Apache solution, utilizing its "vhost" ability.
See Apache As A Reverse Proxy For Clarion Web Servers http://archive.clarionmag.com/cmag/v9/v9n02proxy.html

Anyway, this reverse proxying does not work that easily for SSL-secured websites.

This has to do with the sequence, how client and server communicate. Usually the client sends a request, the server picks it and processes it accordingly. Either it responds directly (if the server was approached directly and has the port on its own), or (in case of the revery proxy) its hands the data packets further to the actually meant server, which then responds through the proxy.

When a clients tries to connect to a secured website, it first asks for the certificate, before it decides to connect to the server. This certificate is somehow tied to the server, which occupies the secured port. Thus, only one webserver per IP can use SSL.

Again however, there is another trick, at least for the Apache, to overcome that. Unfortunately I did not completely understand, how they do that trick and I am also not sure, whether those servers have to be under the label of Apache or if this expands to Nettalk Webserver also, just llike none-secured NTWS can be vhosts under Apache.
See https://wiki.apache.org/httpd/NameBasedSSLVHosts

[astahl]

Vinnie and All,

I tried the NetTalk bat file to produce a certificate request(CSR) and yes it worked on my machine using SSL. But you do have to create the CSR on the machine you are gonna run the exe on if I understand correctly. Since the box we are using is hosted by our ISP they only allow Window OS stuff on there. So I had to create the CSR using IIS. I think all I need is the private key to make this work correctly.

I also exported the crt from IIS and have a pks file, which from my little understanding can be used to create a private key using OpenSSL.

Ashley

[astahl]

Must pages be set as "Only serve if Secure SSL" for them to be displayed when using SSL?

Ashley