EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Multiple SSL Connect and OnCertificateValidate

Posted: 09/25/2013 02:28:19
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24


I have an issue using the library to implement a certificate check.

The webpage that I want to check uses up to 4-5 redirects during a page call (I can't do anything about this).
Each real request has to be checked by an SSL certificate check. Because I can't know which of those web requests is the "real" request, I need to check every request.

I implemented this by calling an asynchronous method that uses TElSimpleSSLClient to open an SSL connection, registered to the OnCertificateValidate event.

var client = new TElSimpleSSLClient();
client.OnCertificateValidate += this.OnCertificateValidate;  // certificate check callback
client.Address = this.hostname;
client.Port = 443;
client.Versions = SBSSLConstants.__Global.sbTLS1;             // TLS 1.0 only

client.OnError += this.OnError;
client.OnCertificateStatus += this.OnCertificateStatus;

client.Extensions.ServerName.Enabled = true;                  // send SNI

int idx = client.Extensions.ServerName.Add();
var name = client.Extensions.ServerName.get_Names(idx);
name.Name = this.hostname;
name.NameType = TSBSSLServerNameType.ntHostName;


The problem now is that OnCertificateValidate sometimes gets called and sometimes not, but the hostname is exactly the same at each Open().

So my questions are:

How should I use TElSimpleSSLClient in this scenario?

How does TElSimpleSSLClient handle parallel connections? Could this be an issue?

How can this happen and why? Should OnCertificateValidate be called every time? What is the reason that it isn't triggered every time the connection gets opened (this happens during the redirects only)?

Thanks for your help,

Holger Kreissl
Posted: 09/25/2013 02:36:08
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

OnCertificateValidate is triggered only for SSL/TLS protected connections. It's possible that not all redirects are protected, so the event handler is not called in all cases. If you are sure that all connections are protected, then please post more code, especially the part that is responsible for the asynchronous method.
Posted: 09/25/2013 03:37:18
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Thanks for your answer.

I use the hostname of the URI. As I wrote, it's the same hostname on each SSL open because the redirecting happens on the same webserver. I am connecting to 443 using SSLClient. So why should that connection not be protected?

The SSL connects that check the certificate are synchronized by using a lock object. So the opens are executed one after another.

Could there be an error in my sslClient usage? Do I need to wait before I call client.close() to get the cert validate events?

Posted: 09/25/2013 03:57:20
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

I could solve my issue using another design (the SSL check isn't called during redirects), but if you have an idea why the cert validation is not executed here, please let me know.


Posted: 09/25/2013 04:02:00
by Eugene Mayevski (Team)

Certificates are validated synchronously during the call to Open(). Your code seems to be correct, but the devil is in the details, as usual.

So, let's narrow down the problem.

1) How do you know that OnCertificateValidate is not always called? It's possible that it is your method of tracking calls that fails, and not that the call is missing.
2) Did you check that there are no clashes between threads that do the check?

On a side note, use of TElHTTPSClient would probably be more effective, as it would handle redirects itself and save you from reimplementing an HTTP(S) client. TElHTTPSClient is a descendant of TElSimpleSSLClient.

Sincerely yours
Eugene Mayevski
Posted: 09/25/2013 04:10:36
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24


I set a breakpoint in the callback. It was not called. But as I wrote, I could solve the issue by redesign. I check the connection one time now, not during each redirect.

The threads are ok. Also, it's not running in parallel.

Does your SSLClient use some kind of connection pooling? Probably it checks the certificates only in intervals or something like that?

Thanks for your support and have a nice day!
Posted: 09/25/2013 04:20:51
by Eugene Mayevski (Team)

If the certificate is received, OnValidateCertificate is always fired. That's the cornerstone of SSL. So whatever problem exists, it's external to the components.

In cases like yours, logging helps a lot. You need to log calls to Open, Close and the event handler. Each log entry should include the thread ID and the exact time (time can be relative, i.e. Environment.TickCount would do).

Sincerely yours
Eugene Mayevski
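A diagnostic wrapper in the spirit of the logging advice above, as an added example that is not code from the thread or from SecureBlackbox. It reuses the client setup posted in the first message; the OnCertificateValidate handler signature (object, TElX509Certificate, ref bool) and the SecureBlackbox namespaces are assumptions, and the validation verdict is left to the component.

```csharp
using System;
using System.Threading;
// The SecureBlackbox namespaces declaring TElSimpleSSLClient and
// TElX509Certificate are assumed to be imported as well.

// Added diagnostic wrapper (not the thread's or the vendor's code):
// one handshake at a time, every Open/Close/handler call logged with
// thread id and tick count, and fail closed if the handler never ran.
class SslCheckDiagnostics
{
    private readonly object gate = new object();
    private bool validateFired;

    private static void Log(string what) =>
        Console.WriteLine("{0,10} tid={1} {2}", Environment.TickCount,
            Thread.CurrentThread.ManagedThreadId, what);

    // Handler signature assumed: (object, TElX509Certificate, ref bool).
    // The component's own verdict in 'validate' is left untouched here.
    private void OnCertificateValidate(object sender,
        TElX509Certificate cert, ref bool validate)
    {
        validateFired = true;   // set on the Open() thread: validation is synchronous
        Log("OnCertificateValidate fired, validate=" + validate);
    }

    public bool CheckHost(string hostname)
    {
        lock (gate)   // serialize checks, as the original design did
        {
            validateFired = false;
            var client = new TElSimpleSSLClient();
            client.OnCertificateValidate += OnCertificateValidate;
            client.Address = hostname;
            client.Port = 443;
            client.Versions = SBSSLConstants.__Global.sbTLS1;
            client.Extensions.ServerName.Enabled = true;
            int idx = client.Extensions.ServerName.Add();
            var name = client.Extensions.ServerName.get_Names(idx);
            name.Name = hostname;
            name.NameType = TSBSSLServerNameType.ntHostName;
            try { Log("Open " + hostname); client.Open(); }
            finally { Log("Close " + hostname); client.Close(); }
            // A connection whose certificate callback never ran is unverified.
            Log("Open/Close done, validateFired=" + validateFired);
            return validateFired;
        }
    }
}
```

Comparing the tick counts and thread ids across the Open, handler and Close entries shows whether a missing callback coincides with a non-TLS hop or with a second thread entering the check.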


