Enable HTTPS security
OpenFin's goal is to provide a secure environment for running applications built with Web technologies.
This includes supporting the encryption features of HTTPS.
OpenFin deployments operate in many network environments, from isolated internal organizational networks to the fully open Internet.
Further, organizations may have differing needs while developing applications compared to deploying them to end-users.
Starting in RVM version 10, OpenFin provides desktop owners with the flexibility to meet the varied needs of internal development teams, application deployments, and network configurations. Desktop owners can choose to prevent or allow the following situations:
- Encryption certificates that are invalid
- Redirects from HTTPS to HTTP URLs
- Redirects from HTTP to HTTPS URLs
Based on customer feedback OpenFin has chosen an opt-in approach to ensure existing environments are not disrupted.
The default for the above scenarios is to allow them.
The following features support this flexibility:
- Windows registry settings to prevent or allow security gaps
- RVM command-line option to enforce security regardless of registry settings, for development and testing purposes
- Warning banner in the RVM log at start-up, if security settings are set to allow insecure connections
- Checks in the RVM health check that fail if security settings are set to allow insecure connections
Registry settings
The following settings in the registry support this customization.
| Value | Type | Default data | Description |
|---|---|---|---|
allowInvalid NetworkCertificates | DWORD | 1 (true) | Ignore encryption certificates that are invalid due to missing the common name or expiry date, unknown certificate authority (CA) or revocation by the CA. Set to 0 (false) for best security. |
allowHttpsToHttp NetworkRedirects | DWORD | 1 (true) | Allow redirects from HTTPS to HTTP URLs. Set to 0 (false) for best security. |
allowHttpToHttps NetworkRedirects | DWORD | 1 (true) | Allow redirects from HTTP to HTTPS URLs. Note that this type of redirect is typically accepted under HTTPS. |
To implement stricter security, set these values to 0 (false), as appropriate to your needs.
Refer to Group policy and registry settings for complete information about OpenFin settings in the Windows registry, including possible locations for values and their precedence.
Recommended settings
To ensure adherence to best practices for HTTPS security, OpenFin recommends setting the following data for these registry values:
allowInvalidNetworkCertificates: 0 (false)allowHttpsToHttpNetworkRedirects: 0 (false)allowHttpToHttpsNetworkRedirects: 1 (true) — same as default data
Caution
The default values for
allowInvalidNetworkCertificatesandallowHttpsToHttpNetworkRedirectsare opposite to OpenFin's recommended values.
The default values allow reduced security during application or platform development, when strict security might be an impediment to software engineers.
OpenFin strongly recommends changing these values when deploying OpenFin software to end users.
RVM command-line option
The following command-line option enforces security for HTTPS connections:
--enable-ssl-validation
For example, use the following command line to turn on security enforcement:
$ openfinRVM.exe --config="SERVER_NAME/APP_MANIFEST_FILE" --enable-ssl-validation
Using this option is equivalent to using the recommended registry values.
RVM log warning
If any of the registry settings are set to allow insecure connections, a warning banner is written to the RVM log with messages similar to the following:
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | *********************************************************************
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | Invalid HTTPS certificates are allowed, configure with the OpenFin\RVM\Settings\allowInvalidNetworkCertificates registry key
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | HTTPS to HTTP redirects are allowed, configure with the OpenFin\RVM\Settings\allowHttpsToHttpNetworkRedirects registry key
23-04-21 14:34:28.563 | 53484:46404 | WARNING | HTTP_REQUEST | *********************************************************************
Note that the default setting of allowInvalidNetworkCertificates and allowHttpsToHttpNetworkRedirects is 1(true), and therefore triggers this log banner.
This banner is not triggered by a setting for allowHttpToHttpsNetworksRedirects of 1 (true), either as the default or as an explicit setting, because redirects from HTTP to HTTPS are typically accepted with HTTPS.
Fetching application manifests
Starting with RVM version 15, when the RVM retrieves an application manifest file, it uses strict security settings (HTTPS with valid server certificate required).
If this operation fails, it logs the failure and the reason.
If security settings are not explicitly defined in the registry, the RVM retries to fetch the manifest file using the default settings.
When the application manifest is not on a secured URL (which is often the case in application development) the RVM might load a manifest twice.
RVM health check
When OpenFinRVM.exe is run in "health check mode", by using the --health-check command line option, it reports an error if either allowInvalidNetworkCertificates or allowHttpToHttpsNetworkRedirects is set to 1 (true), either by default or explicitly specified.
Updated 3 months ago