Enable HTTPS security

OpenFin's goal is to provide a secure environment for running applications built with Web technologies.
This includes supporting the encryption features of HTTPS.
OpenFin deployments operate in many network environments, from isolated internal organizational networks to the fully open Internet.
Further, organizations may have differing needs while developing applications compared to deploying them to end-users.

Starting in RVM version 10, OpenFin provides desktop owners with the flexibility to meet the varied needs of internal development teams, application deployments, and network configurations. Desktop owners can choose to prevent or allow the following situations:

  • Encryption certificates that are invalid
  • Redirects from HTTPS to HTTP URLs
  • Redirects from HTTP to HTTPS URLs

Based on customer feedback OpenFin has chosen an opt-in approach to ensure existing environments are not disrupted.
The default for the above scenarios is to allow them.

The following features support this flexibility:

  • Windows registry settings to prevent or allow security gaps
  • RVM command-line option to enforce security regardless of registry settings, for development and testing purposes
  • Warning banner in the RVM log at start-up, if security settings are set to allow insecure connections
  • Checks in the RVM health check that fail if security settings are set to allow insecure connections

Registry settings

The following settings in the Microsoft Windows registry support this customization.

ValueTypeDefault dataDescription
allowInvalid NetworkCertificatesDWORD1 (true)Ignore encryption certificates that are invalid due to missing the common name or expiry date, unknown certificate authority (CA) or revocation by the CA. Set to 0 (false) for best security.
allowHttpsToHttp NetworkRedirectsDWORD1 (true)Allow redirects from HTTPS to HTTP URLs. Set to 0 (false) for best security.
allowHttpToHttps NetworkRedirectsDWORD1 (true)Allow redirects from HTTP to HTTPS URLs. Note that this type of redirect is typically accepted under HTTPS.

To implement stricter security, set these values to 0 (false), as appropriate to your needs.

Refer to Group policy and registry settings for complete information about OpenFin settings in the Windows registry, including possible locations for values and their precedence.

Recommended settings

To ensure adherence to best practices for HTTPS security, OpenFin recommends setting the following data for these registry values:

  • allowInvalidNetworkCertificates: 0 (false)
  • allowHttpsToHttpNetworkRedirects: 0 (false)
  • allowHttpToHttpsNetworkRedirects: 1 (true) — same as default data



Note that the default values for allowInvalidNetworkCertificates and allowHttpsToHttpNetworkRedirects are opposite to OpenFin's recommended values.
The default values allow reduced security during application or platform development, when strict security might be an impediment to software engineers.
OpenFin strongly recommends changing these values when deploying OpenFin software to end users.

RVM command-line option

The following command-line option enforces security for HTTPS connections:

  • --enable-ssl-validation

For example, use the following command line to turn on security enforcement:

$ openfinRVM.exe --config="SERVER_NAME/APP_MANIFEST_FILE" --enable-ssl-validation

Using this option is equivalent to using the recommended registry values.

RVM log warning

If any of the registry settings are set to allow insecure connections, a warning banner is written to the RVM log with messages similar to the following:

23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | *********************************************************************
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | Invalid HTTPS certificates are allowed, configure with the OpenFin\RVM\Settings\allowInvalidNetworkCertificates registry key
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | HTTPS to HTTP redirects are allowed, configure with the OpenFin\RVM\Settings\allowHttpsToHttpNetworkRedirects registry key
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | *********************************************************************

Note that the default setting of allowInvalidNetworkCertificates and allowHttpsToHttpNetworkRedirects is 1(true), and therefore triggers this log banner.
This banner is not triggered by a setting for allowHttpToHttpsNetworksRedirects of 1 (true), either as the default or as an explicit setting, because redirects from HTTP to HTTPS are typically accepted with HTTPS.

RVM health check

When OpenFinRVM.exe is run in "health check mode", by using the --health-check command line option, it reports an error if either allowInvalidNetworkCertificates or allowHttpToHttpsNetworkRedirects is set to 1 (true), either by default or explicitly specified.