EldoS | Feel safer!

Software components for data protection, secure storage and transfer

[TElHTTPSClient] - OnCertificateValidate

Posted: 03/01/2007 08:44:05
by E V (Basic support level)
Joined: 02/10/2007
Posts: 12

I am using this event to validate whether the client should trust the server. In the knowledge base it is described that I should check that the common name of the certificate matches the URL I connect to. The event, however, is triggered multiple times, each time with another certificate. This is the entire chain. The last time the event is triggered I get the lowest certificate, of which the common name should match the URL. My question now is: how do I know when an event triggered is the last one?
Posted: 03/01/2007 09:14:07
by Ken Ivanov (Team)

Please use the TElX509Certificate.Chain property to access the entire certificate chain. This will allow you to check if the particular certificate passed to OnCertificateValidate event is the lowest one in the chain.
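One way to handle the question above (which of the repeated event invocations carries the end-entity certificate, and how to compare its name with the URL), as an added example that is not SecureBlackbox code and does not use TElX509Certificate or its Chain property: it works on constructed certificate records, finds the leaf as the certificate whose subject is not the issuer of any other certificate in the chain (so the answer does not depend on the order in which the certificates are delivered), and then matches the host from the URL against the certificate's names. It goes slightly beyond the common-name check the post mentions by preferring subjectAltName dNSName entries and applying the RFC 6125 wildcard rule; the chain, names and the `validate_server` helper are all assumptions made for this example.

```python
"""Locate the end-entity certificate in a chain and match it against a hostname.

Added example: the certificates below are constructed dictionaries-as-dataclasses,
not TElX509Certificate objects, and the functions are not part of any library.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of a certificate: only the fields the two checks need."""
    subject: str            # subject distinguished name, as one string
    issuer: str             # issuer distinguished name, as one string
    common_name: str        # subject CN
    san_dns: tuple = ()     # subjectAltName dNSName entries, possibly empty


def find_leaf(chain: List[CertInfo]) -> Optional[CertInfo]:
    """Return the end-entity certificate: the one whose subject is not the
    issuer of any other certificate in the chain.  A self-signed root does not
    count as its own issuer.  Returns None for an empty or malformed chain."""
    issuers = {c.issuer for c in chain if c.issuer != c.subject}
    candidates = [c for c in chain if c.subject not in issuers]
    return candidates[0] if len(candidates) == 1 else None


def is_end_entity(cert: CertInfo, chain: List[CertInfo]) -> bool:
    """True when this certificate (e.g. the one handed to a validation callback)
    is the leaf of the chain, i.e. the one whose name must match the URL."""
    return find_leaf(chain) is cert


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only
    as the entire leftmost label, matches exactly one label, and is refused
    for patterns such as '*.com' that would match a whole top-level domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, cert: CertInfo) -> bool:
    """Compare the URL host with the certificate.  subjectAltName dNSName
    entries take precedence; the CN is consulted only when none are present."""
    names = cert.san_dns if cert.san_dns else (cert.common_name,)
    return any(_name_matches(n, hostname) for n in names)


def validate_server(hostname: str, chain: List[CertInfo]) -> bool:
    """Accept the server only if a unique leaf exists and it names the host.
    Trust in the issuing CAs is a separate check done against a certificate store."""
    leaf = find_leaf(chain)
    return leaf is not None and hostname_matches(hostname, leaf)


# Constructed sample chain, delivered root first and leaf last as in the thread.
ROOT = CertInfo("CN=Example Root CA", "CN=Example Root CA", "Example Root CA")
INTERMEDIATE = CertInfo("CN=Example Issuing CA", "CN=Example Root CA", "Example Issuing CA")
LEAF = CertInfo("CN=www.example.com", "CN=Example Issuing CA", "www.example.com",
                san_dns=("www.example.com", "*.api.example.com"))
SAMPLE_CHAIN = [ROOT, INTERMEDIATE, LEAF]

if __name__ == "__main__":
    # Simulate the callback firing once per certificate in delivery order.
    for cert in SAMPLE_CHAIN:
        print(cert.subject, "-> leaf" if is_end_entity(cert, SAMPLE_CHAIN) else "-> issuer")
    print("www.example.com accepted:", validate_server("www.example.com", SAMPLE_CHAIN))
    print("evil.example.net accepted:", validate_server("evil.example.net", SAMPLE_CHAIN))
```

Because `find_leaf` looks at subject/issuer relationships rather than position, it gives the same answer whether the event delivers the root or the leaf first; the name check is then run only when `is_end_entity` is true for the certificate in hand.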
Posted: 03/01/2007 09:37:10
by E V (Basic support level)
Joined: 02/10/2007
Posts: 12

Another question. At the moment the chain of the server consists of three certificates. I am using the TElWinCertStorage to validate these certificates. I've added the certificates via Internet Explorer to the store under LocalMachine. If the user has administrative rights I can access these certificates; however, when the user does not have administrative rights he can't access them. Is there a way to add them to the Windows store so all 'normal' users can access it? I have 10 different users that all have to access the same certificates, but they are users with limited access.
Posted: 03/01/2007 09:48:02
by Ken Ivanov (Team)

Please set the TElWinCertStorage.AccessType property to the atLocalMachine value. This will make TElWinCertStorage use certificates stored under local machine account (instead of the ones stored under current user account which are used by default).
Posted: 03/01/2007 09:53:57
by E V (Basic support level)
Joined: 02/10/2007
Posts: 12

I have done this. But if the user is not a member of the group 'Administrators' the certificates are not in the store. It is as if the user has to have administrative rights to access certificates that are stored under the local machine.
Posted: 03/01/2007 10:36:50
by Ken Ivanov (Team)

We have checked this and found that you are right. Really, certificates stored under the local machine account cannot be accessed by TElWinCertStorage from a restricted account. We will prepare a fix and include it in a future build update.

Thank you for reporting the issue.
Posted: 03/01/2007 11:22:53
by Eugene Mayevski (Team)

I am not sure that this is an issue. When the administrator creates the file, the file gets permissions that let only the administrator access this file. Certificates are really stored in files in a special folder, and ACLs work there.

Sincerely yours
Eugene Mayevski
Posted: 03/01/2007 11:24:39
by E V (Basic support level)
Joined: 02/10/2007
Posts: 12

Can I alter this myself easily in the source code, or is this fix hard to implement?
Posted: 03/01/2007 11:30:41
by E V (Basic support level)
Joined: 02/10/2007
Posts: 12

Well, I have a service that sends data to a URL via HTTPS. This service is run under a user with limited access. I cannot log in with this user. The user is just used so that if, for some reason, a malicious person gains access to the service, he does not have a lot of rights on the system. This user has to have access to the certificates in the local system store. Is this not possible? Is there another place to store them besides under the user account itself?
Posted: 03/01/2007 11:43:51
by Ken Ivanov (Team)

I am not sure that this is an issue.

Eugene, it is. A certificate store can be opened with two possible access types, read-only and writeable. TElWinCertStorage always opens storages for writeable access, and this leads to the described issue.