ElClientServerIndySSLIOHandlerSocket.ClientCertStorage: What's this ?

#12778
Posted: 03/12/2010 02:48:39
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I'm struggling to get a server application to use client certificates when accepting SSL connections, and I came across this property, which is not documented.

I checked in the latest available help file and I couldn't find it.

What is it? Is it important in my case?
#12779
Posted: 03/12/2010 06:27:14
by Ken Ivanov (EldoS Corp.)

ElClientServerIndySSLIOHandlerSocket publishes no property named ClientCertStorage (are you confusing the class? ElClientIndySSLIOHandlerSocket does).

To force client authentication on the server, please set the ClientAuthentication property to true and AuthenticationLevel to alRequireCert. Then either handle the OnCertificateValidate event or assign the certificate storage containing the trusted certificates to the TElIndySSLServerIOHandler.CertStorage property.
#12808
Posted: 03/17/2010 04:09:14
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you for your answer.

TElClientServerIndySSLIOHandlerSocket descends from ElClientServerIndySSLIOHandlerSocket so it does have the same property.

I managed to get the client cert validation working now, but I'm left with what looks like a problem I can't solve: how can I get the client certificate from within the response handling thread? I have an HTTP server component where I'll need to handle the GET and PUT commands, and what happens will depend on which certificate is exposed by the client. Unfortunately, that property seems to be lost after the connection has been validated.

I've tried writing a global session manager object that would allow me to store X509 certificates per socket connection (CIP:CPort:SIP:SPort) but, unfortunately, I don't have access to that information at the time I validate the client certificate: I don't have the session data at all there, only the default bindings.
#12816
Posted: 03/18/2010 00:03:36
by Ken Ivanov (EldoS Corp.)

My bad. Actually, the TElClientServerIndySSLIOHandlerSocket class does have the ClientCertStorage property (exactly due to inheritance from the client-side class), though it has no effect on the work of the component. It is a kind of side effect of the IOHandler classes model proposed by Indy.

Yes, the TElX509Certificate object passed to the OnCertificateValidate method is freed once the handler returns. However, you can clone the certificate object obtained in the OnCertificateValidate handler with the use of TElX509Certificate.Clone() method and save it somewhere for future use (e.g., by assigning it to the IOHandler.Tag property).
#12822
Posted: 03/18/2010 09:10:32
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks again for answering.


Quote
Yes, the TElX509Certificate object passed to the OnCertificateValidate method is freed once the handler returns. However, you can clone the certificate object obtained in the OnCertificateValidate handler with the use of TElX509Certificate.Clone() method and save it somewhere for future use (e.g., by assigning it to the IOHandler.Tag property).


Unfortunately, that won't fly unless I have a single connection at a time: the IOHandler is not local to the response context, and therefore two successive connections from different clients are going to overwrite this value. The TIdContext info that comes along with the connection MUST somehow be passed to the event handler if one wants to get that information safely saved for the duration of the session (and don't even start thinking about how to FREE this new extra component).
#12823
Posted: 03/18/2010 09:11:54
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

BTW, it was the first time I had the occasion to use the certificate validator component, and I must say: thank you very much. It does replace an awful lot of code.
#12824
Posted: 03/18/2010 09:59:23
by Ken Ivanov (EldoS Corp.)

Hmm, won't the approach below suit your task?

Code
procedure TForm1.IOHandlerCertificateValidate(Sender: TObject;
  X509Certificate: TElX509Certificate;
  IOHandler: TElClientServerIndySSLIOHandlerSocket; var Validate: Boolean);
var
  NewCert : TElX509Certificate;
begin
  // checking certificate validity
  // ...
  NewCert := TElX509Certificate.Create(nil);
  X509Certificate.Clone(NewCert, false);
  IOHandler.Tag := integer(NewCert);
end;

procedure TForm1.HTTPServerCommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
var
  Cert : TElX509Certificate;
begin
  Log('Get Command Arrived. Sending response and closing.');
  AResponseInfo.ContentText := '12345';
  Cert := TElX509Certificate(AContext.Connection.IOHandler.Tag);
  // doing something with Cert
  // ...
end;


The best approach for certificate object destruction depends on your exact task. For example, a list of <IOHandler, Certificate> or <Connection, Certificate> pairs can be kept somewhere instead of placing the certificate in the Tag property of the IOHandler. Another solution would be to use a certificate pool.
#12830
Posted: 03/19/2010 10:07:27
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks again.

I took the time to test your suggestion and I'm afraid it's still falling short of my needs.

Specifically:

- There is no way to properly dispose of the allocated certificate objects short of writing some kind of pool and attributing it a TTL.
- If using a session pool, then the validation only occurs once, because the IOHandler is recycled between calls, breaking the link between SSL connections and TCP connections. If not using session pools, the performance for simultaneous connections gets much worse.

Just to make things clear, I need to write an HTTP upload system where files are sorted based on the provided client certificate. If absolutely necessary, I can change the requirements to force a user name and password instead of the client cert auth, but it would definitely lower the value of the program.
#12831
Posted: 03/19/2010 10:39:31
by Eugene Mayevski (EldoS Corp.)

And why not use a global certificate cache ("pool")? This is trivial.


Sincerely yours
Eugene Mayevski
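One way to build the global cache suggested above, as an added example that is not part of the original thread or of SecureBlackbox itself. It keys the cloned certificate on the IOHandler object, which the thread's own code shows is available both to OnCertificateValidate (the IOHandler parameter) and to the command handler (AContext.Connection.IOHandler); the copy is freed from TIdHTTPServer.OnDisconnect, which removes the TTL problem, and a recycled IOHandler never exposes the previous client's certificate because each validation replaces the stored copy. Assumed: a Delphi version with Generics.Collections, the SecureBlackbox unit SBX509 for TElX509Certificate, and SyncObjs for TCriticalSection.

```delphi
type
  TClientCertCache = class
  private
    FLock: TCriticalSection;
    FCerts: TObjectDictionary<TObject, TElX509Certificate>; // keyed by the connection's IOHandler
  public
    constructor Create;
    destructor Destroy; override;
    procedure Store(AHandler: TObject; ACert: TElX509Certificate); // from OnCertificateValidate
    function Lookup(AHandler: TObject): TElX509Certificate;        // from the GET/PUT handler
    procedure Remove(AHandler: TObject);                            // from TIdHTTPServer.OnDisconnect
  end;

constructor TClientCertCache.Create;
begin
  inherited;
  FLock := TCriticalSection.Create;
  FCerts := TObjectDictionary<TObject, TElX509Certificate>.Create([doOwnsValues]); // frees values itself
end;
destructor TClientCertCache.Destroy;
begin
  FCerts.Free; FLock.Free; inherited;
end;

procedure TClientCertCache.Store(AHandler: TObject; ACert: TElX509Certificate);
var
  Copy: TElX509Certificate;
begin
  Copy := TElX509Certificate.Create(nil);
  ACert.Clone(Copy, False); // the original is freed when the validate handler returns
  FLock.Enter;
  try
    FCerts.AddOrSetValue(AHandler, Copy); // a recycled IOHandler drops the previous client's copy
  finally FLock.Leave; end;
end;
function TClientCertCache.Lookup(AHandler: TObject): TElX509Certificate;
begin
  FLock.Enter;
  try
    if not FCerts.TryGetValue(AHandler, Result) then Result := nil; // nothing validated here
  finally FLock.Leave; end;
end;
procedure TClientCertCache.Remove(AHandler: TObject);
begin
  FLock.Enter;
  try
    FCerts.Remove(AHandler); // frees the stored copy; a no-op when nothing was stored
  finally FLock.Leave; end;
end;
```

Treat a nil result from Lookup as "no authenticated client" and reject the upload rather than falling through, so a connection that skipped validation (for example a resumed session) fails closed.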