Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Anything that works for Apache would work since they use OpenSSL as well.

Regards,

SZ
On Wed, Jun 15, 2011 at 09:36, daniel cc dan...@signedsource.com wrote:

 Hi,
 I am using SSL server and SSL client in my application,
 can someone please inform,
 what are the commercial certificates for the component?

 This may not be a question related to the component but,
 I would like to hear your opinions.

 Thanks in advance

 -daniel
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Hi,
Thanks for the response :)
I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and 
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no apache 
used.


I have been using demo server+client cert. delivered with component demo.

I would also like to ask,
Is it possible to use self made certs as told here?
are they safe?

http://acs.lbl.gov/~boverhof/openssl_certs.html

Thanks

-Original Message- 
From: Fastream Technologies

Sent: Wednesday, June 15, 2011 10:22 AM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

Anything that works for Apache would work since they use OpenSSL as well.

Regards,

SZ
On Wed, Jun 15, 2011 at 09:36, daniel cc dan...@signedsource.com wrote:


Hi,
I am using SSL server and SSL client in my application,
can someone please inform,
what are the commercial certificates for the component?

This may not be a question related to the component but,
I would like to hear your opinions.

Thanks in advance

-daniel
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Hello again,

ICS and Apache uses the same open source component called OpenSSL as base
for their SSL features. So any certificate works for Apache works for ICS,
that's what I meant.

Self-signed certificates are open man-in-the-middle attacks.

Regards,

SZ

On Wed, Jun 15, 2011 at 10:43, daniel cc dan...@signedsource.com wrote:

 Hi,
 Thanks for the response :)
 I am so sorry :(, forgot to tell...
 I am not using SSL for web communication, I am using the SSLServer and
 SSLClient for client to host connection.
 I believe this has got nothing to do with Apache because there is no apache
 used.

 I have been using demo server+client cert. delivered with component demo.

 I would also like to ask,
 Is it possible to use self made certs as told here?
 are they safe?

 http://acs.lbl.gov/~boverhof/openssl_certs.html

 Thanks

 -Original Message- From: Fastream Technologies
 Sent: Wednesday, June 15, 2011 10:22 AM
 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.


 Anything that works for Apache would work since they use OpenSSL as well.

 Regards,

 SZ
 On Wed, Jun 15, 2011 at 09:36, daniel cc dan...@signedsource.com wrote:

  Hi,
 I am using SSL server and SSL client in my application,
 can someone please inform,
 what are the commercial certificates for the component?

 This may not be a question related to the component but,
 I would like to hear your opinions.

 Thanks in advance

 -daniel
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

  --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Francois PIETTE

Anything that works for Apache would work since they use OpenSSL as well.



Thanks for the response :)
I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and 
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no 
apache used.


What SZ is saying is that Apache and ICS both use OpenSSL. So any 
certificate OK for Apache is OK for OpenSSL and is OK for ICS.


You can also use OpenSSL comand line utility to convert certificates for 
some format to other OpenSSL compatible format. I've done it to to convert a 
certificate exported from IE.


--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Okay,
Thanks a lot :)
I know the different between self made and not self made now.
How about recommendations?
can you guys recommend any commercial certs?
I plan to buy..

Thanks

-Original Message- 
From: Francois PIETTE

Sent: Wednesday, June 15, 2011 10:43 AM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.


Anything that works for Apache would work since they use OpenSSL as well.



Thanks for the response :)
I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and 
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no 
apache used.


What SZ is saying is that Apache and ICS both use OpenSSL. So any
certificate OK for Apache is OK for OpenSSL and is OK for ICS.

You can also use OpenSSL comand line utility to convert certificates for
some format to other OpenSSL compatible format. I've done it to to convert a
certificate exported from IE.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
AFAIK Comodo is the cheapest one.
Regards,

SubZero
On Wed, Jun 15, 2011 at 11:11, daniel cc dan...@signedsource.com wrote:

 Okay,
 Thanks a lot :)
 I know the different between self made and not self made now.
 How about recommendations?
 can you guys recommend any commercial certs?
 I plan to buy..

