Search the Community

Dears, You can download it here : http://forums.unigui.com/index.php?/topic/18951-help-with-ssl-intranet/&do=findComment&comment=136067

Dears, I was finally able to do something: If one day, you will have to develop an Unigui app: - Under local network, - Without Internet, - Which requires an SSL (example Scann Camera) Then read the following: I thought, wrongly to create "Self Signed Certificate". Today, most of browsers reject them. So, after 3 days search, I understood that it was necessary to use another technic : Create a localhost Certificate by mkcert This is inspired by (thx to the Author) : https://technixleo.com/create-locally-trusted-ssl-certificates-with-mkcert-on-windows OK...Step by Step : 1. Installing mkcert on Windows 1.1 mkcert can be installed by Chocolatey To install Chocolatey, you must first ensure the Policy AllSigned Open PowerShell as Admin Get-ExecutionPolicy if Restricted then : Set-ExecutionPolicy AllSigned 1.2 To install Chocolatey see https://chocolatey.org/install In PowerSehlle type (in a single line): Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) 1.3 install mkcert In PowerSehlle type: choco install mkcert The mkCert Directory (by default) is: C:\Users\...\AppData\Local\mkcert 2. Generate my 2 pem files In PowerSehlle type: mkcert -install This will generate 2 files in C:\Users\...\AppData\Local\mkcert: rootCA.pem rootCA-key.pem 3. Generate a localhost.p12 Certificate In PowerSehlle type: mkcert -pkcs12 localhost This will generate localhost.p12 certificate which will be in the PowerShell directory, ie: ..\System32 4. Import the localhost Certificate Touche Win + R key: mmc File > Add > Certificates > Add Computer account local computer OK Right click / on WEB Hosting Certificates > All Tasks Machine Room Select localhost.p12 Certificate Next specify the password (default): changeit Check: Key Exportable Place of the Certificate on : Web Hosting (dépend on your windows langage : example for french : Hébergement Web) This will create 2 Certificates (in Web Hosting): - localhost - mkcert myDESKTOP-xxx 5. Project Unigui Requires 3 files: cert.pem key.pem root.pem Do not use root.pem = rootCA.pem ( C:\Users\...\AppData\Local\mkcert ) key.pem = rootCA-key.pem ( C:\Users\...\AppData\Local\mkcert ) wich are generated by mkcert. Use instead the new 3 files, obtained online (by converting the p12 file in a new global pem file) 5.1 Split localhost.p12 into 3 Files You can obtain the 3 files via a conversion of the Certificate: localhost.p12 Use Online: https://www.sslshopper.com/ssl-converter.html - Upload the Certificate File: localhost.p12 - indicate the type: PFX/PCKC#12 - Convert To: Standard PEM - Password: changeit You will get global File, containing 3 blocks : start ...end Separate them with Notebook, and save them into 3 files: The first = cert.pem The second = root.pem The third = key.pem 5.2 Compile your project and run it : https://localhost:8077/ is Secure Have fun... ___________________ PS: if you are interesting by an easy way to scan BareCode via your Android device (wich requires an SSL url) you can use Falcon Store - Components Delphi from our Friend Marlon. Very fast and light ! http://forums.unigui.com/index.php?/topic/11359-falcon-store-components-delphi-httpsstorefalconsistemascombr/#comment-60260

In a previous topic, we saw how to create a Self Signed Certificate with mkCert and trusted it with mmc. That works fine but havy method ! Here we will see an other method much easier : OK, Step by Step : 1. install the latest OPENSSL 2. Prepare a conf file (NotePad) : [req] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_req prompt = no [req_distinguished_name] countryName = XX stateOrProvinceName = N/A localityName = N/A organizationName = Self-signed certificate commonName = 120.0.0.1: Self-signed certificate [req_ext] subjectAltName = @alt_names [v3_req] subjectAltName = @alt_names [alt_names] IP.1 = 192.168.1.11 2. Save it as C:\Program Files\OpenSSL-Win64\bin\san.cnf - Replace IP.1 variable by your IP adress (local machine) - if you want DNS instead of IP, replace the Section [alt_names] by : [alt_names] DNS.1 = mywebsite1.dev DNS.2 = mywebsite2.dev On a local network, without internet, mywebsite1.dev should be defined on C:\Windows\System32\drivers\etc\hosts file : 192.168.1.11 mywebsite1.dev 3. Create your 3 .pem files (like Unigui doc) but with this conf : 3.1. cmd as admin cd C:\Program Files\OpenSSL-Win64\bin openssl genrsa -out root.key 2048 openssl req -x509 -days 3650 -new -nodes -key root.key -out root.pem -config san.cnf openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout key.pem -out cert.pem -config san.cnf 4. Copy the 3 .pem files C:\Program Files\OpenSSL-Win64\bin : root.pem cert.pem Key.pem near your Unigui Project.exe 5. Add the cert.pem on the Windows Trusted Root Certificates (in case of a windows server). The most important step here, wich is not indicated on the Unigui doc : (FmSoft Team, could you please add it ) Copy your cert.pem on a temporary location, example C:\cert.pem Open PowerShell as admin Type these commands : $certPath = "C:\cert.pem" $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath) $cert.Import($certPath) $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine" $certStore.Open("ReadWrite") $certStore.Add($cert) $certStore.Close() This will automatically add the certificat cert.pem on the trusted root certificats zone. If you want to do it in a single ligne (1 command ), just add ; between commands line1; line2; line3;....;line7 You can verify the new certificat, by openin win + R : mmc and go to the trusted root certificates zone 6. Run your Unigui SSL Project, and you will see the black padlock protected site. Have fun

