A little over a year ago, we started adding the features that were needed to directly support SSL connections in standalone web apps. We ran into a few issues during beta testing which blocked our ability to release at that time and the feature was pulled.
A recent flurry of questions regarding this feature, and the addition of Travis Hill to the web framework team this fall, prompted us to look at this feature again. It turns out that the items which were blocking the release of this feature got fixed as a result of other bug fixes in the fall and we have been able to confirm that standalone SSL does in fact work! If you’re using Xojo 2013r3 or higher, you should be able to use standalone SSL connections!
Set up the SSL Certificate
First of all, you need an SSL certificate. I’m not going to tell you how to make one or get one, as there are a lot of good references out there already. If you’re doing local testing, feel free to use a self-signed certificate. If your web app will be available on the internet, please be sure to use a real purchased SSL certificate because it adds extra protection from certain kinds of internet attacks.
Once you have a certificate and have downloaded it and the private key to your computer, you need to combine all of the pieces into a single file. Create a text file that has the same name as your application with a .crt extension and paste the contents of each piece into it, one after another. Make sure to include your primary certificate, intermediate certificate bundle (if required) and private key. Note: if you require intermediate certificates, you will need to be using Xojo 2014r3+.
Each file must start on a new line (don’t concatenate the last line of one file and the first line of another onto the same line). As I mentioned the name of this file should match your web app name, so if your web app is named MyBestApp or MyBestApp.exe, the certificate file should be named MyBestApp.crt.
Note: If you are running in debug mode, the built app will be named MyBestApp.Debug. The certificate should still be named MyBestApp.crt.
Now that you have a correctly named and formatted certificate file, you’ll need to make sure it is next to the built web app when it runs. Personally, I like to use a CopyFiles Build Automation step for this to make sure it ends up in the right place every time.
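One way to assemble and check the combined file described above, as an added shell example that is not from the original post or from Xojo; the input file names in the usage comment are placeholders. It makes every part start on a new line, restricts the file to its owner because it contains the private key, and rejects a file in which two PEM markers ended up on the same line.

```shell
#!/bin/sh
# Added example: build the combined <AppName>.crt file.
# Usage (placeholder file names, adjust to your own):
#   build_combined_crt "$(cert_name_for MyBestApp.exe)" cert.pem chain.pem key.pem

# cert_name_for APP: print the certificate file name the web app looks for.
cert_name_for() {
    name=$(basename "$1")
    name=${name%.exe}      # MyBestApp.exe   -> MyBestApp
    name=${name%.Debug}    # MyBestApp.Debug -> MyBestApp
    printf '%s.crt\n' "$name"
}

# check_combined_crt FILE: succeed only if every PEM marker sits alone on
# its line and the BEGIN and END markers are balanced.
check_combined_crt() {
    awk '
        /-----(BEGIN|END) / && !/^-----(BEGIN|END) [A-Z0-9 ]+-----$/ { bad = 1 }
        /^-----BEGIN / { b++ }
        /^-----END /   { e++ }
        END { exit ((bad || b == 0 || b != e) ? 1 : 0) }
    ' "$1"
}

# build_combined_crt OUT PART...
# PARTs in order: primary certificate, intermediate bundle (if required),
# private key.
build_combined_crt() {
    out=$1
    shift
    : > "$out" || return 1
    chmod 600 "$out" || return 1   # file holds the private key: owner-only
    for part in "$@"; do
        [ -r "$part" ] || { echo "cannot read $part" >&2; return 1; }
        # tr drops Windows carriage returns; "awk 1" ends the last line with
        # a newline even if the input lacked one, so parts never fuse.
        tr -d '\r' < "$part" | awk 1 >> "$out"
    done
    check_combined_crt "$out"
}
```

A plain `cat` of files that lack a trailing newline produces exactly the fused marker line that `check_combined_crt` rejects.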
Serving in SSL
The last piece of this puzzle is to tell your web app that you want it to listen on a secure port. As this feature hasn’t been added to the IDE yet, you’ll need to use some command-line parameters to get it to work. There are two parameters that you’ll be interested in:
- --secureport – allows you to specify the port number for secure connections
- --maxsecuresockets – allows you to set the maximum number of secure sockets (default=200)
The secure port MUST be different than the port selected in the IDE (or specified with the --port command line property). For example, if you built your web application using port 8080 as the listening port, you might use:
As with the non-SSL version, you may also increase the maximum allowed number of connected sockets if necessary, which is useful if you notice that your app rejects connections when there are a lot of users connected at the same time.
MyBestApp --secureport=8081 --maxsecuresockets=400
Remember, with the maxsecuresockets option, the number of open sockets does not represent the number of simultaneous users. Depending on the construction of your app, and how your users use it, a browser could have zero open connections (like between keystrokes or mouse clicks) or multiple open connections (if the user is clicking quickly on a control). That being said, you also shouldn’t set this value too high. With more open connections comes more memory and CPU use, so you’ll need to experiment with this number to find the best threshold for your app/server combination.
Once you’ve launched your app, use a browser to connect to it:
As you can see, using SSL with standalone web apps is relatively easy and we will be integrating this feature into the Xojo IDE soon!