Help with ELHTTPSClient

#6415
Posted: 05/28/2008 08:45:08
by Filosoft  (Premium support level)
Joined: 05/28/2008
Posts: 12

Hi,
I am having a hard time trying to establish a connection with a secure web server.
I am using a TElHTTPSClient.
- OnCertificateValidate Event: set Validate to True;

- OnCertificateNeededEx Event: called 4 times, first 3 times the certificate chain is sent, last time nil is set. Certificate Chain is sent starting from the "Client" certificate, ending with the root CA certificate.

- OnError Event:
- if SSLv3 is used, ErrorCode is 75782; otherwise it is 75783
- Fatal is True
- Remote is False

The 75782 error seems to be caused by the lack of SSLv3 support at the server. But the 75783 error is driving me crazy...

The certificate chain is being loaded into a TElMemoryCertStorage like this:
Code
  // Tag is used as the index of the next certificate to hand out in OnCertificateNeededEx
  HTTPSClient.Tag := 0;
  MemoryCertStorage.Clear;

  stream := TMemoryStream.Create;

  // End-entity ("Client") certificate, loaded from an SPC container
  stream.LoadFromFile(path+'Client.spc');
  stream.Position := 0;
  X509 := TElX509Certificate.Create(Self);
  if X509.LoadFromStreamSPC(stream) = 0 then   // 0 means success
    MemoryCertStorage.Add(X509,True)
  else
    ShowMessage('Error loading client certificate');
  stream.Clear;
  X509.Free;

  // Intermediate: Code Signing Root certificate
  stream.LoadFromFile(path+'CSRoot.spc');
  stream.Position := 0;
  X509 := TElX509Certificate.Create(Self);
  if X509.LoadFromStreamSPC(stream) = 0 then
    MemoryCertStorage.Add(X509,True)
  else
    ShowMessage('Error loading Code Signing Root certificate');
  stream.Clear;
  X509.Free;

  // Root: Premium Server CA certificate
  stream.LoadFromFile(path+'CARoot.spc');
  stream.Position := 0;
  X509 := TElX509Certificate.Create(Self);
  if X509.LoadFromStreamSPC(stream) = 0 then
    MemoryCertStorage.Add(X509,True)
  else
    ShowMessage('Error loading Premium Server CA certificate');
  stream.Clear;
  X509.Free;

  stream.Free;


The certificate chain is being sent to the server like this:
Code
// Called repeatedly by the client; returns the certificates in storage order
// (client certificate first, root CA last) and nil once the chain is exhausted.
procedure TSSLForm.HTTPSClientCertificateNeededEx(Sender: TObject; var Certificate: TElX509Certificate);
begin
  if HTTPSClient.Tag < MemoryCertStorage.Count then
  begin
    Certificate := MemoryCertStorage.Certificates[HTTPSClient.Tag];
    HTTPSClient.Tag := HTTPSClient.Tag + 1;
  end
  else
    Certificate := nil;
end;


I must say that the certificate we are using is a code signing certificate and not a client authentication certificate. Anyway, the person who has installed the certificate at the server keeps telling me that we can use this certificate. Since the error seems to be local (Remote is False), I would like to be sure whether the problem is the certificate or not before spending money on a new one.

I have also tested the SimpleSSL example and the errors are the same...

Any clues on what's going on here?
#6416
Posted: 05/28/2008 08:58:43
by Eugene Mayevski (EldoS Corp.)

You are connecting with SSL2 (only in SSL2 can you get the error that you are getting). When the certificate chain is being loaded, your end-entity certificate doesn't contain a private key. The chain is not valid in this case and you get the error ERROR_SSL_NO_CERTIFICATE.


Sincerely yours
Eugene Mayevski
#6417
Posted: 05/28/2008 09:17:53
by Filosoft  (Premium support level)
Joined: 05/28/2008
Posts: 12

Thanks,

That was it. Now I am getting a 75784, but this time Remote is True. It seems like the server doesn't like the certificate...

Regards,
#6419
Posted: 05/28/2008 09:28:33
by Eugene Mayevski (EldoS Corp.)

Yes, it looks so. In fact, a properly written server must use the Key Usage of the certificate for validation and must not allow you to use a code signing certificate for authentication.


Sincerely yours
Eugene Mayevski
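The two failure modes in the replies above (#6416: the end-entity certificate has no private key; #6419: a code signing certificate is not meant for client authentication) can both be caught before the handshake. The following is an added example, not code from the thread or from EldoS; it assumes the openssl command-line tool is installed and takes the PEM certificate and key paths as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of a PEM certificate and
# key before handing them to a TLS client. Assumes openssl is on PATH; the file
# paths are the caller's. Prints "ok" or a space-separated list of problems.
check_client_cert() {
  cert="$1"; key="$2"; problems=""

  # 1. The end-entity certificate must be paired with its private key; without
  #    it the chain cannot be used for client auth (the ERROR_SSL_NO_CERTIFICATE
  #    case). Both commands emit the SubjectPublicKeyInfo as PEM, so equality
  #    means the key really belongs to the certificate.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    problems="$problems no-private-key"
  fi

  # 2. Extended Key Usage: a code signing certificate lists "Code Signing";
  #    a server that validates key usage expects "TLS Web Client Authentication".
  #    An absent EKU extension is unrestricted and therefore not flagged.
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null || true)
  eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
  case "$eku" in
    "") ;;
    *"TLS Web Client Authentication"*) ;;
    *) problems="$problems eku-not-clientauth" ;;
  esac

  # 3. Key Usage: client authentication signs the handshake, so the
  #    digitalSignature bit must be set when the extension is present.
  ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
  case "$ku" in
    "") ;;
    *"Digital Signature"*) ;;
    *) problems="$problems ku-no-digitalsignature" ;;
  esac

  if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}
```

Run it as `check_client_cert client.crt client.key`; a code signing certificate reports `eku-not-clientauth`, and passing a wrong or missing key file adds `no-private-key`.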
#6420
Posted: 05/28/2008 10:21:10
by Filosoft  (Premium support level)
Joined: 05/28/2008
Posts: 12

Now I don't know which certificate to buy and I don't trust the server team anymore.

Knowing that the server needs an RSA-SHA1 1024-bit client certificate, can you help me out choosing one from Thawte or Comodo?

Thanks,
#6421
Posted: 05/28/2008 10:49:37
by Eugene Mayevski (EldoS Corp.)

Hmm. I believe they have their own requirements.
Also, I don't know what CAs offer client-side SSL certificates. Their SSL certificates are the ones issued for the web sites, not for the clients.
The only place where I saw client-side certification used is our bank, and they issue certificates for their clients themselves.


Sincerely yours
Eugene Mayevski