[twsocket] RFC1123_Date
Hi everyone,

I used the RFC1123_Date function in OverbyteIcsHttpSrv.pas to make header content (as Date, Cache control) but when I searched for it I found 2 lines that I don't understand.

In THttpConnection.AnswerStreamAcceptRange :

    PutStringInSendBuffer ('Last-Modified: ' + RFC1123_Date(FLastModified) + ' GMT' + #13#10);

and in THttpConnection.SendDocument(const CustomHeaders : String) :

    Header := Header + 'Last-Modified: ' + RFC1123_Date(FLastModified) + ' GMT' + #13#10;

'GMT' is always displayed, but is it really the time on the computer that executes the soft ?
Maybe I missed something, that's why I ask you all ;)

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
OK, I asked my customer if he could convert his p7b's certificate to a PEM with the private key included and he accepted : now it WORKS FINE !! ^_^

Thanks to all of you, it helps me to understand these formats by the way ;)

Guillaume ROQUES

At 20:59, Fastream Technologies wrote:
> Private keys are created during CSR (Certificate Signing Request) creation.
> He who ordered the cert should have it.
>
> Best Regards,
> Subzero
>
> On Fri, Oct 7, 2011 at 17:43, ROQUES Guillaume guillaume.roq...@canyon.fr wrote:
>> So as my customer bought a wildcard certificate, it must include a private key or do I need to generate one ?
>> Actually, the problem comes from me or the customer ?
>>
>> Gratefully,
>> Guillaume ROQUES
>> http://www.canyon.fr/
>>
>> At 20:59, Arno Garrels wrote:
>>> ROQUES Guillaume wrote:
>>>> And ICS logger says :
>>>> 15:57:49:896 InitCtx OpenSSL version: OpenSSL 0.9.8h 28 May 2008
>>>> 15:57:49:897 error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>> So I checked MyCertificate.pem and I've got 3 blocks :
>>>
>>> Without a private key it doesn't work. InitContext raises an exception in such case. The private key has to be converted to PEM format as well, preferably to a separate PEM file in your case and property SslPrivKeyFile should point to it.
>>>
>>> BTW: If you would not eat exceptions you would have got that error message sooner and easier.
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
OK, thanks to all of you.
I'm going to ask it from my customer and find a command line to convert p7b with the private key.

Gratefully (at the end ;),
Guillaume ROQUES

At 20:59, Fastream Technologies wrote:
> Private keys are created during CSR (Certificate Signing Request) creation.
> He who ordered the cert should have it.
>
> Best Regards,
> Subzero
>
> On Fri, Oct 7, 2011 at 17:43, ROQUES Guillaume guillaume.roq...@canyon.fr wrote:
>> So as my customer bought a wildcard certificate, it must include a private key or do I need to generate one ?
>> Actually, the problem comes from me or the customer ?
>>
>> Gratefully,
>> Guillaume ROQUES
>> http://www.canyon.fr/
>>
>> At 20:59, Arno Garrels wrote:
>>> ROQUES Guillaume wrote:
>>>> And ICS logger says :
>>>> 15:57:49:896 InitCtx OpenSSL version: OpenSSL 0.9.8h 28 May 2008
>>>> 15:57:49:897 error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>> So I checked MyCertificate.pem and I've got 3 blocks :
>>>
>>> Without a private key it doesn't work. InitContext raises an exception in such case. The private key has to be converted to PEM format as well, preferably to a separate PEM file in your case and property SslPrivKeyFile should point to it.
>>>
>>> BTW: If you would not eat exceptions you would have got that error message sooner and easier.
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
So as my customer bought a wildcard certificate, it must include a private key or do I need to generate one ?
Actually, the problem comes from me or the customer ?

Gratefully,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>> And ICS logger says :
>> 15:57:49:896 InitCtx OpenSSL version: OpenSSL 0.9.8h 28 May 2008
>> 15:57:49:897 error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
>> So I checked MyCertificate.pem and I've got 3 blocks :
>
> Without a private key it doesn't work. InitContext raises an exception in such case. The private key has to be converted to PEM format as well, preferably to a separate PEM file in your case and property SslPrivKeyFile should point to it.
>
> BTW: If you would not eat exceptions you would have got that error message sooner and easier.
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
> If that doesn't help, use a TIcsLogger to get a full debug log and send that to me if you don't find the error yourself.

So I tried a few things with ICS logger ON, but no answers.

First Delphi code to initialize TSSLContext :

    with MySslContext do begin
      SslCertFile := APath + 'MyCertificate.pem';
      SslPassPhrase := '';
      SslPrivKeyFile := APath + 'MyCertificate.pem';
      SslCAFile := APath + 'MyCertificate.pem';
      SslCAPath := APath;
      SslVerifyPeer := False;
    end;

And ICS logger says :

    15:57:49:896 InitCtx OpenSSL version: OpenSSL 0.9.8h 28 May 2008
    15:57:49:897 error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

So I checked MyCertificate.pem and I've got 3 blocks :

    subject=/C=FR/OU=Domain Control Validated/CN=*.mydomain.fr
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----

    subject=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
    issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----

    subject=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----

Then I changed my Delphi code to :

    with TWSslContext do begin
      SslCertFile := APath + 'CanyonCA.pem';
      SslPassPhrase := '';
      //SslPrivKeyFile := APath + 'CanyonCA.pem';
      SslCAFile := APath + 'CanyonCA.pem';
      SslCAPath := APath;
      SslVerifyPeer := False;
    end;

And ICS logger says :

    15:59:00:703 InitCtx OpenSSL version: OpenSSL 0.9.8h 28 May 2008

In my self generated certificate, I'd got a RSA Priv key included, but none here.
Did I configure my SSLcontext in the right way ?

Gratefully,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>>> What client is connecting when that error happens?
>> IE 7 to 9 or Firefox
>> But none ask to add certificate, both say that the site is unreachable... sounds weird I know T_T
>
> Have you tried newer OpenSSL libraries?
> http://wiki.overbyte.be/wiki/index.php/ICS_Download
> If that doesn't help, use a TIcsLogger to get a full debug log and send that to me if you don't find the error yourself.
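The `PEM_read_bio:no start line` error in the message above can be checked for before the server is started: a bundle written by `openssl pkcs7 -print_certs` holds only CERTIFICATE blocks, so it cannot also serve as the private key file. The script below is an added example, not part of the original posts or of ICS; it lists the PEM block types in a bundle and uses the `subject=`/`issuer=` lines to check the leaf, intermediate, root order described in the thread. The function name `inspect_bundle` and the sample data are constructed for illustration.

```python
import re


# Constructed sample: the subject/issuer lines are the ones quoted in the thread,
# the certificate bodies are placeholders (this check never decodes them).
def _entry(subject, issuer):
    return (f"subject={subject}\nissuer={issuer}\n"
            "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n\n")


LEAF = "/C=FR/OU=Domain Control Validated/CN=*.mydomain.fr"
INTERMEDIATE = "/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2"
ROOT = "/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA"
ENTRIES = [_entry(LEAF, INTERMEDIATE), _entry(INTERMEDIATE, ROOT), _entry(ROOT, ROOT)]
SAMPLE_BUNDLE = "".join(ENTRIES)

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
NAME_RE = re.compile(r"^subject=(.*)\n\s*issuer=(.*)$", re.M)


def inspect_bundle(text):
    """Report which PEM blocks a bundle holds and whether the chain is ordered."""
    labels = [m.group(1) for m in BLOCK_RE.finditer(text)]
    names = [(s.strip(), i.strip()) for s, i in NAME_RE.findall(text)]
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    # Server certificate first: each certificate must be issued by the next one.
    in_order = all(names[n][1] == names[n + 1][0] for n in range(len(names) - 1))
    findings = []
    if not labels:
        findings.append("no PEM block found")
    if not has_key:
        findings.append("no PRIVATE KEY block: unusable as SslPrivKeyFile")
    if not in_order:
        findings.append("certificates are not in leaf -> intermediate -> root order")
    return {"labels": labels, "has_private_key": has_key,
            "chain_in_order": in_order, "findings": findings}


if __name__ == "__main__":
    report = inspect_bundle(SAMPLE_BUNDLE)
    print(report["labels"])
    for line in report["findings"]:
        print("WARNING:", line)
```
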
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
I tried mycertificate with the OverbyteIcsSslWebServ demo :

 * httpserver responding
 * sslhttpserver not responding
 * sslhandshake failed

Configuration :

 * Write to log file : ON
 * Display header : ON
 * Display SSL info : ON
 * ICS logger.logoptions := [loSslErr,loSslInfo,loSslDump];

If anything helps to understand..

Gratefully,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>>> What client is connecting when that error happens?
>> IE 7 to 9 or Firefox
>> But none ask to add certificate, both say that the site is unreachable... sounds weird I know T_T
>
> Have you tried newer OpenSSL libraries?
> http://wiki.overbyte.be/wiki/index.php/ICS_Download
> If that doesn't help, use a TIcsLogger to get a full debug log and send that to me if you don't find the error yourself.
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
> What client is connecting when that error happens?

IE 7 to 9 or Firefox
But none ask to add certificate, both say that the site is unreachable... sounds weird I know T_T

Regards,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>>> Do you ask for how to get an ICS TSslHttpServer working with a bought server certificate?
>> Yes, and if I need to convert p7b's certificate or not ?
>>
>>> Open the MyCertificate.pem in a text editor that understands UNIX line breaks. Does MyCertificate.pem include multiple certificates? With a bought commercial certificate there should be at least 2 certificates included in MyCertificate.pem. Make sure that the order of these certificates is correct. First has to be the server certificate followed by possible intermediate certificates followed by the root CA certificate.
>> That's right, I found 3 certificates : 1 for the domain name *.mydomain.com, 1 for GlobalSign Domain Validation CA and 1 for GlobalSign root CA.
>
> So that looks correct, the handshake error may happen due to the client closes the connection, so I ask again: What client is connecting when that error happens?
> Common browsers should have the GlobalSign root CA in their trusted certificate store, TSslHttpCli clients not (by default).
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
> That's confusing description. Did he buy an SSL server certificate in order to access your server? Or are you talking about client certificates?

The customer already has an SSL certificate on his domain, so he wants my HttpServer to use SSL with this certificate.

> Please provide more details about how you set up the component to use your certificates. What HTTP client application is used?

Here is my initialization :

    interface
    [...]
    TMyService = class(TService)
      SslHttpServer: TSslHttpServer;
      TWSslAvlSessionCache: TSslAvlSessionCache;
      TWSslContext: TSslContext;
      [...]
    end;

    implementation
    [...]
    procedure TMyService.ServiceStart(Sender: TService; var Started: Boolean);
    begin
      [...]
      SslCertFile := APath + 'MyCertificate.pem';
      SslPassPhrase := '';
      SslPrivKeyFile := APath + 'MyCertificate.pem';
      SslCAFile := APath + 'MyCertificate.pem';
      SslCAPath := APath;
      SslVerifyPeer := False;
      // Pre-loads OpenSSL DLL's
      TWSslContext.InitContext;
      DoLog('OpenSslVersion : ' + OpenSslVersion);
      DoLog(OpenSslCompilerFlags + #13#10 + OpenSslBuiltOn + #13#10 + OpenSslPlatForm + #13#10 + OpenSslDir);
      SslHttpServer.Start;
    end;

Gratefully,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>> Hi everyone,
>> I use ICS HTTPServer via SSL and a Self-Signed certificate (It is OK for an internal use).
>> One of my customers had to access our Web server from outside and bought a certificate to a Certificate Authority (GlobalSign) in p7b format.
>
> That's confusing description. Did he buy an SSL server certificate in order to access your server? Or are you talking about client certificates?
>
>> Could you explain me if I have to convert this format into PEM format OR is there a way to configure ICS server SSL to handle this kind of format ?
>
> Yes, you have to convert it to PEM format. p7b is a bundle format that usually contains multiple certificates, that is the certificate chain up to the root certificate in most cases.
>
>> I tried to convert this p7b format with openssl command line :
>> openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
>
> I don't know whether or not that command line is correct from top of my head. However openssl is capable to convert p7b to PEM nicely.
>
>> But I got a SslHandshake failed from ICS HTTPserver..
>
> Please provide more details about how you set up the component to use your certificates. What HTTP client application is used?
Re: [twsocket] HTTP SSL Server vs p7b certificate's format
> Do you ask for how to get an ICS TSslHttpServer working with a bought server certificate?

Yes, and if I need to convert p7b's certificate or not ?

> Open the MyCertificate.pem in a text editor that understands UNIX line breaks. Does MyCertificate.pem include multiple certificates? With a bought commercial certificate there should be at least 2 certificates included in MyCertificate.pem. Make sure that the order of these certificates is correct. First has to be the server certificate followed by possible intermediate certificates followed by the root CA certificate.

That's right, I found 3 certificates : 1 for the domain name *.mydomain.com, 1 for GlobalSign Domain Validation CA and 1 for GlobalSign root CA.

Gratefully,
Guillaume ROQUES
http://www.canyon.fr/

At 20:59, Arno Garrels wrote:
> ROQUES Guillaume wrote:
>>> That's confusing description. Did he buy an SSL server certificate in order to access your server? Or are you talking about client certificates?
>> The customer already has an SSL certificate on his domain, so he wants my HttpServer to use SSL with this certificate.
>
> Do you ask for how to get an ICS TSslHttpServer working with a bought server certificate?
>
>>> Please provide more details about how you set up the component to use your certificates. What HTTP client application is used?
>> Here is my initialization :
>>
>> interface
>> [...]
>> TMyService = class(TService)
>>   SslHttpServer: TSslHttpServer;
>>   TWSslAvlSessionCache: TSslAvlSessionCache;
>>   TWSslContext: TSslContext;
>>   [...]
>> end;
>>
>> implementation
>> [...]
>> procedure TMyService.ServiceStart(Sender: TService; var Started: Boolean);
>> begin
>>   [...]
>>   SslCertFile := APath + 'MyCertificate.pem';
>>   SslPassPhrase := '';
>>   SslPrivKeyFile := APath + 'MyCertificate.pem';
>>   SslCAFile := APath + 'MyCertificate.pem';
>>   SslCAPath := APath;
>>   SslVerifyPeer := False;
>>   // Pre-loads OpenSSL DLL's
>>   TWSslContext.InitContext;
>>   DoLog('OpenSslVersion : ' + OpenSslVersion);
>>   DoLog(OpenSslCompilerFlags + #13#10 + OpenSslBuiltOn + #13#10 + OpenSslPlatForm + #13#10 + OpenSslDir);
>>   SslHttpServer.Start;
>> end;
>
> Open the MyCertificate.pem in a text editor that understands UNIX line breaks. Does MyCertificate.pem include multiple certificates? With a bought commercial certificate there should be at least 2 certificates included in MyCertificate.pem. Make sure that the order of these certificates is correct. First has to be the server certificate followed by possible intermediate certificates followed by the root CA certificate.
>
> --
> Arno Garrels