EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Another Indy question

#21287
Posted: 08/31/2012 00:36:45
by Eugene Mayevski (EldoS Corp.)

SSLOptions had no effect on TElIndySSLIOHandlerSocket.

Our IOHandlers have their own properties which are used.


Sincerely yours
Eugene Mayevski
#21289
Posted: 08/31/2012 00:56:13
by Alexey Parshin (Basic support level)
Joined: 08/29/2012
Posts: 4

Yes, I got that. The question is - how do I set SSLOptions such as VerifyMode (see TIdSSLOptions) that are available in Indy9 version?
I'm migrating code that uses TElIndySSLIOHandlerSocket, to SBB+Indy10. That component doesn't exist in SBB+Indy10 combination, so I'm trying to replace it with TElClientIndySSLIOHandlerSocket. Maybe this is incorrect?
#21290
Posted: 08/31/2012 01:10:04
by Eugene Mayevski (EldoS Corp.)

There must be some misunderstanding here.

First, you mention TElIndySSLIOHandlerSocket - supposedly the class of SecureBlackbox. But it never used SSLOptions in its work (though SSLOptions was exposed in the interface as the inherited property) so it's unlikely you are "migrating". This is what I mentioned in the previous e-mail.

Next, SecureBlackbox has a completely different ideology to OpenSSL (whose behavior is exposed via the SSLOptions property of OpenSSLIndyIOHandler). I have no idea what VerifyMode does, but to validate certificates you need to handle the OnCertificateValidate event. The easiest and most complete validation method is to use TElX509CertificateValidator. Do the search in the sample folder (SecureBlackbox\Samples\Delphi\SSLBlackbox) for "TElX509CertificateValidator", this will give you samples which use the validator.

Finally, SecureBlackbox has almost anything you can find in Indy (when it comes to common protocols) and in many cases offers more with a smaller footprint and greater efficiency. It often makes sense to consider dropping Indy (which was not updated for 8 years or so) and switch to SecureBlackbox functionality.


On a side note, if you have a license, please assign the license ticket to your user account. The ticket itself and the procedure of its use are specified in the registration e-mail that was sent to you upon license purchase. If you don't have the license ticket, please contact the person from whom you have obtained the license key (the one in your code) for a ticket.

NOTE: please don't post license keys and license tickets to the forum. If you need to clarify something about your license, please use HelpDesk ( http://www.eldos.com/helpdesk/ ).


Sincerely yours
Eugene Mayevski
#21291
Posted: 08/31/2012 03:41:18
by Alexey Parshin (Basic support level)
Joined: 08/29/2012
Posts: 4

I'm going to be back from vacation after the 12th, and will assign the license to my account then.

At the moment, the following page:

https://www.eldos.com/documentation/sbb/documentation/ref_cl_indyssliohandlersocket.html

says: TElIndySSLIOHandlerSocket is a descendant of TIdSSLIOHandlerSocketBase

Now, both these classes belong to SBB+Indy9 combination, and TIdSSLIOHandlerSocketBase does have SSLOptions I'm asking about. In the SBB+Indy10 combination, the page:

https://www.eldos.com/documentation/sbb/documentation/ref_cl_clientindyssliohandlersocket.html

says: TElClientIndySSLIOHandlerSocket is a descendant of TIdSSLIOHandlerSocketBase

Now, TIdSSLIOHandlerSocketBase doesn't have SSLOptions. Only TIdSSLIOHandlerSocketOpenSSL, derived from TIdSSLIOHandlerSocketBase, has it.

Our current code, which uses SBB and Indy9 (both bought around 2004), uses SSLOptions. I see the way to set the protocol set (SSLv2/SSLv3) in the new version, but I can't find a way to set either VerifyMode or VerifyDepth.

I can raise an official support ticket, but only in two weeks.
#21292
Posted: 08/31/2012 04:14:52
by Eugene Mayevski (EldoS Corp.)

You seem to not follow me on this. Despite the fact that you see the SSLOptions property in TElClientIndySSLIOHandlerSocket, this property does nothing. We can't remove it as it is inherited, but it's not used.


Sincerely yours
Eugene Mayevski
#21426
Posted: 09/11/2012 18:32:30
by Joseph Hassall (SUPPORT DISABLED)
Joined: 09/11/2012
Posts: 5

Eugene, since you insisted on using the company's login here, I have to continue under the name of my boss (this is Alexey Parshin).

Here is the deal: I need to understand how I can set two options: VerifyMode and VerifyDepth. I can do it with SBB based on Indy9 we're using in current code base. These are pretty important parameters that define the properties of SSL handshake. How can I do it in the new version of SBB for Indy 10?
#21428
Posted: 09/12/2012 00:48:30
by Eugene Mayevski (EldoS Corp.)

Huh. VerifyMode and VerifyDepth don't do anything in SBB's IOHandler in Indy 9. Forget about them - they didn't ever work.

What do you want to accomplish? What do you need to verify?


Sincerely yours
Eugene Mayevski
#21430
Posted: 09/12/2012 01:07:25
by Joseph Hassall (SUPPORT DISABLED)
Joined: 09/11/2012
Posts: 5

Interesting. I still want to know how to set VerifyDepth. Assuming that default depth is 0, I may not need it immediately, but eventually I may need to set it to 1 or 2.

Also, what about password? In the code that I'm porting, password is provided through a callback method assigned to OnGetPassword event. That is critical.
#21431
Posted: 09/12/2012 01:10:03
by Eugene Mayevski (EldoS Corp.)

I am completely lost on what you are talking about. If you want to set the property that never worked and doesn't work now - go ahead and set it. And I don't know what password you are talking about - while TLS supports SRP ciphersuites, this is likely not what one would need.


Sincerely yours
Eugene Mayevski
#21433
Posted: 09/12/2012 02:05:56
by Eugene Mayevski (EldoS Corp.)

Just to make it clear - SecureBlackbox's IOHandler class for Indy is not a replacement for the OpenSSL IOHandler, and these two IOHandlers have very little in common. So if you are migrating your code from OpenSSL stuff, you need to forget about OpenSSL and start looking at how things are done in SecureBlackbox. SecureBlackbox is much more powerful and flexible than OpenSSL and consequently it has different approaches to all SSL-related functionality. There are no one-to-one mappings to any behavior and any properties between the two.


Sincerely yours
Eugene Mayevski
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
