EldoS | Feel safer!

Synapse Interface Broken??

Posted: 05/21/2013 17:45:59
by Erich Kuba (Standard support level)
Joined: 05/16/2013
Posts: 42

Hi there,

We have a TCP/IP engine that is fundamentally built on Synapse. We've been using their interface to OpenSSL for SSL communications, and it has worked well; however, that mechanism has distinct disadvantages for us.

We would prefer to replace the OpenSSL interface with an SBB/SSL interface, and we thought that Synapse made that pretty simple; however, it would appear as if the Synapse/SBB interface is broken.

When we compile our code to include the Synapse/OpenSSL code, the services work correctly and accept secure connections using our certificates (not self-signed); however, when we compile our code to include the Synapse/SBB code (using the same certificates), our servers fail during the handshake with the client.

We've traced the code into SBB, and it appears that something might be going wrong with the loading of the certificates and the handshake is not able to find any SharedSuites in TElSSLServer.TLS1ParseClientHello().

It appears that this is because the call to CheckForCertificatePresense() (in that function) is returning false for each of the CipherSuites.

After working on this for almost a day, I am of the view that the Synapse/SBB interface is broken.

We've searched the net for updates from either yourselves, Synapse or the original author, but it would appear that the code is basically unmaintained at this time and seems to be dead.

Now I know that you don't maintain that code (as per your Readme file), and we are willing to re-write it in order to get the thing to work, but if you could point us in the right direction on how to get this done, that would be appreciated.

We've only just started with SBB, so be gentle ...

- How should we be loading all the certificates (cert/private-key/ca-bundle)?
- Is the mechanism demonstrated in the ssl_sbb.pas file the best way?
- What about the fact that our CA-Bundle file contains more than one cert?
- Do we need to use a session pool object?
- What other pointers could you give us?

Kind regards

Posted: 05/21/2013 23:06:03
by Eugene Mayevski (Team)

Thank you for contacting us.

The Synapse interface is indeed not maintained by us, but I don't think it's "broken". From your description it looks like the server's certificate could not be loaded, and that is the only problem so far. So before you go as far as rewriting everything, let's deal with what we have now.

I assume that you have a certificate and a key in a PEM file. PEM files are text files, so you can open them with Notepad for inspection.

There are several possibilities here:

1) certificate file contains only a certificate (no private key). Fine, use TElX509Certificate.LoadFrom...PEM() method. You would have to load the private key separately.
2) certificate file contains only a key. Load the key using TElX509Certificate.LoadKeyFrom...PEM() method into the same instance of TElX509Certificate, into which you have already loaded the certificate.
3) certificate file contains a certificate and a key. TElX509Certificate.LoadFrom...PEM() method will load both with one call.

About CA-Bundle - SecureBlackbox doesn't load multiple certificates from one PEM file in version 10. The beta version of SecureBlackbox 11 will be available today and it will load such files.

CA-Bundle contains CA certificate(s) that are used to build a certificate chain. Usually CA certificate(s) are included together with server certificate during the SSL/TLS handshake to help the client validate them.

Sincerely yours
Eugene Mayevski
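
The inspection step described in the reply above, as an added example that is not part of the original thread and is not SecureBlackbox or Synapse code: a small Python checker that reports which of the three cases a PEM file falls into, whether it holds more than one certificate, and whether the key is passphrase-protected. The function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers plus base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def sample_block(label, headers=""):
    """Build a constructed PEM block; the payload is placeholder bytes, not DER."""
    body = base64.b64encode(b"constructed placeholder bytes, not real DER").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

def parse_pem(text):
    """Return (label, encrypted, payload_length) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL key encryption is signalled by headers inside the block;
        # base64 never contains ':', so header lines are easy to separate.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        der = base64.b64decode(payload, validate=True)  # raises on a corrupt body
        encrypted = (label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers))
        blocks.append((label, encrypted, len(der)))
    return blocks

def classify(text):
    """Map a PEM file onto the cases listed in the reply above."""
    blocks = parse_pem(text)
    certs = sum(1 for label, _, _ in blocks if label == "CERTIFICATE")
    keys = [enc for label, enc, _ in blocks if label.endswith("PRIVATE KEY")]
    if certs > 1:
        kind = "bundle"      # several certificates in one file (the CA-Bundle case)
    elif certs == 1 and keys:
        kind = "cert+key"    # case 3: certificate and key together
    elif certs == 1:
        kind = "cert-only"   # case 1: key must be loaded separately
    elif keys:
        kind = "key-only"    # case 2: load into the instance holding the certificate
    else:
        kind = "no-pem-blocks"
    return {"kind": kind, "certificates": certs,
            "private_keys": len(keys), "encrypted_key": any(keys)}

SAMPLE_CERT = sample_block("CERTIFICATE")
SAMPLE_KEY = sample_block("RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")

if __name__ == "__main__":
    print(classify(SAMPLE_CERT + SAMPLE_KEY))
```

A result of `cert-only` for the file handed to the server, or `bundle` on a version that reads only one certificate per PEM file, points at the loading step rather than at the handshake code.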


