EldoS | Feel safer!

Certificate Validation

#30276
Posted: 08/12/2014 08:34:40
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

Hi,

I create my SSL object like this:

oSSL:=TElSimpleSSLClient.Create(nil);
oSSL.Versions:=[sbSSL3,sbSSL2,sbTLS1,sbTLS11,sbTLS12]; {enables every protocol version, including SSL 2.0 and 3.0, which are prohibited by RFC 6176 and RFC 7568}
oSSL.SocksAuthentication:=saNoAuthentication;
oSSL.OnCertificateValidate:=SSLCertificateValidate; {handler shown below}
oSSL.SocketTimeout:=10000; {Ali:Should be justified}
oSSL.OnError:=SSLError;
oSSL.OnCloseConnection:=SSLClose;

It works well and I can send and receive anything without doing a real validation.

For certificate validation, in that method, I do not check anything else; I just set "Validate:=True". Could you please let me know what the best way to validate a certificate is?

Should I use just the Validate/ValidateWithCA methods? Or do I need to call more methods in advance?

May I have a sample code?

procedure SSLCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
begin
  Validate := True; {accepts every certificate the server presents; no chain, name, validity or revocation check is performed}
end;


Thanks,
Don
#30277
Posted: 08/12/2014 08:37:36
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should use the TElX509CertificateValidator class and its ValidateForSSL method. Most of our demo applications contain a code sample.

Please refer to the following article for details: https://www.eldos.com/security/articles/7545.php
#30278
Posted: 08/12/2014 08:39:29
by Eugene Mayevski (EldoS Corp.)

TElX509CertificateValidator appeared after version 8, for which you have a license.

Complete certificate validation is a non-trivial operation which involves CRL and OCSP checks and much more ( and this is what TElX509CertificateValidator does for you ).


Sincerely yours
Eugene Mayevski
#30279
Posted: 08/12/2014 08:57:48
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

Thanks for your prompt responses.

I am using SBB 9.1 and I know that I have to use the TElX509Certificate class for validation of SSL certificates, but usually in our business, when we want to connect to a new retailer, they just provide us a URL and port for the SSL connection.

So I know the whole class is documented here: https://www.eldos.com/documentation/sbb/documentation/ref_cl_certificate.html, but I am confused about exactly which parameters and methods to use. Do I need to get more data from the retailer to validate the certificate, or are the URL and port they already provided enough? Because with just the port and URL, without certificate validation, I can send and receive data through SBB.

Thanks,
Don
#30285
Posted: 08/12/2014 09:27:56
by Eugene Mayevski (EldoS Corp.)

Use of methods of TElX509Certificate is absolutely insufficient for proper validation. Right now you are asking how to rewrite TElX509CertificateValidator class. The short answer is "you don't" - it's a lot of work that requires good knowledge of PKI.


Sincerely yours
Eugene Mayevski
#30288
Posted: 08/12/2014 10:28:46
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

So could you please let me know what the best way is to use TElX509Certificate for validating an SSL certificate?

Just a sample if possible.

Thanks,
Ali
#30290
Posted: 08/12/2014 10:32:53
by Eugene Mayevski (EldoS Corp.)

Please re-read my previous message, it answers the questions you asked now.


Sincerely yours
Eugene Mayevski
#30291
Posted: 08/12/2014 10:43:50
by Ali Sefidpour (Standard support level)
Joined: 04/14/2010
Posts: 9

So I do not need to validate the SSL connection and I just leave it like this?

oSSL.OnCertificateValidate:=SSLCertificateValidate;

which has this?

procedure SSLCertificateValidate(Sender: TObject; X509Certificate: TElX509Certificate; var Validate: Boolean);
begin
  Validate := True; {accepts every certificate unconditionally}
end;
#30292
Posted: 08/12/2014 13:14:47
by Eugene Mayevski (EldoS Corp.)

You do need certificate validation, and code that accepts all certificates is insecure and subject to information leakage and other attacks.

Good news is that version 9 already has TElX509CertificateValidator class. Please search across the samples in <SecureBlackbox>\Samples folder for "TElX509CertificateValidator" and use the sample code as a guide for properly validating the certificates.


Sincerely yours
Eugene Mayevski
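As an added example of what the replies above are asking for (this is not code from the thread or from the EldoS samples; the vendor's own version is in the Samples folder Eugene points to), here is an OnCertificateValidate handler that delegates to TElX509CertificateValidator.ValidateForSSL instead of returning True for every certificate. The unit names, property names, the ValidateForSSL signature and the cv*/vr*/hr* constants are assumed from the SecureBlackbox 9 documentation as recalled here and must be checked against the installed version; the host name and port are placeholders for whatever the retailer provides.

```delphi
program ValidatedSSLClient;
{$APPTYPE CONSOLE}

// Added example, not code from the thread or the EldoS samples.
// Unit names, property names, ValidateForSSL's signature and the
// cv*/vr*/hr* constants are assumed from the SBB 9 docs as recalled here.
uses
  SysUtils,
  SBX509,               // TElX509Certificate           (assumed unit)
  SBCustomCertStorage,  // TSBCertificateValidity/Reason (assumed unit)
  SBCertValidator,      // TElX509CertificateValidator  (assumed unit)
  SBSimpleSSLClient;    // TElSimpleSSLClient           (assumed unit)

type
  TValidatedClient = class
  private
    FSSL: TElSimpleSSLClient;
    FValidator: TElX509CertificateValidator;
    FLastFailure: string;
    procedure SSLCertificateValidate(Sender: TObject;
      X509Certificate: TElX509Certificate; var Validate: Boolean);
  public
    constructor Create(const Host: string; Port: Integer);
    destructor Destroy; override;
    procedure Connect;
    property LastFailure: string read FLastFailure;
  end;

constructor TValidatedClient.Create(const Host: string; Port: Integer);
begin
  inherited Create;
  FValidator := TElX509CertificateValidator.Create(nil);
  // Build the chain against the Windows trust stores and check revocation
  // (assumed property names).
  FValidator.UseSystemStorages := True;
  FValidator.CheckCRL := True;
  FValidator.CheckOCSP := True;

  FSSL := TElSimpleSSLClient.Create(nil);
  // SSL 2.0 and 3.0 are prohibited (RFC 6176, RFC 7568): offer TLS only.
  FSSL.Versions := [sbTLS1, sbTLS11, sbTLS12];
  FSSL.Address := Host;   // reused below as the name the certificate must match
  FSSL.Port := Port;
  FSSL.SocketTimeout := 10000;
  FSSL.OnCertificateValidate := SSLCertificateValidate;
end;

destructor TValidatedClient.Destroy;
begin
  FSSL.Free;
  FValidator.Free;
  inherited;
end;

procedure TValidatedClient.SSLCertificateValidate(Sender: TObject;
  X509Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  // Instead of "Validate := True": let the validator check signatures,
  // validity period, trust anchor, revocation and that the certificate
  // is issued to the host we dialled. ServerCertStorage carries the
  // intermediates the server sent. Assumed signature:
  //   ValidateForSSL(Cert, AdditionalCerts, DomainName, IPAddress,
  //                  HostRole, Moment, var Validity, var Reason)
  FValidator.ValidateForSSL(X509Certificate, FSSL.ServerCertStorage,
    FSSL.Address, '', hrServer, Now, Validity, Reason);

  Validate := (Validity = cvOk);
  if not Validate then
  begin
    FLastFailure := Format('certificate for %s rejected (validity code %d)',
      [FSSL.Address, Ord(Validity)]);
    // Reason is a set of flags; surface the common ones for the log
    // (assumed flag names).
    if vrIdentityMismatch in Reason then FLastFailure := FLastFailure + ': name mismatch';
    if vrUnknownCA in Reason then FLastFailure := FLastFailure + ': untrusted issuer';
    if vrExpired in Reason then FLastFailure := FLastFailure + ': expired';
    if vrRevoked in Reason then FLastFailure := FLastFailure + ': revoked';
  end;
end;

procedure TValidatedClient.Connect;
begin
  // Open runs the TLS handshake; OnCertificateValidate fires during it and
  // a False result aborts the handshake before any application data flows.
  FSSL.Open;
end;

var
  Client: TValidatedClient;
begin
  Client := TValidatedClient.Create('retailer.example', 443); // placeholders
  try
    try
      Client.Connect;
      WriteLn('handshake completed, server certificate validated');
    except
      on E: Exception do
        WriteLn('connection failed: ', E.Message, ' ', Client.LastFailure);
    end;
  finally
    Client.Free;
  end;
end.
```

The answer to the question in the thread is therefore: the URL and port are enough, because the host name taken from the URL is exactly what the validator compares against the certificate's subject; the retailer does not have to send anything else as long as their certificate chains to a CA the client's trust store already contains. Only if they use a private CA would its root certificate need to be added to the validator's trusted storage.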