Re: [twsocket] Error with SSLWSocketClient

2011-02-07 Thread daniel cc

Hi Arno,
Thanks for your precise comments.
The security issue in my case is not very high because this is just a server 
client communication with nothing sensitive (no money transfer or credit 
cards or personal info etc.)
I will use a commercial certificate valid for 3 years and am hoping that it will 
work.


However,
I still can't find the reason why I have got that error.
Are you saying that there is security leak in ICS?
if yes,
do we have any solutions for it?

thanks

-Original Message- 
From: Arno Garrels

Sent: Sunday, February 06, 2011 10:34 PM
To: ICS support mailing
Subject: Re: [twsocket] Error with SSLWSocketClient

Arno Garrels wrote:


With OpenSSL it's easy to generate a CRL and to include its weblink
in self created certificates. If you will use commercial SSL server
certificates you do not have to worry about CRLs.


Well that's true, however currently ICS lacks the CRL-feature. It does neither
include local CRLs in the certificate verification process nor follow external
CRL-links in certificates. This is a security leak, however not just in ICS. I'm
not aware of any Delphi SSL-Component suite that handles CRLs correctly,
one should know that if high security matters.

--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 




Re: [twsocket] Error with SSLWSocketClient

2011-02-07 Thread Fastream Technologies
On Sun, Feb 6, 2011 at 10:34 PM, Arno Garrels arno.garr...@gmx.de wrote:

 ...
 Obviously, security isn't your special subject.

I think I have learned a lot about SSL via the OpenSSL book and this list
while developing. As you may remember we were the company who suggested to
start the ICS-SSL project back in 2002. The lack of CRLs in ICS should be
the reason why I got confused while replying to Daniel.

SZ


Re: [twsocket] Error with SSLWSocketClient

2011-02-06 Thread Arno Garrels
Fastream Technologies wrote:

 SSL certificates expire after a period of time--usually 1 year.

True, but that has nothing to do with the error message posted by Daniel:
Revocation information for the security certificate for this site is
not available, do you want to proceed?

Obviously, security isn't your special subject.  

-- 
Arno Garrels





Re: [twsocket] Error with SSLWSocketClient

2011-02-06 Thread Arno Garrels
Arno Garrels wrote:

 With OpenSSL it's easy to generate a CRL and to include its weblink
 in self created certificates. If you will use commercial SSL server
 certificates you do not have to worry about CRLs.

Well that's true, however currently ICS lacks the CRL-feature. It does neither
include local CRLs in the certificate verification process nor follow external
CRL-links in certificates. This is a security leak, however not just in ICS. I'm
not aware of any Delphi SSL-Component suite that handles CRLs correctly,
one should know that if high security matters.

-- 
Arno Garrels


Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread Angus Robertson - Magenta Systems Ltd
 I have received an error from my client on test,
 the error is,
 _Revocation information for the security certificate for this site 
 is not available, do you want to proceed?_

 I am using the demo/test certificates delivered with ICS component 
 package because I am still doing a test period.

Don't use demo certificates, generate your own test SSL certificates for
the servers and maybe the clients.  When you go live, you'll need to buy
commercial SSL/TLS certificates, which may be expensive. 

And read the SSL/TLS book as suggested several weeks ago. 

Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread daniel cc

Angus,
I remember all you said.
As mentioned,
I am still running tests.
What I need is some kind of explanation about the error since I am not 
using IE or Mozilla.

Do you know the reason for the error?




-Original Message- 
From: Angus Robertson - Magenta Systems Ltd

Sent: Thursday, February 03, 2011 10:07 AM
To: twsocket@elists.org
Subject: Re: [twsocket] Error with SSLWSocketClient


I have received an error from my client on test,
the error is,
_Revocation information for the security certificate for this site
is not available, do you want to proceed?_



I am using the demo/test certificates delivered with ICS component
package because I am still doing a test period.


Don't use demo certificates, generate your own test SSL certificates for
the servers and maybe the clients.  When you go live, you'll need to buy
commercial SSL/TLS certificates, which may be expensive.

And read the SSL/TLS book as suggested several weeks ago.

Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread Fastream Technologies
SSL certificates expire after a period of time--usually 1 year.

Regards,

SZ
On Thu, Feb 3, 2011 at 10:49 AM, daniel cc dan...@signedsource.com wrote:

 Angus,
 I remember all you said.
 As mentioned,
 I am still running tests.
 What I need is some kind of explanation about the error since I am not
 using IE or Mozilla.
 Do you know the reason for the error?




 -Original Message- From: Angus Robertson - Magenta Systems Ltd
 Sent: Thursday, February 03, 2011 10:07 AM
 To: twsocket@elists.org
 Subject: Re: [twsocket] Error with SSLWSocketClient


 I have received an error from my client on test,
 the error is,
 _Revocation information for the security certificate for this site
 is not available, do you want to proceed?_


 I am using the demo/test certificates delivered with ICS component
 package because I am still doing a test period.


 Don't use demo certificates, generate your own test SSL certificates for
 the servers and maybe the clients.  When you go live, you'll need to buy
 commercial SSL/TLS certificates, which may be expensive.

 And read the SSL/TLS book as suggested several weeks ago.

 Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread Arno Garrels
daniel cc wrote:
 Hello,
 I have received an error from my client on test,
 the error is,
 “Revocation information for the security certificate for this site is
 not available, do you want to proceed?” 

This is not an error from your application, is it?
A certificate usually contains a link to a certificate revocation list (CRL).
When Windows or Firefox verify a certificate they try to look up
the presented certificate in that list. Applications may show that warning
if there's no link to a CRL included, etc.

 
 Please notice,
 I am using the demo/test certificates delivered with ICS component
 package because I am still doing a test period. I just would like to
 know if someone else has the problem and what is the solution? 

With OpenSSL it's easy to generate a CRL and to include its weblink
in self created certificates. If you will use commercial SSL server
certificates you do not have to worry about CRLs.

--
Arno Garrels 
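
The setup described in this post, as an added example that is not part of the original thread: a throwaway CA issues a server certificate carrying a CRL link, generates a CRL with OpenSSL, then revokes the certificate and verifies it with and without the CRL. The CA name, host name and CRL URL are constructed placeholders, and the script assumes the `openssl` command-line tool is installed.

```sh
# Added example; constructed data only: throwaway CA, placeholder names and CRL URL.
set -eu
cd "$(mktemp -d)"
mkdir newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
CN = Constructed Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
database = ./index.txt
serial = ./serial
crlnumber = ./crlnumber
new_certs_dir = ./newcerts
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/test-ca.crl
EOF
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status
gencrl()        { q openssl ca -config ca.cnf -gencrl -out ca.crl; }
cdp_uri()       { openssl x509 -in srv.crt -noout -text | grep -o 'URI:[^ ]*'; }
verify_no_crl() { q openssl verify -CAfile ca.crt srv.crt; }
verify_crl()    { q openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl srv.crt; }
q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr -subj "/CN=server.example.test"
q openssl ca -batch -config ca.cnf -notext -in srv.csr -out srv.crt; gencrl
echo "CRL link in certificate: $(cdp_uri)"
verify_crl && before=accepted || before=rejected       # valid cert, CRL consulted
q openssl ca -config ca.cnf -revoke srv.crt; gencrl    # revoke, publish a new CRL
verify_no_crl && ignored=accepted || ignored=rejected  # verifier that skips the CRL
verify_crl && checked=accepted || checked=rejected     # verifier that consults it
echo "before revocation: $before; after, CRL ignored: $ignored; after, CRL checked: $checked"
```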


Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread daniel cc

Guys,
The certificate is not expired because I have checked it.


-Original Message- 
From: Fastream Technologies 
Sent: Thursday, February 03, 2011 10:49 AM 
To: ICS support mailing 
Subject: Re: [twsocket] Error with SSLWSocketClient 


SSL certificates expire after a period of time--usually 1 year.

Regards,

SZ
On Thu, Feb 3, 2011 at 10:49 AM, daniel cc dan...@signedsource.com wrote:


Angus,
I remember all you said.
As mentioned,
I am still running tests.
What I need is some kind of explanation about the error since I am not
using IE or Mozilla.
Do you know the reason for the error?




-Original Message- From: Angus Robertson - Magenta Systems Ltd
Sent: Thursday, February 03, 2011 10:07 AM
To: twsocket@elists.org
Subject: Re: [twsocket] Error with SSLWSocketClient


I have received an error from my client on test,

the error is,
_Revocation information for the security certificate for this site
is not available, do you want to proceed?_



I am using the demo/test certificates delivered with ICS component

package because I am still doing a test period.



Don't use demo certificates, generate your own test SSL certificates for
the servers and maybe the clients.  When you go live, you'll need to buy
commercial SSL/TLS certificates, which may be expensive.

And read the SSL/TLS book as suggested several weeks ago.

Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread daniel cc

Hi Arno,
Thanks for the response.
I am running the test with plain -- OverbyteIcsSimpleSslServer project demo 
which I have modified a bit (such as keepalive, error handling etc.).
I do use firefox in the client machine but that is not part of my 
application it is just the firefox for web use (downloading drivers etc.).


-Original Message- 
From: Arno Garrels

Sent: Thursday, February 03, 2011 10:57 AM
To: ICS support mailing
Subject: Re: [twsocket] Error with SSLWSocketClient

daniel cc wrote:

Hello,
I have received an error from my client on test,
the error is,
“Revocation information for the security certificate for this site is
not available, do you want to proceed?”


This is not an error from your application, is it?
A certificate usually contains a link to a certificate revocation list (CRL).
When Windows or Firefox verify a certificate they try to look up
the presented certificate in that list. Applications may show that warning
if there's no link to a CRL included, etc.



Please notice,
I am using the demo/test certificates delivered with ICS component
package because I am still doing a test period. I just would like to
know if someone else has the problem and what is the solution?


With OpenSSL it's easy to generate a CRL and to include its weblink
in self created certificates. If you will use commercial SSL server
certificates you do not have to worry about CRLs.

--
Arno Garrels


Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread Angus Robertson - Magenta Systems Ltd
 What I need is some kind of explanation about the error since I 
 am not using IE or Mozilla.
 Do you know the reason for the error?

Read Appendix B in the SSL and TLS Essentials book and pages 70 to 73 in
the Network Security with OpenSSL book.  

This mailing list is not for basic teaching, it is for support of the
TWSocket components. 

Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread daniel cc

Angus,
I wouldn't type here and bother anyone if I could have found the answer from 
the book.
So far I couldn't find the answer from the book, chapters 70-73 tell many 
things but nothing about this particular error.
I have googled much and the answer everywhere seems to be managing the 
browser settings and I am wondering...

What has this error got to do with the browser which isn't used?

One more thing,
Please don't answer to my questions, if you don't have the answer.
I have some brain which may not be as big as yours but I do know how to use 
it for looking in the book or the internet.
There are always things which aren't in the books and I believe you also 
know that.




-Original Message- 
From: Angus Robertson - Magenta Systems Ltd

Sent: Thursday, February 03, 2011 11:41 AM
To: twsocket@elists.org
Subject: Re: [twsocket] Error with SSLWSocketClient


What I need is some kind of explanation about the error since I
am not using IE or Mozilla.
Do you know the reason for the error?


Read Appendix B in the SSL and TLS Essentials book and pages 70 to 73 in
the Network Security with OpenSSL book.

This mailing list is not for basic teaching, it is for support of the
TWSocket components.

Angus



Re: [twsocket] Error with SSLWSocketClient

2011-02-03 Thread Angus Robertson - Magenta Systems Ltd
 Please don't answer to my questions

No problem, added to kill list. 

Also stop sending me private emails with other questions. 

Angus



[twsocket] Error with SSLWSocketClient

2011-02-02 Thread daniel cc
Hello,
I have received an error from my client on test,
the error is,
“Revocation information for the security certificate for this site is not 
available, do you want to proceed?”

Please notice,
I am using the demo/test certificates delivered with ICS component package 
because I am still doing a test period.
I just would like to know if someone else has the problem and what is the 
solution?

Thanks