EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Evaluating SBB SSL with RTC

#29160
Posted: 04/07/2014 03:23:09
by Dany Marmur (Basic support level)
Joined: 04/07/2014
Posts: 5

Hello!

I'm evaluating SBB (SSL) for use with RTC both for server and client side.

The samples that were the least hassle to compile and get running are the rtcUploadClient and rtcUploadServer. There are two certificate files there.

Interestingly enough, when I copy these files to the File_Client sample it refuses to read the files. I was able to convert my own server cert files to dem and have that sample read them, though.

The samples do not work. None of those I tested (rtcUploadClient, rtcUploadServer, FileServer nor File_Client). Using the supplied server certs /or/ my own.

What I can get going is my own server, though. I can connect without any error using IE. When I connect to my own server using Chrome I always get an ERROR_SSL_HANDSHAKE_FAILURE on the server. But that might be for later.

The bigger problem seems to be client-side. When the Client(s) - as in your sample does not load any cert files and validates everything - are to connect I get two different error messages (not at the same time though, it seems to depend on a lot of factors) and the connection is always dropped. These are ERROR_SSL_BAD_RECORD_MAC and ERROR_SSL_BAD_CERTIFICATE. The client states that these errors are Fatal but not Remote.

I'm using Delphi XE2 and the latest stable RTC.

What's up?

Regards,

/Dany
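Added example, not part of the original thread and not EldoS or RTC code: a small parser that walks the TLS records in a captured byte stream and decodes alert records, which helps tell a handshake failure at SSL 3.0 from one at TLS 1.0 when errors like the ones above appear. The function name `parse_alerts`, the constructed `SAMPLE` bytes, and the assumption that the ERROR_SSL_* names correspond to the same-named TLS alerts are illustrative.

```python
import struct

# Record-layer versions relevant to an SSL 3.0 versus TLS 1.0 comparison.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
LEVELS = {1: "warning", 2: "fatal"}
# TLS alert descriptions (RFC 2246) that match by name the errors reported in
# the post; treating them as equivalent to ERROR_SSL_* is an assumption.
ALERTS = {20: "bad_record_mac", 40: "handshake_failure", 42: "bad_certificate"}
ALERT_RECORD = 21


def parse_alerts(stream: bytes):
    """Walk the TLS records in `stream` and return one dict per alert record."""
    found, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        body = stream[pos + 5 : pos + 5 + length]
        if len(body) < length:
            break  # truncated capture: stop instead of misparsing the tail
        pos += 5 + length
        if ctype != ALERT_RECORD:
            continue
        entry = {"version": VERSIONS.get((major, minor), f"{major}.{minor}")}
        if length == 2:
            level, desc = body
            entry["level"] = LEVELS.get(level, f"unknown({level})")
            entry["alert"] = ALERTS.get(desc, f"alert({desc})")
        else:
            # After ChangeCipherSpec an alert is encrypted and MACed, so its
            # body is longer than 2 bytes and cannot be decoded off the wire.
            entry["level"] = entry["alert"] = "encrypted"
        found.append(entry)
    return found


# Constructed sample: a handshake record, a plaintext fatal bad_certificate
# alert over TLS 1.0, a 22-byte encrypted alert (zero bytes stand in for
# ciphertext), and a final alert record cut off after one body byte.
SAMPLE = (
    bytes.fromhex("16030100040e000000")
    + bytes.fromhex("1503010002022a")
    + bytes.fromhex("1503010016") + bytes(22)
    + bytes.fromhex("150301000202")
)

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE):
        print(alert)
```

An alert raised after the cipher change is only visible in the endpoint's own log, which is why the client-side error code is the more useful signal in that phase.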
#29161
Posted: 04/07/2014 03:47:14
by Alexander Ionov (EldoS Corp.)

Thank you for contacting us.

Please specify which version of SBB you are using.

We're going to check the samples on our side and will get back to you as soon as we have any news.


--
Best regards,
Alexander Ionov
#29162
Posted: 04/07/2014 03:59:51
by Dany Marmur (Basic support level)
Joined: 04/07/2014
Posts: 5

Hmm... the only trial I can see on your site to work with XE2 is:

SecureBlackbox for Delphi XE to Delphi XE3 - Version 11.0.248 (147910 Kb). Released on 29 March 2014.

That is what I downloaded.

I hope this is the information you need.

TIA,

/Dany
#29163
Posted: 04/07/2014 05:10:42
by Alexander Ionov (EldoS Corp.)

Thank you. Also there is a preview of SBB 12 available on the site. That's why I asked about the version you use.


--
Best regards,
Alexander Ionov
#29165
Posted: 04/07/2014 06:04:48
by Dany Marmur (Basic support level)
Joined: 04/07/2014
Posts: 5

Ah, well. I think I'll stay with your production version :) /D
#29169
Posted: 04/07/2014 07:35:08
by Alexander Ionov (EldoS Corp.)

Still investigating the issue. But it seems the problem concerns only TLS1 protocol (probably a kind of misconfiguration of cipher suites). So if you leave only SSL3 enabled in the client plugin, the samples seem to work fine.


--
Best regards,
Alexander Ionov
#29170
Posted: 04/07/2014 07:52:17
by Dany Marmur (Basic support level)
Joined: 04/07/2014
Posts: 5

Interesting, I'll have another go at the whole thing later today.
Any more information will be appreciated.

/D
#29171
Posted: 04/07/2014 10:24:46
by Alexander Ionov (EldoS Corp.)

Well, due to a bug in the RTC plugins, some misconfiguration happened. We've fixed it and the fix will be available in the next SecureBlackbox build.

For evaluation purposes, if you wish to use TLS1 protocol, you should disable unnecessary cipher suites. Just add the following code to the main form's OnCreate event handler in client samples:
Code
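// Requires the SBSSLConstants unit in the uses clause.
procedure TForm1.FormCreate(Sender: TObject);
var
  I: TSBCipherSuite;
begin
  // Workaround: disable every cipher suite from SB_SUITE_DH_DSS_DES_SHA
  // through SB_SUITE_LAST on the client plugin.
  for I := SB_SUITE_DH_DSS_DES_SHA to SB_SUITE_LAST do
    ClientPlugin.CipherSuites[I] := False;
end;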

Also you need to add SBSSLConstants unit to the uses clause.


--
Best regards,
Alexander Ionov
#29173
Posted: 04/07/2014 12:54:57
by Dany Marmur (Basic support level)
Joined: 04/07/2014
Posts: 5

It seems that it is possible to make it work. Albeit when I moved the more successful setup out to "the real world" I did not get the results I expected. I will do some more tests when time allows.

Do you mean that the above fix is what will be put into the next release? Or will there be more?

I'd really like to use the same suite for all my servers and routers. Will the Chrome problem described above also be looked at until next release?

Thank you,

/Dany
#29175
Posted: 04/08/2014 03:38:08
by Alexander Ionov (EldoS Corp.)

Quote
Dany Marmur wrote:
Do you mean that the above fix is what will be put into the next release? Or will there be more?

No, this is just a workaround. It turns off cipher suites which caused the issue. The fix will contain a correct configuration of cipher suites.

Quote
Dany Marmur wrote:
Will the Chrome problem described above also be looked at until next release?

I just tried to connect to the fixed rtcUploadServer sample from Chrome browser and the handshake seems to be completed successfully.


--
Best regards,
Alexander Ionov

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
