HTTPS seems blocked in RTC
Craig David Oberfield 2018-10-31 00:10:09 Registered user
Hello there,
I need some help with this problem. I know that I must be overlooking something simple. I have already tried Delphi XE2 and 10 (Seattle) with RTC versions 6.x and 9.x and StreamSec 2.3. I tried a few of the RTC demos RTCWebServer and RTCFileServer. The problem is that anything on HTTPS is blocked somewhere when "ServerHTTPS.CryptPlugin:=GetServerCryptPlugin;" is used. The tested browsers (Chrome and Edge) just wait for a response and then after about 90 seconds time out with "localhost didn't send any data.". The demo apps show client connections but have zero bytes in or out. They do work fine over HTTP. I never get any message about certificates. I used the provided demo certificates for testing on a Windows 10 Pro computer. I have successfully used RTC over HTTP in a standalone server for many years and I need to add HTTPS. Is this a certificate issue? Do I have to set permissions on a folder? Please get me on the correct track. Thank you.
Henrick Wibell Hellström 2018-10-31 13:22:08 Registered user
Yes, an HTTPS server will need a server certificate for the domain or domains it publishes. The certificate must not have expired and the server will need access to the corresponding private key.
ST 2.3 supports the PKCS#12/PFX format, so the certificate and private key have to be bundled in such a file.
Craig David Oberfield 2018-10-31 18:23:07 Registered user
Two questions about this.
1) The correct ST 2.3 response is just a data block with no error message and therefore no browser message?
2) Given that the many servers that I deploy are all intranet (192.168.x.x or 10.0.x.x) and in most cases there is no domain name, do I use the machine name (server.local) or the IP numbers or ...? I can make self-signed certificates with OpenSSL. Thank you.
Henrick Wibell Hellström 2018-10-31 18:57:54 Registered user
1. HTTPS is exactly the same as HTTP at the HTTP level. If there is a fatal error at the TLS level, such as cipher suite mismatch, no certificate, etc., a fatal alert is sent over the TLS protocol layer to the other peer, and the connection is closed without sending anything over HTTP.
2. Might work, but some browsers will not accept server certificates with numerical IP addresses as common name. An alternative is to give the addresses a name manually, by altering the C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file on each client computer on the network.
Craig David Oberfield 2018-10-31 21:33:40 Registered user
"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS file on each client computer on the network." that will not work because all the clients are Android or iOS pads.
I will post my success here when I get further. Thanks again.
Craig David Oberfield 2018-11-06 19:27:54 Registered user
Hello, Henrick.
I DID get a first test example to work with your provided certificates and the RTCWebServer demo. The issue that I was having is that my OpenSSL certificates were not in PEM format and that is required by your parser. I will post back when I get further. There was no error or exception thrown that I could detect. Also a note to others: I do not believe that when using RTC for a standalone web server you will need to install any certificates onto the server computer.
Henrick Wibell Hellström 2018-11-07 21:19:09 Registered user
Part of your problems is due to the version you are using. For instance, ST 4.0 raises exceptions during key decoding where ST 2.3 is silent, etc.
The rtcSSecTest unit only supports CER and PFX files, but that is largely a simplification. ST 2.3 and ST 4.0 both support a wider range of file formats. Not providing a demo interface for all of them is a design decision based on documentation requirements and support requirements.
Craig David Oberfield 2018-11-07 22:02:08 Registered user
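The thread touches three practical points: the server certificate has to be valid and come with its private key (bundled as PKCS#12/PFX for ST 2.3), an intranet host reached by IP address needs that address in the certificate rather than only in the common name, and a DER file handed to a PEM-only parser fails without any visible error. The script below is an added example using plain OpenSSL; it is not code from this thread, from RTC or from StreamSec. The host name server.local, the address 192.168.1.10 and the PFX password are constructed sample values, and it assumes the openssl command is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, RTC or StreamSec): build a self-signed
# server certificate whose subjectAltName carries both a local host name and
# the intranet IP address, bundle certificate + key as PKCS#12/PFX, and check
# that the file handed to the server is PEM (converting DER if it is not).
# Assumptions: openssl on PATH; host name, IP and password are sample values.
set -e

WORK=$(mktemp -d)
HOST_NAME="server.local"      # constructed sample value
HOST_IP="192.168.1.10"        # constructed sample value
PFX_PASS="pass:changeit"      # constructed sample value

# Request config carrying the SAN extension; works on releases older than
# the ones that accept "-addext" on the command line.
cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $HOST_NAME
[v3_server]
subjectAltName = DNS:$HOST_NAME, IP:$HOST_IP
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF

# Self-signed certificate and unencrypted private key, both written as PEM.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Succeeds when the SAN lists the intranet address (browsers ignore the CN).
san_has_ip() {
    openssl x509 -in "$WORK/server.pem" -noout -text |
        grep -q "IP Address:$HOST_IP"
}

# Succeeds when the certificate is inside its validity period right now.
cert_not_expired() {
    openssl x509 -in "$WORK/server.pem" -noout -checkend 0 >/dev/null
}

# Bundle certificate and private key as PKCS#12/PFX.
bundle_pfx() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
        -out "$WORK/server.pfx" -passout "$PFX_PASS"
}

# Succeeds when the PFX opens with the password and its MAC verifies.
pfx_is_readable() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "$PFX_PASS" -noout 2>/dev/null
}

# Print pem, der or unknown for a certificate file, so a DER file is caught
# before a PEM-only parser silently rejects it.
cert_format() {
    if grep -q "BEGIN CERTIFICATE" "$1" 2>/dev/null; then
        echo pem
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo der
    else
        echo unknown
    fi
}

# Convert a DER certificate ($1) to PEM ($2).
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

make_selfsigned
san_has_ip && echo "SAN contains IP:$HOST_IP"
cert_not_expired && echo "certificate is within its validity period"
bundle_pfx
pfx_is_readable && echo "PFX bundle opens and its MAC verifies"

# Reproduce the format mix-up: write a DER copy, detect it, convert it back.
openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
echo "server.der is: $(cert_format "$WORK/server.der")"
der_to_pem "$WORK/server.der" "$WORK/converted.pem"
echo "converted.pem is: $(cert_format "$WORK/converted.pem")"
```

Run it as a script; it leaves the key, PEM certificate, PFX bundle and the DER/PEM pair in a temporary directory whose path is in WORK. The SAN is the part a browser actually checks: a certificate with only CN=192.168.1.10 is rejected by current Chrome regardless of whether the user has imported it, while one that lists IP:192.168.1.10 in subjectAltName is accepted once the device trusts it.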
I'm posting here to help others and to let them know that the RTC + StreamSec solution works fine.
Our problem required a web server running on the intranet (local IPs) and HTTPS to support powerful browser features in Chrome ver 70+. We have our test web server (RTC) working using our own OpenSSL certificates. On Chrome devices we get prompted one time to trust the certificate, unless we install it to the device (usually a Samsung Pad) manually. My next step is to move this solution over to our release server that serves our Web App. We may choose to buy our certificates from a trusted authority to avoid having to install them onto the devices. Thanks to Henrick for his help and hard work on StreamSec tools. Thank you.
Henrick Wibell Hellström 2018-11-08 10:45:46 Registered user
You're welcome and thank you for your kind words!