SecureBlackbox 2020 iOS Edition

Questions / Feedback?

TLSServer Class

Properties   Methods   Events   Configuration Settings   Errors  

The TLSServer class implements server-side functionality of the TLS protocol. In the TLS-disabled mode it works as a plain TCP server.

Syntax

SecureBlackboxTLSServer
SecureBlackboxTLSServerSwift

Remarks

Use this component to accept TLS-encrypted or plain TCP connections in your application.

Follow the below steps to set up and run the server in your code:

  • Create an instance of the server component and set up the license, if assumed by the edition you are using:
          var server = new Tlsserver();
          server.RuntimeLicense = "5342..0000";
        
  • Set up the listening port (make sure it is not in use):
          server.Port = 3456;
        
  • Tell the component whether TLS connections should be enforced:
          server.UseTLS = false; // set to true to enable TLS
        
  • (TLS-enabled servers only) Configure TLS parameters. The exact way of doing that may vary for different scenarios and security requirements. At the very least you need to set up the certificate chain that the server will use to authenticate itself to connecting clients. If you don"t, the component will generate a dummy certificate itself, however, that certificate is unlikely to pass any security requirements. It will let you accept test connections though.

    Below is an example of tuning up the TLS parameters of the server:

          // *** Switching TLS on and enabling the implicit mode ***
    
          server.UseTLS = true;
          server.TLSSettings.TLSMode = smImplicitTLS;
    
          // Loading the certificate chain
          var mgr = new Certificatemanager();
          mgr.RuntimeLicense = "5342..0000";
    
          // *** Setting up the host certificate ***
    
          // - it should be issued in the name that matches the hostname (such as domain.com) or its IP address (1.2.3.4),
          // - it must have an associated private key - so likely is provided in PFX or PEM format.
          mgr.ImportFromFile("CertTLSServer.pfx", "password");
          server.ServerCertificates.Add(mgr.Certificate);
    
          // The CA certificate: this is to help connecting clients validate the chain.
          mgr.ImportFromFile("CertCA.cer", "");
          server.ServerCertificates.Add(mgr.Certificate);
    
          // *** Adjusting finer-grained TLS settings ***
    
          // - session resumption (allows for faster handshakes for connections from the same origin)
          server.TLSSettings.UseSessionResumption = true;
    
          // - secure configuration
          server.TLSSettings.BaseConfiguration = stpcHighlySecure;
    
          // - disabling a ciphersuite we dislike (just because we can):
          server.TLSSettings.Ciphersuites = "-DHE_RSA_AES128_SHA"
    
          // *** Configuring versions ***
    
          // The default version setting at the time of writing (May 2021) is TLS 1.2 and TLS 1.3,
          // but that may change in future versions. The following tune-up additionally activates TLS 1.1 and TLS 1.0,
          // which weakens security, but may be necessary to accept connections from older clients:
          server.TLSSettings.Versions = csbTLS1 | csbTLS11 | csbTLS12 | csbTLS13;
    
        

  • Now that your server has been fully set up, activate it:
          server.Start();
        
  • Once the Start call completes, your server can accept connections from clients. Each accepted connection runs in a separate thread, not interfering with each other or your own threads. The server communicates its ongoing activities to your application by throwing events:
    • Accept to notify you about a new incoming connection. This event lets you accept or reject it.
    • Connect to notify your code of an accepted connection. This event introduces a ConnectionID, a unique identifier that you can use to track the connection throughout its lifetime.
    • Disconnect to notify you that a connection has been closed.
    • TLSEstablished and TLSShutdown to let you know that a TLS layer has been activated/deactivated.
    • Data to notify you about a piece of data received from the remote side.
    • Error to report a protocol or other error.
    • CertificateValidate to communicate the client authentication event to your code. To access the certificate(s) provided by the authenticating client, pin the client and use the PinnedClientChain property to access its chain:
                server.PinClient(e.ConnectionID);
                e.Accept = CheckCert(server.PinnedClientChain);          
              

    Note: every such event is thrown from the respective connection thread, so make sure you use some synchronization mechanism when dispatching the events to your UI thread - for example, by updating UI controls by sending a Window Message rather than accessing the controls directly.

    Use SendData and SendText to send data back to a client. When sending data, provide the ConnectionID that is associated with that client. Call DropClient to terminate a client connection.

  • To stop the server, call Stop:
          server.Stop();
        

TLSServer and SSLLabs

Qualys SSLLabs (https://www.ssllabs.com/) has been long known as a comprehensive TLS site quality checking tool. It is now a de-facto standard and a sign of good taste to aspire for the best SSLLabs test result for your web presence. SecureBlackbox developers share that effort and want to help their customers build secure TLS endpoints that can be independently endorsed by third-party evaluators like SSLLabs.