Dears, I am developping an intranet Unigui application for SuperMarket : The purpose is to Scan BarCode from manager Smartphone Camera, in real time for Inventory. As the camera requires SSL, the URL will be a classical local Server IP adress like : https://192.168.1.5:8077 ( Customer server = 192.168.1.5 ) OK, we can buy Certificate from authority or get a free one, but in this case, supermarket customers have no internet. So, it's not possible to attribute a Domaine Name in intranet https://www.mysupermarket.com So, I give up ... The solution will be a Self Signed Certificate (with IPAdress). But all browsers reject this certificate. I googled and found how to export / import for accepting Certificate, but not work with the Unigui Farshad DEMO SSL. Any idea ? Thx.

I tested your code and works fine with .exe + SSL (Self signed Certificate). I did'nt try it as IIS +SSL. ________ How are you adding your SSL in IIS ?

I compiled all above in program wich create a Self Signed Certificate in 3 secondes. Best Regards... See the updated program here : http://forums.unigui.com/index.php?/topic/18951-help-with-ssl-intranet/&do=findComment&comment=141667 Prg.7z

maybe this will help to You: I use trusted certificate. I had set up in the URL='https://X.X.X.X:8070/...'and the problem was it. After I set it up in the URL='https://myaddres:8070/...' the problem solved in MsgSrv. http://forums.unigui.com/index.php?/search/&q="Self Signed certificate"&quick=1 or this:

Dear Friends, I have been developing with unigui in C++builder Alexandria 11.1 in 64 bit mode using standalone server and when enable SSL it is giving me this exception Exception class EIdOSSLLoadingRootCertError with message First chance exception at $00007FFAC43D4F69. Exception class EIdOSSLLoadingRootCertError with message 'Could not load root certificate. error:00000000:lib(0):func(0):reason(0)'. Process xxxxxx.exe (6852) It won't happen if i compile in 32 bits. I am a registered UNIGUI user and the version that i am using is the 1.90.0.1560. it is happening in both debug and release configuratons. For testing i am using the self signed certificate following UNIGUI documentaton instructions. Also i am using the SSL dll that comes with the 1560 version. SSL config on ServerModule is SSL.Enabled = True SSL.SSLOptions.RootCertFile = 'root.pem' SSL.SSLOptions.CertFile = 'fl.cert.pem' SSL.SSLOptions.KeyFile = 'fl.key.pem' SSL.SSLOptions.Method = sslvTLSv1_2 SSL.SSLOptions.SSLVersions = [sslvTLSv1_2] SSL.SSLOptions.Mode = sslmUnassigned SSL.SSLOptions.VerifyMode = [] SSL.SSLOptions.VerifyDepth = 0 SSL.SSLPassword = 'fmsoft' SSL.SSLPort = 8080 I also tried SSL.Enabled = True SSL.SSLOptions.RootCertFile = 'root.pem' SSL.SSLOptions.CertFile = 'fl.cert.pem' SSL.SSLOptions.KeyFile = 'fl.key.pem' SSL.SSLOptions.Method = sslvSSLv3 SSL.SSLOptions.SSLVersions = [sslvSSLv3] SSL.SSLOptions.Mode = sslmUnassigned SSL.SSLOptions.VerifyMode = [] SSL.SSLOptions.VerifyDepth = 0 SSL.SSLPassword = 'fmsoft' SSL.SSLPort = 8080 The result is identical So i hope that someone can give me some light on this. Thanks in advance

FYI, this one works 'from your example code': cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA'; (Stupid) question, I'm using a Self Signed certificate, could this be the issue?

Turns out that perhaps you could make a self signed certificate to avoid the pop-up message: Will try tomorrow. Lost a lot of time looking for a solution. Such information is not very clear in their website. Not even clear if self-signed certificates works or just trusted by a secure entities to a website only . https://qz.io/wiki/signing-messages Not verfy clear and even the presenter make some mistakes. Best source is this link below: https://ijustlearnedsomethingnewtoday.blogspot.com/2017/04/using-self-signed-certificates-with-qz.html I will keep you guys posted if it worked.

Hi I have exactly the same problem. With HyperServer.exe (64bit) , SSL starts fine with the 32bit nodes. I'm using a self signed certificate for testing, as per the instructions in the uniGUI Developer Manual. However when I start the HyperService service, I get the same error message as sertacb, above. I'm using uni-1.90.0.1523 (Professional). I'm using the same content in the hyper_service.cfg as the hyper_server.cfg, with the same same details in the hyper_service.ssl.cfg as in the hyper_server.ssl.cfg. Also when setting SSL.Enabled = False in hyper_service.ssl.cfg all works fine too (except not running on SSL). It is as if when running as service, the .pem files are not found? Will it help if I add the absolute paths to the .pem files in the hyper_service.ssl.cfg? Thanks, Alex.

Now I have tested SSL and it works. But Chrome and Firefox show "(certificate) not secure" because of self signed certificate. IE and Edge have no problem after adding the root certificate.

Do you use a self signed certificate or a trusted?