 Thanks

 -Original Message- From: Francois PIETTE
 Sent: Wednesday, June 15, 2011 10:43 AM

 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.

  Anything that works for Apache would work since they use OpenSSL as well.


  Thanks for the response :)
 I am so sorry :(, forgot to tell...
 I am not using SSL for web communication, I am using the SSLServer and
 SSLClient for client to host connection.
 I believe this has got nothing to do with Apache because there is no
 apache used.


 What SZ is saying is that Apache and ICS both use OpenSSL. So any
 certificate OK for Apache is OK for OpenSSL and is OK for ICS.

 You can also use OpenSSL comand line utility to convert certificates for
 some format to other OpenSSL compatible format. I've done it to to convert
 a
 certificate exported from IE.

 --
 francois.pie...@overbyte.be
 The author of the freeware multi-tier middleware MidWare
 The author of the freeware Internet Component Suite (ICS)
 http://www.overbyte.be

 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thanks mate, very much appreciated :)

Just one more question,
If I am using ICS SSLServer and ICS SSLClients,
I do need the certificate for the server but do I need to buy the PEM file 
for the clients as well or how it goes?

What I know is,
Server needs CERT and client needs the PEM file as in my demo..

I think Comodo is good enough.

Thanks


-Original Message- 
From: Fastream Technologies

Sent: Wednesday, June 15, 2011 11:22 AM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

AFAIK Comodo is the cheapest one.
Regards,

SubZero
On Wed, Jun 15, 2011 at 11:11, daniel cc dan...@signedsource.com wrote:


Okay,
Thanks a lot :)
I know the different between self made and not self made now.
How about recommendations?
can you guys recommend any commercial certs?
I plan to buy..

Thanks

-Original Message- From: Francois PIETTE
Sent: Wednesday, June 15, 2011 10:43 AM

To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

 Anything that works for Apache would work since they use OpenSSL as well.





 Thanks for the response :)

I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no
apache used.



What SZ is saying is that Apache and ICS both use OpenSSL. So any
certificate OK for Apache is OK for OpenSSL and is OK for ICS.

You can also use OpenSSL comand line utility to convert certificates for
some format to other OpenSSL compatible format. I've done it to to convert
a
certificate exported from IE.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Fastream Technologies
Hello,

If you want SSL, a server certificate is a must. It enables the client to
validate the server's authenticity. If you additionally need the server to
validate the client, then optionally you need a client SSL certificate. Some
of our reverse proxy clients use it since some Microsoft web server
applications require it but most do not need it.

Regards,

Gorkem Ates
On Wed, Jun 15, 2011 at 12:31, daniel cc dan...@signedsource.com wrote:

 Thanks mate, very much appreciated :)

 Just one more question,
 If I am using ICS SSLServer and ICS SSLClients,
 I do need the certificate for the server but do I need to buy the PEM file
 for the clients as well or how it goes?
 What I know is,
 Server needs CERT and client needs the PEM file as in my demo..

 I think Comodo is good enough.


 Thanks


 -Original Message- From: Fastream Technologies
 Sent: Wednesday, June 15, 2011 11:22 AM

 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.

 AFAIK Comodo is the cheapest one.
 Regards,

 SubZero
 On Wed, Jun 15, 2011 at 11:11, daniel cc dan...@signedsource.com wrote:

  Okay,
 Thanks a lot :)
 I know the different between self made and not self made now.
 How about recommendations?
 can you guys recommend any commercial certs?
 I plan to buy..

 Thanks

 -Original Message- From: Francois PIETTE
 Sent: Wednesday, June 15, 2011 10:43 AM

 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.

  Anything that works for Apache would work since they use OpenSSL as well.



   Thanks for the response :)

 I am so sorry :(, forgot to tell...
 I am not using SSL for web communication, I am using the SSLServer and
 SSLClient for client to host connection.
 I believe this has got nothing to do with Apache because there is no
 apache used.


 What SZ is saying is that Apache and ICS both use OpenSSL. So any
 certificate OK for Apache is OK for OpenSSL and is OK for ICS.