Having said that, when assessing SecureBlackbox TLS-capable servers that are configured to use their default setup, you will often end up with a lower SSLLabs score than you could have. There is a simple reason for that. Being a vendor of a library used by thousands of customers, we have to find a delicate balance between security, compatibility, and keeping class contracts rolling from one product build to another. This makes the default configuration of the components not the strongest possible. To put it simple, we could easily make the default component setup bulletproof - but having done that, we would have likely ended up with hundreds of customers stuck with legacy environments (and there are a lot of them around) losing their connectivity.

If you are looking at achieving the best score at SSLLabs, please read on. The below guidance aims to help you tune up the server component in the way that should give you an A score.

First, switch your server to the highly secure base configuration:

  server.TLSSettings.BaseConfiguration = stpcHighlySecure;
This should immediately give you an A, or a T if your server certificate does not chain up to a trusted anchor.

Some warnings will still be included in the report. One of those is related to the session resumption. It is normally shown in orange:

Session resumption (caching): No (IDs assigned but not accepted)

This literally means that the server is not configured to re-use older sessions, which may put extra computational burden on clients and itself. Use the following setting to enable session caching:

  server.TLSSettings.UseSessionResumption = true;

Besides, the report may show that there are some weak ciphersuites. All of those should be shown in orange (there should not be any reds; if there are - please let us know), which means they are only relatively weak. While switching them off may affect the interoperability level of the server, you may still want to do that. By using the below approach you can disable individual ciphersuites selectively. For example, if the report shows that TLS_DHE_RSA_WITH_AES128_CBC_SHA256 and TLS_DHE_RSA_WITH_AES256_CBC_SHA256 are weak (because of their CBC mode), you can disable them in the following way:

  server.TLSSettings.Ciphersuites = '-DHE_RSA_AES128_SHA256;-DHE_RSA_AES256_SHA256';
Note that SBB uses slightly different, simpler naming convention by dropping unnecessart WITH and CBC. Let us know if you have difficulties matching the ciphersuite names.

