SSL certificate verification on server side

#3353
Posted: 07/12/2007 09:51:46
by Leonid Bandas (Basic support level)
Joined: 07/12/2007
Posts: 4

I am investigating the option to buy EldoS SecureBlackBox components to use in our application. I am working with Delphi 7.0, Indy 9.0.18 and the SecureBlackBox trial (the latest version from the site). In my small test application I am trying to get some info from an internet site over https. I am using TIdHTTP for communication and TElIndySSLIOHandlerSocket as the SSL protocol implementation. When I connect to a server with a valid certificate all works fine, but when I connect to a server with an invalid certificate I expect the application to raise an exception, yet it works with no problem. Where is my error? How can I check the server's certificate validity with TElIndySSLIOHandlerSocket? I attach my example to the message.
Regards, Leonid


#3354
Posted: 07/12/2007 10:02:28
by Eugene Mayevski (EldoS Corp.)

Please use OnCertificateValidate event of the IOHandler and read the corresponding how-to in the Knowledgebase


Sincerely yours
Eugene Mayevski
#3363
Posted: 07/15/2007 10:05:57
by Leonid Bandas (Basic support level)
Joined: 07/12/2007
Posts: 4

As far as I understand from the how-to, if the received certificate being validated is self-signed, I have to check whether this certificate is trusted. I run a loop over ElWinCertStorage.Certificates to check whether the received certificate is one of the trusted ones on the local computer. But how can I compare 2 certificates? I found nothing in the "How to". Can you provide some example of certificate comparison?
Thanks for your help.
#3364
Posted: 07/15/2007 10:19:06
by Eugene Mayevski (EldoS Corp.)

First compare hashes (use GetHashSHA1() method), then, if they are equal, you need to compare serial numbers and issuer records.


Sincerely yours
Eugene Mayevski
#3371
Posted: 07/17/2007 09:16:33
by Leonid Bandas (Basic support level)
Joined: 07/12/2007
Posts: 4

Hello.
According to the "Validate the Certificate" how-to (http://www.eldos.com/sbb/articles/1966.php?phrase_id=177058) we understand that the OnCertificateValidate event is called once for the bottom certificate and the handler should evaluate it and its "parents".
However, we get this event fired twice for a 3-certificate chain including the VeriSign root, the VeriSign public and our site certificate. What is weirder is that the first received certificate was the VeriSign public one and not the bottom (our site) certificate.
This behavior prevents us from running the validation algorithm. Can you advise how we can force the OnCertificateValidate event to be fired only once for the bottom certificate in the chain, so we can implement the verification algorithm from the tutorial?
#3373
Posted: 07/17/2007 09:42:15
by Eugene Mayevski (EldoS Corp.)

1) Do you have a URL that we can check?
2) There seems to be some misunderstanding of what's written in the how-to. Here's the text:
"The SSL component passes the application a reference to the certificate. The event is called for every certificate in the chain, received from the remote side. The first passed certificate is the topmost CA certificate, present in the list. The next one is the certificate, issued using the topmost CA certificate, and so on. The last certificate is the end-entity certificate."

The source code corresponds to the text (I've checked this again). So we need an URL to see the problem ourselves.


Sincerely yours
Eugene Mayevski
#3389
Posted: 07/18/2007 07:57:20
by Leonid Bandas (Basic support level)
Joined: 07/12/2007
Posts: 4

The problem occurs when we are working with
https://otv.mojopacific.com/
In Internet Explorer we saw 3 certificates in the chain, but the OnCertificateValidate event was fired twice and not 3 times. With the URL https://is.opentvparticipate.com/ we found another problem. In Internet Explorer we saw 4 certificates in the chain, but the OnCertificateValidate event was fired twice too. And SSlHandler.InternalValidate for every certificate in the chain returns that the certificate is invalid because of an unknown publisher. When we installed the topmost certificate in Internet Explorer on the local machine, the SSlHandler.InternalValidate method started returning OK.
#3390
Posted: 07/18/2007 08:12:58
by Eugene Mayevski (EldoS Corp.)

Most likely IE shows you the certificates it received and also the certificates in local storage, all in one chain. And SecureBlackbox only reports the certificates that were sent by the server. It doesn't access other certificates (like the ones in Windows certificate storage) automatically.


Sincerely yours
Eugene Mayevski
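The three points made in the answers above (#3364: compare by SHA-1 hash, then serial and issuer; #3373: the event fires once per certificate the server sent, topmost CA first, end-entity last; #3390: the server may omit the root, which then has to be resolved from the local store) can be put together into one handler. The following is an added illustration in Python with constructed certificate records, not SecureBlackbox or the poster's Delphi code; the event shape, the names `Cert`, `validate_chain` and the sample DNs are assumptions, and signature verification is left out, so only issuer/subject linkage, trust-store matching and the host name are checked.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # stand-in for the subject DN
    issuer: str    # stand-in for the issuer DN
    serial: int
    der: bytes     # constructed stand-in for the DER encoding (not a real certificate)

    def sha1(self) -> str:
        return hashlib.sha1(self.der).hexdigest()


def same_certificate(a: Cert, b: Cert) -> bool:
    """Comparison order from post #3364: SHA-1 hash first, then serial number and issuer."""
    return a.sha1() == b.sha1() and a.serial == b.serial and a.issuer == b.issuer


def validate_chain(sent: list, trusted: list, host: str) -> list:
    """Simulate OnCertificateValidate firing once per certificate the server sent,
    topmost CA first and end-entity last (post #3373). One verdict per firing; a
    failure anywhere fails every later certificate, since they hang off a broken link."""
    verdicts, previous, chain_ok = [], None, True
    for i, cert in enumerate(sent):
        if previous is None:
            if cert.subject == cert.issuer:
                # self-signed top: it must exactly match a certificate we already trust
                ok = any(same_certificate(cert, t) for t in trusted)
            else:
                # server omitted the root (post #3390): its issuer must be a trusted root
                ok = any(t.subject == cert.issuer and t.subject == t.issuer for t in trusted)
        else:
            # every later certificate must be issued by the one delivered just before it
            ok = cert.issuer == previous.subject
        if i == len(sent) - 1:
            ok = ok and cert.subject == host  # end-entity must name the host we connected to
        chain_ok = chain_ok and ok
        verdicts.append(chain_ok)
        previous = cert
    return verdicts


# Constructed sample data (hypothetical names, not real certificates)
ROOT = Cert("Example Root CA", "Example Root CA", 1, b"root-der")
INTER = Cert("Example Issuing CA", "Example Root CA", 2, b"intermediate-der")
SITE = Cert("otv.example.test", "Example Issuing CA", 3, b"site-der")
LOCAL_STORE = [ROOT]

if __name__ == "__main__":
    print(validate_chain([ROOT, INTER, SITE], LOCAL_STORE, "otv.example.test"))  # [True, True, True]
    print(validate_chain([INTER, SITE], LOCAL_STORE, "otv.example.test"))        # [True, True]
    print(validate_chain([INTER, SITE], [], "otv.example.test"))                 # [False, False]
```

The second call reproduces the situation in #3389: only two certificates arrive, yet the chain still validates because the missing root is found in the local store.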