 You can also use OpenSSL comand line utility to convert certificates for
 some format to other OpenSSL compatible format. I've done it to to convert
 a
 certificate exported from IE.

 --
 francois.pie...@overbyte.be
 The author of the freeware multi-tier middleware MidWare
 The author of the freeware Internet Component Suite (ICS)
 http://www.overbyte.be

 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

  --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be




-- 
Gorkem Ates
*Fastream Technologies*
*Software IQ: Innovation  Quality*
http://www.fastream.com | http://twitter.com/fastream |
http://www.iqproxyserver.com
*Sales  Support: Email:* sa...@fastream.com, supp...@fastream.com | *Intl.
Hotline:* +90-312-223-2830 (weekdays, 9am-6pm *GMT+300*)
Join *IQ Proxy Server Yahoo group* at
http://groups.yahoo.com/group/IQProxyServer
Join *IQWF Server Yahoo group* at http://groups.yahoo.com/group/IQWFServer
This is a *no-nonsense* signature! Please do *join our yahoo groups for
announcements of future versions* of IQ Proxy Server and IQ Web/FTP Server
(traffic level is *very low*).
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Hein du Plessis
If I can chip in - I've used Comodo for a while and I'm sorry but their way
of dealing with certifications are very complicated and ridden with delays.

Godaddy works for me these days, not perfect of course, but it's all
automated and no delays. Price is good, too.

-Original Message-
From: twsocket-boun...@elists.org [mailto:twsocket-boun...@elists.org] On
Behalf Of Fastream Technologies
Sent: 15 June 2011 10:22
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

AFAIK Comodo is the cheapest one.
Regards,

SubZero
On Wed, Jun 15, 2011 at 11:11, daniel cc dan...@signedsource.com wrote:

 Okay,
 Thanks a lot :)
 I know the different between self made and not self made now.
 How about recommendations?
 can you guys recommend any commercial certs?
 I plan to buy..

 Thanks

 -Original Message- From: Francois PIETTE
 Sent: Wednesday, June 15, 2011 10:43 AM

 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.

  Anything that works for Apache would work since they use OpenSSL as well.


  Thanks for the response :)
 I am so sorry :(, forgot to tell...
 I am not using SSL for web communication, I am using the SSLServer 
 and SSLClient for client to host connection.
 I believe this has got nothing to do with Apache because there is no 
 apache used.


 What SZ is saying is that Apache and ICS both use OpenSSL. So any 
 certificate OK for Apache is OK for OpenSSL and is OK for ICS.

 You can also use OpenSSL comand line utility to convert certificates 
 for some format to other OpenSSL compatible format. I've done it to to 
 convert a certificate exported from IE.

 --
 francois.pie...@overbyte.be
 The author of the freeware multi-tier middleware MidWare The author of 
 the freeware Internet Component Suite (ICS) http://www.overbyte.be

 --
 To unsubscribe or change your settings for TWSocket mailing list 
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
 --
 To unsubscribe or change your settings for TWSocket mailing list 
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list please goto
http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thanks again,
can you please clear a bit up,
I understand the server certification but,
where do I get the client key which is that PEM file?
Is it delivered with the certificate or should I buy that separately?

thanks again.

-Original Message- 
From: Fastream Technologies

Sent: Wednesday, June 15, 2011 12:30 PM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

Hello,

If you want SSL, a server certificate is a must. It enables the client to
validate the server's authenticity. If you additionally need the server to
validate the client, then optionally you need a client SSL certificate. Some
of our reverse proxy clients use it since some Microsoft web server
applications require it but most do not need it.

Regards,

Gorkem Ates
On Wed, Jun 15, 2011 at 12:31, daniel cc dan...@signedsource.com wrote:


Thanks mate, very much appreciated :)

Just one more question,
If I am using ICS SSLServer and ICS SSLClients,
I do need the certificate for the server but do I need to buy the PEM file
for the clients as well or how it goes?
What I know is,
Server needs CERT and client needs the PEM file as in my demo..

I think Comodo is good enough.