Property List


The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

- activeIndicates whether the server is active and is listening to new connections.
- boundPortIndicates the bound listening port.
- errorOriginIndicates the endpoint where the error originates from.
- errorSeverityThe severity of the error that happened.
- externalCryptoCustomParamsCustom parameters to be passed to the signing service (uninterpreted).
- externalCryptoDataAdditional data to be included in the async state and mirrored back by the requestor.
- externalCryptoExternalHashCalculationSpecifies whether the message hash is to be calculated at the external endpoint.
- externalCryptoHashAlgorithmSpecifies the request's signature hash algorithm.
- externalCryptoKeyIDThe ID of the pre-shared key used for DC request authentication.
- externalCryptoKeySecretThe pre-shared key used for DC request authentication.
- externalCryptoMethodSpecifies the asynchronous signing method.
- externalCryptoModeSpecifies the external cryptography mode.
- externalCryptoPublicKeyAlgorithmProvide public key algorithm here if the certificate is not available on the pre-signing stage.
- handshakeTimeoutSpecifies the handshake timeout in milliseconds.
- hostThe host to bind the listening port to.
- pinnedClientAddressThe client's IP address.
- pinnedClientChainValidationDetailsThe details of a certificate chain validation outcome.
- pinnedClientChainValidationResultThe outcome of a certificate chain validation routine.
- pinnedClientCiphersuiteThe cipher suite employed by this connection.
- pinnedClientClientAuthenticatedSpecifies whether client authentication was performed during this connection.
- pinnedClientDigestAlgorithmThe digest algorithm used in a TLS-enabled connection.
- pinnedClientEncryptionAlgorithmThe symmetric encryption algorithm used in a TLS-enabled connection.
- pinnedClientIDThe client connection's unique identifier.
- pinnedClientKeyExchangeAlgorithmThe key exchange algorithm used in a TLS-enabled connection.
- pinnedClientKeyExchangeKeyBitsThe length of the key exchange key of a TLS-enabled connection.
- pinnedClientNamedECCurveThe elliptic curve used in this connection.
- pinnedClientPFSCipherIndicates whether the chosen ciphersuite provides perfect forward secrecy (PFS).
- pinnedClientPortThe remote port of the client connection.
- pinnedClientPublicKeyBitsThe length of the public key.
- pinnedClientResumedSessionIndicates whether a TLS-enabled connection was spawned from another TLS connection.
- pinnedClientSecureConnectionIndicates whether TLS or SSL is enabled for this connection.
- pinnedClientSignatureAlgorithmThe signature algorithm used in a TLS handshake.
- pinnedClientSymmetricBlockSizeThe block size of the symmetric algorithm used.
- pinnedClientSymmetricKeyBitsThe key length of the symmetric algorithm used.
- pinnedClientTotalBytesReceivedThe total number of bytes received over this connection.
- pinnedClientTotalBytesSentThe total number of bytes sent over this connection.
- pinnedClientValidationLogContains the server certificate's chain validation log.
- pinnedClientVersionIndicates the version of SSL/TLS protocol negotiated during this connection.
- pinnedClientCertCountThe number of records in the PinnedClientCert arrays.
- pinnedClientCertBytes:(int)pinnedClientCertIndexReturns raw certificate data in DER format.
- pinnedClientCertCAKeyID:(int)pinnedClientCertIndexA unique identifier (fingerprint) of the CA certificate's private key.
- pinnedClientCertFingerprint:(int)pinnedClientCertIndexContains the fingerprint (a hash imprint) of this certificate.
- pinnedClientCertHandle:(int)pinnedClientCertIndexAllows to get or set a 'handle', a unique identifier of the underlying property object.
- pinnedClientCertIssuer:(int)pinnedClientCertIndexThe common name of the certificate issuer (CA), typically a company name.
- pinnedClientCertIssuerRDN:(int)pinnedClientCertIndexA collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer.
- pinnedClientCertKeyAlgorithm:(int)pinnedClientCertIndexSpecifies the public key algorithm of this certificate.
- pinnedClientCertKeyBits:(int)pinnedClientCertIndexReturns the length of the public key.
- pinnedClientCertKeyFingerprint:(int)pinnedClientCertIndexReturns a fingerprint of the public key contained in the certificate.
- pinnedClientCertKeyUsage:(int)pinnedClientCertIndexIndicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.
- pinnedClientCertPublicKeyBytes:(int)pinnedClientCertIndexContains the certificate's public key in DER format.
- pinnedClientCertSelfSigned:(int)pinnedClientCertIndexIndicates whether the certificate is self-signed (root) or signed by an external CA.
- pinnedClientCertSerialNumber:(int)pinnedClientCertIndexReturns the certificate's serial number.
- pinnedClientCertSigAlgorithm:(int)pinnedClientCertIndexIndicates the algorithm that was used by the CA to sign this certificate.
- pinnedClientCertSubject:(int)pinnedClientCertIndexThe common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name.
- pinnedClientCertSubjectKeyID:(int)pinnedClientCertIndexContains a unique identifier (fingerprint) of the certificate's private key.
- pinnedClientCertSubjectRDN:(int)pinnedClientCertIndexA collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject).
- pinnedClientCertValidFrom:(int)pinnedClientCertIndexThe time point at which the certificate becomes valid, in UTC.
- pinnedClientCertValidTo:(int)pinnedClientCertIndexThe time point at which the certificate expires, in UTC.
- portSpecifies the port number to listen for connections on.
- portRangeFromSpecifies the lower limit of the listening port range for incoming connections.
- portRangeToSpecifies the upper limit of the listening port range for incoming connections.
- serverCertCountThe number of records in the ServerCert arrays.
- serverCertBytes:(int)serverCertIndexReturns raw certificate data in DER format.
- serverCertHandle:(int)serverCertIndexAllows to get or set a 'handle', a unique identifier of the underlying property object.
- sessionTimeoutSpecifies the default session timeout value in milliseconds.
- socketIncomingSpeedLimitThe maximum number of bytes to read from the socket, per second.
- socketLocalAddressThe local network interface to bind the socket to.
- socketLocalPortThe local port number to bind the socket to.
- socketOutgoingSpeedLimitThe maximum number of bytes to write to the socket, per second.
- socketTimeoutThe maximum period of waiting, in milliseconds, after which the socket operation is considered unsuccessful.
- socketUseIPv6Enables or disables IP protocol version 6.
- TLSAutoValidateCertificatesSpecifies whether server-side TLS certificates should be validated automatically using internal validation rules.
- TLSBaseConfigurationSelects the base configuration for the TLS settings.
- TLSCiphersuitesA list of ciphersuites separated with commas or semicolons.
- TLSECCurvesDefines the elliptic curves to enable.
- TLSForceResumeIfDestinationChangesWhether to force TLS session resumption when the destination address changes.
- TLSPreSharedIdentityDefines the identity used when the PSK (Pre-Shared Key) key-exchange mechanism is negotiated.
- TLSPreSharedKeyContains the pre-shared for the PSK (Pre-Shared Key) key-exchange mechanism, encoded with base16.
- TLSPreSharedKeyCiphersuiteDefines the ciphersuite used for PSK (Pre-Shared Key) negotiation.
- TLSRenegotiationAttackPreventionModeSelects renegotiation attack prevention mechanism.
- TLSRevocationCheckSpecifies the kind(s) of revocation check to perform.
- TLSSSLOptionsVarious SSL (TLS) protocol options, set of cssloExpectShutdownMessage 0x001 Wait for the close-notify message when shutting down the connection cssloOpenSSLDTLSWorkaround 0x002 (DEPRECATED) Use a DTLS version workaround when talking to very old OpenSSL versions cssloDisableKexLengthAlignment 0x004 Do not align the client-side PMS by the RSA modulus size.
- TLSTLSModeSpecifies the TLS mode to use.
- TLSUseExtendedMasterSecretEnables Extended Master Secret Extension, as defined in RFC 7627.
- TLSUseSessionResumptionEnables or disables TLS session resumption capability.
- TLSVersionsTh SSL/TLS versions to enable by default.
- useTLSEnables or disables the TLS requirement.
- websiteNameSpecifies the web site name to use in the certificate.

