EldoS | Feel safer!
Question: SMTP - ValidateForSSL

#30295
Posted: 08/13/2014 03:35:06
by Dennis Ratzek (Standard support level)
Joined: 07/28/2014
Posts: 9

Hello,

I am using SecureBlackbox version 12.0.257.

I tried to implement a CertificateValidateHandler in my mailing class, but even with an international provider like smtp.gmail.com the validation always returns cvInvalid.

I basically copied the function from the SMTPClientDemo (I can reproduce the problem with the demo):

Code
procedure TfmMain.CertificateValidateHandler(Sender : TObject;
  X509Certificate : TElX509Certificate; var Validate : Boolean);
var
  Validator : TElX509CertificateValidator;
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  // Default is to accept: with cbUseValidator unchecked every server
  // certificate is trusted without any check at all.
  Validate := true;

  if cbUseValidator.Checked then
  begin
    // Run the validator only for the certificate at the head of the chain
    // (or one without a chain); the validator walks the remaining issuers itself.
    if (X509Certificate.Chain = nil) or (X509Certificate.Chain.Certificates[0].Equals(X509Certificate)) then
    begin
      // Create before the try block so that FreeAndNil never runs on an
      // uninitialized local if the constructor raises.
      Validator := TElX509CertificateValidator.Create(nil);
      try
        Validator.InitializeWinStorages;

        // For proper CRL and OCSP validation please read instructions in
        // description of ElX509CertificateValidator class in the help file
        Validator.ValidateForSSL(X509Certificate, edAddress.Text, '', hrServer,
                                 nil, false, false, Now, Validity, Reason);
        // Reason carries the vr* flags that explain a result other than cvOk.
        if Validity <> cvOk then
          Validate := false;
      finally
        FreeAndNil(Validator);
      end;
    end;
  end;
end;


I read the documentation and added
Code
SBHTTPCRL, SBHTTPOCSPClient
to the uses clause and then tried to disable some options to get it to work.

With the following code right before I call ValidateForSSL I can successfully validate the certificate.
Code
Validator.IgnoreCABasicConstraints := true;

I also had to adjust the smtp.Login function to
Code
smtp.Login(edAddress.Text);


The documentation mentions that you should report cvInvalid return codes. Maybe you could also explain to me what I actually ignore in this case. Is the validation still acceptable/secure when I ignore the CABasicConstraints in the process?
#30296
Posted: 08/13/2014 03:49:48
by Eugene Mayevski (EldoS Corp.)

You have several different problems here:

1)
Quote
dratzek wrote:
I also had to adjust the smtp.Login function to
Code
smtp.Login(edAddress.Text);


You pass the *local* host name to the Login method. The Login method sends a HELO or EHLO command to the server, and that command expects the client to "introduce itself" by sending the name of the client's host.

2)
Quote
dratzek wrote:
I tried to implement a CertificateValidateHandler in my mailing class, but even with an international provider like smtp.gmail.com the validation always returns cvInvalid.


a) To narrow down the problem, try the Validate method rather than ValidateForSSL.

b) Check the ValidityReason values to see what didn't work.

c) The validator itself has an OnAfterCertificateValidate event. This event is fired for every certificate in the certificate tree after that certificate has been validated. In the event handler you can inspect exactly which certificate failed validation and why.


Sincerely yours
Eugene Mayevski
#30297
Posted: 08/13/2014 04:27:48
by Dennis Ratzek (Standard support level)
Joined: 07/28/2014
Posts: 9

Thank you for your answer. I will continue with these steps.
#30387
Posted: 08/17/2014 08:59:25
by Eugene Mayevski (EldoS Corp.)

Just checking if you have managed to solve your problem.


Sincerely yours
Eugene Mayevski
#30514
Posted: 08/27/2014 17:55:59
by Tim Frost (Standard support level)
Joined: 07/20/2007
Posts: 17

Sorry to hijack this thread but I have exactly the same problem. As suggested, I have tried switching to Validate, not ValidateForSSL, and I have written the suggested event handler, which shows four certificates, Google, Google, GeoTrust and Equifax. None shows any failure reason code, but the validate operation returns a 'CA Unauthorized' reason code. I am using Implicit SSL mode and port 465. I have tried IPv4 and IPv6 (the latter because it seems to be selected by Thunderbird, which has the same 465 port set). I am using the latest v12.

I also see in Wireshark that a working SMTP session (e.g. Thunderbird) starts with a Client Hello, then Server Hello and Certificate messages come back. Whereas your client starts by sending an 'Ignored Unknown Record', but Server Hello does then come back. The 'ignored' is presumably Wireshark's interpretation of the encrypted message. Wireshark is not omniscient, but this description seems a bad start to the transaction.

On the basis of fixing the errors that can be seen, could you investigate whether sending this 'unknown' message in place of a 'client hello' is contributing to the problem?

I cannot imagine that nobody has managed to send SMTP mail to Google using your SMTP client. Or that this site is not one of those you use yourselves for testing. It would be much appreciated if you could provide a set of parameters, or a sample validation function, which is known to work for gmail. I know this stuff is complicated, and that gmail is picky, but that is why I use SBB and expect it to make the task a little easier! Please let me know if you need more information, or PCAP files from my testing.

Incidentally I do find that explicit mode seems to work well to other servers with the standard sample validation function, but our customers of course want us to support their mailserver of choice!
#30515
Posted: 08/28/2014 01:32:10
by Vsevolod Ievgiienko (EldoS Corp.)

Please set TElX509CertificateValidator.IgnoreCABasicConstraints to 'true' before certificate validation. This will solve the problem with Gmail.
#30516
Posted: 08/28/2014 04:26:08
by Tim Frost (Standard support level)
Joined: 07/20/2007
Posts: 17

Thanks, that seems to have done the trick.
#30657
Posted: 09/10/2014 02:54:30
by Dennis Ratzek (Standard support level)
Joined: 07/28/2014
Posts: 9

Hello, I was on vacation. I tried the event handler but I didn't really know what to do with the results. Like I said in my first post, I tried to disable several options and I could make it work with Validator.IgnoreCABasicConstraints := true; Vsevolod Ievgiienko did mention this as well in his last post. I was wondering what exactly I was doing with this because I couldn't find this property in the documentation. I did test 4 e-mail servers (Gmail and 3 larger local e-mail providers) and the validation failed for all of them unless I ignore the BasicConstraints.

I can post the certificate chain from Gmail and the error reasons from the event handler here. The names are always the SubjectRDN.CommonName, alternatively the OrganizationUnit, followed by the reason for the failure.

Code
'GeoTrust Global CA TGV OCSP Responder 2' - OK

'GeoTrust Global CA' - [vrCAUnauthorized]

'Google Internet Authority G2' - [vrCAUnauthorized,vrOCSPNotVerified]

'smtp.gmail.com' - [vrCAUnauthorized,vrOCSPNotVerified]

'Google Internet Authority G2' - OK

'GeoTrust Global CA' - [vrCAUnauthorized]

Exception : CRL Retrieval failed from C=US,O=Equifax,OU=Equifax Secure Certificate Authority,CN=CRL1

'Equifax Secure Certificate Authority' - [vrCRLNotVerified]

Exception: Server cannot perform SSL negotiation ( error code is 75784)
#30662
Posted: 09/10/2014 04:09:00
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
I was wondering what exactly I was doing with this because I couldn't find this property in the documentation.

According to the standard, CA certificates should have the BasicConstraints extension, but some of them ignore this rule and don't have it. When IgnoreCABasicConstraints is set to 'true', the validator doesn't interpret the extension's absence as a validation problem and simply ignores it.
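What the IgnoreCABasicConstraints switch gives up, as an added Go example that is not part of this thread and not SecureBlackbox code: it builds a constructed three-certificate chain whose issuing CA carries no BasicConstraints extension at all, shows that Go's standard-library verifier refuses that chain (RFC 5280 section 4.2.1.9 forbids using a version 3 certificate without BasicConstraints cA=TRUE to verify certificate signatures, the same rule behind a "CA unauthorized" reason), and then runs a hand-rolled check that tolerates the missing extension the way the switch does. The host name smtp.example.test, the certificate names and all helper functions are assumptions made for this example; treating Go's error as the counterpart of vrCAUnauthorized is an analogy, not a statement about SecureBlackbox internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Chain is a constructed test PKI (not real Gmail certificates): a root, an
// issuing CA and a server leaf. BuildChain(false) omits BasicConstraints from
// the issuing CA entirely, the situation discussed in the thread.
type Chain struct{ Root, Issuer, Leaf *x509.Certificate }

// mkCert generates a P-256 key and issues tmpl from parent (self-signed when
// parent is nil). Failures here are programming errors, so they panic.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain issues root -> issuing CA -> leaf. BasicConstraintsValid=false on
// the issuing CA means the extension is not written at all.
func BuildChain(issuerHasBasicConstraints bool) Chain {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	root, rootKey := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
	issuer, issuerKey := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Test Issuing CA"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageCertSign,
		BasicConstraintsValid: issuerHasBasicConstraints, IsCA: issuerHasBasicConstraints,
	}, root, rootKey)
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "smtp.example.test"},
		DNSNames: []string{"smtp.example.test"}, NotBefore: nb, NotAfter: na,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer, issuerKey)
	return Chain{root, issuer, leaf}
}

// VerifyStrict runs the standard-library verifier, which enforces the
// BasicConstraints rule: a v3 issuer without cA=TRUE cannot sign certificates.
func VerifyStrict(c Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Issuer)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName: "smtp.example.test", Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsIssuerUnauthorized reports whether err is the "issuer may not sign
// certificates" failure, the analogue of a CA-unauthorized reason. Go reports
// it as CertificateInvalidError{NotAuthorizedToSign}, as ConstraintViolationError,
// or quotes either inside UnknownAuthorityError's message, so all are checked.
func IsIssuerUnauthorized(err error) bool {
	var cie x509.CertificateInvalidError
	var cve x509.ConstraintViolationError
	if errors.As(err, &cve) || (errors.As(err, &cie) && cie.Reason == x509.NotAuthorizedToSign) {
		return true
	}
	return err != nil && (strings.Contains(err.Error(), "cannot sign this kind of certificate") ||
		strings.Contains(err.Error(), "not authorized to sign"))
}

// VerifyIgnoringCABasicConstraints mirrors what the switch waives: an issuer
// with no BasicConstraints extension is accepted, an explicit cA=FALSE is not.
// Signatures, validity dates and the host name are still checked. It exists
// to make the weakened rule visible, not for production use.
func VerifyIgnoringCABasicConstraints(c Chain) error {
	if err := c.Leaf.VerifyHostname("smtp.example.test"); err != nil {
		return err
	}
	now := time.Now()
	path := []*x509.Certificate{c.Leaf, c.Issuer, c.Root}
	for i := 0; i+1 < len(path); i++ {
		child, issuer := path[i], path[i+1]
		if now.Before(issuer.NotBefore) || now.After(issuer.NotAfter) {
			return fmt.Errorf("%s: outside validity period", issuer.Subject.CommonName)
		}
		if issuer.BasicConstraintsValid && !issuer.IsCA {
			return fmt.Errorf("%s: BasicConstraints present with cA=FALSE", issuer.Subject.CommonName)
		}
		// CheckSignature uses only the issuer's key; CheckSignatureFrom would
		// re-apply the BasicConstraints rule this function deliberately skips.
		if err := issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return fmt.Errorf("%s: bad signature: %w", child.Subject.CommonName, err)
		}
	}
	return nil
}

func main() {
	for _, withBC := range []bool{true, false} {
		c := BuildChain(withBC)
		fmt.Printf("issuer has BasicConstraints=%v: strict=%v, relaxed=%v\n",
			withBC, VerifyStrict(c), VerifyIgnoringCABasicConstraints(c))
	}
}
```

The relaxed check accepts the broken chain, which is the point: once the absence of BasicConstraints is tolerated, any certificate that lacks the extension can act as an issuer for whatever its key signs, so the switch should stay off by default and be turned on only for a server whose chain you have inspected and understood.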
