IdhttpServer basic authentication not encrypted?


I have an IdHTTPServer with an IdServerIOHandlerSSLOpenSSL which requires a login during connect, by setting the AuthRealm. This is intended to be used by a government organisation to view specific data.

But they have a massive security system in place, and the web browsers on their network do not accept, or never receive, the initial Basic Authentication request. They end up straight at 401: Unauthorized.

I think it is because it seems that the SSL encryption for the connection is not yet established when the initial login / password request is sent to the web browser, and as a result it is blocked. I can see this in my own web browsers as well. https is not yet active.

Is there a way around this? Can I somehow force the SSL connection before the Basic authentication request is sent? [Login Screenshot]


0
Remy Lebeau On

HTTP-based authentication is part of the HTTP request itself. You have to send the request via an https: url to ensure the connection is secured with SSL/TLS before the HTTP request is even transmitted. NEVER ask for HTTP-based authentication using an http: url !!! HTTP BASIC authentication itself is not secure, as it simply transmits the client's credentials in plain-text using base64. So the connection has to be secured beforehand.

In any case, the screenshot you have provided clearly shows that an https: url is being used. So yes, SSL/TLS encryption MUST be active on the connection BEFORE the client would send its HTTP request and consequently receive an authentication challenge. TIdHTTPServer would not be able to communicate with any HTTPS client at all if that were not the case.

TIdHTTPServer handles HTTPS just fine, provided you have set it up correctly, i.e. by:

  1. having a TIdServerIOHandlerSSLBase-derived component assigned to the TIdHTTPServer.IOHandler property (which it sounds like you do)

  2. setting the TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough property to False in the TIdHTTPServer.OnConnect event for an SSL/TLS listening port (which TIdHTTPServer handles for you by default on the standard HTTPS port, 443).

So, whatever problem you are having is related to something else. Do you have TIdHTTPServer listening on port 443? Do you have TIdSSLIOHandlerSocketOpenSSL configured to use strong encryption, identity validation, etc? There are many factors at play which you have not provided details about.
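Putting the two steps from the answer above into one place, here is an added example (my own code, not from the question, the answer, or Indy's own demos) of a minimal TIdHTTPServer that only ever issues a Basic challenge on a TLS-secured connection. The certificate/key file names, the port constant, the realm text and the demo credentials are assumptions for illustration; a real deployment reads credentials from a store rather than from constants.

```delphi
program SecureBasicAuthServer;

{$APPTYPE CONSOLE}

uses
  SysUtils, IdContext, IdCustomHTTPServer, IdHTTPServer, IdSSL, IdSSLOpenSSL,
  IdSocketHandle, IdGlobal;

type
  TServerHandlers = class
    procedure OnConnect(AContext: TIdContext);
    procedure OnCommandGet(AContext: TIdContext; ARequestInfo: TIdHTTPRequestInfo;
      AResponseInfo: TIdHTTPResponseInfo);
  end;

const
  HTTPS_PORT = 443;                 // the port TIdHTTPServer treats as SSL by default
  DEMO_USER = 'viewer';             // demo-only credentials (assumption)
  DEMO_PASS = 'correct horse battery staple';

procedure TServerHandlers.OnConnect(AContext: TIdContext);
begin
  // Step 2 from the answer: make the accepted socket negotiate TLS before any
  // HTTP bytes (and therefore any 401 challenge) are exchanged. Indy already
  // does this for port 443; doing it explicitly documents the intent.
  if AContext.Connection.IOHandler is TIdSSLIOHandlerSocketBase then
    TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough :=
      (AContext.Binding.Port <> HTTPS_PORT);
end;

procedure TServerHandlers.OnCommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
var
  Secured: Boolean;
begin
  // TLS is active only if the IO handler is an SSL handler AND PassThrough is off.
  Secured := (AContext.Connection.IOHandler is TIdSSLIOHandlerSocketBase) and
    (not TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough);

  if not Secured then
  begin
    // Never send a Basic challenge on a plaintext connection: the browser
    // would answer with base64-encoded credentials readable by anyone on path.
    AResponseInfo.ResponseNo := 403;
    AResponseInfo.ContentType := 'text/plain';
    AResponseInfo.ContentText := 'HTTPS required';
    Exit;
  end;

  if not (ARequestInfo.AuthExists and
          (ARequestInfo.AuthUsername = DEMO_USER) and
          (ARequestInfo.AuthPassword = DEMO_PASS)) then
  begin
    // Setting AuthRealm makes Indy reply 401 with WWW-Authenticate: Basic realm="..."
    AResponseInfo.ResponseNo := 401;
    AResponseInfo.AuthRealm := 'Restricted data';
    AResponseInfo.ContentType := 'text/plain';
    AResponseInfo.ContentText := 'Unauthorized';
    Exit;
  end;

  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentText := 'Hello, ' + ARequestInfo.AuthUsername;
end;

var
  Server: TIdHTTPServer;
  SSL: TIdServerIOHandlerSSLOpenSSL;
  Handlers: TServerHandlers;
  Binding: TIdSocketHandle;
begin
  Handlers := TServerHandlers.Create;
  Server := TIdHTTPServer.Create(nil);
  try
    // Step 1 from the answer: an SSL-capable server IO handler on the server.
    SSL := TIdServerIOHandlerSSLOpenSSL.Create(Server);
    SSL.SSLOptions.Mode := sslmServer;
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];  // refuse SSLv2/v3 and TLS 1.0/1.1
    SSL.SSLOptions.CertFile := 'server.crt';      // placeholder paths (assumption)
    SSL.SSLOptions.KeyFile := 'server.key';
    Server.IOHandler := SSL;

    // Listen on the HTTPS port only; no plaintext binding is opened at all.
    Server.Bindings.Clear;
    Binding := Server.Bindings.Add;
    Binding.IP := '0.0.0.0';
    Binding.Port := HTTPS_PORT;

    Server.OnConnect := Handlers.OnConnect;
    Server.OnCommandGet := Handlers.OnCommandGet;
    Server.Active := True;
    Writeln('Listening on https://localhost:443/ - press Enter to stop');
    Readln;
  finally
    Server.Free;   // the owned SSL handler is freed with the server
    Handlers.Free;
  end;
end.
```

With this layout the order of events on every connection is fixed: TCP accept, TLS handshake, then the HTTP request, and only then the 401 challenge from OnCommandGet. A browser that never sees the challenge on such a server is therefore not hitting a missing-TLS problem; it is more likely that an intermediary (proxy or content filter) is stripping or rewriting the WWW-Authenticate header, which a capture on the client side of that intermediary would confirm.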

2
Bart Kindt On

It seems that the problem I showed is specific to my localhost, probably because something is not set up correctly on my development PC. Looking at the actual server, yes, I now see that SSL is active.

But on the NZ Police systems, the Basic Authentication is completely ignored, and it immediately goes to 401: Unauthorized. Sadly, I have no access to their systems, and I do not understand why it happens. I really thought it was because of the SSL not yet being established. So that is not the case.