Set connection properties

SecureBlackbox includes quite a few SSL-enabled classes, which share a common set of properties and events related to SSL/TLS communication. The following description applies to all SSL-enabled classes unless otherwise specified.

Before the SSL/TLS connection can be established, the application must set certain properties of the class.

First of all, the application must specify which SSL/TLS versions can be used. By default, client-side components use SSL 2, SSL 3, TLS 1.0 and TLS 1.1; server-side components use SSL 3, TLS 1.0 and TLS 1.1. The versions are set using the Versions property of the SSL-enabled class. SSL 2 is outdated and not recommended for use. TLS 1.1 is currently not supported by most TLS servers. What is worse, OpenSSL silently crashes when it receives a TLS 1.1 request. So unless you know for sure that the other side supports TLS 1.1, you are advised to disable it.

Another thing to configure is cipher suites. A cipher suite is a combination of symmetric, public-key, key exchange and digest (hash) algorithms. Also, certain algorithms can be used only with specific certificates. Cipher suites are configured using the CipherSuites property (the EnableCipherSuite/DisableCipherSuite methods in the ActiveX/DLL edition). By default, all cipher suites are enabled on the client side. On the server side the NULL* cipher suites are disabled and the rest are enabled. Algorithms differ in speed and security level: DES and 3DES are quite slow, while AES and ARCFOUR are fast. Note that AES and Camellia cipher suites are new and are not supported by some web servers (including IIS on Windows).

A special case of cipher suites are PSK (pre-shared key) cipher suites. These cipher suites don't use X.509 certificates but instead use a shared secret (a secret key or passphrase). If you plan to use those cipher suites, see the corresponding how-to article.

TLS 1.1 supports compression and various TLS extensions. Compression is described in the corresponding how-to article. Client-side and server-side extensions are described in the corresponding sections of the how-to.

An important step is to set a handler for the OnCertificateValidate event of the SSL-enabled class. The event handler must validate the certificate and must return True only if the certificate can be accepted; otherwise it must return False. If no event handler is defined, the classes assume that the certificate has not been accepted and abort the SSL/TLS handshake. Information about the certificate validation procedure in SSL/TLS components is provided in the corresponding how-to article.

If the server uses client-side authentication, it can be necessary to implement a handler for the OnCertificateNeededEx event of the SSL-enabled class. This event is used to pass the certificate from the application to the server. For more information about client-side authentication, see the corresponding how-to article.

The SSL server classes need additional setup of the certificates, as described in the corresponding how-to article.
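How the three settings described above (Versions, CipherSuites and the OnCertificateValidate handler) fit together in one client, as an added example that is not from the SecureBlackbox documentation or code base. It assumes the VCL (Delphi) edition: the unit names (SBSSLClient, SBSSLConstants, SBCertValidator, SBX509, SBTypes), the version flags sbSSL3 and sbTLS1, the SB_SUITE_* cipher suite constants, the TElX509CertificateValidator class and the argument order of its Validate method are written from memory and are assumptions to check against the reference shipped with your edition. Only the Versions, CipherSuites and OnCertificateValidate members are taken from this page.

```delphi
{ Added example, not part of the SecureBlackbox documentation. Unit names,
  sbSSL3/sbTLS1, SB_SUITE_* constants and the Validate signature are assumed
  and must be checked against the reference of your SecureBlackbox edition. }
unit TlsClientSetup;

interface

uses
  SysUtils, SBSSLClient, SBSSLConstants, SBX509, SBCertValidator, SBTypes;

type
  TTlsClientSetup = class
  private
    FClient: TElSimpleSSLClient;
    FValidator: TElX509CertificateValidator;
    procedure HandleCertificateValidate(Sender: TObject;
      X509Certificate: TElX509Certificate; var Validate: Boolean);
  public
    constructor Create;
    destructor Destroy; override;
    procedure Connect(const Host: string; Port: Integer);
  end;

implementation

constructor TTlsClientSetup.Create;
const
  { Assumed constant names. AES is preferred (fast); 3DES stays as a slow
    fallback for servers that do not support the AES suites yet. }
  AllowedSuites: array[0..2] of Integer =
    (SB_SUITE_RSA_AES256_SHA, SB_SUITE_RSA_AES128_SHA, SB_SUITE_RSA_3DES_SHA);
var
  Suite, I: Integer;
begin
  FClient := TElSimpleSSLClient.Create(nil);
  FValidator := TElX509CertificateValidator.Create(nil);

  { 1. Versions. The client default also enables SSL 2 (outdated) and
       TLS 1.1 (rarely supported), so restrict the set to SSL 3 and TLS 1.0. }
  FClient.Versions := sbSSL3 or sbTLS1;

  { 2. Cipher suites. The client default enables every suite, including the
       NULL* (unencrypted) and export-strength ones. Disable everything first
       and then enable an explicit allow list, so a suite added by a library
       upgrade is never switched on by accident. }
  for Suite := SB_SUITE_FIRST to SB_SUITE_LAST do
    FClient.CipherSuites[Suite] := False;
  for I := Low(AllowedSuites) to High(AllowedSuites) do
    FClient.CipherSuites[AllowedSuites[I]] := True;

  { 3. Certificate validation. Without a handler the class treats every
       certificate as rejected and aborts the handshake, so this is required. }
  FClient.OnCertificateValidate := HandleCertificateValidate;
end;

destructor TTlsClientSetup.Destroy;
begin
  FreeAndNil(FValidator);
  FreeAndNil(FClient);
  inherited;
end;

procedure TTlsClientSetup.HandleCertificateValidate(Sender: TObject;
  X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  { Start from "rejected": any early exit leaves the certificate unaccepted,
    which is the same safe outcome the class uses when no handler is set. }
  Validate := False;

  { Assumed signature: (Certificate, AdditionalCertificates,
    CompleteChainValidation, ResetCertificateCache, ValidityMoment,
    var Validity, var Reason). }
  FValidator.Validate(X509Certificate, nil, True, False, Now, Validity, Reason);

  { Accept only a chain the validator reports as valid (cvOk is the assumed
    "valid" enum value); any other Validity or Reason leaves Validate False. }
  Validate := (Validity = cvOk);
end;

procedure TTlsClientSetup.Connect(const Host: string; Port: Integer);
begin
  FClient.Address := Host;
  FClient.Port := Port;
  FClient.Open; { runs the handshake; OnCertificateValidate fires during it }
end;

end.
```

The handler assigns False before doing any work so that an exception or an unexpected path never leaves the certificate accepted. Chain validation alone does not confirm that the certificate belongs to the host you connected to; that check is outside the scope of this page and must be added by the application.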

