Running on the Web

SSL/TLS Security Certificates

SSL/TLS (Secure Sockets Layer/Transport Layer Security) is an industry-standard protocol for managing the security of message transmissions over the Internet. It is used by millions of Web applications around the world for the protection of online customer transactions. Using the SSL/TLS protocol in a website instills confidence that the user can expect a secure link and that the source belongs to a valid, legitimate organization.

SSL/TLS encrypts the data, rendering it unreadable to anyone who may try to intercept the transmission. When an SSL/TLS session is started, the server sends its public key (in its certificate) to the client; the client uses that public key to encrypt a randomly generated secret and send it back to the server, and from that secret both sides derive the session keys, establishing a secret key "exchange" for that session.

For information on how SSL/TLS can be used with PxPlus applications, see PxPlus SSL/TLS Support.

Certificates and Encryption Keys

To be able to generate an SSL/TLS link, a server requires an SSL/TLS certificate. While it is possible to generate your own certificate using tools available on the Internet, you should only use these internally or for testing your site. With self-generated certificates, users will likely receive warning messages on their browsers stating that the certificate has not been authenticated and may not be from a "trusted authority".

Of course, "certificate not trusted" errors in your commercial applications would be undesirable and could drive away customers. If you want to avoid warnings like these, you should obtain your SSL/TLS certificates from a trusted third-party Internet Certification Authority. Most major operating systems and browsers maintain lists of trusted Certification Authorities and establish secure links using their certificates transparently. The padlock symbol is often used to signify when an encrypted link is established using a trusted SSL/TLS certificate.

Several trusted Internet Certification Authorities are available for acquiring certificates. Obtaining a trusted certificate will require payment, domain verification, and possibly business/organization verification. The trusted certificate will last a year or longer. It is possible to get a trusted certificate for free using the Let's Encrypt service with the only limitations being that the certificates last 90 days and they do not provide business/organization verification. Let's Encrypt supports automated certificate renewal through client software; therefore, the 90-day expiry is not an issue.

For information on using Let's Encrypt certificates with PxPlus, see Let's Encrypt SSL/TLS Certificates.

(Support for Let's Encrypt was added in PxPlus 2019.)

Usually, the encryption key obtained from a Certificate Authority controls the level of encryption, such as 40-bit, 56-bit, 128-bit or 1024-bit encryption.

Internet communication, client-to-server or server-to-client, must be either encrypted or unencrypted at both ends. Requests cannot be mixed, as it is impossible for an unencrypted browser to communicate with an encrypted server and vice versa. By convention, browser requests addressed with http:// are sent to an unencrypted Web server. Use https:// to make requests to an SSL/TLS encrypted Web server.

Note:
PxPlus, in conjunction with SSL/TLS services provided by the PVX Plus Technologies website, provides a utility, *TOOLS/SSLCERT, that can be used to create a Self-Signed Certificate.

(The SSL Certificate Generator program was added in PxPlus 2017.)

PxPlus SSL/TLS Support

Support for TCP/IP-level SSL/TLS encryption is available as part of the base PxPlus license.

Note:
PxPlus uses OpenSSL libraries to provide SSL/TLS functionality. An X509 certificate created for use with OpenSSL or Apache is needed. (Apache also uses OpenSSL libraries.) An X509 certificate usually comes in the form of a PEM file, which contains both the certificate and private key, or two PEM files, one containing the certificate and the other containing the private key.

You may get a certificate in a different format such as the Microsoft PFX file format. To use this with PxPlus, conversion to a PEM file is necessary. This can be accomplished with the PxPlus utility, *TOOLS/PFXCERTCONVERT.

(Support for separate PEM files and PFX conversion was added in PxPlus 2019.)

PxPlus uses OpenSSL to provide SSL/TLS functionality. On Windows/Mac, PxPlus ships with OpenSSL. On Linux/AIX, PxPlus uses the OS-provided OpenSSL. PxPlus 2020 allows you to specify which OpenSSL PxPlus should use by setting the environment variables PXP_CRYPTO_LIB and PXP_SSL_LIB. It is also possible to query which version of OpenSSL PxPlus is using by issuing a TCB("OpenSSL_Version").

(The environment variables PXP_CRYPTO_LIB and PXP_SSL_LIB were added in PxPlus 2020.)

SSL/TLS is available for all TCP/IP connections. See [TCP] Transmission Control Protocol.

Control of SSL/TLS for existing TCP/IP connections is possible using the SETDEV SET directive or the PRINT 'OPTION' mnemonic with SSL/TLS specific options. See SETDEV SET directive, 'OPTION' mnemonic and TCP Options. For an example of switching an unsecure TCP connection to a secure one, see Changing from Non-Secure to Secure.

SSL/TLS is supported by the WindX thin-client, Simple Client-Server. See PxPlus Simple Client-Server Interface.

SSL/TLS is supported by the legacy WindX thin-clients, Application Server and NTHost/NTSlave. See Application Server and NTHost/NTSlave.

The EZWeb Server supports SSL/TLS encryption for transactions between your Web server and the user's browser. See PxPlus EZWeb Server.

The legacy PxPlus Web Server interface supports SSL/TLS encryption for transactions between your Web server and the user's browser. See PxPlus Web Server Reference.

The email utilities *web/email, *web/testemail and *web/smtp all support SSL/TLS and STARTTLS encryption. See Email Utility (*web/email), *web/testemail Utility and SMTP Utility (*web/smtp).

Both the PxServer and the PxIO Library support SSL/TLS encryption. See Configuring PxServer and PxIOCreateService.

Global PxPlus SSL/TLS Settings

Global settings for handling SSL/TLS can be set by using either of the following two methods:

Specific Environment Variables:

PVX_CERTIFICATES=IGNORE | VALIDATE | TRUSTREQD
PVX_CERTSTORE=pathname
PXP_CRYPTO_LIB=pathname
PXP_SSL_LIB=pathname

PxPlus INI Settings:

Certificates=IGNORE | VALIDATE | TRUSTREQD
CertStore=pathname
AllowedCiphers=list
IPV4Only=0 | 1
NoTLSv1.1=0 | 1

FIN( ) Function for SSL/TLS

If SSL/TLS encryption is being used with your PxPlus application, the FIN( ) function will obtain SSL/TLS details regarding a particular connection; e.g. FIN(10,"SSL_CIPHER").

The following keywords pertain specifically to SSL/TLS:

X509_ISSUER        Who issued the certificate
X509_SUBJECT       Who the certificate was issued to
X509_NOT_BEFORE    Earliest date the certificate is valid for
X509_NOT_AFTER     Latest date the certificate is valid for
X509_KEYTYPE       Type of key in the certificate (DSA/RSA and number of bits)
SSL_CIPHER         Description of the cipher negotiated for the SSL/TLS connection, as per the OpenSSL SSL_CIPHER_description() specification

All X509 keywords return information about the remote certificate; i.e. from either the server certificate (if a client requests it) or the client certificate (if the server requests it). Any of the X509 requests can be prefixed with MY_ to return the local station's certificate information.

Example:

MY_X509_KEYTYPE, MY_X509_SUBJECT

These requests can only be made once a connection is established. When made on a server, the X509/SSL information pertains to the last/current socket connected.