Thanks


-Original Message- From: Fastream Technologies
Sent: Wednesday, June 15, 2011 11:22 AM

To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

AFAIK Comodo is the cheapest one.
Regards,

SubZero
On Wed, Jun 15, 2011 at 11:11, daniel cc dan...@signedsource.com wrote:

 Okay,

Thanks a lot :)
I know the different between self made and not self made now.
How about recommendations?
can you guys recommend any commercial certs?
I plan to buy..

Thanks

-Original Message- From: Francois PIETTE
Sent: Wednesday, June 15, 2011 10:43 AM

To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

 Anything that works for Apache would work since they use OpenSSL as 
well.







  Thanks for the response :)



I am so sorry :(, forgot to tell...
I am not using SSL for web communication, I am using the SSLServer and
SSLClient for client to host connection.
I believe this has got nothing to do with Apache because there is no
apache used.



What SZ is saying is that Apache and ICS both use OpenSSL. So any
certificate OK for Apache is OK for OpenSSL and is OK for ICS.

You can also use OpenSSL comand line utility to convert certificates for
some format to other OpenSSL compatible format. I've done it to to 
convert

a
certificate exported from IE.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

 --

To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be





--
Gorkem Ates
*Fastream Technologies*
*Software IQ: Innovation  Quality*
http://www.fastream.com | http://twitter.com/fastream |
http://www.iqproxyserver.com
*Sales  Support: Email:* sa...@fastream.com, supp...@fastream.com | *Intl.
Hotline:* +90-312-223-2830 (weekdays, 9am-6pm *GMT+300*)
Join *IQ Proxy Server Yahoo group* at
http://groups.yahoo.com/group/IQProxyServer
Join *IQWF Server Yahoo group* at http://groups.yahoo.com/group/IQWFServer
This is a *no-nonsense* signature! Please do *join our yahoo groups for
announcements of future versions* of IQ Proxy Server and IQ Web/FTP Server
(traffic level is *very low*).
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
daniel cc wrote:
 Thanks again,
 can you please clear a bit up,
 I understand the server certification but,

Do you realy?

 where do I get the client key which is that PEM file?

Do you need/want client certificates? If so, the server
will have to verify client certificates during the SSL handshake
process.

 Is it delivered with the certificate or should I buy that separately?

When you order a SSL certificate a matching key is created, 
you always get a key along with your certificate otherwise a 
certificate was useless.

Usually you buy a SSL server certificate. Its common name field is
the DNS name of the server. i.e. to smtp.gmail.com or www.microsoft.com. 

If clients may connect from dynamic IP addresses a certificate
can neither be issued to an IP nor to a DNS name, hence rather 
useless. In such case a good password is as secure as a client
certificate that i.e. has some ID in it's common name field.   
And if both clients and server are under your control it is 
not required to buy a certificate, just create your own CA
and certificates (server and client if you like). 

-- 
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Hi Arno,
Thanks for the response.
Yes I do understand but,
looks like, I can't explain correctly.

My point is,
If I buy a certificate for the server,
I need to connect more than 5 clients to the same server.
Does this mean, I need to have 5 certificate or can I use 1 certificate 
which has 5 keys?


I hope it is clear this time..

Thanks

-Original Message- 
From: Arno Garrels

Sent: Wednesday, June 15, 2011 1:55 PM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

daniel cc wrote:

Thanks again,
can you please clear a bit up,
I understand the server certification but,


Do you realy?


where do I get the client key which is that PEM file?


Do you need/want client certificates? If so, the server
will have to verify client certificates during the SSL handshake
process.


Is it delivered with the certificate or should I buy that separately?


When you order a SSL certificate a matching key is created,
you always get a key along with your certificate otherwise a
certificate was useless.

Usually you buy a SSL server certificate. Its common name field is
the DNS name of the server. i.e. to smtp.gmail.com or www.microsoft.com.

If clients may connect from dynamic IP addresses a certificate
can neither be issued to an IP nor to a DNS name, hence rather
useless. In such case a good password is as secure as a client
certificate that i.e. has some ID in it's common name field.
And if both clients and server are under your control it is
not required to buy a certificate, just create your own CA
and certificates (server and client if you like).

