Help with SSL intranet!


sicoobcooplivre


Good morning!
I'm using Delphi 10.3 and uniGUI Personal 1.90.0.1549.
When I use the SSL demo to study how to use an SSL certificate, it gives the error:

ssl.exe: 00000EAC: 08:17:20
[Indy]:EIdOSSLUnderlyingCryptoError : Error accepting connection with SSL.
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown : Addr: $00790FB7

Does anyone have any idea what could be wrong and can help me?
Thank you very much!


Yea!
My scenario is the following: I created my application for the intranet!
I followed the uniGUI manual to create the SSL certificate.
I tested it some time ago on the SSL Demo, and I remember that it worked right away.
Now the need arose for me to configure the application to work with SSL.
I compiled the demo again to test, and it gives me the error I mentioned!
I already updated the DLLs libeay32.dll and ssleay32.dll, but nothing helped!
Can you help me?
Thank you!


10 hours ago, sicoobcooplivre said:

Good morning!
I'm using Delphi 10.3 and uniGUI Personal 1.90.0.1549.
When I use the SSL demo to study how to use an SSL certificate, it gives the error:

ssl.exe: 00000EAC: 08:17:20
[Indy]:EIdOSSLUnderlyingCryptoError : Error accepting connection with SSL.
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown : Addr: $00790FB7

Does anyone have any idea what could be wrong and can help me?
Thank you very much!

 

http://forums.unigui.com/index.php?/topic/15767-ssl/&do=findComment&comment=86771


10 hours ago, sicoobcooplivre said:

Good morning!
I'm using Delphi 10.3 and uniGUI Personal 1.90.0.1549.
When I use the SSL demo to study how to use the SSL certificate, it gives the error:

ssl.exe: 00000EAC: 08:17:20
[Indy]:EIdOSSLUnderlyingCryptoError : Error accepting connection with SSL.
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown : Addr: $00790FB7

Does anyone have any idea what could be wrong and can help me?
Thank you very much!

I sent a private message


5 hours ago, picyka said:

I sent you my contact details in private.

Hello,

From Google:

"When you use a self-signed SSL certificate, browsers cannot verify its authenticity. This means that the browser will detect an invalid SSL certificate and display a warning message to indicate the problem to users. 15 Dec. 2021"

Perhaps in the past it was valid and used for the uniGUI demo; today it is no longer used.

You have to buy a genuine SSL certificate from a known authority. You can try some cheaper SSL certificates.

 

 

 



Dears,

I am developing an intranet uniGUI application for a supermarket:

The purpose is to scan barcodes from the manager's smartphone camera, in real time, for inventory.

As the camera requires SSL, the URL will be a classical local server IP address like: https://192.168.1.5:8077

(Customer server = 192.168.1.5)

OK, we can buy a certificate from an authority or get a free one, but in this case the supermarket customers have no internet.

So it's not possible to assign a domain name on the intranet, such as
https://www.mysupermarket.com

So, I give up ...

The solution will be a self-signed certificate (with IP address). But all browsers reject this certificate.
I googled and found how to export / import to accept the certificate, but it does not work with the uniGUI Farshad DEMO SSL.

Any idea?
Thx.


8 hours ago, Sherzod said:

Hello,

Can you please clarify?

First of all, were you able to generate a self-signed certificate with an IP address?

Thank you Sherzod.

On the customer server, with OpenSSL as described in the uniGUI developer manual,

and the SSL Demo. Nothing more.

In other words, how can we run an SSL uniGUI app on a local network (without internet)?

Thx.

 


Dears,

I was finally able to do something:

If one day you have to develop a uniGUI app:
- on a local network,
- without internet,
- which requires SSL (for example a scanning camera),

then read the following:

I thought, wrongly, of creating a "self-signed certificate". Today, most browsers reject them.

So, after 3 days of searching, I understood that it was necessary to use another technique: create a localhost certificate with mkcert.

This is inspired by (thanks to the author):
https://technixleo.com/create-locally-trusted-ssl-certificates-with-mkcert-on-windows

 

OK... Step by step:

1. Installing mkcert on Windows

1.1 mkcert can be installed by Chocolatey.
To install Chocolatey, you must first ensure the AllSigned policy.
Open PowerShell as admin:
Get-ExecutionPolicy
If Restricted, then:
Set-ExecutionPolicy AllSigned

1.2 To install Chocolatey, see https://chocolatey.org/install

In PowerShell type (on a single line):
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

1.3 Install mkcert
In PowerShell type:
choco install mkcert

The mkcert directory (by default) is:
C:\Users\...\AppData\Local\mkcert


2. Generate my 2 pem files

In PowerShell type:
mkcert -install

This will generate 2 files in C:\Users\...\AppData\Local\mkcert:
rootCA.pem
rootCA-key.pem

3. Generate a localhost.p12 certificate

In PowerShell type:
mkcert -pkcs12 localhost
This will generate the localhost.p12 certificate, which will be in the PowerShell directory, i.e. ..\System32

 

 

4. Import the localhost certificate

Press Win + R keys: mmc

File > Add > Certificates > Add
Computer account
Local computer
OK

Right click on Web Hosting
Certificates > All Tasks
Machine Room
Select the localhost.p12 certificate, Next

Specify the password (default): changeit
Check: Key Exportable

Place the certificate in:
Web Hosting (depends on your Windows language: for example in French: Hébergement Web)

This will create 2 certificates (in Web Hosting):
- localhost
- mkcert myDESKTOP-xxx

 

5. uniGUI project

Requires 3 files:
cert.pem
key.pem
root.pem

Do not use
root.pem = rootCA.pem (C:\Users\...\AppData\Local\mkcert)
key.pem = rootCA-key.pem (C:\Users\...\AppData\Local\mkcert)

which are generated by mkcert.

Use instead the new 3 files, obtained online (by converting the p12 file into a new global pem file).

 

5.1 Split localhost.p12 into 3 files

You can obtain the 3 files via a conversion of the certificate localhost.p12.

Use online:
https://www.sslshopper.com/ssl-converter.html

- Upload the certificate file: localhost.p12
- Indicate the type: PFX/PKCS#12
- Convert to: Standard PEM
- Password: changeit

You will get a global file containing 3 blocks: start ... end

Separate them with Notepad, and save them into 3 files:
The first = cert.pem
The second = root.pem
The third = key.pem


5.2 Compile your project and run it:

https://localhost:8077/

is Secure :)

Have fun...

___________________

PS: if you are interested in an easy way to scan barcodes via your Android device (which requires an SSL URL),

you can use Falcon Store - Components Delphi from our friend Marlon.

Very fast and light!

http://forums.unigui.com/index.php?/topic/11359-falcon-store-components-delphi-httpsstorefalconsistemascombr/#comment-60260

 


 

We won the first half of the match. The second half remains:

Using our SSL on Android via Wi-Fi.

All Google topics say that it's enough to import this p12 certificate on the mobile (Android device). I tried.... But still the padlock shows Not Secure :(

As I launch the app from my mobile like: https://192.168.1.11:8077 and not https://localhost:8077

- So, I created a new p12 certificate (only on the server): 192.168.1.11.p12

- And tested it first on my other Windows PCs (local network): just import it as described in step 4 above (Press Win + R keys: mmc)

Then open the browser with

https://192.168.1.11:8077

And.... Yes, the padlock is Secure.

- But when I did the same on Android.... Hmm...... Not secure

I did many Google searches: "importing trust certificate on android phone". No result :(

Any help is welcome

Thx


On 5/20/2023 at 8:53 PM, Abaksoft said:

So it's not possible to assign a domain name on the intranet

https://www.mysupermarket.com

Yes it is possible :)

Solution:

1. Edit the hosts file:

c:\windows\system32\drivers\etc\hosts

2. Add this line, for example:

192.168.1.11   mysite.com

Save it.

(192.168.1.11 is your local server)

3. Do the same on all your local PCs.

4. Create on your server a p12 certificate for mysite.com (as described above, steps 3 + 4)

powershell > mkcert -pkcs12 mysite.com

5. Install it on both your server and the client PCs

6. Run your app from all local PCs:

https://mysite.com

is secure :)

____

PS: don't ask me about mobile devices (Android). I don't know...


 

In a previous topic, we saw how to create a self-signed certificate with mkcert and trust it with mmc.

That works fine, but it is a heavy method!

Here we will see another method, much easier:

OK, step by step:

1. Install the latest OpenSSL

2. Prepare a conf file (Notepad):

[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = N/A
localityName = N/A
organizationName = Self-signed certificate
commonName = 120.0.0.1: Self-signed certificate
[req_ext]
subjectAltName = @alt_names
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.11

 

2. Save it as C:\Program Files\OpenSSL-Win64\bin\san.cnf
- Replace the IP.1 variable with your IP address (local machine)
- If you want DNS instead of IP, replace the section [alt_names] with:
[alt_names]
DNS.1   = mywebsite1.dev
DNS.2   = mywebsite2.dev

On a local network, without internet, mywebsite1.dev should be defined in the C:\Windows\System32\drivers\etc\hosts file:
192.168.1.11  mywebsite1.dev

3. Create your 3 .pem files (like the uniGUI doc) but with this conf:

3.1. cmd as admin
cd C:\Program Files\OpenSSL-Win64\bin

openssl genrsa -out root.key 2048
openssl req -x509 -days 3650 -new -nodes -key root.key -out root.pem -config san.cnf
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout key.pem -out cert.pem -config san.cnf

 


4. Copy the 3 .pem files from
C:\Program Files\OpenSSL-Win64\bin:
root.pem
cert.pem
key.pem

next to your uniGUI Project.exe

5. Add the cert.pem to the Windows Trusted Root Certificates (in the case of a Windows server).

The most important step here, which is not indicated in the uniGUI doc: (FMSoft team, could you please add it?)

Copy your cert.pem to a temporary location, for example C:\cert.pem
Open PowerShell as admin
Type these commands:

$certPath = "C:\cert.pem"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
$cert.Import($certPath)
$certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"
$certStore.Open("ReadWrite")
$certStore.Add($cert)
$certStore.Close()

This will automatically add the certificate cert.pem to the Trusted Root Certificates zone.
If you want to do it on a single line (1 command), just add ; between the commands:
line1; line2; line3; ...; line7

You can verify the new certificate by opening Win + R: mmc
and going to the Trusted Root Certificates zone.

6. Run your uniGUI SSL project, and you will see the black padlock of a protected site.

Have fun :)
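The mkcert post above and this OpenSSL recipe both end with root.pem, cert.pem and key.pem, but in the san.cnf recipe cert.pem is itself self-signed (which is why it has to be pushed into the Trusted Root store), and the mkcert route sends the p12, private key included, through an online converter. The following is an added example, not code from this thread or from uniGUI/FMSoft, that builds the same three files locally on any machine with OpenSSL 1.1.1+: a private root CA, a server certificate signed by that CA with the thread's 192.168.1.11 and mysite.com in the SAN, and the two checks a browser performs (chain to the imported root, SAN match against the URL). The CA name, file names and output directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or uniGUI): a private root CA plus a
# server certificate SIGNED BY IT, with the IP and hosts-file name in the SAN,
# then the two checks a browser makes: chain to a trusted root, SAN match.
# Assumes OpenSSL 1.1.1+ on PATH; all names and paths are constructed.
set -eu

make_intranet_certs() {            # $1 out dir, $2 server IP, $3 server name
  mkdir -p "$1"
  # Root CA config (replaces the system openssl.cnf so the result is the same
  # on every OpenSSL build). root.pem is the file clients import as trusted.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\nprompt=no\n' > "$1/ca.cnf"
  printf '[dn]\ncommonName=Intranet Root CA\n[ca_ext]\n' >> "$1/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/ca.cnf" \
    -keyout "$1/rootCA-key.pem" -out "$1/root.pem" 2>/dev/null
  # Server key + CSR. Only the CN lives here; browsers ignore it for matching.
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\ncommonName=%s\n' "$3" > "$1/srv.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/srv.cnf" \
    -keyout "$1/key.pem" -out "$1/server.csr" 2>/dev/null
  # Leaf extensions: the SAN is what the URL host is matched against.
  printf 'subjectAltName=IP:%s,DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" "$3" > "$1/san.ext"
  printf 'extendedKeyUsage=serverAuth\n' >> "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/root.pem" -CAkey "$1/rootCA-key.pem" \
    -CAcreateserial -days 825 -extfile "$1/san.ext" -out "$1/cert.pem" 2>/dev/null
}

# Check 1: cert.pem must chain to root.pem (the root the client has installed).
chain_ok() { openssl verify -purpose sslserver -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1; }

# Check 2: the exact IP or DNS name typed in the URL must appear in the SAN.
name_ok() {
  case "$2" in
    *[!0-9.]*) out=$(openssl x509 -in "$1/cert.pem" -noout -checkhost "$2") ;;
    *)         out=$(openssl x509 -in "$1/cert.pem" -noout -checkip "$2") ;;
  esac
  case "$out" in *"does match"*) return 0 ;; *) return 1 ;; esac
}

# Usage: sh intranet-cert.sh ./out 192.168.1.11 mysite.com
if [ $# -eq 3 ]; then
  make_intranet_certs "$1" "$2" "$3"
  chain_ok "$1" && name_ok "$1" "$2" && name_ok "$1" "$3" && echo "OK: $1/cert.pem"
fi
```

Import root.pem (not cert.pem) into Trusted Root Certification Authorities on the clients; cert.pem and key.pem go next to the uniGUI executable, and the private CA key stays off the server.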
