[twsocket] SSL Certificates check

2011-05-09 Thread marius gabi
I have updated the SslHandshakeDone(Sender: TObject; ErrCode: Word; PeerCert: 
TX509Base; var Disconnect: Boolean); event as you mentioned and I used 
SslVerifyDepth = 15 and

for I := 0 to TCustomSslWSocket(Sender).SslCertChain.Count - 1 do
  TCustomSslWSocket(Sender).SslCertChain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');

The first thing I noticed is that only one certificate is saved and this one is 
the one from the very top of chain (the CA for all sub_CAs – the one that I 
posted earlier, you can find it attached).
Please advise
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

[twsocket] SSL Certificates check

2011-05-09 Thread marius gabi
Attached cert file

Re: [twsocket] SSL Certificates check

2011-05-09 Thread Arno Garrels
marius gabi wrote:
> I have updated the SslHandshakeDone(Sender: TObject; ErrCode: Word;
> PeerCert: TX509Base; var Disconnect: Boolean); event as you mentioned
> and I used SslVerifyDepth = 15 and
> for I := 0 to TCustomSslWSocket(Sender).SslCertChain.Count - 1 do
>   TCustomSslWSocket(Sender).SslCertChain[I].SaveToPemFile('cert' +
>   IntToStr(I) + '.pem');
>
> The first thing I noticed is that only one certificate is saved and
> this one is the one from the very top of chain (the CA for all
> sub_CAs – the one that I posted earlier, you can find it attached).
> Please advise

One certificate is not enough, did you set OK := 1; in OnSslVerifyPeer event?
  
-- 
Arno Garrels

[twsocket] SSL Certificates check

2011-05-09 Thread marius gabi
Here are the files with OK := 1;

cert0 = Greatest CA (same as server's great CA)
cert1 = Intermediary CA (client's intermediary different from mine's server)
cert2 = Client certificate

Re: [twsocket] SSL Certificates check

2011-05-09 Thread Arno Garrels
marius gabi wrote:
> Here are the files with OK := 1;
>
> cert0 = Greatest CA (same as server's great CA)
> cert1 = Intermediary CA (client's intermediary different from mine's
> server)
> cert2 = Client certificate

Use at least OpenSSL version 0.9.8k from:
http://wiki.overbyte.be/wiki/index.php/ICS_Download
Newer versions don't have problems with these certificates.

-- 
Arno Garrels



Re: [twsocket] SSL Certificates check

2011-05-09 Thread Arno Garrels
marius gabi wrote:
> Thank you for your time!
>
> Indeed updating the OpenSSL version fixed my issue but the following
> strange thing happens: currently I am using ICS V7 but the highest
> version supported by my ICS is 0.9.8n and in this case the
> application still would not work OK.

What does that mean not work? I tested verification of your 
certificate chain with 0.9.8n successfully as well as with v1.0.0d. 

> The OpenSSL ver 0.9.8r (or higher) is not supported so I used
> libeay32.dll from n version and ssleay32.dll from r version and
> everything worked OK. Any thoughts on that?

The version checks are only against libeay32.dll so that no
error is triggered, however do not do that!
Instead upgrade to latest ICS, downloadable here:
http://wiki.overbyte.be/wiki/index.php/ICS_Download
It supports newest 0.9.8r and 1.0.0d.
  
-- 
Arno Garrels


[twsocket] SSL Certificates check

2011-05-04 Thread marius gabi
Thank you for your feedback. In my current scenario the certificate structure is 
as follows:

Server(my application)  |                  Client
  Root certificate      -same as-           Root certificate
  Intermediary CA       -not same as-       Intermediary CA
  Server Cert           -not same as-       Client Cert

> (With my
> client certificate issued for me the communication works perfectly
> but this is not an option as project specification doesn't allow
> providing certificates to clients)

When I stated this I was referring to following certificate structure:

Server(my application)             |               Client
  Root certificate = 0             -same as-       Root certificate = 0
  Intermediary CA = 1 signed by 0  -same as-       Intermediary CA = 1
  Server Cert = 2 signed by 1      -not same as-   Client Cert = 2 signed by 1

Hope this is clear enough. I'm looking forward to your feedback.



Re: [twsocket] SSL Certificates check

2011-05-04 Thread Arno Garrels
marius gabi wrote:
> Thank you for your feedback. In my current scenario the certificate
> structure is as follows:
>
> Server(my application)  |                  Client
>   Root certificate      -same as-           Root certificate
>   Intermediary CA       -not same as-       Intermediary CA
>   Server Cert           -not same as-       Client Cert
>
> (With my
> client certificate issued for me the communication works perfectly
> but this is not an option as project specification doesn't allow
> providing certificates to clients)
> When I stated this I was referring to following certificate structure:
>
> Server(my application)             |               Client
>   Root certificate = 0             -same as-       Root certificate = 0
>   Intermediary CA = 1 signed by 0  -same as-       Intermediary CA = 1
>   Server Cert = 2 signed by 1      -not same as-   Client Cert = 2 signed by 1
>
> Hope this is clear enough. I'm looking forward to your feedback.

Please read my previous message again, I already showed a resolution
to this scenario.

In short:
1) Use a certificate chain file as the SslCertFile containing both
server's certificate and server's intermediate CA certificate.

2) Use a SslCAFile containing the root and client's Intermediary CA
certificate.
 
-- 
Arno Garrels 


[twsocket] SSL Certificates check

2011-05-04 Thread marius gabi
Thank you for your prompt response. We already tried your solution and seems to 
be working. The issue is as follows: I do not have (access to) the client's 
certificate (application not developed by me) in order to compose the chains 
you mentioned. Furthermore I expect that other clients that have the same ROOT 
as me (but possibly other intermediary CA and client certs) will connect to my 
server. I was wondering if there is a possibility to test the certificates at 
ROOT level and complete a communication and transaction.

Please advise!


Re: [twsocket] SSL Certificates check

2011-05-04 Thread Arno Garrels
marius gabi wrote:
> Thank you for your prompt response. We already tried your solution
> and seems to be working. The issue is as follows: I do not have
> (access to) the client's certificate (application not developed by
> me) in order to compose the chains you mentioned.

You do not need client's certificate since that will be sent
by the client always. If the client does NOT send his intermediate 
CA certificate(s) there is no way for the server to complete 
client's certificate chain except client's intermediate 
CA certificate(s) are available locally to the server i.e.
in SslCaFile.

> Furthermore I
> expect that other clients that have the same ROOT as me (but possibly
> other intermediary CA and client certs) will connect to my server. I
> was wondering if there is a possibility to test the certificates at
> ROOT level and complete a communication and transaction.

That is only possible if the server is able to build a complete
client certificate chain. Usually all CA certificates issued by a root
CA are available for download as well. In your case the URL is
http://sumo.irisa.fr/html/pki/ but their server currently fails
with error OpenCA Error: Server is not online or does not accept requests.

-- 
Arno Garrels
 


Re: [twsocket] SSL Certificates check

2011-05-04 Thread Arno Garrels
Arno Garrels wrote:
> Usually all CA certificates issued by a root
> CA are available for download as well.

Correction: That is mostly true if they have been
issued to their own organization.

> In your case the URL is
> http://sumo.irisa.fr/html/pki/ but their server currently fails
> with error OpenCA Error: Server is not online or does not accept
> requests.
>
> --
> Arno Garrels


[twsocket] SSL Certificates check

2011-05-04 Thread marius gabi
Arno, in this moment the client sends the entire certificates chain:
1. its client certificate issued by the intermediary CA (2 from below)
2. intermediary certificate issued by the root CA
3. root CA

The only certificate that is common between our server chain and client chain 
is (3) root CA.

This should be enough, the communication should continue as both chains are 
issued by the same CA root. Please correct me if I'm wrong.

The issue that I encounter is that in onsslverifypeer event I receive error 7.
Furthermore, I managed to obtain a valid communication when I've always 
returned OK = 1 in that event but ONLY when sslcontext.sslverifydepth is 0. 
This has no logic for me.

Thank you very much for your time. Your assistance is really appreciated.


Re: [twsocket] SSL Certificates check

2011-05-04 Thread Arno Garrels
marius gabi wrote:
> Arno, in this moment the client sends the entire certificates chain:
> 1. its client certificate issued by the intermediary CA (2 from
> below)
> 2. intermediary certificate issued by the root CA
> 3. root CA

OK.

> The only certificate that is common between our server chain and
> client chain is (3) root CA.

That's OK as well, provided it actually is the same root 
certificate, which still has to be proved. It might for
some reason use the same subject fields however that is
not enough of course. 

What happens if you do not add your root certificate to the
SslCAFile? It's possible that the client sends the complete 
chain including its own root certificate. Then save the root
certificate to a PEM file and compare it with your root 
certificate.  

> This should be enough, the communication should continue as both
> chains are issued by the same CA root. Please correct me if I'm
> wrong.

Correct.

> The issue that I encounter is that in onsslverifypeer event I receive
> error 7.

Well, then something seems wrong with some certificate in
the chain, that's why I asked you to log them all and post
the result. Please write each certificate to a PEM file in 
event OnSslHandShakeDone like:

{code}
for I := 0 to Chain.Count - 1 do
  Chain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');
{code}

(requires that you always set OK :=1 in OnSslVerifyPeer and
 SslVerifyDepth is set to = 3, better 10 in order to get everything).

Open the resulting files in a text editor, copy and paste their 
content into your email editor and post them here.
Then I'll be able to check them when I have some minutes.
Also add the content of your root certificate to the email.  

> Furthermore, I managed to obtain a valid communication when I've
> always returned OK = 1 in that event but ONLY when
> sslcontext.sslverifydepth is 0. This has no logic for me.

In that case only the end-certificate (level 0, here the client 
certificate) is verified; any further checks are skipped. 
 
-- 
Arno Garrels



Re: [twsocket] SSL Certificates check

2011-05-03 Thread Arno Garrels
marius gabi wrote:
> Hello!
> Here is what the log is showing:
> Received certificate
> Subject: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
> Issuer: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
> Verify result: certificate signature failure Verify depth: 2
> Currently I'm not setting a specific value for the SslVerifyDepth.
> Regarding the OpenSSL DLL version I tried with 0.9.8e and 0.9.8h.

You forgot to print out the certificate with:

Cert.GetRawText;

That would show you / us the *Signature Algorithm*.

Since there's a certificate signature failure it is my guess 
that an unsupported algorithm is used.

-- 
Arno Garrels



> --- On Mon, 5/2/11, Arno Garrels arno.garr...@gmx.de wrote:
>
> From: Arno Garrels arno.garr...@gmx.de
> Subject: Re: [twsocket] SSL Certificates check
> To: ICS support mailing twsocket@elists.org
> Date: Monday, May 2, 2011, 5:10 PM
>
> marius gabi wrote:
>
> I'm receiving the following message
> in the SSLVerifyPeer event: Error = 7 (certificate signature
> failure).
>
> In the OnSslVerifyPeer event please do the following logging and
> post the result:
>
> Log('Received certificate'#13#10 +
>     'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
>     'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
>     'Verify result: ' + Cert.VerifyErrMsg +
>     ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
>
> Log(Cert.GetRawText);
>
> --
> Arno Garrels
 
 
 


[twsocket] SSL Certificates check

2011-05-03 Thread marius gabi
Sorry! Please find attached the log content for Cert.GetRawText.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            cb:cf:5d:05:41:b2:33:36
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Validity
            Not Before: Jan 28 20:54:09 2010 GMT
            Not After : Jan 28 20:54:09 2012 GMT
        Subject: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (8192 bit)
                Modulus (8192 bit):

Re: [twsocket] SSL Certificates check

2011-05-03 Thread Arno Garrels
marius gabi wrote:

The certificate you posted in your previous messages doesn't use
unsupported signature algorithms as I was guessing previously.
Since its verify depth is 2 and it seems to be the root certificate,
I think the complete chain of the client certificate consists of three
certificates.

> Currently I'm facing an issue in a Server application that uses
> TSSLWSocketServer.
> I'm setting to the SSLContext a server certificate
> identified in code as SSLContext.SslCertFile, with the correct
> private key file identified as SSLContext.SslPrivKeyFile and a
> password.

Correct.

> Also I'm adding a CAFile identified as
> SslContext.SslCAFile.

What is the content of that file?

For instance if the server certificate chain consists of three
items:
[2] Root
[1] Intermediate_ServerCA signed by [2]
[0] SSL server certificate signed by [1]

You set [0] as the TSslContext.SslCertFile, as you did already.

Next create a CAFile that contains both [1] and [2]
(I think [1] has to be the first, however I always forget the order
 in which they must appear, just play).
That way the entire chain is sent to the client, or at least [0] and [1].
You can check what's actually sent using WireShark since the connection 
is still unencrypted.

> A client application sends a message and uses a X509 Certificate from
> the same CA as my own certificates.

Client certificate and server certificate are signed by the exact 
_same_ certificate? I'm asking because only in such a case their
chains up to root are also the same, in which case my example 
should work. 
If client and server certificate have different chains the 
TSslContext.SslCertFile itself should contain the chain of 
certificates sent to the client, and CAFile the certificates 
required to verify client certificates.

> 1. The
> client doesn't have a client version of my certificates

In the sample above the client must explicitly trust [2].
The client might or might not have [1] locally in his trusted 
certificates. IF NOT, the server MUST send [1] during handshake
as well. That is achieved by either adding intermediate certificates
to CAFile or using a certificate chain as the SslCertFile.

> (With my
> client certificate issued for me the communication works perfectly
> but this is not an option as project specification doesn't allow
> providing certificates to clients)

Sorry, I do not understand. Please explain again since that might
help to resolve your problem.

> 2. I have to use
> SslContext.SslVerifyPeer = True
>
> 3. I'm receiving the following message
> in the SSLVerifyPeer event: Error = 7 (certificate signature
> failure).
> The requirement is: if the client sends its own client
> certificate but has the same CA as my server certificate then the
> communication (client sends a message to server) should be possible.

That should work.

> I already tried to implement in the SSLVerifyPeer event so this
> method always returns true but with no positive outcome:

For debugging set OK := 1; in order to continue verification and to
log ALL events and certificates. Then post the log again.  

-- 
Arno Garrels



Re: [twsocket] SSL Certificates check

2011-05-03 Thread Arno Garrels
Arno Garrels wrote:
> Next create a CAFile that contains both [1] and [2]
> (I think [1] has to be the first, however I always forget the order
> in which they must appear, just play).

The best way to determine what certificates are sent to the peer
requesting certificate verification is to add them to the PEM 
file specified in TSslContext.SslCertFile. 

The order starts with the server or client certificate followed
by required intermediate certificates until the root certificate,
for example:


// Server or client certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

// Intermediate CA, signed preceding certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

// Here we do not add the root since we assume the verifying
// peer has at least the root in his trusted certificates.
// But it could be appended as well if you like to.
// If there are more intermediate CAs in the chain they have
// to be added all.  

-- 
Arno Garrels
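
The chain-file order described in this message, and the point made elsewhere in the thread that a server can verify a client only when it can build the complete chain up to a root it trusts, reproduced with the openssl command line on a constructed test PKI. This is an added example, not code from the thread or from ICS: every file name, subject and helper function is made up, and `openssl verify` stands in for the TSslContext settings.

```bash
#!/usr/bin/env bash
# Constructed PKI for illustration: one root, two different intermediates,
# one server and one client certificate. All names and paths are made up.

issue() {  # $1 dir, $2 issuer, $3 new cert name, $4 extension section, $5 subject
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "$5" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$1/x.cnf" -extensions "$4" \
    -out "$1/$3.pem" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  # The real root, and a second self-signed root with the SAME subject
  # but a different key.
  for r in root lookalike; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
      -config "$1/x.cnf" -extensions v3_ca -subj "/O=Example/CN=Example Root" \
      -keyout "$1/$r.key" -out "$1/$r.pem" 2>/dev/null || return 1
  done
  issue "$1" root      server_ca v3_ca   "/O=Example/CN=Server SubCA"   || return 1
  issue "$1" root      client_ca v3_ca   "/O=Example/CN=Client SubCA"   || return 1
  issue "$1" server_ca server    v3_leaf "/O=Example/CN=server.example" || return 1
  issue "$1" client_ca client    v3_leaf "/O=Example/CN=client-1"       || return 1
  # SslCertFile-style chain: own certificate first, then its intermediate.
  cat "$1/server.pem" "$1/server_ca.pem" > "$1/server_chain.pem"
  # SslCAFile-style file: root plus the client's intermediate.
  cat "$1/root.pem" "$1/client_ca.pem" > "$1/ca_for_clients.pem"
}

# $1 = trusted CA file, $2 = certificate to verify,
# $3 = optional file of untrusted certificates as sent by the peer
verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

same_subject() {  # same subject fields?
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$2" -noout -subject)" ]
}

same_cert() {  # same certificate, compared by SHA-256 fingerprint
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

check() {  # $1 = label, remaining arguments = command to run
  label=$1; shift
  if "$@"; then echo "yes  $label"; else echo "no   $label"; fi
}

d=$(mktemp -d) && build_pki "$d" && {
  check "client verifies: root trusted, intermediate not available" \
    verifies "$d/root.pem" "$d/client.pem"
  check "client verifies: root trusted, intermediate sent by client" \
    verifies "$d/root.pem" "$d/client.pem" "$d/client_ca.pem"
  check "client verifies: root and client intermediate in CA file" \
    verifies "$d/ca_for_clients.pem" "$d/client.pem"
  check "client verifies: trusted root only shares the subject" \
    verifies "$d/lookalike.pem" "$d/client.pem" "$d/client_ca.pem"
  check "both roots have the same subject" \
    same_subject "$d/root.pem" "$d/lookalike.pem"
  check "both roots are the same certificate" \
    same_cert "$d/root.pem" "$d/lookalike.pem"
  rm -rf "$d"
}
```

The error text `openssl verify` prints for the same-subject root differs between OpenSSL versions, so the helper only tests for the `: OK` line.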


[twsocket] SSL Certificates check

2011-05-02 Thread marius gabi
Currently I'm facing an issue in a Server application that 
uses TSSLWSocketServer. I'm setting to the SSLContext a server certificate 
identified in code as SSLContext.SslCertFile, with the correct private key file 
identified as SSLContext.SslPrivKeyFile and a password. Also I'm adding a 
CAFile identified as SslContext.SslCAFile. All files are .pem format and stored 
locally in my application folder (not in Certificate Store). A client 
application sends a message and uses a X509 Certificate from the same CA as my 
own certificates. The current scenario is as follows:

1. The client doesn't have a client version of my certificates (With my client 
certificate issued for me the communication works perfectly but this is not an 
option as project specification doesn't allow providing certificates to clients)
2. I have to use SslContext.SslVerifyPeer = True
3. I'm receiving the following message in the SSLVerifyPeer event: Error = 7 
(certificate signature failure).

The requirement is: if the client sends its own client certificate 
but has the same CA as my server certificate then the communication (client 
sends a message to server) should be possible. I already tried to implement in 
the SSLVerifyPeer event so this method always returns true but with no positive 
outcome: the mentioned error does not appear it just connects the client, 
performs a handshake and disconnects the client and the message never arrives. 

Please advise!


Re: [twsocket] SSL Certificates check

2011-05-02 Thread Arno Garrels
marius gabi wrote:

> I'm receiving the following message
> in the SSLVerifyPeer event: Error = 7 (certificate signature
> failure).

In the OnSslVerifyPeer event please do the following logging and
post the result:

Log('Received certificate'#13#10 +
'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
'Issuer:  ' + Cert.IssuerOneLine + ''#13#10  +
'Verify result: ' + Cert.VerifyErrMsg +
' Verify depth: ' + IntToStr(Cert.VerifyDepth));

Log(Cert.GetRawText);

-- 
Arno Garrels





Re: [twsocket] SSL Certificates check

2011-05-02 Thread Arno Garrels
Arno Garrels wrote:
> marius gabi wrote:
>
> I'm receiving the following message
> in the SSLVerifyPeer event: Error = 7 (certificate signature
> failure).
>
> In the OnSslVerifyPeer event please do the following logging and
> post the result:
>
> Log('Received certificate'#13#10 +
>     'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
>     'Issuer:  ' + Cert.IssuerOneLine + ''#13#10  +
>     'Verify result: ' + Cert.VerifyErrMsg +
>     ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
>
> Log(Cert.GetRawText);

Since it might happen that some certificate in the chain uses
an unsupported, deprecated hash algorithm. AFAIK, i.e. newer 
OpenSSL DLLs are all built without MD2-support by default.

-- 
Arno Garrels




[twsocket] SSL Certificates check

2011-05-02 Thread marius gabi
Hello! 
Here is what the log is showing:
Received certificate
Subject: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Issuer:  /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Verify result: certificate signature failure Verify depth: 2

Currently I'm not setting a specific value for the SslVerifyDepth. Regarding 
the OpenSSL DLL version I tried with 0.9.8e and 0.9.8h.

--- On Mon, 5/2/11, Arno Garrels arno.garr...@gmx.de wrote:

From: Arno Garrels arno.garr...@gmx.de
Subject: Re: [twsocket] SSL Certificates check
To: ICS support mailing twsocket@elists.org
Date: Monday, May 2, 2011, 5:10 PM

marius gabi wrote:

 I'm receiving the following message
 in the SSLVerifyPeer event: Error = 7 (certificate signature         
  failure).

In the OnSslVerifyPeer event please do the following logging and
post the result:

Log('Received certificate'#13#10 +
            'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
            'Issuer:  ' + Cert.IssuerOneLine + ''#13#10  +
            'Verify result: ' + Cert.VerifyErrMsg +
            ' Verify depth: ' + IntToStr(Cert.VerifyDepth));

Log(Cert.GetRawText);

-- 
Arno Garrels


