
UniGUI SSL Implementation Security Concerns


Darth Florus

Hi Pals:

My Customers work in conjunction with Banks. They (the Banks) carry out security audits occasionally.

This time They found some "Severe Security Issues" with My project made with UniGUI and implemented with SSL and as a Windows Service.

Attached are the audit issues They found, if You want to see them.

Basically They say that My way of doing the SSL implementation is not secure.

Based on the contents of the report I realize that They want Me to migrate My project from Windows Service to IIS because these security concerns are already solved.

Are They right? Is the OpenSSL implementation of UniGUI that bad?

Is there a way to configure UniGUI to avoid these attacks of Birthday, Beast, Poodle, and so on? (funny and fatal names)

Please Pals! I want to know Your experiences with SSL implementations about security concerns.

Thanks to All and

Best Regards

UniGui SSL Vulnerability.pdf


  • Administrators

Hi Oscar,

uniGUI internal SSL implementation is based on OpenSSL and Indy. It may not be up to date and it may have some flaws.

If you want an up to date SSL solution you need to deploy your app as ISAPI Module to Microsoft IIS or Apache for Windows.
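
The findings named in the question (Birthday, BEAST, POODLE) each correspond to a protocol and cipher-suite condition that a TLS scan of the server reports. As an added example that is not part of the original posts and is not uniGUI code, the Python below maps accepted protocol/suite pairs to those findings and the setting that removes each one. The scan-line format, `SAMPLE_SCAN`, `classify` and `audit` are assumptions made up for illustration, and "Birthday" is taken to mean the Sweet32 attack on 64-bit block ciphers.

```python
import re

# Constructed sample in a made-up "<protocol> <OpenSSL suite name> <result>" format.
SAMPLE_SCAN = """\
SSLv3   DES-CBC3-SHA                 accepted
SSLv3   RC4-SHA                      accepted
TLSv1.0 AES128-SHA                   accepted
TLSv1.2 ECDHE-RSA-DES-CBC3-SHA       accepted
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256  accepted
TLSv1.0 AES256-SHA                   rejected
"""

# OpenSSL names AES-CBC suites without "CBC" (AES128-SHA), so CBC is inferred
# by excluding AEAD, stream and NULL suites.
NOT_CBC = re.compile(r"GCM|CCM|CHACHA20|POLY1305|RC4|NULL")
# 64-bit block ciphers; 3DES appears as "DES-CBC3" in OpenSSL names.
BLOCK64 = re.compile(r"DES|IDEA|RC2")

FIX = {
    "POODLE": "disable SSLv3",
    "BEAST": "disable SSLv3 and TLS 1.0, or offer no CBC suites on them",
    "SWEET32": "remove 3DES and other 64-bit block cipher suites",
}

def classify(protocol, suite):
    """Return the findings one accepted (protocol, suite) pair triggers."""
    cbc = not NOT_CBC.search(suite)
    found = []
    if cbc and protocol == "SSLv3":
        found.append("POODLE")
    if cbc and protocol in ("SSLv3", "TLSv1.0"):
        found.append("BEAST")
    if cbc and BLOCK64.search(suite):
        found.append("SWEET32")
    return found

def audit(scan_text):
    """Map each finding to the accepted pairs that cause it."""
    report = {name: [] for name in FIX}
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[2] != "accepted":
            continue  # skip rejected suites and malformed lines
        protocol, suite = fields[0], fields[1]
        for name in classify(protocol, suite):
            report[name].append(f"{protocol} {suite}")
    return report

if __name__ == "__main__":
    for name, pairs in audit(SAMPLE_SCAN).items():
        print(f"{name}: {FIX[name]}")
        for pair in pairs:
            print(f"  offered: {pair}")
```
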


2 hours ago, Farshad Mohajeri said:

 you want an up to date SSL solution you need to deploy your app as ISAPI Module to Microsoft IIS or Apache for Windows.

 

Hello Farshad,

IMHO it's important information. You should add it to the SSL Deployment section (online documentation).

Thx.


3 hours ago, Farshad Mohajeri said:

Hi Oscar,

uniGUI internal SSL implementation is based on OpenSSL and Indy. It may not be up to date and it may have some flaws.

If you want an up to date SSL solution you need to deploy your app as ISAPI Module to Microsoft IIS or Apache for Windows.

Thank You very Much Mr. Farshad. This answer points me to the right path from today to the future.

The hyperserver is not available on IIS, I assume IIS has another alternative way to do something like that.

Thanks Again and

Best Regards


29 minutes ago, oflor said:

The hyperserver is not available on IIS, I assume IIS has another alternative way to do something like that.

Hyperserver works fine on IIS.

You mean, SSL?

Yes, after buying an SSL from a company (GoDaddy, NameCheap, ...) and sending them your Certificate (cert.pem) you should choose the destination (IIS or other) and activate it on your server IIS panel.


17 hours ago, Abaksoft said:

Hyperserver works fine on IIS.

You mean, SSL?

Yes, after buying an SSL from a company (GoDaddy, NameCheap, ...) and sending them your Certificate (cert.pem) you should choose the destination (IIS or other) and activate it on your server IIS panel.

Thank You very much Pal!

I did not know that about Hyperserver!

After several years I will be using IIS again, just for one feature that doesn't work as expected in service mode; everything else works excellent for Me.

I hope that soon the Linux implementation with UniGUI and the Apache module works well enough to use it (including good SSL support). I really don't like to use IIS.

Best Regards


1 hour ago, oflor said:

Thank You very much Pal!

I did not know that about Hyperserver!

After several years I will be using IIS again, just for one feature that doesn't work as expected in service mode; everything else works excellent for Me.

I hope that soon the Linux implementation with UniGUI and the Apache module works well enough to use it (including good SSL support). I really don't like to use IIS.

Best Regards

http://www.unigui.com/doc/online_help/hyperserver-isapi-module-mode.htm

Best Regards


21 hours ago, Abaksoft said:

Thank You very much for Your help Pal!!!

I breathe with relief that I don't need to change My project from .exe to .dll. It has some customizations that I know don't work very well when used inside IIS.

Best Regards


3 hours ago, oflor said:

 It has some customizations that I know don't work very well when used inside IIS.

You can always ask our Maestro Sherzod.

He has a huge symphony in his bag :)
