[twsocket] Certificate pre-usage validation
Hello,

Do you think it is possible to let me know how certificates used in FSSLContext can be checked for validation before any usage?

Following is additional detail: in an application an SSLContext is configured (for a TSSLSocket) and currently a check for files existence is present (checking if the CLCert, PrivKey, CAPath exist in their configured locations). Furthermore I want to perform additional checks for these files including:

* Are all configured files valid/real certificates (and all files in CAPath)?
* Are certificates not expired?
* Is the full chain OK?
* Is the password correct?

Please let me know if the above task is doable and if so please direct me to a small demo or code.

Thank you in advance

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
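The four checks listed in the question above can be run with the openssl command-line tool before the files are handed to the SSL context. This is an added example, not part of the original post and not ICS code; the function names, file names, subjects and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-usage checks on PEM files with the openssl CLI (added example).
# File names, subjects and the password "s3cret" are constructed.

# check_cert FILE [SECONDS]: FILE parses as X.509 and does not expire within SECONDS.
check_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "not a certificate: $1"; return 1; }
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1 \
        || { echo "expired or expiring: $1"; return 2; }
}

# check_key CERT KEY PASSWORD: PASSWORD decrypts KEY and KEY belongs to CERT.
check_key() {
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) \
        || { echo "cannot read key (wrong password?): $2"; return 1; }
    [ "$key_pub" = "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" ] \
        || { echo "key does not match certificate: $2"; return 2; }
}

# check_chain ROOTS INTERMEDIATES CERT: CERT chains to a trusted root in ROOTS.
# INTERMEDIATES are only used to build the path; they are not trusted themselves.
check_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$' \
        || { echo "chain does not verify: $3"; return 1; }
}

# Constructed fixtures: root -> inter -> leaf (encrypted key), plus an unrelated root.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
# new_root NAME: self-signed CA certificate with an unencrypted key
new_root() {
    openssl req -x509 -config "$d/cfg" -extensions ca -newkey rsa:2048 -nodes \
        -keyout "$d/$1.key" -out "$d/$1.pem" -subj "/CN=Constructed $1" -days 30 2>/dev/null
}
# issue NAME ISSUER SECTION KEYOPTS...: new key and CSR for NAME, signed by ISSUER
issue() {
    name=$1 issuer=$2 sect=$3; shift 3
    openssl req -new -config "$d/cfg" -newkey rsa:2048 "$@" -keyout "$d/$name.key" \
        -out "$d/$name.csr" -subj "/CN=Constructed $name" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
        -CAcreateserial -extfile "$d/cfg" -extensions "$sect" -days 30 \
        -out "$d/$name.pem" 2>/dev/null
}
new_root root; new_root other
issue inter root ca -nodes
issue leaf inter leaf -passout pass:s3cret

# Run every check once on the constructed files.
for f in root inter leaf; do check_cert "$d/$f.pem" && echo "ok: $f.pem"; done
check_key "$d/leaf.pem" "$d/leaf.key" s3cret && echo "ok: password and key"
check_chain "$d/root.pem" "$d/inter.pem" "$d/leaf.pem" && echo "ok: chain"
```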
[twsocket] [FEATURE REQUEST] - Certificate from Windows store
Hello,

Do you believe that the functionality to use a certificate directly from the Windows store will be added to ICS in the near future?

Thank you in advance!
[twsocket] TLS communication issue
Hello,

Currently I have implemented a TLS client. This application is encountering a communication issue when using a new third party server. I am setting the cert file, private key file, password and CA file. In this configuration the handshake is not performed.

Currently I am using ICS v6 with OPENSSL v1.0.0d, but also a version of the client with ICS v8 and v1.0.0j. With both builds of the application the behavior is the same.

Using the OPENSSL (v1.0.0d) tool I created a server (openssl s_server command) using the same .pem certificates. With my client I then successfully communicated with this OPENSSL server.

Using the OPENSSL (v1.0.0d) tool I created a client call (openssl s_client command) to the third party server and it seems that it was successful.

I then proceeded to set the CAPath and now the communication seems to be in place. The only problem is that in this case the server does not encounter/log any successful calls from my side. I also tested the server with a .NET client which uses the same certificate but from the Windows store and the server logs the activity.

Please let me know if you have any pointers/indications that can help me in debugging the communication issue.

Thank you in advance.

Kind Regards,
Marius
[twsocket] Windows Certificates Store Usage
Hello,

Could you please let me know if there is a possibility to use the ICS library in combination with certificates from the Windows store? If this possibility exists please provide me a small code demo (client implementation).

Thank you in advance.

Kind Regards,
Marius Florigoanta
[twsocket] SSL Certificates check
I have updated the

    SslHandshakeDone(Sender: TObject; ErrCode: Word; PeerCert: TX509Base; var Disconnect: Boolean);

event as you mentioned and I used SslVerifyDepth = 15 and

    for I := 0 to TCustomSslWSocket(Sender).SslCertChain.Count - 1 do
        TCustomSslWSocket(Sender).SslCertChain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');

The first thing I noticed is that only one certificate is saved and this one is the one from the very top of the chain (the CA for all sub_CAs – the one that I posted earlier, you can find it attached).

Please advise
[twsocket] SSL Certificates check
Attached cert file
[twsocket] SSL Certificates check
Here are the files with OK := 1;

cert0 = Greatest CA (same as server's great CA)
cert1 = Intermediary CA (client's intermediary different from my server's)
cert2 = Client certificate
[twsocket] SSL Certificates check
Thank you for your feedback.

In my current scenario the certificate structure is as follows:

Server (my application) | Client
Root certificate -same as- Root certificate
Intermediary CA -not same as- Intermediary CA
Server Cert -not same as- Client Cert

(With my client certificate issued for me the communication works perfectly but this is not an option as project specification doesn't allow providing certificates to clients)

When I stated this I was referring to the following certificate structure:

Server (my application) | Client
Root certificate = 0 -same as- Root certificate = 0
Intermediary CA = 1 signed by 0 -same as- Intermediary CA = 1
Server Cert = 2 signed by 1 -not same as- Client Cert = 2 signed by 1

Hope this is clear enough. I'm looking forward to your feedback.
[twsocket] SSL Certificates check
Thank you for your prompt response.

We already tried your solution and it seems to be working. The issue is as follows: I do not have (access to) the client's certificate (application not developed by me) in order to compose the chains you mentioned. Furthermore I expect that other clients that have the same ROOT as me (but possibly other intermediary CA and client certs) will connect to my server.

I was wondering if there is a possibility to test the certificates at ROOT level and complete a communication and transaction.

Please advise!
[twsocket] SSL Certificates check
Arno, at this moment the client sends the entire certificate chain:

1. its client certificate issued by the intermediary CA (2 from below)
2. intermediary certificate issued by the root CA
3. root CA

The only certificate that is common between our server chain and client chain is (3) root CA. This should be enough, the communication should continue as both chains are issued by the same CA root. Please correct me if I'm wrong.

The issue that I encounter is that in the OnSslVerifyPeer event I receive error 7. Furthermore, I managed to obtain a valid communication when I always returned OK = 1 in that event but ONLY when SslContext.SslVerifyDepth is 0. This has no logic for me.

Thank you very much for your time. Your assistance is really appreciated.
[twsocket] SSL Certificates check
Sorry! Please find attached the log content for Cert.GetRawText.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cb:cf:5d:05:41:b2:33:36
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Validity
            Not Before: Jan 28 20:54:09 2010 GMT
            Not After : Jan 28 20:54:09 2012 GMT
        Subject: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (8192 bit)
[twsocket] SSL Certificates check
Currently I'm facing an issue in a Server application that uses TSSLWSocketServer. I'm setting to the SSLContext a server certificate identified in code as SSLContext.SslCertFile, with the correct private key file identified as SSLContext.SslPrivKeyFile and a password. Also I'm adding a CAFile identified as SslContext.SslCAFile. All files are .pem format and stored locally in my application folder (not in Certificate Store). A client application sends a message and uses an X509 Certificate from the same CA as my own certificates.

The current scenario is as follows:

1. The client doesn't have a client version of my certificates (With my client certificate issued for me the communication works perfectly but this is not an option as project specification doesn't allow providing certificates to clients)
2. I have to use SslContext.SslVerifyPeer = True
3. I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

The requirement is: if the client sends its own client certificate but has the same CA as my server certificate then the communication (client sends a message to server) should be possible.

I already tried to implement the SSLVerifyPeer event so that this method always returns true but with no positive outcome: the mentioned error does not appear, it just connects the client, performs a handshake and disconnects the client and the message never arrives.

Please advise!
[twsocket] SSL Certificates check
Hello!

Here is what the log is showing:

Received certificate
Subject: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Issuer: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Verify result: certificate signature failure Verify depth: 2

Currently I'm not setting a specific value for the SslVerifyDepth. Regarding the OpenSSL DLL version I tried with 0.9.8e and 0.9.8h.

--- On Mon, 5/2/11, Arno Garrels arno.garr...@gmx.de wrote:

From: Arno Garrels arno.garr...@gmx.de
Subject: Re: [twsocket] SSL Certificates check
To: ICS support mailing twsocket@elists.org
Date: Monday, May 2, 2011, 5:10 PM

marius gabi wrote:
I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

In the OnSslVerifyPeer event please do the following logging and post the result:

    Log('Received certificate'#13#10 +
        'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
        'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
        'Verify result: ' + Cert.VerifyErrMsg +
        ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
    Log(Cert.GetRawText);

--
Arno Garrels