EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Invalid certificate

Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.
Posted: 01/28/2014 08:52:16
by Timothy Vogel (Standard support level)
Joined: 01/28/2014
Posts: 8

I am evaluating the Delphi components using Delphi 7 (yes I know it's very old but it is what the client requires).

I need to connect to a server that uses a self signed cert created using OpenSSL. I have a client certificate that using a dotnet client successfully connects to the server. The dotnet client uses only imports from standard Microsoft libraries.
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
               X509CertificateCollection sslCollection = new X509CertificateCollection();

               X509Certificate SSLCertificate = new X509Certificate2(certFile, password);


               sslStream.AuthenticateAsClient(server, sslCollection, SslProtocols.Default, false);
               setLabelmessage("Authenticaton successfull");
            catch (AuthenticationException ex)
               setLabelmessage("Error : " + ex.Message);

When I use that same certificate in the simpleSSL client sample that is provided with the precompiled binaries it fails with error 75784.

Please suggest how to diagnose and correct this issue.

Posted: 01/28/2014 08:59:48
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

75784 error occurs when our component fails to validate server's certificate. The validation process is describe in this article and is performed using TElX509CertificateValidator class inside TElSimpleSSLClient.OnCertificateValidate event handler: https://www.eldos.com/sbb/articles/7545.php

For testing purposes you can simply set Validate parameter to 'true' inside OnCertificateValidate code. When the sample will work you can proceed with certificate validation.
Posted: 01/28/2014 19:06:15
by Timothy Vogel (Standard support level)
Joined: 01/28/2014
Posts: 8

Thanks for your prompt reply and pointer the the article. Let me confirm my understanding of the issue based on that article.

My understanding
- The certificate validation is failing on the client side in the SSLBlackbox code, specifically in TElX509CertificateValidator.
- The cert is a self-signed, non-root certificate.
- The reason for the failure is that neither the server nor the client load a certificate chain leading to a trusted root.

My options for fixing

    1) Just return true from OnCertificateValidate. However this is not a production solution since it would trust ANY certificate.
    2) Load a full cert chain that includes the self signed cert
    3) Add this cert to the list of trusted certs before validating it. TElX509CertificateValidator will then find it and return true.

#3 seems the easiest that is most correct.

Please validate my understanding and give me any of your thoughts on the options or additional ones.

BTW ... I did search for answers before submitting my post. You might want to add the keywords "invalid certificate" and "75784" to that document so it will show up in the Knowledgebase search.

Posted: 01/29/2014 00:28:57
by Eugene Mayevski (EldoS Corp.)

Your understanding is perfectly correct and option 3 is actually the most natural one.

Regarding the error code - search for 75784 returns help topic with SSL error code.

Sincerely yours
Eugene Mayevski



Topic viewed 1354 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!