Discuss this help topic in SecureBlackbox Forum

TElX509CertificateValidator.ValidateForSSL

TElX509CertificateValidator     See also     


Filter: C#/Java  VB.NET  Pascal  C++  PHP  


Use this method to check validity of the certificates received from the remote party in SSL/TLS communication.

Declaration

[VB.NET]
    Sub ValidateForSSL(ByVal Certificate As TElX509Certificate, ByVal DomainName As String, ByVal IPAddress As String, ByVal HostRole As TSBHostRole, ByVal AdditionalCertificates As TElCustomCertStorage, ByVal CompleteChainValidation As Boolean, ByVal ValidityMoment As DateTime, ByRef Validity As TSBCertificateValidity, ByRef Reason As TSBCertificateValidityReason)
    Sub ValidateForSSL(ByVal Certificate As TElX509Certificate, ByVal DomainName As String, ByVal IPAddress As String, ByVal HostRole As TSBHostRole, ByVal AdditionalCertificates As TElCustomCertStorage, ByVal CompleteChainValidation As Boolean, ByVal ValidityMoment As DateTime, ByVal InternalValidation As Boolean, ByRef Validity As TSBCertificateValidity, ByRef Reason As TSBCertificateValidityReason)

[PHP]
    void ValidateForSSL(TElX509Certificate $Certificate, string $DomainName, string $IPAddress, integer $HostRole, TElCustomCertStorage $AdditionalCertificates, bool $CompleteChainValidation, DateTime $ValidityMoment, integer &$Validity, integer &$Reason)
    void ValidateForSSL(TElX509Certificate $Certificate, string $DomainName, string $IPAddress, integer $HostRole, TElCustomCertStorage $AdditionalCertificates, bool $CompleteChainValidation, DateTime $ValidityMoment, bool $InternalValidation, integer &$Validity, integer &$Reason)

Parameters

  • AdditionalCertificates - Additional certificates that might be known or obtained during the handshake.
  • Certificate - Certificate to be validated.
  • CompleteChainValidation - Specifies whether to check issuer (CA) certificates when the certificate is invalid.
  • DomainName - Domain name of the host, whose certificate is validated. Can be empty, if it's not known.
  • HostRole - The role of the remote host. Can be none (then the key usage is not checked against the role), server, client or both.
  • IPAddress - IP address of the host, whose certificate is validated. CAn be empty if it's not known.
  • InternalValidation - specifies if internal validation should be performed.
  • Reason - On return contains validity status reasons of the certificate.
  • Validity - On return contains validity status of the certificate.
  • ValidityMoment - Specifies the time when the certificate must be valid (i.e. the moment of handshake).

Host roles

Validity values


Validity reasons


Description

     Use this method to validate the certificate received during SSL / TLS handshake (e.g., via OnCertificateValidate event of SSL components). You need to pass the end-entity certificate only - CA certificates will be retrieved via Certificate's Chain property. So the event handler for OnCertificateValidate should look like this (in pseudocode):

			
if (Certificate.Chain = null) or (Certificate.Chain.Certificates[0] = Certificate) then
Validator.ValidateForSSL(Certificate, …)
			
		
If the chain is not available, you can pass CA certificates via AdditionalCertificates parameter or using AddKnownCertificates() method.

     The method checks whether the certificate subject and names correspond to given domain name or IP address. Next certificate's Key Usage fields are checked to ensure that the certificate may be used for TLS handshake. Finally, Validate() method is called to validate the certificate itself.

     Domain name and IP address of the other party can be obtained via RemoteHost and RemoteIP properties of SSL classes (TElHTTPSClient, TElSimpleFTPSClient, TElSMTPClient).

     When CompleteChainValidation = true and the certificate is found to be not valid, certificate validation continues, i.e. issuer (CA) certificates are validated as well. This lets you create validation report which should include all certificates in the chain. When CompleteChainValidation = false and the certificate is not valid, further validation is not performed and Validate() method returns immediately.

     Since version 13 ResetCertificateCache parameter has been replaced with ResetCertificateCache class method.

See also:     ResetCertificateCache     Validate     ValidateForSMIME     ValidateForTimestamping    

Discuss this help topic in SecureBlackbox Forum