
UniGUI SSL Implementation Security Concerns


Darth Florus


Hi Pals:

My Customers work in conjunction with Banks. They (the Banks) make security audits occasionally.

This time They found some "Severe Security Issues" with My project made with UniGUI and implemented with SSL and as a Windows Service.

Attached are the audit issues They found, if You want to see them.

Basically They say that My way to do the SSL implementation is not secure.

Based on the contents of the report I realize that They want Me to migrate My project from Windows Service to IIS because these security concerns are already solved.

Are They right? Is the OpenSSL implementation of UniGUI that bad?

Is there a way to configure UniGUI to avoid these attacks of Birthday, Beast, Poodle, and so on? (funny and fatal names)

Please Pals! I want to know Your experiences with SSL implementations about security concerns.

Thanks to All and

Best Regards

UniGui SSL Vulnerability.pdf
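
What the three findings named in the post above correspond to in a server's TLS configuration, as an added example that is not part of the original post or of uniGUI: Birthday (Sweet32) is a 64-bit block cipher such as 3DES in CBC mode, BEAST is a CBC suite on TLS 1.0 or earlier, and POODLE is a CBC suite on SSLv3. The scan lines are constructed sample input and the function names are hypothetical.

```python
import re

# Constructed sample (not taken from the attached PDF): "protocol cipher" pairs,
# using protocol and OpenSSL cipher names as Python's ssl.SSLSocket.cipher() reports them.
SAMPLE_SCAN = """\
SSLv3 DES-CBC3-SHA
TLSv1 AES128-SHA
TLSv1.2 ECDHE-RSA-DES-CBC3-SHA
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 AES256-SHA256
TLSv1 RC4-SHA
TLSv1.3 TLS_AES_128_GCM_SHA256
"""

LEGACY = {"SSLv3", "TLSv1", "TLSv1.0"}  # TLS 1.0 and earlier


def classify(protocol, cipher):
    """Return the set of findings one negotiated (protocol, cipher) pair raises."""
    name = cipher.upper()
    aead = any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))
    stream_or_null = "RC4" in name or "NULL" in name
    cbc = not aead and not stream_or_null  # OpenSSL names omit "CBC" for AES suites
    block64 = bool(re.search(r"DES|IDEA|RC2", name))  # common 64-bit block ciphers
    found = set()
    if block64 and cbc:
        found.add("Birthday")  # Sweet32: applies at any protocol version
    if protocol in LEGACY and cbc:
        found.add("BEAST")     # CBC suite with TLS 1.0 or earlier
    if protocol == "SSLv3" and cbc:
        found.add("POODLE")    # CBC padding in SSLv3
    return found


def audit(scan_text):
    """Map each finding to the (protocol, cipher) pairs that trigger it."""
    report = {"Birthday": [], "BEAST": [], "POODLE": []}
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        protocol, cipher = line.split()
        for finding in classify(protocol, cipher):
            report[finding].append((protocol, cipher))
    return report


if __name__ == "__main__":
    for finding, pairs in audit(SAMPLE_SCAN).items():
        print(finding, pairs)
```

An empty report for every accepted pair is the state the audit is asking for; RC4 and other weaknesses outside these three findings are not flagged by this check.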


2 hours ago, Farshad Mohajeri said:

If you want an up to date SSL solution you need to deploy your app as ISAPI Module to Microsoft IIS or Apache for Windows.

Hello Farshad,

IMHO it's important information. You should add it to the SSL Deployment section (online documentation).

Thx.


3 hours ago, Farshad Mohajeri said:

Hi Oscar,

uniGUI internal SSL implementation is based on OpenSSL and Indy. It may not be up to date and it may have some flaws.

If you want an up to date SSL solution you need to deploy your app as ISAPI Module to Microsoft IIS or Apache for Windows.

Thank You very Much Mr. Farshad. This answer points me to the right path from today to the future.

The hyperserver is not available on IIS, I assume IIS has another alternative way to do something like that.

Thanks Again and

Best Regards


29 minutes ago, oflor said:

The hyperserver is not available on IIS, I assume IIS has another alternative way to do something like that.

Hyperserver works fine on IIS.

You mean SSL?

Yes, after buying an SSL from a company (GoDaddy, NameCheap, ...) and sending them your Certificate (cert.pem), you should choose the destination (IIS or other) and activate it on your server's IIS panel.


17 hours ago, Abaksoft said:

Hyperserver works fine on IIS.

You mean SSL?

Yes, after buying an SSL from a company (GoDaddy, NameCheap, ...) and sending them your Certificate (cert.pem), you should choose the destination (IIS or other) and activate it on your server's IIS panel.

Thank You very much Pal!

I did not know that about Hyperserver!

After several years I will be using IIS again, just for one feature that doesn't work as expected in service mode; everything else works excellently for Me.

I hope that soon the Linux implementation with UniGUI and the Apache module works well so I can use it (including good SSL support). I really don't like to use IIS.

Best Regards


1 hour ago, oflor said:

Thank You very much Pal!

I did not know that about Hyperserver!

After several years I will be using IIS again, just for one feature that doesn't work as expected in service mode; everything else works excellently for Me.

I hope that soon the Linux implementation with UniGUI and the Apache module works well so I can use it (including good SSL support). I really don't like to use IIS.

Best Regards

http://www.unigui.com/doc/online_help/hyperserver-isapi-module-mode.htm

Best Regards


21 hours ago, Abaksoft said:

Thank You very much for Your help Pal!!!

I breathe with relief that I don't need to change My project from .exe to .dll. It has some customizations that I know don't work very well when used inside IIS.

Best Regards
