EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TRtcHttpServer with multiple SSL hosts

Also by EldoS: Rethync
The cross-platform framework that simplifies synchronizing data between mobile and desktop applications and servers and cloud storages
Posted: 05/08/2009 04:45:24
by Richard Berends (Basic support level)
Joined: 05/08/2009
Posts: 2

Hi there,

I'm looking at adding SSL to an RTC web server project so I'm trying out SecureBlackBox, which all seemed to fit together quite nicely - with one host/dir/certificate. However as soon as I add a second host/dir/certificate, it seems to insist on using the first certificate... Is there any way to get it to use the correct certificate?

The only way so far that I've found to make it use the right one, is to intercept TRtcHttpServer.OnConnecting and swap out the TSSLServerRtcCryptPlugin's CertStorage with one that has just the single correct certificate, of course this isn't a real solution since at this point Request.Host isn't filled in so outside the IDE I don't know which is the right certificate to plug in...

I asked about this on the RTC forum and Danijel replied:
To find a solution to your current problem, I would recommend you to contact "Eldos". RTC SDK only provides a plug-in interface for SSL encryption components, but the encryption components as well as their plug-ins with any properties and events are entirely implemented by encryption component vendors ("Eldos" wrote the plug-in for "SecureBlackBox" components, while "StreamSec" wrote the plug-in for "StreamSec Tools" components).

I can not help you solve your problem, but I am quite positive that changing properties of the encryption plug-in component on an active Server will result in chaos because all connection components are sharing the same encryption plug-in and changing properties on that plug-in or components connected to the plug-in will affect all connections and not only the connection which is making the change. On top of that, making changes on the plug-in of a running Server will probably result in Access Violations in case any other connection is using the plug-in at the time the change is being made.


So any other suggestions would be appreciated..

Posted: 05/08/2009 05:02:15
by Eugene Mayevski (EldoS Corp.)

The problem with any HTTPS is that SSL/TLS handshake happens *before* HTTP. Your code really has no way to know, to which virtual host the user wants to connect. This is why you need to have a dedicated IP for HTTPS server. TLS 1.0 or 1.1 (don't remember exactly) addresses this problem by adding special TLS extension which contains the symbolic name of the host, and which lets the server present the right certificate. However, this functionality (a) works only in TLS, and not in still widely used SSL 3.0, and (b) is supported only by a limited set of software.

Sincerely yours
Eugene Mayevski
Posted: 05/08/2009 05:16:18
by Richard Berends (Basic support level)
Joined: 05/08/2009
Posts: 2

Darn, Oh well thanks for the prompt reply...




Topic viewed 1691 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!