[twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc
Hi,
I am using SSL server and SSL client in my application,
can someone please inform,
what are the commercial certificates for the component?

This may not be a question related to the component but,
I would like to hear your opinions.

Thanks in advance

-daniel
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Anything that works for Apache would work since they use OpenSSL as well.

Regards,

SZ


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Hi,
Thanks for the response :)
I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and 
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no apache 
used.


I have been using demo server+client cert. delivered with component demo.

I would also like to ask,
Is it possible to use self made certs as told here?
are they safe?

http://acs.lbl.gov/~boverhof/openssl_certs.html

Thanks



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Hello again,

ICS and Apache use the same open source component called OpenSSL as the base
for their SSL features. So any certificate that works for Apache works for ICS,
that's what I meant.

Self-signed certificates are open to man-in-the-middle attacks.

Regards,

SZ



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Francois PIETTE

> Anything that works for Apache would work since they use OpenSSL as well.

> Thanks for the response :)
> I am so sorry :(, forgot to tell...
> I am not using SSL for web communication, I am using the SSLServer and
> SSLClient for client to host connection.
> I believe this has got nothing to do with Apache because there is no
> apache used.

What SZ is saying is that Apache and ICS both use OpenSSL. So any
certificate OK for Apache is OK for OpenSSL and is OK for ICS.

You can also use the OpenSSL command line utility to convert certificates from
some format to other OpenSSL compatible format. I've done it to convert a
certificate exported from IE.


--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Okay,
Thanks a lot :)
I know the difference between self made and not self made now.
How about recommendations?
can you guys recommend any commercial certs?
I plan to buy..

Thanks



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
AFAIK Comodo is the cheapest one.
Regards,

SubZero


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thanks mate, very much appreciated :)

Just one more question,
If I am using ICS SSLServer and ICS SSLClients,
I do need the certificate for the server but do I need to buy the PEM file 
for the clients as well or how it goes?

What I know is,
Server needs CERT and client needs the PEM file as in my demo..

I think Comodo is good enough.

Thanks




Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Hello,

If you want SSL, a server certificate is a must. It enables the client to
validate the server's authenticity. If you additionally need the server to
validate the client, then optionally you need a client SSL certificate. Some
of our reverse proxy clients use it since some Microsoft web server
applications require it but most do not need it.

Regards,

Gorkem Ates


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Hein du Plessis
If I can chip in - I've used Comodo for a while and I'm sorry but their way
of dealing with certifications is very complicated and ridden with delays.

Godaddy works for me these days, not perfect of course, but it's all
automated and no delays. Price is good, too.



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
daniel cc wrote:
> Thanks again,
> can you please clear a bit up,
> I understand the server certification but,

Do you really?

> where do I get the client key which is that PEM file?

Do you need/want client certificates? If so, the server
will have to verify client certificates during the SSL handshake
process.

> Is it delivered with the certificate or should I buy that separately?

When you order a SSL certificate a matching key is created,
you always get a key along with your certificate otherwise a
certificate was useless.

Usually you buy a SSL server certificate. Its common name field is
the DNS name of the server. i.e. to smtp.gmail.com or www.microsoft.com.

If clients may connect from dynamic IP addresses a certificate
can neither be issued to an IP nor to a DNS name, hence rather
useless. In such case a good password is as secure as a client
certificate that i.e. has some ID in its common name field.
And if both clients and server are under your control it is
not required to buy a certificate, just create your own CA
and certificates (server and client if you like).

-- 
Arno Garrels



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Hi Arno,
Thanks for the response.
Yes I do understand but,
looks like, I can't explain correctly.

My point is,
If I buy a certificate for the server,
I need to connect more than 5 clients to the same server.
Does this mean, I need to have 5 certificates or can I use 1 certificate
which has 5 keys?


I hope it is clear this time..

Thanks



Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thank you very much :)
Now I got the whole picture.

Best regards

-Original Message- 
From: Arno Garrels 
Sent: Wednesday, June 15, 2011 2:43 PM 
To: ICS support mailing 
Subject: Re: [twsocket] SSL server and CLient cert. 


Arno Garrels wrote:

> If clients may connect from dynamic IP addresses a certificate
> can neither be issued to an IP nor to a DNS name, hence rather
> useless. In such case a good password is as secure as a client
> certificate that i.e. has some ID in its common name field.

Not quite correct since a client certificate might be safer
since the server will check client certificate's issuer.

However a client certificate including its key can be stolen or
given to some non-authorized third party.

> And if both clients and server are under your control it is
> not required to buy a certificate, just create your own CA
> and certificates (server and client if you like).

And if you prefer GUI over command line tools have a look at
XCA (sourceforge.net) to manage your own CA.

--
Arno Garrels


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
daniel cc wrote:
> Hi Arno,
> Thanks for the response.
> Yes I do understand but,
> looks like, I can't explain correctly.
>
> My point is,
> If I buy a certificate for the server,
> I need to connect more than 5 clients to the same server.
> Does this mean, I need to have 5 certificate or can I use 1
> certificate which has 5 keys?

Clients do not need a certificate (and key) to be able to 
connect to a SSL server.

-- 
Arno Garrels




 


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
Arno Garrels wrote:
> daniel cc wrote:
>> Hi Arno,
>> Thanks for the response.
>> Yes I do understand but,
>> looks like, I can't explain correctly.
>>
>> My point is,
>> If I buy a certificate for the server,
>> I need to connect more than 5 clients to the same server.
>> Does this mean, I need to have 5 certificate or can I use 1
>> certificate which has 5 keys?
>
> Clients do not need a certificate (and key) to be able to
> connect to a SSL server.

Provided the server DOES NOT enforce client certificates
(as the German tax office server does).
Most servers don't. It is on your side how you set up the 
server.

And if you want client certificates do that with your own
CA, but do never ever send keys over the internet.
The client has to generate his private key locally and use
that to sign a certificate request. The certificate request
can be sent to the CA that will create the client certificate
and send it to the client. See OverbyteIcsX509Utils.pas
for a simple Delphi function to generate a key and a 
certificate request.

BTW: When you order a commercial certificate the key and 
certificate request are either created by an ActiveX or Java
browser plugin.

-- 
Arno Garrels   



 
 
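The workflow described in the message above (your own CA, a private key generated on the machine that uses it, only the certificate request sent to the CA), sketched with the OpenSSL command line tool. This is an added example, not code from the thread or from ICS; the names Demo-CA, Other-CA, server.example.test and client-001, the directory layout and the 30-day lifetime are constructed.

```shell
#!/bin/sh
# Added example: private CA, keys generated where they are used, CSR-only
# exchange. Demo-CA, Other-CA, server.example.test, client-001, the directory
# layout and the 30-day lifetime are constructed for illustration.

# new_ca DIR CN: self-signed root certificate and key for a private CA.
new_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# new_request DIR CN: run on the machine that will own the key.
# DIR/key.pem stays there; only DIR/req.csr is sent to the CA.
new_request() {
    mkdir -p "$1" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null
}

# issue CA_DIR CSR OUT USAGE: run on the CA, which sees the CSR but no key.
# USAGE (serverAuth or clientAuth) goes into extendedKeyUsage.
issue() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" \
        > "$1/ext.cnf" &&
    openssl x509 -req -in "$2" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -out "$3" 2>/dev/null
}

# chain_ok CA_CERT CERT PURPOSE: the check a peer makes during the handshake.
# PURPOSE is sslserver (client checks server) or sslclient (server checks client).
chain_ok() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY: true when CERT carries the public half of KEY.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) &&
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# demo DIR: build everything under DIR and print what each side would decide.
demo() {
    d=$1
    new_ca "$d/ca" "Demo-CA" && new_ca "$d/other" "Other-CA" &&
    new_request "$d/server" "server.example.test" &&
    issue "$d/ca" "$d/server/req.csr" "$d/server/cert.pem" serverAuth &&
    new_request "$d/client1" "client-001" &&
    issue "$d/ca" "$d/client1/req.csr" "$d/client1/cert.pem" clientAuth ||
        return 1

    chain_ok "$d/ca/ca.pem" "$d/server/cert.pem" sslserver &&
        echo "client trusting Demo-CA: server certificate accepted"
    chain_ok "$d/ca/ca.pem" "$d/client1/cert.pem" sslclient &&
        echo "server trusting Demo-CA: client-001 accepted"
    chain_ok "$d/other/ca.pem" "$d/client1/cert.pem" sslclient ||
        echo "server trusting Other-CA: client-001 rejected (unknown issuer)"
    chain_ok "$d/ca/ca.pem" "$d/client1/cert.pem" sslserver ||
        echo "client-001 certificate rejected when presented as a server"
    key_matches "$d/client1/cert.pem" "$d/client1/key.pem" &&
        echo "client-001 certificate matches the key generated locally"
    return 0
}

DEMO_DIR=$(mktemp -d)
demo "$DEMO_DIR"
```

Current TLS clients match the host name against subjectAltName rather than the common name, so a server certificate meant for such clients also needs a subjectAltName entry in the extension file.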


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thanks Arno :)

-daniel