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be 


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
Arno Garrels wrote:
 If clients may connect from dynamic IP addresses a certificate
 can neither be issued to an IP nor to a DNS name, hence rather
 useless. In such case a good password is as secure as a client
 certificate that i.e. has some ID in it's common name field.

Not quite correct since a client certificate might be safer 
since the server will check client certificate's issuer.
However a client certificate including its key can be stolen or
given to some non-authorized third party.

 And if both clients and server are under your control it is
 not required to buy a certificate, just create your own CA
 and certificates (server and client if you like).

And if you prefer GUI over command line tools have a look at
XCA (sourceforge.net) to manage you own CA.

-- 
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thank you very much :)
Now I got the whole picture.

Best regards

-Original Message- 
From: Arno Garrels 
Sent: Wednesday, June 15, 2011 2:43 PM 
To: ICS support mailing 
Subject: Re: [twsocket] SSL server and CLient cert. 


Arno Garrels wrote:

If clients may connect from dynamic IP addresses a certificate
can neither be issued to an IP nor to a DNS name, hence rather
useless. In such case a good password is as secure as a client
certificate that i.e. has some ID in it's common name field.


Not quite correct since a client certificate might be safer 
since the server will check client certificate's issuer.

However a client certificate including its key can be stolen or
given to some non-authorized third party.


And if both clients and server are under your control it is
not required to buy a certificate, just create your own CA
and certificates (server and client if you like).


And if you prefer GUI over command line tools have a look at
XCA (sourceforge.net) to manage you own CA.

--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
daniel cc wrote:
 Hi Arno,
 Thanks for the response.
 Yes I do understand but,
 looks like, I can't explain correctly.
 
 My point is,
 If I buy a certificate for the server,
 I need to connect more than 5 clients to the same server.
 Does this mean, I need to have 5 certificate or can I use 1
 certificate which has 5 keys?

Clients do not need a certificate (and key) to be able to 
connect to a SSL server.

-- 
Arno Garrels




 
 I hope it is clear this time..
 
 Thanks
 
 -Original Message-
 From: Arno Garrels
 Sent: Wednesday, June 15, 2011 1:55 PM
 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.
 
 daniel cc wrote:
 Thanks again,
 can you please clear a bit up,
 I understand the server certification but,
 
 Do you realy?
 
 where do I get the client key which is that PEM file?
 
 Do you need/want client certificates? If so, the server
 will have to verify client certificates during the SSL handshake
 process.
 
 Is it delivered with the certificate or should I buy that separately?
 
 When you order a SSL certificate a matching key is created,
 you always get a key along with your certificate otherwise a
 certificate was useless.
 
 Usually you buy a SSL server certificate. Its common name field is
 the DNS name of the server. i.e. to smtp.gmail.com or
 www.microsoft.com. 
 
 If clients may connect from dynamic IP addresses a certificate
 can neither be issued to an IP nor to a DNS name, hence rather
 useless. In such case a good password is as secure as a client
 certificate that i.e. has some ID in it's common name field.
 And if both clients and server are under your control it is
 not required to buy a certificate, just create your own CA
 and certificates (server and client if you like).
 
 --
 Arno Garrels
 
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread Arno Garrels
Arno Garrels wrote:
 daniel cc wrote:
 Hi Arno,
 Thanks for the response.
 Yes I do understand but,
 looks like, I can't explain correctly.
 
 My point is,
 If I buy a certificate for the server,
 I need to connect more than 5 clients to the same server.
 Does this mean, I need to have 5 certificate or can I use 1
 certificate which has 5 keys?
 
 Clients do not need a certificate (and key) to be able to
 connect to a SSL server.

Provided the server DOES NOT enforce client certificates
(as the German tax office server does).
Most servers don't. It is on your side how you set up the 
server.

And if you want client certificates do that with your own
CA, but do never ever send keys over the internet.
The client has to generate his private key locally and use
that to sign a certificate request. The certificate request
can be sent to the CA that will create the client certificate
and send it to the client. See OverbyteIcsX509Utils.pas
for a simple Delphi function to generate a key and a 
certificate request.

