Re: [twsocket] Fw: ICS SSL Questions
Thanks Arno, for the example. I'll give it a try.

> Private Key and certificate may exist in the same file. It's not a method in TX509Base, however you can derive your own class and add this functionality. Something like below should do the trick:

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
[twsocket] ICS SSL Questions
Although I was a contributor to ICS SSL, I haven't really got to play with it. I gave it a try last night with V6 and had a few questions.

1. I see two sets of .bdsproj files in the Vc32 folder, one with Ssl in the file names and USE_SSL;USE_ZLIB_OBJ defined, one without. Should I install both to use wsocket with and without SSL at the same time? I installed the copy with SSL and it looks like I'm getting both the SSL and non-SSL components, so I suppose the SSL version is a super set?

2. I first installed OpenSSL 0.9.8.h on my Windows XP machine but none of the tools ran ("Windows can not execute ..." error). Then I installed 0.9.8.e and things worked fine. Is this a known issue?

3. After I generated the cert files, the HttpsTst demo worked fine. My question here is, is there an easy way to use an embedded cert and key string, as opposed to external files? I notice that the SslContext class takes file names.

Thanks,
Jack
Re: [twsocket] ICS SSL Questions
Hello Arno,

Thanks for the reply.

>> 3. After I generated the cert files, HttpsTst demo worked fine. My question here is, is there an easy way to use an embedded cert and key string, as opposed to external files? I notice that the SslContext class takes file names.

> No way, however both are required only if the server requests a client certificate which is mostly not the case.

Do you mean it's not a good idea, or it's not technically possible? Because to me the file content is just a string. Can I set a string property in SslContext instead of a file name?

Jack
Re: [twsocket] Fw: ICS SSL Questions
Hello Arno,

> Usually you do not need a certificate to connect to a SSL server. Your client might however communicate with multiple servers requesting a client certificate. If that is the case leave both properties unassigned and handle event OnSslCliCertRequest instead, this is demonstrated in the HttpsTst demo.

Good to know!

>> Because to me the file content is just a string. Can I set a string property in SslContext instead of a file name?

> Uhh, sorry, I probably missed the point. What do you want to achieve?

What I want to do is to avoid providing the two .pem files as separate files. Instead, I'd like to read the content of the two files and hard-code them in a string variable, or in a resource. In this case, I'd like to have a method in TX509Base called LoadFromString() or LoadFromStream() instead of LoadFromPemFile() so that I can load the value from a string or a memory stream.

Thanks,
Jack
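What a LoadFromString() has to do first is split the PEM text into its BEGIN/END blocks and base64-decode each one, so that the certificate and the private key can come from the same in-memory string (the "both in one file" case mentioned in this thread). The following is an added example, not ICS code and not anything from this list; it assumes only the standard PEM framing ("-----BEGIN label-----" / "-----END label-----"), and the sample PEM it parses is constructed from placeholder bytes, not real key material.

```python
import base64
import re

# One PEM block: "-----BEGIN X-----", a base64 body, "-----END X-----".
# The backreference \1 makes sure BEGIN and END carry the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block found in `text`.

    Text outside the BEGIN/END lines is ignored, as the openssl tools do;
    a malformed base64 body raises ValueError instead of being skipped,
    so a corrupted key blob is noticed at load time rather than at the
    first handshake."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def cert_and_key_from_string(text):
    """Split a combined PEM string into (certificate_der, private_key_der).

    Takes the first CERTIFICATE block and the first block whose label ends
    in PRIVATE KEY (RSA PRIVATE KEY, PRIVATE KEY, ENCRYPTED PRIVATE KEY),
    whichever order they appear in; raises ValueError if either is missing."""
    cert = key = None
    for label, der in split_pem(text):
        if label == "CERTIFICATE" and cert is None:
            cert = der
        elif label.endswith("PRIVATE KEY") and key is None:
            key = der
    if cert is None or key is None:
        raise ValueError("combined PEM needs both a CERTIFICATE and a PRIVATE KEY block")
    return cert, key


def pem_block(label, der):
    """Re-emit DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample: the bodies are placeholder bytes, not a real
# certificate or key. A real file would hold DER-encoded X.509 / PKCS#1 data.
SAMPLE_COMBINED_PEM = (
    pem_block("CERTIFICATE", b"constructed certificate DER placeholder")
    + pem_block("RSA PRIVATE KEY", b"constructed private key DER placeholder")
)


if __name__ == "__main__":
    cert_der, key_der = cert_and_key_from_string(SAMPLE_COMBINED_PEM)
    print("certificate:", len(cert_der), "bytes; key:", len(key_der), "bytes")
```

In OpenSSL-based code the decoded blocks would then be handed to the library through a memory BIO (BIO_new_mem_buf with PEM_read_bio_X509 / PEM_read_bio_PrivateKey) rather than through a file name, which is what a TX509Base.LoadFromString() would wrap. Keep in mind that a key compiled into the executable or a resource is readable by anyone who has the binary, so such a client certificate should be treated as a low-trust identity and be easy to revoke and replace.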
Re: [twsocket] Poor man's SSL/TLS?
Yes. It would make most sense to use OpenSSL for most applications. I thought about the other direction only because in one of my applications there is a download size restraint and the OpenSSL libraries are fairly large. Given the sizes of the DLLs, I can imagine there is a huge amount of code in OpenSSL. But I suppose a good portion of the code is some legacy code that is not used most of the time. Then I don't know it enough to tell how big that portion is.

Thanks for the replies.

Jack

Thursday, September 11, 2008, 8:36:25 AM, you wrote:

> I would add to Arno's words that one has to look at the size of the OpenSSL source code. It is huge! I don't see any reason to rewrite it given it is open source and recognized as high quality software. But maybe you see something I missed...
>
> --
> [EMAIL PROTECTED]
> The author of the freeware multi-tier middleware MidWare
> The author of the freeware Internet Component Suite (ICS)
> http://www.overbyte.be
>
> - Original Message -
> From: Arno Garrels [EMAIL PROTECTED]
> To: ICS support mailing twsocket@elists.org
> Sent: Thursday, September 11, 2008 11:52 AM
> Subject: Re: [twsocket] Poor man's SSL/TLS?
>
>>> that encourage people to use the OpenSSL library. I hope those who worked on ICS-SSL could shed some light...
>>
>> Beside the huge effort it would take to implement SSL from scratch, do you really believe that any home-grown solution, written by non-experts in cryptography, could be more secure than an open source library that is standard in the unix world, with contributors like IBM etc.?
>>
>> --
>> Arno Garrels [TeamICS]
>> http://www.overbyte.be/eng/overbyte/teamics.html
>>
>> jlist wrote:
>>> I was reading TLS's wikipedia page the other day. I find that although it's a lot of work, it is probably not too bad to write the SSL handshake and encryption from scratch, say, with ICS. I must be seriously overlooking the details and complexities. I wonder what the potential issues of taking this approach are and what the main reasons are that encourage people to use the OpenSSL library. I hope those who worked on ICS-SSL could shed some light...
[twsocket] Poor man's SSL/TLS?
I was reading TLS's wikipedia page the other day. I find that although it's a lot of work, it is probably not too bad to write the SSL handshake and encryption from scratch, say, with ICS. I must be seriously overlooking the details and complexities. I wonder what the potential issues of taking this approach are and what the main reasons are that encourage people to use the OpenSSL library. I hope those who worked on ICS-SSL could shed some light...

--
Jack
Re: [twsocket] SessionClosed and close/shutdown
Hello Francois and Arno, thanks for the replies.

I read online that on Unix, close() reduces a ref count for a socket. The last close() will call shutdown() automatically. I'm not sure if the same is true on Windows but I would think so, because it makes sense and the whole TCP/IP thing started on Unix platforms.

Anyway, to answer my original question, I made a test and found out that calling shutdown(0) locally will not trigger a SessionClosed on the remote side. Calling shutdown(1) and shutdown(2) will.

Sunday, August 10, 2008, 10:44:15 PM, you wrote:

> Yes, Shutdown at one side will cause session close at the other side. Actually, Shutdown is the way to gracefully close a connection. Shutdown sends to the other part a close request. The other part responds with a close. Then the initiating part calls close. This is really the proper way to negotiate session end.
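The result Jack reports above (shutdown(0) is invisible to the peer, shutdown(1) and shutdown(2) are not) follows from what each "how" value does on the wire: only the write-side shutdown sends a FIN, and a FIN is what the receiving end sees as end-of-stream, which is the condition an ICS server turns into SessionClosed. The probe below, added here as an example and not taken from this thread or from ICS, reproduces the test over a loopback TCP connection using the Python socket API instead of TWSocket: a client sends a constructed HTTP/1.0-style request, calls shutdown() with each of the three values, and the server side reports whether its recv() returned end-of-stream before a one-second timeout. It also checks the browser case from the original question, namely that after shutdown(SHUT_WR) the client can still read the server's reply.

```python
import socket
import threading

# The numeric "how" values from the thread (0/1/2) and their socket constants.
HOW_BY_NAME = {
    "SHUT_RD": socket.SHUT_RD,      # 0: stop receiving; nothing is sent
    "SHUT_WR": socket.SHUT_WR,      # 1: stop sending; a FIN goes to the peer
    "SHUT_RDWR": socket.SHUT_RDWR,  # 2: both; a FIN goes to the peer
}

# Constructed request and response, not captured traffic.
REQUEST = b"GET / HTTP/1.0\r\n\r\n"
RESPONSE = b"HTTP/1.0 200 OK\r\n\r\nhello"


def probe_shutdown(how_name, timeout=1.0):
    """Open a loopback TCP connection, send REQUEST, then call
    shutdown(how) on the client side.

    Returns (remote_saw_eof, client_read_reply):
      remote_saw_eof    - True if the server's recv() returned b'' within
                          `timeout`, i.e. a FIN arrived (what fires
                          SessionClosed in an ICS server); False if the
                          server only hit its timeout.
      client_read_reply - True if the client still received RESPONSE after
                          its own shutdown (the HTTP/1.0 half-close case).
    """
    how = HOW_BY_NAME[how_name]
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # any free loopback port
    listener.listen(1)
    outcome = {"eof": False}

    def server_side():
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(timeout)
            conn.recv(1024)             # the request, queued before any FIN
            conn.sendall(RESPONSE)      # answer, then wait for the peer's FIN
            try:
                outcome["eof"] = conn.recv(1024) == b""   # b'' means FIN
            except socket.timeout:
                outcome["eof"] = False  # no FIN: the peer is still "open"

    worker = threading.Thread(target=server_side)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(timeout)
    client.connect(listener.getsockname())
    client.sendall(REQUEST)
    client.shutdown(how)

    reply = b""
    try:
        reply = client.recv(len(RESPONSE))
    except (socket.timeout, OSError):
        pass                            # read side closed or nothing arrived

    worker.join()       # keep the client socket open until the server has
    client.close()      # recorded its result, so close() itself cannot be
    listener.close()    # the thing that sends the FIN
    return outcome["eof"], reply.startswith(b"HTTP/1.0 200")


if __name__ == "__main__":
    for name in HOW_BY_NAME:
        eof, got_reply = probe_shutdown(name)
        print("%-9s remote saw EOF: %-5s client still read reply: %s"
              % (name, eof, got_reply))
```

Whether the client can still read data after SHUT_RD is platform dependent (Linux keeps delivering queued data, other stacks discard it), so only the SHUT_WR reply result is meaningful; the EOF column is the same everywhere. For a server, the practical consequence is that a peer that only called shutdown(0) and then went away looks identical to a live idle connection, so SessionClosed alone is not a substitute for an idle timeout.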
[twsocket] SessionClosed and close/shutdown
Hello all,

ICS TWSocket only has a SessionClosed event for close of connection. I suppose a socket.close() from the remote side (or local) will trigger this event. I wonder if shutdown(0/1/2) will also trigger the event? For example, a browser using HTTP/1.0 often sends a request then does a shutdown(1). Will in this case the ICS server component get a SessionClosed event? What if it's a shutdown(0) or shutdown(2)?

--
Best regards,
Jack
Re: [twsocket] ICS won't work anymore...
It looks like the HttpTst User-Agent header is triggering the firewall on the web server. Use another User-Agent string, it will go through.

> Hey, I got a strange problem, I am downloading (XML) news from different websites, and it all was working for a long time. But now it won't download anymore from Reuters (http://feeds.reuters.com/reuters/worldNews). First I thought it was a bug in my program, but then I tested the ICS own example program HttpTst (BCB6) and same problem there. It starts the download, but never gets any data, only the head, then the timeout breaks the connection. It works fine in Firefox or Explorer, even a program called XMLSpy downloads it all. Anyone has an idea? I don't want to replace ICS with another tool, so I was hoping there is a solution. BCB6/XP/ICSV5
>
> Thanks
> Satto
Re: [twsocket] UDP Hole Punching
My understanding is that it works on certain types of NAT firewalls. On these NATs, an external port is mapped to an internal IP:Port. If this is the case, all packets going to that external port will go to the internal IP:Port. Making it work is not that simple though, with the difficult part being coordinating two parties that do not talk to each other. I'm not sure what's being used in real life solutions but it sounds to me that both A and B have to have very frequent UDP communications with S, or have a TCP connection with S in order to coordinate a hole punching attempt.

Isn't the translation state based on the remote peer IP address, too? Then the same translation created for A-S and B-S would not work when you try to connect A directly with B.

- Original Message -
From: wayne forrest [EMAIL PROTECTED]
To: ICS support mailing twsocket@elists.org
Sent: Thursday, February 21, 2008 8:22 PM
Subject: [twsocket] UDP Hole Punching

> Has anyone made a UDP Hole puncher with ICS?
>
> Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices; S is a public server with a well-known globally reachable IP address.
>
> 1. A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers
> 2. S relays these port numbers back to A and B
> 3. A and B contact each other's NAT devices directly on the translated ports; the NAT devices use the previously created translation states and send the packets to A and B
>
> If I were to implement the above, is it really that simple? Or is there much more to it than that? Any help appreciated, or alternatives, maybe a plugin / generic solution that can be incorporated. Our current setup is Server on PC behind NAT and then client on Cell phone. We will have a lot of users not knowing how to do port forwarding.
[twsocket] Some components not included in ICS v5
It seems that some components are not included in the ICS v5 project file. For example, DnsQuery. Was this intentional?

Thanks,
Jack
[twsocket] UDP IP Spoofing Possible with ICS?
Hello all,

Is it possible to do UDP IP spoofing with the twsocket component? Not that I'm trying to create a security threat - it's used in UDP firewall traversal, commonly used in VOIP apps. I think I should be able to do it with a raw socket but it doesn't really work very reliably (and it doesn't work on some OSes at all) and it's more work to construct the whole IP packet. It'll be great if it's a feature TWSocket provides for UDP sockets.

--
Best regards,
Jack
Re: [twsocket] UDP IP Spoofing Possible with ICS?
Hello Arno,

>> Is it possible to do UDP IP spoofing with the twsocket component?

> The only possibility is to use raw sockets with any component built around the winsock API. You may want to use WinPCap instead which allows sending raw packets as well.

I see. In that case I suppose I can still use ICS for receiving the packets and use WinPCAP for sending.

Thanks,
Jack