Pro Web supports Secure Sockets Layer (SSL). This support is achieved using OpenSSL and the following acknowledgments apply:

  • This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
  • This product includes cryptographic software written by Eric Young
  • This product includes software written by Tim Hudson

To use Pro Web with HTTPS, a certificate and private key must be available, and the certificate's subject must match the DNS address of the server. Both the certificate (including any intermediates) and the private key must be provided in PEM format. The paths to these files must be configured in the qawserve.ini file (see server configuration).

The client should be able to trust the certificate provided by the server. The mechanism that achieves this trust varies depending on the client in use. Generally there must be a chain of trust from the server's certificate to a certificate authority known by the client. The Configuration Editor and Admin Console do not check certificate validity by default. To enable checking, supply the relevant CA certificate that issued the server's certificate in PEM format. The path to this file must be specified in the qaworld.ini file (see client configuration).

Windows

Pro Web ships with DLLs for Windows that include a compiled version of OpenSSL. These are ssleay64.dll and libeay64.dll, and are currently OpenSSL 1.1.1g. It is possible to compile your own copies of this software if you prefer.

UNIX/Linux

Pro Web will attempt to load "libssl.so" and "libcrypto.so". Often these are on the loader path, but occasionally they are only available on the path if development packages have been installed. When the Pro Web server (qaswvd) cannot load OpenSSL, it will report "Cannot load SSL library: libssl.so" or "Cannot load CRYPTO library: libcrypto.so" at startup.

In this case it is necessary to supply paths to a compatible version of OpenSSL using the ini keys "SSLLibrary" and "CRYPTOLibrary". The exact path will vary based on the operating system, version and bitness, for example:

SSLLibrary=/lib/libssl.so.1.1.1
CRYPTOLibrary=/lib/libcrypto.so.1.1.1

SSLLibrary=/lib64/libssl.so.1.1.1
CRYPTOLibrary=/lib64/libcrypto.so.1.1.1

SSLLibrary=/lib/x86_64-linux-gnu/libssl.so.1.1.1
CRYPTOLibrary=/lib/x86_64-linux-gnu/libcrypto.so.1.1.1

The Pro Web software should be compatible with OpenSSL libraries between 1.0.0 and 1.1.x.
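The following added diagnostic (not part of Pro Web or its documentation) scans the library directories used in the examples above for libcrypto builds and prints a CRYPTOLibrary line for each one whose version falls in the stated 1.0.0 to 1.1.x range. The function names are illustrative; it reads the version through OpenSSL_version_num (1.1.0 and later) or SSLeay (1.0.x), both libcrypto exports, so choose the libssl file of the same version from the same directory for SSLLibrary.

```python
import ctypes
import glob

# Directories taken from the example ini values on this page.
SEARCH_DIRS = ["/lib", "/lib64", "/lib/x86_64-linux-gnu"]


def decode_version(num):
    """Turn an OPENSSL_VERSION_NUMBER into (major, minor, fix, text)."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    if major >= 3:
        # OpenSSL 3.x layout is 0xMNN00PP0: numeric patch, no letter.
        return major, minor, patch, f"{major}.{minor}.{patch}"
    # Patch 1..26 maps to a..z; later patch levels are not decoded here.
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return major, minor, fix, f"{major}.{minor}.{fix}{letter}"


def is_compatible(num):
    """Range stated on this page: OpenSSL 1.0.0 up to and including 1.1.x."""
    major, minor, _fix, _text = decode_version(num)
    return (1, 0) <= (major, minor) <= (1, 1)


def library_version(path):
    """Load a libcrypto candidate; return its version number or None."""
    try:
        # Loading runs the library's initialisers: probe trusted paths only.
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    for symbol in ("OpenSSL_version_num", "SSLeay"):
        fn = getattr(lib, symbol, None)
        if fn is not None:
            fn.restype = ctypes.c_ulong
            return fn()
    return None


def find_candidates(dirs=SEARCH_DIRS):
    """Return {path: version text} for compatible libcrypto files."""
    found = {}
    for d in dirs:
        for path in sorted(glob.glob(f"{d}/libcrypto.so*")):
            num = library_version(path)
            if num is not None and is_compatible(num):
                found[path] = decode_version(num)[3]
    return found


if __name__ == "__main__":
    for path, text in find_candidates().items():
        print(f"CRYPTOLibrary={path}  # OpenSSL {text}")
```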

TLS Support

Pro Web supports TLS 1.1 and 1.2 only. Earlier protocols (SSLv3/TLS 1.0) are vulnerable and supporting them breaks PCI compliance. With this in mind, consider the following.

  • Some versions of IE do not support TLS 1.1 and 1.2 by default.
  • The .NET 4.0 framework does not support TLS versions greater than 1.0 (and is therefore incompatible).
  • The .NET 4.5 framework does not enable TLS 1.1 and 1.2 by default.
  • To solve this issue, include the following line: System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Similar issues may apply to other client stacks, depending on vintage.