Re: [twsocket] remote SSL certificate verification
Arno Garrels wrote:
> If there are one or more errors, OnSSLVerifyPeer triggers for each
> error of the certificate with OK = 0.

Provided that you set OK := 1, otherwise verification stops immediately.

--
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> OK, everything is fine now.
> But may I ask something strange (at least for me) I noticed?
> When I use the following code to retrieve the remote cert:
>
> form1.SslHttpCli1.URL := 'https://';
> form1.SslHttpCli1.Get;
> form1.SslHttpCli1.SslContext.InitContext;

Calling SslContext.InitContext after Get is useless. Call it before Get,
once, and wrap it in a try except block.

> I have noticed that the event "OnSSLVerifyPeer", after every call I
> make to the code above, on some sites is fired 1 time, on other
> sites 2 times, on other sites 4 times etc.
> For example, when I call https://www.facebook.com, the event is fired 4
> times; all 4 instances have the same structure (of a certificate -
> TX509) but are not always all the same.
>
> For example for https://www.facebook.com, I have the following Serial
> Numbers returned on each reply (notice: I make 1 call):
>
> 1)
> Serial Number: 1116160165 (0x428740a5)
> Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
> (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure
> Server Certification Authority
>
> 2)
> Serial Number: 1116160165 (0x428740a5)
> Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
> (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure
> Server Certification Authority
>
> 3)
> Serial Number: 08:51:f9:59:81:41:45:ca:bd:e0:24:e2:12:c9:c2:0e
> Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High
> Assurance EV Root CA
>
> 4)
> Serial Number: 0c:6f:c8:59:57:fa:1f:5f:c9:67:2c:9f:e6:5c:db:e6
> Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High
> Assurance CA-3
>
> Can you please explain that?

It's simple: if a certificate passed OpenSSL's verification,
OnSSLVerifyPeer is called once for the current certificate with OK = 1.
If there are one or more errors, OnSSLVerifyPeer triggers for each error
of the certificate with OK = 0.

--
Arno Garrels
Re: [twsocket] remote SSL certificate verification
OK, everything is fine now.
But may I ask something strange (at least for me) I noticed?
When I use the following code to retrieve the remote cert:

form1.SslHttpCli1.URL := 'https://';
form1.SslHttpCli1.Get;
form1.SslHttpCli1.SslContext.InitContext;

I have noticed that the event "OnSSLVerifyPeer", after every call I
make to the code above, on some sites is fired 1 time, on other sites
2 times, on other sites 4 times etc.
For example, when I call https://www.facebook.com, the event is fired 4
times; all 4 instances have the same structure (of a certificate -
TX509) but are not always all the same.

For example for https://www.facebook.com, I have the following Serial
Numbers returned on each reply (notice: I make 1 call):

1)
Serial Number: 1116160165 (0x428740a5)
Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure
Server Certification Authority

2)
Serial Number: 1116160165 (0x428740a5)
Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure
Server Certification Authority

3)
Serial Number: 08:51:f9:59:81:41:45:ca:bd:e0:24:e2:12:c9:c2:0e
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High
Assurance EV Root CA

4)
Serial Number: 0c:6f:c8:59:57:fa:1f:5f:c9:67:2c:9f:e6:5c:db:e6
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High
Assurance CA-3

Can you please explain that?

On 1/9/2011 9:52 PM, Dimitris Botsis wrote:
> On 1/9/2011 9:48 PM, Arno Garrels wrote:
>> Dimitris Botsis wrote:
>>> Hi again,
>>> I can read the certificate's Serial Number right, by parsing
>>> "cert.GetRawText" at OnSSLVerifyPeer, but is it possible to read the
>>> fingerprint too?
>>
>> The fingerprint isn't a value stored in the certificate but a
>> calculated one. Methods Sha1Digest and Sha1Hex provide the Sha1
>> fingerprint; if you need the MD5 hash or other properties derive your
>> own class from TX509Base.
>
> Thank you
Re: [twsocket] remote SSL certificate verification
On 1/9/2011 9:48 PM, Arno Garrels wrote:
> Dimitris Botsis wrote:
>> Hi again,
>> I can read the certificate's Serial Number right, by parsing
>> "cert.GetRawText" at OnSSLVerifyPeer, but is it possible to read the
>> fingerprint too?
>
> The fingerprint isn't a value stored in the certificate but a
> calculated one. Methods Sha1Digest and Sha1Hex provide the Sha1
> fingerprint; if you need the MD5 hash or other properties derive your
> own class from TX509Base.

Thank you
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> Hi again,
> I can read the certificate's Serial Number right, by parsing
> "cert.GetRawText" at OnSSLVerifyPeer, but is it possible to read the
> fingerprint too?

The fingerprint isn't a value stored in the certificate but a calculated
one. Methods Sha1Digest and Sha1Hex provide the Sha1 fingerprint; if you
need the MD5 hash or other properties derive your own class from
TX509Base.

--
Arno Garrels

> I cannot find it in the rawtext I have, may I find it somewhere else?
> Thank you.
>
> On 28/8/2011 8:42 AM, Arno Garrels wrote:
>> Dimitris Botsis wrote:
>>> Hi again,
>>> from what I understand from your e-mails and tests I tried to do, the
>>> certificate file has to exist locally, where my application that
>>> checks it runs?
>>> Also in the sample "HttpsTst" the cert file has to be provided locally,
>>> isn't it? Can it use a certificate from an https site being
>>> connected on it?
>>>
>>> Please reply if the following is possible using ICS:
>>> Suppose I want to make an application using ICS, where the
>>> application will have a text box, a button and a memo field.
>>> In the text box we can give any https address/website, press the
>>> button to start the check and in the memo field have detailed
>>> information about the certificate of the site checked.
>>
>> In event OnSslHandShakeDone call PeerCert.GetRawText to display
>> the peer certificate as simple text (not available if a session was
>> reused). TX509Base also provides most common properties of a
>> certificate, however not all are available.
>>
>>> For example, like when I open Firefox or any other browser, open an
>>> https website and from (Firefox) Tools -> Page info -> Security ->
>>> View certificate, everyone can see details about the certificate.
>>
>> That's exactly what the OverbyteIcsMsVerify demo demonstrates.
Re: [twsocket] remote SSL certificate verification
Hi again,
I can read the certificate's Serial Number right, by parsing
"cert.GetRawText" at OnSSLVerifyPeer, but is it possible to read the
fingerprint too?
I cannot find it in the rawtext I have, may I find it somewhere else?
Thank you.

On 28/8/2011 8:42 AM, Arno Garrels wrote:
> Dimitris Botsis wrote:
>> Hi again,
>> from what I understand from your e-mails and tests I tried to do, the
>> certificate file has to exist locally, where my application that
>> checks it runs?
>> Also in the sample "HttpsTst" the cert file has to be provided locally,
>> isn't it? Can it use a certificate from an https site being
>> connected on it?
>>
>> Please reply if the following is possible using ICS:
>> Suppose I want to make an application using ICS, where the
>> application will have a text box, a button and a memo field.
>> In the text box we can give any https address/website, press the
>> button to start the check and in the memo field have detailed
>> information about the certificate of the site checked.
>
> In event OnSslHandShakeDone call PeerCert.GetRawText to display
> the peer certificate as simple text (not available if a session was
> reused). TX509Base also provides most common properties of a
> certificate, however not all are available.
>
>> For example, like when I open Firefox or any other browser, open an
>> https website and from (Firefox) Tools -> Page info -> Security ->
>> View certificate, everyone can see details about the certificate.
>
> That's exactly what the OverbyteIcsMsVerify demo demonstrates.
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> Hi again,
> from what I understand from your e-mails and tests I tried to do, the
> certificate file has to exist locally, where my application that
> checks it runs?
> Also in the sample "HttpsTst" the cert file has to be provided locally,
> isn't it? Can it use a certificate from an https site being connected
> on it?
>
> Please reply if the following is possible using ICS:
> Suppose I want to make an application using ICS, where the application
> will have a text box, a button and a memo field.
> In the text box we can give any https address/website, press the
> button to start the check and in the memo field have detailed
> information about the certificate of the site checked.

In event OnSslHandShakeDone call PeerCert.GetRawText to display the peer
certificate as simple text (not available if a session was reused).
TX509Base also provides most common properties of a certificate, however
not all are available.

> For example, like when I open Firefox or any other browser, open an
> https website and from (Firefox) Tools -> Page info -> Security ->
> View certificate, everyone can see details about the certificate.

That's exactly what the OverbyteIcsMsVerify demo demonstrates.

--
Arno Garrels
Re: [twsocket] remote SSL certificate verification
I found the solution: setting "SSLVerifyPeer" to True for SSLHTTPCli's
SSLContext and then reading the cert.
Thank you.

On 27/8/2011 11:18 PM, Dimitris Botsis wrote:
> Hi again,
> from what I understand from your e-mails and tests I tried to do, the
> certificate file has to exist locally, where my application that
> checks it runs?
> Also in the sample "HttpsTst" the cert file has to be provided locally,
> isn't it? Can it use a certificate from an https site being connected
> on it?
>
> Please reply if the following is possible using ICS:
> Suppose I want to make an application using ICS, where the application
> will have a text box, a button and a memo field.
> In the text box we can give any https address/website, press the
> button to start the check and in the memo field have detailed
> information about the certificate of the site checked.
>
> For example, like when I open Firefox or any other browser, open an
> https website and from (Firefox) Tools -> Page info -> Security ->
> View certificate, everyone can see details about the certificate.
>
> Thank you
>
> On 27/8/2011 9:25 PM, Arno Garrels wrote:
>> Arno Garrels wrote:
>>> use method PostConnection ..
>>
>> Sorry typo, the method name is "PostConnectionCheck".
Re: [twsocket] remote SSL certificate verification
Hi again,
from what I understand from your e-mails and tests I tried to do, the
certificate file has to exist locally, where my application that
checks it runs?
Also in the sample "HttpsTst" the cert file has to be provided locally,
isn't it? Can it use a certificate from an https site being connected
on it?

Please reply if the following is possible using ICS:
Suppose I want to make an application using ICS, where the application
will have a text box, a button and a memo field.
In the text box we can give any https address/website, press the
button to start the check and in the memo field have detailed
information about the certificate of the site checked.

For example, like when I open Firefox or any other browser, open an
https website and from (Firefox) Tools -> Page info -> Security ->
View certificate, everyone can see details about the certificate.

Thank you

On 27/8/2011 9:25 PM, Arno Garrels wrote:
> Arno Garrels wrote:
>> use method PostConnection ..
>
> Sorry typo, the method name is "PostConnectionCheck".
Re: [twsocket] remote SSL certificate verification
Arno Garrels wrote:
> use method PostConnection ..

Sorry typo, the method name is "PostConnectionCheck".

--
Arno Garrels
Re: [twsocket] remote SSL certificate verification
Thank you very much for all help and information.

On 27/8/2011 7:29 PM, Arno Garrels wrote:
> Dimitris Botsis wrote:
>> OK, let me explain what I want.
>> I want my client that connects over https to a server, before starting
>> to exchange data with the server, first to check if the certificate
>> provided by the server is the right one. I think there is a signature
>> in the certificate which the client will know, and verify if the
>> certificate's signature that is read from the server is the same.
>
> I see, so this is the common procedure as shown in the demos mentioned
> in one of my previous mails. A certificate is always signed / issued by
> another certificate and it can be quite a long chain from the top level
> root certificate down to the server certificate. The top level root
> certificate is always self-signed. All you have to do is to provide the
> signing certificates you trust in either the TSslContext.SslCAFile or
> TSslContext.SslCAPath so OpenSSL finds them on certificate verification
> when it builds up the chain. All certificates issued by these
> certificates are trusted as well. Event OnSslVerifyPeer is triggered
> for each certificate check, OnSslHandShakeDone triggers after the
> certificate chain has been verified. When this was OK you use method
> PostConnection of the peer certificate to check for DNS name match.
>
> If you are new to SSL and OpenSSL you should read a good book about
> that stuff first, i.e. "Network Security with OpenSSL" published by
> O'Reilly.
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> OK, let me explain what I want.
> I want my client that connects over https to a server, before starting
> to exchange data with the server, first to check if the certificate
> provided by the server is the right one. I think there is a signature
> in the certificate which the client will know, and verify if the
> certificate's signature that is read from the server is the same.

I see, so this is the common procedure as shown in the demos mentioned in
one of my previous mails. A certificate is always signed / issued by
another certificate and it can be quite a long chain from the top level
root certificate down to the server certificate. The top level root
certificate is always self-signed. All you have to do is to provide the
signing certificates you trust in either the TSslContext.SslCAFile or
TSslContext.SslCAPath so OpenSSL finds them on certificate verification
when it builds up the chain. All certificates issued by these
certificates are trusted as well. Event OnSslVerifyPeer is triggered for
each certificate check, OnSslHandShakeDone triggers after the certificate
chain has been verified. When this was OK you use method PostConnection
of the peer certificate to check for DNS name match.

If you are new to SSL and OpenSSL you should read a good book about that
stuff first, i.e. "Network Security with OpenSSL" published by O'Reilly.

--
Arno Garrels
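The procedure Arno describes here (trust anchors in SslCAFile/SslCAPath, OnSslVerifyPeer per certificate in the chain, OnSslHandshakeDone after the chain is verified, then PostConnectionCheck for the host name) and the points he makes later in the thread (the verify event fires once per accepted certificate with OK = 1 or once per error with OK = 0, the fingerprint is computed via Sha1Hex, and InitContext belongs before Get inside a try/except) fit together in one client form. The unit below is an added example written for this thread; it is not code from the ICS distribution or its demos. It assumes a Delphi form holding a TSslHttpCli, a TSslContext and a TMemo, a PEM bundle of trusted CA certificates next to the executable, and ICS property names beyond those quoted in the thread (VerifyDepth, VerifyResult, VerifyErrMsg, SubjectOneLine, IssuerOneLine, SslVerifyPeerModes) as I recall them from the ICS API; check them against your ICS version. The expected fingerprint is a placeholder.

```delphi
{ Added example for the twsocket thread, not ICS demo code.
  Assumes: TForm1 with SslHttpCli1 (TSslHttpCli), SslContext1 (TSslContext)
  and Memo1 (TMemo); CA bundle 'RootCaCertsBundle.pem' beside the exe. }
unit CertCheckMain;

interface

uses
  SysUtils, Classes, Forms, StdCtrls,
  OverbyteIcsWSocket, OverbyteIcsSslHttpCli;  // TX509Base, TSslContext, TSslHttpCli

type
  TForm1 = class(TForm)
    SslHttpCli1: TSslHttpCli;
    SslContext1: TSslContext;
    Memo1: TMemo;
    procedure FormCreate(Sender: TObject);
    procedure SslHttpCli1SslVerifyPeer(Sender: TObject; var Ok: Integer;
      Cert: TX509Base);
    procedure SslHttpCli1SslHandshakeDone(Sender: TObject; ErrCode: Word;
      PeerCert: TX509Base; var Disconnect: Boolean);
  private
    FHost: String;   // host we asked for, used by PostConnectionCheck
  public
    procedure CheckSite(const Host: String);
  end;

const
  { PLACEHOLDER: SHA-1 fingerprint (hex, no separators) of the server
    certificate the client expects, obtained out of band, never copied
    from the live connection. }
  ExpectedSha1 = 'PLACEHOLDER_SHA1_FINGERPRINT_HEX';

implementation

{$R *.dfm}

procedure TForm1.FormCreate(Sender: TObject);
begin
  // Trust anchors OpenSSL uses while building the chain; anything issued,
  // directly or indirectly, by one of them is accepted.
  SslContext1.SslCAFile := ExtractFilePath(ParamStr(0)) + 'RootCaCertsBundle.pem';
  SslContext1.SslVerifyPeer := True;
  SslContext1.SslVerifyPeerModes := [SslVerifyMode_PEER];
  SslHttpCli1.SslContext := SslContext1;
  SslHttpCli1.OnSslVerifyPeer := SslHttpCli1SslVerifyPeer;
  SslHttpCli1.OnSslHandshakeDone := SslHttpCli1SslHandshakeDone;
  // Initialise once, before any Get; raises if the CA file is unusable.
  try
    SslContext1.InitContext;
  except
    on E: Exception do
      Memo1.Lines.Add('InitContext failed: ' + E.Message);
  end;
end;

procedure TForm1.CheckSite(const Host: String);
begin
  FHost := Host;
  SslHttpCli1.URL := 'https://' + Host + '/';
  SslHttpCli1.Get;
end;

{ Fires once per chain certificate OpenSSL accepted (Ok = 1) and once per
  verification error with Ok = 0, so root + intermediate + leaf yields
  three or more calls for a single Get. Log only; leaving Ok as OpenSSL
  set it is what makes the trust decision stick. }
procedure TForm1.SslHttpCli1SslVerifyPeer(Sender: TObject; var Ok: Integer;
  Cert: TX509Base);
begin
  Memo1.Lines.Add(Format('depth=%d ok=%d verify=%d (%s)',
    [Cert.VerifyDepth, Ok, Cert.VerifyResult, Cert.VerifyErrMsg]));
  Memo1.Lines.Add('  subject: ' + Cert.SubjectOneLine);
  Memo1.Lines.Add('  issuer : ' + Cert.IssuerOneLine);
  Memo1.Lines.Add('  sha1   : ' + Cert.Sha1Hex);  // computed, not stored in the cert
end;

{ Runs after the whole chain was verified; the verdict is in ErrCode and
  in PeerCert.VerifyResult (0 = X509_V_OK). }
procedure TForm1.SslHttpCli1SslHandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
begin
  if (ErrCode <> 0) or (PeerCert.VerifyResult <> 0) then begin
    Memo1.Lines.Add('Chain verification failed: ' + PeerCert.VerifyErrMsg);
    Disconnect := True;
    Exit;
  end;
  // A trusted chain alone does not prove we reached the intended host.
  if not PeerCert.PostConnectionCheck(FHost) then begin
    Memo1.Lines.Add('Certificate does not match host ' + FHost);
    Disconnect := True;
    Exit;
  end;
  // Pinning, which is what the original question asked for: compare the
  // computed fingerprint with the one the client already knows.
  if not SameText(PeerCert.Sha1Hex, ExpectedSha1) then begin
    Memo1.Lines.Add('Fingerprint mismatch: ' + PeerCert.Sha1Hex);
    Disconnect := True;
    Exit;
  end;
  Memo1.Lines.Add('Peer certificate OK, pinned fingerprint matched');
end;

end.
```

The decision is deliberately taken in OnSslHandshakeDone rather than in OnSslVerifyPeer: forcing Ok := 1 in the verify event makes OpenSSL continue past errors, which is useful for logging a whole broken chain but accepts it if nothing later disconnects. Note also that PeerCert may carry no certificate when a session was reused, as Arno mentions elsewhere in the thread, so a production client should treat that case explicitly.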
Re: [twsocket] remote SSL certificate verification
On 26/8/2011 2:29 PM, Arno Garrels wrote:
> Dimitris Botsis wrote:
>> "remotely" I mean that the client must contact the server in order to
>> find the certificate and then verify it to see if it contains the
>> signature that the client expects in order to establish a trusted
>> connection. Thank you for replying.
>
> I still do not understand. A client must always connect to a server in
> order to receive its certificate (chain). Verification of the received
> certificate can be done locally or remotely by sending it to an OCSP
> server. Do you by any chance mean OCSP?
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
> OCSP is not implemented in ICS, however if you use the Microsoft Crypto
> API for certificate verification as shown in demo OverbyteIcsMsVerify
> then Windows (Vista+) may use OCSP as well.

OK, let me explain what I want.
I want my client that connects over https to a server, before starting
to exchange data with the server, first to check if the certificate
provided by the server is the right one. I think there is a signature in
the certificate which the client will know, and verify if the
certificate's signature that is read from the server is the same.
And of course, any other things that may be used so that the client can
be sure that this is the right server or is not (not only based on the
IP address connected).
Thank you.
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> "remotely" I mean that the client must contact the server in order to
> find the certificate and then verify it to see if it contains the
> signature that the client expects in order to establish a trusted
> connection. Thank you for replying.

I still do not understand. A client must always connect to a server in
order to receive its certificate (chain). Verification of the received
certificate can be done locally or remotely by sending it to an OCSP
server. Do you by any chance mean OCSP?
http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
OCSP is not implemented in ICS, however if you use the Microsoft Crypto
API for certificate verification as shown in demo OverbyteIcsMsVerify
then Windows (Vista+) may use OCSP as well.

--
Arno Garrels

> 26 Aug 2011, 11:00 AM, "Arno Garrels" wrote:
>
>> Dimitris Botsis wrote:
>>> How can a client that connects with https verify the server's SSL
>>> certificate remotely?
>>
>> What do you mean by "remotely"?
>>
>> Take a look at two samples in the SslInternet folder:
>> OverbyteIcsHttpsTst and OverbyteIcsMsVerify.
>>
>> --
>> Arno Garrels
Re: [twsocket] remote SSL certificate verification
"remotely" I mean that the client must contact the server in order to
find the certificate and then verify it to see if it contains the
signature that the client expects in order to establish a trusted
connection. Thank you for replying.

26 Aug 2011, 11:00 AM, "Arno Garrels" wrote:
> Dimitris Botsis wrote:
>> How can a client that connects with https verify the server's SSL
>> certificate remotely?
>
> What do you mean by "remotely"?
>
> Take a look at two samples in the SslInternet folder:
> OverbyteIcsHttpsTst and OverbyteIcsMsVerify.
>
> --
> Arno Garrels
Re: [twsocket] remote SSL certificate verification
Dimitris Botsis wrote:
> How can a client that connects with https verify the server's SSL
> certificate remotely?

What do you mean by "remotely"?

Take a look at two samples in the SslInternet folder:
OverbyteIcsHttpsTst and OverbyteIcsMsVerify.

--
Arno Garrels