EldoS | Feel safer!

Multiple SSL Connect and OnCertificateValidate

#26599
Posted: 09/25/2013 02:28:19
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Hi,

I have an issue using the library to implement a certificate check.

The webpage that I want to check uses up to 4-5 redirects during a page call (I can't do anything about this).
Each real request has to be checked by an SSL certificate check. Because I can't know which of those web requests is the "real" request, I need to check every request.

I implemented this by calling an asynchronous method that uses TElSimpleSSLClient to open an SSL connection with a handler registered to the OnCertificateValidate event.

Code
// Fields assumed to exist on the enclosing class: this.hostname (string),
// this.waitHandle (ManualResetEvent), and the three event handler methods.
var client = new TElSimpleSSLClient();
client.OnCertificateValidate += this.OnCertificateValidate; // must fire on every TLS handshake
client.Address = this.hostname;
client.Port = 443;
client.Versions = SBSSLConstants.__Global.sbTLS1;

client.OnError += this.OnError;
client.OnCertificateStatus += this.OnCertificateStatus;

// Send the SNI extension so the server presents the certificate for this hostname.
client.Extensions.ServerName.Enabled = true;

int idx = client.Extensions.ServerName.Add();
var name = client.Extensions.ServerName.get_Names(idx);
name.Name = this.hostname;
name.NameType = TSBSSLServerNameType.ntHostName;

try
{
    client.Open();       // handshake and certificate validation happen synchronously here
    client.Close(false);
}
finally
{
    this.waitHandle.Set(); // always release the waiting caller, even if Open() throws
}


The problem now is that OnCertificateValidate sometimes gets called, sometimes not, but the hostname is exactly the same at each Open().

So my questions are:

How should I use TElSimpleSSLClient in this scenario?

How does TElSimpleSSLClient handle parallel connections? Could this be an issue?

How can this happen and why? Should OnCertificateValidate be called every time? What is the reason that it isn't triggered every time the connection gets opened (this happens during the redirects only)?

Thanks for your help,

Holger Kreissl
#26601
Posted: 09/25/2013 02:36:08
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

OnCertificateValidate is triggered only for SSL/TLS protected connections. It's possible that not all redirects are protected, so the event handler is not called in all cases. If you are sure that all connections are protected then please post more code, especially the part that is responsible for the asynchronous method.
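The point above, that a certificate-validation callback can only fire on hops that actually negotiate TLS, is easy to check offline before blaming the component. The following is an added example, not code from the thread or from the SecureBlackbox library: it resolves a constructed redirect chain (start URL plus the Location header each hop returned) the way a browser would, flags every hop that is not https://, and counts how many TLS handshakes, and therefore how many validation callbacks at most, the chain can produce. The host name and paths are made up for the example.

```python
"""Classify each hop of an HTTP redirect chain by whether it is TLS-protected.

Added example (not part of the original thread or of the SecureBlackbox
library). A Location header may be relative, and may silently move the
client from https:// to http://; on such a hop no TLS handshake happens,
so no certificate validation event can be observed there.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample: the start URL and, in order, the Location header
# returned by each redirecting hop. Relative values resolve against the
# previous hop, exactly as a browser resolves them.
SAMPLE_START = "https://example.test/login"
SAMPLE_LOCATIONS = [
    "/auth/start",                        # same host, still https
    "http://example.test/legacy/step2",   # downgrade: no TLS handshake here
    "https://example.test/auth/finish",   # back to https
    "/home",                              # relative, inherits https
]


def resolve_chain(start_url, locations):
    """Return the absolute URL of every hop, starting with start_url."""
    hops = [start_url]
    for loc in locations:
        hops.append(urljoin(hops[-1], loc))
    return hops


def classify_chain(start_url, locations):
    """Return [(url, is_tls)] for every hop, in request order."""
    return [(u, urlsplit(u).scheme.lower() == "https")
            for u in resolve_chain(start_url, locations)]


def unprotected_hops(start_url, locations):
    """URLs of hops on which no certificate validation can take place."""
    return [u for u, tls in classify_chain(start_url, locations) if not tls]


def expected_validation_calls(start_url, locations):
    """Upper bound on validation callbacks for the chain: one per TLS hop.

    Connection or session reuse between hops to the same host can lower the
    real number, so a smaller observed count is not by itself an error."""
    return sum(1 for _, tls in classify_chain(start_url, locations) if tls)


if __name__ == "__main__":
    for url, tls in classify_chain(SAMPLE_START, SAMPLE_LOCATIONS):
        print(("TLS   " if tls else "PLAIN ") + url)
    print("hops without certificate validation:",
          unprotected_hops(SAMPLE_START, SAMPLE_LOCATIONS))
```

Feeding the real chain's Location headers into `classify_chain` gives the list of hops on which a validation callback is impossible; if every hop is https and a callback is still missing, the gap is somewhere in the client code, which is the direction the rest of the thread takes.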
#26605
Posted: 09/25/2013 03:37:18
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Thanks for your answer.

I use the hostname of the URI. As I wrote, it's the same hostname on each SSL open because the redirecting happens on the same web server. I am connecting to 443 using SSLClient. So why should that connection not be protected?

The SSL connects that check the certificate are synchronized by using a lock object. So the opens are executed one after another.

Could there be an error in my SSLClient usage? Do I need to wait before I call client.Close() to get the certificate validate events?

Thanks!
#26606
Posted: 09/25/2013 03:57:20
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

I could solve my issue using another design (the SSL check isn't called during redirects), but if you have an idea why the certificate validation is not executed here, please let me know.

regards

Holger
#26607
Posted: 09/25/2013 04:02:00
by Eugene Mayevski (EldoS Corp.)

Certificates are validated synchronously during the call to Open(). Your code seems to be correct, but the devil is in the details, as usual.

So, let's narrow down the problem.

1) How do you know that OnCertificateValidate is not always called? It's possible that your method to track calls fails, and not that the call is missing.
2) Did you check that there are no clashes between threads that do the check?

On a side note, use of TElHTTPSClient would probably be more effective, as it would handle redirects itself and save you from reimplementing an HTTP(S) client. TElHTTPSClient is a descendant of TElSimpleSSLClient.


Sincerely yours
Eugene Mayevski
#26608
Posted: 09/25/2013 04:10:36
by Kreissl Hogler (Priority Standard support level)
Joined: 09/16/2013
Posts: 24

Hi,

I set a breakpoint in the callback. It was not called. But as I wrote, I could solve the issue by a redesign. I check the connection one time now, not during each redirect.

The threads are OK; also, it's not running in parallel.

Does your SSLClient use some kind of connection pooling? Probably it checks the certificates only in intervals or something like that?

Thanks for your support and have a nice day!
Holger
#26609
Posted: 09/25/2013 04:20:51
by Eugene Mayevski (EldoS Corp.)

If the certificate is received, OnValidateCertificate is always fired. That's the cornerstone of SSL. So whatever problem exists, it's external to the components.

In cases like yours logging helps a lot. You need to log calls to Open, Close and the event handler. Each log entry should include thread ID and exact time (time can be relative, i.e. Environment.TickCount would do).


Sincerely yours
Eugene Mayevski
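The logging Eugene recommends is worth doing properly, because a handshake that skipped validation is a security finding, not just a debugging curiosity. The following is an added example, not code from the thread or from the SecureBlackbox library: a thread-safe trace that records each Open, validation callback and Close with the calling thread id and a relative timestamp (a monotonic millisecond tick standing in for Environment.TickCount), plus a checker that pairs the events per thread and reports every Open that reached Close without a validation event in between. The sample trace, host name and timestamps are constructed for the example.

```python
"""Trace Open / Validate / Close calls and detect handshakes without validation.

Added example (not part of the original thread or of the SecureBlackbox
library). Each record carries a relative tick and the thread id, so
interleaved connections from different threads can still be paired
correctly; a connection whose Open and Close have no Validate between them
is reported as a gap.
"""
import threading
import time


class ConnectionTrace:
    """Thread-safe event log. Entries are (tick_ms, thread_id, event, detail)."""

    def __init__(self, clock=None):
        self._lock = threading.Lock()
        self._entries = []
        t0 = time.monotonic()
        # Default clock: milliseconds since the trace was created.
        self._clock = clock or (lambda: int((time.monotonic() - t0) * 1000))

    def record(self, event, detail=""):
        """Append one entry; the lock makes list order the global order."""
        entry = (self._clock(), threading.get_ident(), event, detail)
        with self._lock:
            self._entries.append(entry)
        return entry

    def entries(self):
        with self._lock:
            return list(self._entries)


def find_unvalidated_opens(entries):
    """Return the Open entries that were never followed, on the same thread,
    by a Validate event before their Close (or before the trace ended).

    Pairing is per thread, so two connections running concurrently cannot
    lend each other a validation event."""
    open_state = {}   # thread_id -> (open_entry, validated)
    gaps = []
    for entry in entries:           # entries are already in global order
        _tick, tid, event, _detail = entry
        if event == "Open":
            open_state[tid] = (entry, False)
        elif event == "Validate" and tid in open_state:
            open_state[tid] = (open_state[tid][0], True)
        elif event == "Close" and tid in open_state:
            open_entry, validated = open_state.pop(tid)
            if not validated:
                gaps.append(open_entry)
    # Connections still open at the end of the trace are reported as well.
    gaps.extend(e for e, validated in open_state.values() if not validated)
    return gaps


def demo_trace():
    """Constructed sample: two sequential connections on one thread; the
    second one never produced a validation callback."""
    ticks = iter(range(0, 1000, 10))            # deterministic fake clock
    trace = ConnectionTrace(clock=lambda: next(ticks))
    trace.record("Open", "host-a.example.test:443")
    trace.record("Validate", "CN=host-a.example.test")
    trace.record("Close", "host-a.example.test:443")
    trace.record("Open", "host-a.example.test:443")
    trace.record("Close", "host-a.example.test:443")
    return trace


if __name__ == "__main__":
    for tick, tid, event, detail in demo_trace().entries():
        print(f"{tick:6d} ms  thread {tid}  {event:<8} {detail}")
    for tick, tid, _event, detail in find_unvalidated_opens(demo_trace().entries()):
        print(f"no validation for Open at {tick} ms on thread {tid} ({detail})")
```

In the real client the three `record` calls go at the top of the method that calls Open(), inside the OnCertificateValidate handler, and just before Close(); running `find_unvalidated_opens` over the collected entries then shows whether a callback is genuinely missing or whether the tracking (breakpoints, counters) was what failed.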