BTW: When you order a commercial certificate the key and 
certificate request are either created by an ActiveX or Java
browser plugin.

-- 
Arno Garrels   



 
 
 I hope it is clear this time..
 
 Thanks
 
 -Original Message-
 From: Arno Garrels
 Sent: Wednesday, June 15, 2011 1:55 PM
 To: ICS support mailing
 Subject: Re: [twsocket] SSL server and CLient cert.
 
 daniel cc wrote:
 Thanks again,
 can you please clear a bit up,
 I understand the server certification but,
 
 Do you realy?
 
 where do I get the client key which is that PEM file?
 
 Do you need/want client certificates? If so, the server
 will have to verify client certificates during the SSL handshake
 process.
 
 Is it delivered with the certificate or should I buy that
 separately? 
 
 When you order a SSL certificate a matching key is created,
 you always get a key along with your certificate otherwise a
 certificate was useless.
 
 Usually you buy a SSL server certificate. Its common name field is
 the DNS name of the server. i.e. to smtp.gmail.com or
 www.microsoft.com.
 
 If clients may connect from dynamic IP addresses a certificate
 can neither be issued to an IP nor to a DNS name, hence rather
 useless. In such case a good password is as secure as a client
 certificate that i.e. has some ID in it's common name field.
 And if both clients and server are under your control it is
 not required to buy a certificate, just create your own CA
 and certificates (server and client if you like).
 
 --
 Arno Garrels
 
 --
 To unsubscribe or change your settings for TWSocket mailing list
 please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
 Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL server and CLient cert.

2011-06-15 Thread daniel cc

Thanks Arno :)

-daniel

-Original Message- 
From: Arno Garrels 
Sent: Wednesday, June 15, 2011 3:40 PM 
To: ICS support mailing 
Subject: Re: [twsocket] SSL server and CLient cert. 


Arno Garrels wrote:

daniel cc wrote:

Hi Arno,
Thanks for the response.
Yes I do understand but,
looks like, I can't explain correctly.

My point is,
If I buy a certificate for the server,
I need to connect more than 5 clients to the same server.
Does this mean, I need to have 5 certificate or can I use 1
certificate which has 5 keys?


Clients do not need a certificate (and key) to be able to
connect to a SSL server.


Provided the server DOES NOT enforce client certificates
(as the German tax office server does).
Most servers don't. It is on your side how you set up the 
server.


And if you want client certificates do that with your own
CA, but do never ever send keys over the internet.
The client has to generate his private key locally and use
that to sign a certificate request. The certificate request
can be sent to the CA that will create the client certificate
and send it to the client. See OverbyteIcsX509Utils.pas
for a simple Delphi function to generate a key and a 
certificate request.


BTW: When you order a commercial certificate the key and 
certificate request are either created by an ActiveX or Java

browser plugin.

--
Arno Garrels   








I hope it is clear this time..

Thanks

-Original Message-
From: Arno Garrels
Sent: Wednesday, June 15, 2011 1:55 PM
To: ICS support mailing
Subject: Re: [twsocket] SSL server and CLient cert.

daniel cc wrote:

Thanks again,
can you please clear a bit up,
I understand the server certification but,


Do you realy?


where do I get the client key which is that PEM file?


Do you need/want client certificates? If so, the server
will have to verify client certificates during the SSL handshake
process.


Is it delivered with the certificate or should I buy that
separately? 


When you order a SSL certificate a matching key is created,
you always get a key along with your certificate otherwise a
certificate was useless.

Usually you buy a SSL server certificate. Its common name field is
the DNS name of the server. i.e. to smtp.gmail.com or
www.microsoft.com.

If clients may connect from dynamic IP addresses a certificate
can neither be issued to an IP nor to a DNS name, hence rather
useless. In such case a good password is as secure as a client
certificate that i.e. has some ID in it's common name field.
And if both clients and server are under your control it is
not required to buy a certificate, just create your own CA
and certificates (server and client if you like).

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be