EldoS | Feel safer!

Certificate Validation

#30276
Posted: 08/12/2014 08:34:40
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

Hi,

I create my SSL object like this:

oSSL:=TElSimpleSSLClient.Create(nil);
oSSL.Versions:=[sbSSL3,sbSSL2,sbTLS1,sbTLS11,sbTLS12];
oSSL.SocksAuthentication:=saNoAuthentication;
oSSL.OnCertificateValidate:=SSLCertificateValidate;
oSSL.SocketTimeout:=10000; {Ali:Should be justified}
oSSL.OnError:=SSLError;
oSSL.OnCloseConnection:=SSLClose;

It works well and I can send and receive anything without doing a real validation.

For certificate validation, in that method, I do not check anything else; I just set "Validate:=True". Could you please let me know what is the best way to validate a certificate?

Should I use just the Validate/ValidateWithCA methods? Or do I need to call more methods in advance?

May I have a sample code?

procedure SSLCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
begin
  Validate := True;
end;


Thanks,
Don
#30277
Posted: 08/12/2014 08:37:36
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

You should use TElX509CertificateValidator class and its ValidateForSSL method. Most of our demo applications contain a code sample.

Please refer to the following article for details: https://www.eldos.com/security/articles/7545.php
#30278
Posted: 08/12/2014 08:39:29
by Eugene Mayevski (Team)

TElX509CertificateValidator appeared after version 8, for which you have a license.

Complete certificate validation is a non-trivial operation which involves CRL and OCSP checks and much more (and this is what TElX509CertificateValidator does for you).


Sincerely yours
Eugene Mayevski
#30279
Posted: 08/12/2014 08:57:48
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

Thanks for your prompt responses.

I am using SBB 9.1 and I know that I have to use the TElX509Certificate class for validation of SSL certificates, but usually in our business, when we want to connect to a new retailer, they just provide us with a URL and port for the SSL connection.

So I know the whole class is documented here: https://www.eldos.com/documentation/sbb/documentation/ref_cl_certificate.html but I am confused about exactly which parameters and methods to use. Do I need to get more data from the retailer to validate the certificate, or are the URL and port they already provided enough? Because with just the port and URL, without certificate validation, I can send and receive data through SBB.

Thanks,
Don
#30285
Posted: 08/12/2014 09:27:56
by Eugene Mayevski (Team)

Use of methods of TElX509Certificate is absolutely insufficient for proper validation. Right now you are asking how to rewrite TElX509CertificateValidator class. The short answer is "you don't" - it's a lot of work that requires good knowledge of PKI.


Sincerely yours
Eugene Mayevski
#30288
Posted: 08/12/2014 10:28:46
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

So could you please let me know what is the best way to use TElX509Certificate for validating an SSL certificate?

Just a sample if possible.

Thanks,
Ali
#30290
Posted: 08/12/2014 10:32:53
by Eugene Mayevski (Team)

Please re-read my previous message, it answers the questions you asked now.


Sincerely yours
Eugene Mayevski
#30291
Posted: 08/12/2014 10:43:50
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

So I do not need to validate the SSL connection and I just leave it like this?

oSSL.OnCertificateValidate:=SSLCertificateValidate;

which has this:

procedure SSLCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
begin
  Validate := True;
end;
#30292
Posted: 08/12/2014 13:14:47
by Eugene Mayevski (Team)

You do need certificate validation; code that accepts all certificates is insecure and subject to information leaks and other attacks.

The good news is that version 9 already has the TElX509CertificateValidator class. Please search across the samples in the <SecureBlackbox>\Samples folder for "TElX509CertificateValidator" and use the sample code as a guide for properly validating the certificates.


Sincerely yours
Eugene Mayevski
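Putting the advice in this thread together, here is an added example (not code from the thread, from EldoS or from the Samples folder) of an OnCertificateValidate handler that delegates to TElX509CertificateValidator.ValidateForSSL instead of accepting everything. The unit names, the ValidateForSSL parameter list, the validator property names and the validity/reason enum members are assumptions recalled from the SecureBlackbox 9 reference and should be checked against the article and samples linked above; TRetailerLink, LogMessage and ReasonToText are hypothetical names.

```delphi
uses
  SysUtils, SBX509, SBX509Ext, SBSimpleSSLClient;   // unit names assumed; copy them from a sample

// Hypothetical helper: turns the reason set into a short log string so a
// rejection is diagnosable (expired vs. wrong host vs. unknown CA differ a lot).
function ReasonToText(Reason: TSBCertificateValidityReason): string;
begin
  Result := '';
  if vrExpired in Reason then Result := Result + 'expired ';
  if vrNotYetValid in Reason then Result := Result + 'not-yet-valid ';
  if vrRevoked in Reason then Result := Result + 'revoked ';
  if vrUnknownCA in Reason then Result := Result + 'unknown-CA ';
  if vrIdentityMismatch in Reason then Result := Result + 'name-mismatch ';
  if vrInvalidSignature in Reason then Result := Result + 'bad-signature ';
  if vrCRLNotVerified in Reason then Result := Result + 'CRL-unchecked ';
  if vrOCSPNotVerified in Reason then Result := Result + 'OCSP-unchecked ';
  if Result = '' then Result := 'validity=' + IntToStr(Ord(Validity));
end;

// Replaces the "Validate := True" handler from the question. Default is deny;
// the connection is accepted only when the validator reports cvOk.
procedure TRetailerLink.SSLCertificateValidate(Sender: TObject;
  X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validator: TElX509CertificateValidator;
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
  Host: string;
begin
  Validate := False;
  // The host name we dialled (retailer URL) is the identity the certificate
  // must match; a valid chain for some other name is still a failure.
  Host := TElSimpleSSLClient(Sender).Address;
  Validator := TElX509CertificateValidator.Create(nil);
  try
    Validator.UseSystemStorages := True;   // trust anchors from the Windows stores (assumed property)
    Validator.CheckCRL := True;            // revocation via CRL (assumed property)
    Validator.CheckOCSP := True;           // revocation via OCSP (assumed property)
    // Chain building, expiry, signatures, revocation and host-name match in one call.
    // Parameter order assumed: cert, extra certs, domain, IP, host role, out validity, out reason.
    Validator.ValidateForSSL(X509Certificate, nil, Host, '', hrServer, Validity, Reason);
    Validate := (Validity = cvOk);
    if not Validate then
      LogMessage(Format('Rejected certificate for %s: %s', [Host, ReasonToText(Reason)]));
  finally
    Validator.Free;
  end;
end;
```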