EldoS | Feel safer!

Another Indy question

Posted: 09/12/2012 16:46:27
by Joseph Hassall (SUPPORT DISABLED)
Joined: 09/11/2012
Posts: 5

Ok, once again. I have two components joined the way the SBB help suggests: TIdTCPClient and TElIndySSLIOHandlerSocket. They are using Indy 9 and SBB (version ~2004). The code has been working for years. I have to migrate it to Indy 10 + the latest SBB. The SBB help suggests that the TElIndySSLIOHandlerSocket equivalent (if using Indy 10) is TElClientIndySSLIOHandlerSocket.

Now, the problems are: in the new version of SBB, TElIndySSLIOHandlerSocket is missing the SSLOptions property and the OnGetPassword event.
I need to understand how I can define SSLOptions (or an equivalent) and how I can provide the private key password.
Posted: 09/13/2012 00:05:34
by Eugene Mayevski (Team)

You are not following what I am saying. Neither Options nor OnGetPassword have any relation to SecureBlackbox. They never worked in the SecureBlackbox IOHandler. Forget about them.

The reason why you see them is that in Indy 9 the only way to create an IOHandler was to make a descendant class from the OpenSSL IOHandler. Consequently, the properties and events of the OpenSSL IOHandler were inherited by the SecureBlackbox IOHandler (and there's no way to hide a property or event in Delphi). But they never worked.

In Indy 10 the authors have reworked IOHandlers completely, and now each IOHandler is an independent class.

Now if you ask me how to implement the functionality of those properties (which didn't work, note) in our code, I would answer that I have no idea -- as those are not our properties and they are not documented, we don't know what they are supposed to mean. If you know this, then you are welcome to explain what *functionality* is introduced with those properties/events, and then we will be able to suggest to you how to implement that functionality with SecureBlackbox.

Sincerely yours
Eugene Mayevski
Posted: 09/13/2012 00:08:40
by Eugene Mayevski (Team)

Joseph Hassall wrote:
Eugene, since you insisted on using the company's login here, I have to continue under the name of my boss (this is Alexey Parshin).

Actually your license is a company-wide license and the license ticket can be linked to any number of users. So you can link it to your account. This way you can write under your name and get email notifications about updates.

Sincerely yours
Eugene Mayevski
Posted: 09/13/2012 17:00:55
by Joseph Hassall (SUPPORT DISABLED)
Joined: 09/11/2012
Posts: 5

The missing functionality is:

1) The verify depth to use. This specifies the maximum length of the server certificate chain and turns on server certificate verification. 0 means don't verify.

2) The private key password.
Posted: 09/14/2012 00:00:21
by Eugene Mayevski (Team)

1. Doesn't make any sense: certificate validation must be performed completely, otherwise it's not validation but profanity.

To validate certificates sent by the other party during the SSL/TLS handshake you need to handle the OnCertificateValidate event and perform validation yourself. The easiest way to do this is to use the TElX509CertificateValidator class. A sample of using this class with SSL can be found in the <SecureBlackbox>\Samples\Delphi\SSLBlackbox folder (just search for TElX509CertificateValidator there). The documentation and knowledge base contain extensive information regarding how this class can and should be used.

2. Neither the IOHandler nor the SSL/TLS classes load certificates and use passwords. You pass certificates using the CertStorage and ClientCertStorage properties, which reference instances of TElCustomCertStorage descendant classes. It's up to you how to load certificates into storages (and different classes of storages have different ways to manage certificates). With TElMemoryCertStorage (the most common way to pass the certificate to SSL/TLS transport classes) you either add certificates (instances of TElX509Certificate) to it or load the certificate chain from a PEM or PFX file. The password is specified when you load the certificate or certificate chain, in the Password parameter of the corresponding LoadFrom*() methods.

Sincerely yours
Eugene Mayevski
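An added example (not from the thread, the SecureBlackbox samples or EldoS) of how the two answers above fit together in Delphi with Indy 10: the private key password is consumed when the PEM chain is loaded into a TElMemoryCertStorage assigned to ClientCertStorage, and the server chain is validated in full from OnCertificateValidate with TElX509CertificateValidator, with no "depth 0 = skip" option. The unit names and the parameter lists of LoadFromStreamPEM and Validate are assumptions to check against the SecureBlackbox help; the component, property and event names are those given in the post.

```delphi
uses
  Classes, SysUtils, IdTCPClient, SBX509, SBCustomCertStorage, SBCertValidator, SBIndy;

type
  { Delphi events need a method; owning the object by the client frees it with the client. }
  TSslHooks = class(TComponent)
    Validator: TElX509CertificateValidator;
    procedure ServerCertValidate(Sender: TObject; X509Certificate: TElX509Certificate;
      var Validate: Boolean);
  end;

{ Replacement for "verify depth": the server chain is always validated in full.
  The Validate() parameter list is assumed; check it against the SecureBlackbox help. }
procedure TSslHooks.ServerCertValidate(Sender: TObject;
  X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  Validator.Validate(X509Certificate, nil, True, False, Now, Validity, Reason);
  Validate := (Validity = cvOk);   // anything other than cvOk aborts the handshake
end;

{ Replacement for OnGetPassword: the password goes to the PEM loader (one of the
  LoadFrom*() methods), so the IOHandler itself never handles it. }
function LoadClientChain(Owner: TComponent; const PemFile, KeyPassword: string): TElMemoryCertStorage;
var
  Stream: TFileStream;
begin
  Result := TElMemoryCertStorage.Create(Owner);
  Stream := TFileStream.Create(PemFile, fmOpenRead or fmShareDenyWrite);
  try
    Result.LoadFromStreamPEM(Stream, KeyPassword);   // parameter list assumed
  finally
    Stream.Free;
  end;
end;

{ Wires a TIdTCPClient to the Indy 10 IOHandler named in the thread. }
procedure AttachSecureHandler(Client: TIdTCPClient; const PemFile, KeyPassword: string);
var
  Hooks: TSslHooks;
  Handler: TElClientIndySSLIOHandlerSocket;
begin
  Hooks := TSslHooks.Create(Client);
  Hooks.Validator := TElX509CertificateValidator.Create(Client);
  Handler := TElClientIndySSLIOHandlerSocket.Create(Client);
  Handler.ClientCertStorage := LoadClientChain(Client, PemFile, KeyPassword);
  Handler.OnCertificateValidate := Hooks.ServerCertValidate;
  Client.IOHandler := Handler;
end;
```

The validator is created with default settings here; trusted roots and revocation checking are configured on it as the SecureBlackbox documentation describes before the first Connect.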
Posted: 09/14/2012 00:08:46
by Joseph Hassall (SUPPORT DISABLED)
Joined: 09/11/2012
Posts: 5

Ok, that's getting somewhere.