Discuss this help topic in SecureBlackbox Forum

Set connection properties

SecureBlackbox includes quite a few SSL-enabled classes, which share a common set of properties and events, related to SSL/TLS communication. The following description applies to all SSL-enabled classes, if other is not specified.

Before the SSL/TLS connection can be established, the application must set certain properties of the class.

First of all, the application must specify, what SSL/TLS versions can be used. By default client-side components use TLS 1.0, TLS 1.1 and TLS 1.2. Server-side components have SSL 3, TLS 1.0, TLS 1.1 and TLS 1.2 enabled. SSL3 is enabled to keep compatibility with old client software. The versions are set using Versions property of the SSL-enabled class.

Another thing to configure is cipher suites. Cipher suite is a combination of symmetric, public-key, key exchange and digest (hash) algorithms. Also, certain algorithms can be used with specific certificates. Cipher suites are configured using CipherSuites property. By default on the client side all cipher suites are enabled. On the server side NULL* cipher suites are disabled, and the rest is enabled. Algorithms are different in speed and security level. DES and 3DES are quite slow, while AES and ARCFOUR are fast. Note, that AES and Camellia cipher suites are new and are not supported by some web servers and clients.

A special case of cipher suites are PSK (pre-shared key) cipher suites. These cipher suites don't use X.509 certificates, but instead use a shared secret (a secret key or passphrase). If you plan to use those cipher suite, see the corresponding how-to article.

TLS 1.1 and 1.2 support compression and various TLS extensions. Compression is described in the corresponding how-to article. Client-side and server-side extensions are described in the corresponding sections of the how-to.

An important step is to set a handler for OnCertificateValidate event of the SSL-enabled class. The event handler must validate the certificate and must return true only if the certificate can be accepted. Otherwise False must be returned. If there's no event handler defined, the classes assume that the certificate has not been accepted, and abort the SSL/TLS handshake. Information about certificate validation procedure in SSL/TLS components is provided in the corresponding how-to article.

If the server uses client-side authentication, it can be necessary to implement a handler for OnCertificateNeededEx event of the SSL-enabled class. This event is used to pass the certificate from the application to the server. For more information about client-side authentication see the corresponding how-to article.

The SSL/TLS server classes need additional setup of the certificates, as described in the corresponding how-to article.

How To articles about common SSL/TLS questions

Discuss this help topic in SecureBlackbox Forum