Method List


The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

- configSets or retrieves a configuration setting.
- dropClientTerminates a client connection.
- listClientsEnumerates the connected clients.
- pinClientTakes a snapshot of the connection's properties.
- sendDataSends a data buffer to a connection client.
- sendKeepAliveSends a keep-alive packet.
- sendTextSends a text string to a client.
- startStarts the TLS server.
- stopStops the TLS server.

Event List


The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

- onAcceptReports an incoming connection.
- onCertificateValidateFires when a client certificate needs to be validated.
- onConnectReports an accepted connection.
- onDataSupplies a data chunk received from a client.
- onDisconnectFires to report a disconnected client.
- onErrorInformation about errors during data delivery.
- onExternalSignHandles remote or external signing initiated by the server protocol.
- onNotificationThis event notifies the application about an underlying control flow event.
- onTLSEstablishedReports the setup of a TLS session.
- onTLSPSKRequests a pre-shared key for TLS-PSK.
- onTLSShutdownReports closure of a TLS session.

Configuration Settings


The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.

ClientAuthEnables or disables certificate-based client authentication.
DualStackAllows the use of ip4 and ip6 simultaneously.
HostThe host to bind to.
ServerSSLDHKeyLengthSets the size of the TLS DHE key exchange group.
TLSExtensionsProvides access to TLS extensions.
WebsiteNameThe website name for the TLS certificate.
CheckKeyIntegrityBeforeUseEnables or disable private key integrity check before use.
CookieCachingSpecifies whether a cookie cache should be used for HTTP(S) transports.
CookiesGets or sets local cookies for the class (supported for HTTPClient, RESTClient and SOAPClient only).
DefDeriveKeyIterationsSpecifies the default key derivation algorithm iteration count.
EnableClientSideSSLFFDHEEnables or disables finite field DHE key exchange support in TLS clients.
GlobalCookiesGets or sets global cookies for all the HTTP transports.
HttpUserAgentSpecifies the user agent name to be used by all HTTP clients.
LogDestinationSpecifies the debug log destination.
LogDetailsSpecifies the debug log details to dump.
LogFileSpecifies the debug log filename.
LogFiltersSpecifies the debug log filters.
LogFlushModeSpecifies the log flush mode.
LogLevelSpecifies the debug log level.
LogMaxEventCountSpecifies the maximum number of events to cache before further action is taken.
LogRotationModeSpecifies the log rotation mode.
MaxASN1BufferLengthSpecifies the maximal allowed length for ASN.1 primitive tag data.
MaxASN1TreeDepthSpecifies the maximal depth for processed ASN.1 trees.
OCSPHashAlgorithmSpecifies the hash algorithm to be used to identify certificates in OCSP requests.
UseOwnDNSResolverSpecifies whether the client classes should use own DNS resolver.
UseSharedSystemStoragesSpecifies whether the validation engine should use a global per-process copy of the system certificate stores.
UseSystemOAEPAndPSSEnforces or disables the use of system-driven RSA OAEP and PSS computations.
UseSystemRandomEnables or disables the use of the OS PRNG.

Copyright (c) 2022 /n software inc. - All rights reserved.
SecureBlackbox 2020 iOS Edition - Version 20.0 [Build 8166]