Author Topic: is it possible for indy10 https to work on port not 443?  (Read 831 times)

Michael Collier

  • Full Member
  • ***
  • Posts: 249
is it possible for indy10 https to work on port not 443?
« on: August 20, 2019, 10:42:57 am »
I'm using indylaz 10.6.2.549 , lazarus 2.0.0 , FPC 3.3.1

Using TIdHTTPServer to run a secure web server implementing letsencrypt/cerbot certificates.

When I bind to port 443, everything runs fine..

Code: Pascal
  b        := FHTTPServerObject.Bindings.Add();
  b.IP     := f_ip_address ;
  b.port   := f_port       ; // 443 is the only value that seems to work

But when I try binding different port numbers my browser won't connect. I don't get any errors when running in the debugger. If I remove HTTPS and just use HTTP then my browser will connect, so it seems that things are running under the hood.

I'm not sure if I'm doing something wrong in my code or if I need to do something different when creating certificates?

Note: I remember doing this before a few months back on a Windows 7 laptop which I will dig out, recharge and fire up. I think it worked on that; it was a previous version of Indy. Also I'm currently doing this on a Raspberry Pi 3 running Raspbian.

Thanks..


korba812

  • Full Member
  • ***
  • Posts: 104
Re: is it possible for indy10 https to work on port not 443?
« Reply #1 on: August 20, 2019, 11:19:32 am »
You must have root privileges to start a server on a port below 1024.
https://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #2 on: August 20, 2019, 11:30:29 am »
Hi korba812

I'm using sudo at the command line when I start Lazarus (to run my app through debugger), and also using sudo when I run the app outside the debugger.

(In fact I seemed to need this in order to access the SSL certificate but I don't mind)

Port 443 works ok, the port(s) I'm attempting to use are above 8000 so I guess should be ok?

Thaddy

  • Hero Member
  • *****
  • Posts: 8679
Re: is it possible for indy10 https to work on port not 443?
« Reply #3 on: August 20, 2019, 01:12:03 pm »
Port 443 is, as per RFC 1700, the reserved https port number.
But indeed, it is possible to use a high port number and still use https.
Most people that want to use threading should learn to patch their jeans first: use a needle.

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #4 on: August 20, 2019, 04:50:38 pm »
Hi Thaddy

Thanks, yep, I just tried a pre-compiled version of my app on a Windows 10 PC and it does allow several high port numbers for https. This version was compiled using an earlier version of Indy, so I'll update Indy and retry.

On the RPI3 device, I installed nmap and after opening my app to listen on 8443 executed this:

Code: Bash
  nmap -p 8443 192.168.1.90

..the output was:
Code: Text
  8443/tcp open  https-alt

So nmap seems to be saying that 8443 is being used ok.

I put break-point in my source code for requests..

When I try to connect using standard port 443 the debugger stops on my breakpoint, but when I attempt to connect from my browser using port 8443 the debugger does not stop.

So it seems there is something going wrong between the browser and the application?

There is no firewall installed on the RPI but I did a quick check:

Code: Bash
  sudo iptables -L

  Chain INPUT (policy ACCEPT)
  target     prot opt source               destination

  Chain FORWARD (policy ACCEPT)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

and in any event I'm opening the browser on the local RPI, so I'm not having to go through routers and still not connecting, so this seems strange to me?

Thaddy

  • Hero Member
  • *****
  • Posts: 8679
Re: is it possible for indy10 https to work on port not 443?
« Reply #5 on: August 20, 2019, 07:58:11 pm »
When I use localhost (instead of a qualified IP) the debugger stops. Tested on a RPi3 /trunk/trunk both from today.

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #6 on: August 20, 2019, 10:03:53 pm »
Good to know it works, thanks :)

I just tried localhost but no luck..

I dug deeper into open ssl..

Executed this on RPI3
Code: Bash
  openssl s_client -connect localhost:9443 -msg

Got this output, note "wrong version number":
Code: Text
  1996326384:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:

Also, from firefox browser, got this message: ssl_error_rx_record_too_long

Thaddy

  • Hero Member
  • *****
  • Posts: 8679
Re: is it possible for indy10 https to work on port not 443?
« Reply #7 on: August 20, 2019, 10:24:36 pm »
Why SSL 3? It is insecure and deprecated. Use TLS 1.1 at a minimum! The browser is right. All modern browsers won't allow SSL 3 / TLS 1.0.
Did you select SSL 3 yourself? Or did the fall-back inside the Pascal code do that?
« Last Edit: August 20, 2019, 10:28:27 pm by Thaddy »

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #8 on: August 20, 2019, 10:44:14 pm »
I'm not sure why it refers to SSL3, here are the settings I use (I've tried loads of variations)

Code: Pascal
  HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1 , sslvTLSv1_2 ];
  HTTPIOHandler.SSLOptions.Method := sslvTLSv1_2          ;

I'm not sure why openssl said ssl3_get_record? I noticed further down it says:
    Protocol  : TLSv1.2
Here is a more complete message:

Code: Text
  1995470320:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 5 bytes and written 176 bytes
  Verification: OK
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : 0000
      Session-ID:
      Session-ID-ctx:
      Master-Key:
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: 1566333269
      Timeout   : 7200 (sec)
      Verify return code: 0 (ok)
      Extended master secret: no

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 652
    • Lebeau Software
Re: is it possible for indy10 https to work on port not 443?
« Reply #9 on: August 22, 2019, 12:04:09 am »
But when I try binding different port numbers my browser won't connect.

Are you specifying the alternate port number in the URL you give the browser? Eg: "https://host:port/"

I don't get any errors when running in the debugger. If I remove HTTPS and just use HTTP then my browser will connect, so it seems that things are running under the hood.

Indy servers, and particularly TIdHTTPServer, handle non-standard ports just fine.  So if you are having a problem, especially when standard ports work fine, it is likely something outside of Indy.

I'm not sure if I'm doing something wrong in my code

What you have shown looks fine to me.

or if I need to do something different when creating certificates?

I wouldn't know.

I'm not sure why it refers to SSL3, here are the settings I use (I've tried loads of variations)

Code: Pascal
  HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1 , sslvTLSv1_2 ];
  HTTPIOHandler.SSLOptions.Method := sslvTLSv1_2          ;

You should NOT be using the SSLVersions and Method properties together like that.  The two properties are mutually exclusive; setting one updates the other, so setting the Method property to sslvTLSv1_2 discards sslvTLSv1 and sslvTLSv1_1 from the SSLVersions.  So, in the above case, your server will only talk TLS 1.2 and nothing else.

Use ONE OR THE OTHER, not BOTH.  In fact, it is best to just ignore the Method property altogether, pretend it does not exist.  It is an old property that needs to be deprecated and removed.  Just use the SSLVersions property only.

I'm not sure why openssl said ssl3_get_record?

Because TLS 1.x is an extension of SSL 3.0, and internally OpenSSL implements TLS using SSL3 APIs.
« Last Edit: August 22, 2019, 12:12:56 am by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
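Added example, not code from this thread or from Indy's own demos: a minimal Free Pascal console server that puts TLS on 8443 the way Remy describes (SSLVersions set, Method left alone). One detail the thread does not reach: TIdHTTPServer only wraps a connection in TLS when its OnQuerySSLPort event answers true for the binding's port, and the default answer is true only for 443; on any other binding the SSL IOHandler is left in pass-through (plaintext) mode. That matches the symptom shown above, where openssl s_client read exactly 5 bytes (a TLS record header's worth of a plaintext "HTTP/" reply) and reported "wrong version number". The handler below opts the alternate port in. The listen address, port and certbot paths are assumed placeholders; cthreads is needed on Linux/Raspbian because Indy servers are threaded.

```pascal
program TlsOnAltPort;
{$mode objfpc}{$H+}

uses
  {$IFDEF UNIX}cthreads,{$ENDIF}   // Indy servers are threaded; required on Linux/Raspbian
  SysUtils, Classes,
  IdGlobal, IdContext, IdSocketHandle, IdCustomHTTPServer, IdHTTPServer,
  IdServerIOHandlerSSLOpenSSL, IdSSLOpenSSL;

const
  // Assumed placeholder values: replace with your own address, port and certbot paths.
  LISTEN_IP = '0.0.0.0';
  TLS_PORT  = 8443;
  CERT_FILE = '/etc/letsencrypt/live/example.invalid/fullchain.pem';
  KEY_FILE  = '/etc/letsencrypt/live/example.invalid/privkey.pem';

type
  { Indy events are method pointers ("of object"), so the handlers live on a class. }
  TServerHost = class
    procedure HandleQuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
    procedure HandleCommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
  end;

procedure TServerHost.HandleQuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
begin
  // Default behaviour is TLS on 443 only; every other binding stays plaintext
  // unless this event says otherwise. Opt the alternate port in explicitly.
  VUseSSL := (APort = TLS_PORT);
end;

procedure TServerHost.HandleCommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentText := 'TLS on port ' + IntToStr(AContext.Binding.Port) + LineEnding;
end;

var
  Host: TServerHost;
  Server: TIdHTTPServer;
  IOHandler: TIdServerIOHandlerSSLOpenSSL;
  Binding: TIdSocketHandle;
begin
  Host := TServerHost.Create;
  Server := TIdHTTPServer.Create(nil);
  try
    IOHandler := TIdServerIOHandlerSSLOpenSSL.Create(Server);
    IOHandler.SSLOptions.CertFile := CERT_FILE;
    IOHandler.SSLOptions.KeyFile  := KEY_FILE;
    // Set SSLVersions only; assigning Method as well would overwrite this list.
    IOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
    Server.IOHandler := IOHandler;

    // A single binding on the non-standard port.
    Binding := Server.Bindings.Add;
    Binding.IP   := LISTEN_IP;
    Binding.Port := TLS_PORT;

    Server.OnQuerySSLPort := @Host.HandleQuerySSLPort;
    Server.OnCommandGet   := @Host.HandleCommandGet;
    Server.Active := True;

    WriteLn('Listening with TLS on ', LISTEN_IP, ':', TLS_PORT, ' (press Enter to stop)');
    ReadLn;
  finally
    Server.Active := False;
    Server.Free;
    Host.Free;
  end;
end.
```

To confirm the binding really speaks TLS rather than plaintext, run the same check the thread already uses, `openssl s_client -connect host:8443`, and expect a negotiated cipher and the certificate chain instead of "wrong version number"; a browser pointed at https://host:8443/ should then reach the handler.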

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #10 on: August 22, 2019, 11:12:51 am »
Hi Remy

Thanks for the updates, I am using "https://host:port" , and I removed the .method setting but still no luck.

I believe you are right about indy working ok, thaddy got it working pretty quickly, so maybe my raspberry pi3  is missing something.

I think I'll revert over to compiling/running on windows so I can get the application tested and demonstrated to my user, then try a clean install on another raspberry.

I was thinking about posting a sample project here for users to try, but they would need to be able to produce their own SSL certificate tied to their registered URL e.g. my_lazarus_test.co.uk 

hmm.. I just had a look at my own ISP for deals on registering a URL, and it seems they offer free registration of .co.uk for 1 year. I'll email them and confirm before posting a link.

Lazarus users could register a URL for free, then use a free Domain Name Server (I use a free one and it works ok) to point their URL to a device on their home network (just forward a port on the home router for it to connect). Finally, get a free SSL certificate via letsencrypt/certbot, again free.

I'd be happy to post something on the lazarus wiki if anyone thinks it would help, that way if anyone else has a problem in the future with HTTPS/SSL/DNS/certificates they have a working example to reference?

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #11 on: September 02, 2019, 06:56:08 pm »
I've downloaded the Indy 10 demos from here:

https://indy.fulgan.com/ZIP/Indy10demo.zip

But not sure if this is the most recent set of demos available, is this the best link or is there a better one?

I had a look at the HTTP/SSL Server/ project (it does state "SSL only" and thus, as expected, there are no settings for any TLS-related items that I can see). Here is a snippet:

Code: Pascal
  function TfrmMain.InternalServerBeforeStart: Boolean;
  begin
    // Perform your startup code here.  If you do not wish the server to start
    // then simply return false from this function and report back the proper
    // error by calling Log(YourMessage, clRed);
    result := true;
    try
      with OpenSSL.SSLOptions do
        begin
          CertFile     := edCertFile.Text;
          CipherList   := edCipherList.Text;
          KeyFile      := edKeyFile.Text;
          RootCertFile := edRootCertFile.Text;
        end;
    except
      result := false;
    end;
  end;

If there is a more recent link available for TLS I will download and try; otherwise I'll modify what I have and try on Debian 10 later tonight, then Raspberry Pi 3.

Cheers,
Mike

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 652
    • Lebeau Software
Re: is it possible for indy10 https to work on port not 443?
« Reply #12 on: September 03, 2019, 12:03:47 am »
I had a look at HTTP/SSL Server/ project (it does state "SSL only" and thus expectedly there are no settings for any TLS related items that I can see).

Because the API used is "Open<SSL>", not "Open<TLS>", and OpenSSL predates the existence of TLS, so the properties and classes tend to have "SSL" in their names for historic reasons.  But Indy does support TLS 1.0 - 1.2 (TLS 1.3 will be supported once Indy has been updated to support OpenSSL 1.1.x, which is currently in progress).  You can enable TLS 1.0 - 1.2 in the TIdIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property.
« Last Edit: September 04, 2019, 01:22:12 am by Remy Lebeau »

Michael Collier

  • Full Member
  • ***
  • Posts: 249
Re: is it possible for indy10 https to work on port not 443?
« Reply #13 on: September 03, 2019, 05:16:40 pm »
OK thanks,

Non secure HTTP:
I've updated the non-secure httpserver Indy 10 demo project to run on Linux (removed references to Windows and included cthreads); it should be possible to connect via this link:

http://a1b2.ddns.net:9010/

(I modified the response so it simply outputs a list of helpful properties.)

Secure HTTP:
I made similar changes to run the Indy 10 demo on Linux (remove Windows, add cthreads).
I get the error "cannot load SSL library", so I installed openssl:
sudo apt-get install libssl-dev
So I have
OpenSSL 1.1.1c  28 May 2019
Still get the same error message?

Here is the modified code snippet:
Code: Pascal
  function TfrmMain.InternalServerBeforeStart: Boolean;
  begin
    //m.c. tried both true/false here..
    IdSSLOpenSSLHeaders.IdOpenSSLSetLoadSymLinksFirst(False);

    // Perform your startup code here.  If you do not wish the server to start
    // then simply return false from this function and report back the proper
    // error by calling Log(YourMessage, clRed);
    result := true;
    try
      with OpenSSL.SSLOptions do
        begin
          CertFile     := edCertFile.Text;
          CipherList   := edCipherList.Text;
          KeyFile      := edKeyFile.Text;
          RootCertFile := edRootCertFile.Text;
          //m.c.
          SSLVersions := [sslvTLSv1, sslvTLSv1_1 , sslvTLSv1_2 ];
        end;
    except
      result := false;
    end;
  end;

I'm running as root, so I know I can access the certificates. I'm leaving the CipherList and RootCertFile blank since I didn't use these on my version that works on Windows/Raspberry Pi. Are they needed for TLS to work?

Thanks


Remy Lebeau

  • Hero Member
  • *****
  • Posts: 652
    • Lebeau Software
Re: is it possible for indy10 https to work on port not 443?
« Reply #14 on: September 04, 2019, 01:25:42 am »
Secure HTTP:
I made similar changes to run indy10 demo on linux ( remove windows add cthreads)
I get error "cannot load SSL library" so installed openssl
sudo apt-get install libssl-dev
So I have
OpenSSL 1.1.1c  28 May 2019
Still get same error message?

As I stated in my previous reply, Indy does not support OpenSSL 1.1.x yet, so you can't use that version you downloaded from APT.  You need to find and download older OpenSSL 1.0.2 dylibs to use instead for the time being.