Re: [twsocket] when is OpenSSL connection ready?

2015-06-12 Thread Merijn Bosma

Thanks Angus, that answers my question.

Have a nice day!

Merijn


On 12/06/2015 16:13, Angus Robertson - Magenta Systems Ltd wrote:

> > I'm currently setting up a connection using OpenSSL for the first
> > I'm unsure when I can conclude (on
> > server side) that a client is fully authenticated.
>
> Not sure if your application is a client or server, but they are similar,
> everything happens in the HandshakeDone event.
>
> You need to check Errcode; if not zero, SSL negotiation has already failed and
> you should disconnect.
>
> If Errcode is zero, and you care about certificates, and set SslVerifyPeer, you
> can check if the certificate is basically valid. But a proper check of the
> certificate chain is more complicated, and either needs a list of root
> certificates (hundreds) to test, or use the Microsoft crypto APIs to let
> Windows check its root store. That's easier with the latest ICS v8 today,
> using OverbyteIcsMsSslUtils.
>
> Angus

Angus



--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] when is OpenSSL connection ready?

2015-06-12 Thread Angus Robertson - Magenta Systems Ltd
> I'm currently setting up a connection using OpenSSL for the first 
> I'm unsure when I can conclude (on 
> server side) that a client is fully authenticated.

Not sure if your application is a client or server, but they are similar,
everything happens in the HandshakeDone event.

You need to check Errcode; if not zero, SSL negotiation has already failed and
you should disconnect.

If Errcode is zero, and you care about certificates, and set SslVerifyPeer, you
can check if the certificate is basically valid. But a proper check of the
certificate chain is more complicated, and either needs a list of root
certificates (hundreds) to test, or use the Microsoft crypto APIs to let
Windows check its root store. That's easier with the latest ICS v8 today,
using OverbyteIcsMsSslUtils.

Angus



Re: [twsocket] when is OpenSSL connection ready?

2015-06-12 Thread Merijn Bosma
Asked a bit too soon it seems, I just found the PeerCert.VerifyResult,
which is 0 if authentication is OK.

If someone can confirm this is indeed the trick that would be great.

Merijn

On 12/06/2015 15:58, Merijn Bosma wrote:

> Hi all,
>
> I'm currently setting up a connection using OpenSSL for the first time.
> Things are going well, but I'm unsure when I can conclude (on server
> side) that a client is fully authenticated.
>
> I'm looking into the OnClientConnected, OnClientDisconnected and
> OnSSLHandshakeDone events.
>
> For a client with a valid certificate (which connects and
> authenticates fine), I see this order of events:
>
> 15:51:33.918 - client connected ip: 127.0.0.1 (0)
> 15:51:34.518 - SSL handshake done: 127.0.0.1
>
> Which looks great. However, for a client which does not have a valid
> certificate I see this order of events:
>
> 15:53:26.534 - client connected ip: 127.0.0.1 (0)
> 15:53:27.118 - SSL handshake done: 127.0.0.1
> 15:53:27.121 - client disconnected ip: 127.0.0.1 (10053)
>
> Even though the client isn't authenticated yet, I already get an SSL
> handshake done event.
> I suspect I need to inspect the PeerCert argument which is supplied in
> the OnSSLHandshakeDone event to see if authentication went ok, but I'm
> not sure what to look for.
>
> Or is there another event I can use?
>
> Hope someone can advise.
>
> Thanks in advance,
>
> Merijn


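Putting Angus's steps and Merijn's PeerCert.VerifyResult finding together, here is an added example of a server-side OnSslHandshakeDone handler; it is not code from the thread or from the ICS sources. It assumes the ICS event signature with a var Disconnect parameter, the unit names, TSslWSocketClient, TX509Base.X509, the X509_V_OK constant and a Log helper; the caveat it encodes is that VerifyResult is only meaningful when SslVerifyPeer was set, since OpenSSL reports 0 (OK) when no verification was requested, and a client that presented no certificate at all must be rejected separately.

```delphi
uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsWSocketS, OverbyteIcsLIBEAY;

{ Assumed ICS event signature: ErrCode is the handshake result, PeerCert
  the client's certificate (if any), Disconnect lets the handler drop the
  client without calling Close itself. Log is an assumed helper. }
procedure TMyServer.SslHandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
var
  Client: TSslWSocketClient;
begin
  Client := Sender as TSslWSocketClient;
  Disconnect := False;

  { 1. Non-zero ErrCode: TLS negotiation itself failed. Nothing below can be
       trusted, so drop the client (Merijn's second trace, which ends with a
       disconnect right after the handshake event, is this path). }
  if ErrCode <> 0 then
  begin
    Log(Format('%s: SSL handshake failed, ErrCode=%d', [Client.PeerAddr, ErrCode]));
    Disconnect := True;
    Exit;
  end;

  { 2. A clean handshake only proves encryption, not identity. Unless the
       context asked OpenSSL to verify the peer, VerifyResult is 0 regardless
       of what the client sent, so do not treat it as "authenticated". }
  if not Client.SslContext.SslVerifyPeer then
  begin
    Log(Format('%s: handshake done, peer verification not enabled', [Client.PeerAddr]));
    Exit;
  end;

  { 3. No certificate presented (assumed: X509 pointer is nil): reject,
       because a plain "verify peer" mode passes such clients as OK. }
  if (PeerCert = nil) or (PeerCert.X509 = nil) then
  begin
    Log(Format('%s: no client certificate presented', [Client.PeerAddr]));
    Disconnect := True;
    Exit;
  end;

  { 4. VerifyResult holds OpenSSL's X509_V_* code for the presented chain;
       X509_V_OK (0) is the value Merijn found for an authenticated client. }
  if PeerCert.VerifyResult <> X509_V_OK then
  begin
    Log(Format('%s: certificate rejected, VerifyResult=%d', [Client.PeerAddr, PeerCert.VerifyResult]));
    Disconnect := True;
    Exit;
  end;

  Log(Format('%s: client authenticated as %s', [Client.PeerAddr, PeerCert.SubjectOneLine]));
end;
```

A VerifyResult of 0 here means the certificate chained to a root loaded into the SslContext and was within its validity dates; the fuller chain check against the Windows root store that Angus mentions (OverbyteIcsMsSslUtils) would replace step 4.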


[twsocket] when is OpenSSL connection ready?

2015-06-12 Thread Merijn Bosma

Hi all,

I'm currently setting up a connection using OpenSSL for the first time.
Things are going well, but I'm unsure when I can conclude (on server 
side) that a client is fully authenticated.


I'm looking into the OnClientConnected, OnClientDisconnected and 
OnSSLHandshakeDone events.


For a client with a valid certificate (which connects and authenticates 
fine), I see this order of events:


15:51:33.918 - client connected ip: 127.0.0.1 (0)
15:51:34.518 - SSL handshake done: 127.0.0.1

Which looks great. However, for a client which does not have a valid 
certificate I see this order of events:


15:53:26.534 - client connected ip: 127.0.0.1 (0)
15:53:27.118 - SSL handshake done: 127.0.0.1
15:53:27.121 - client disconnected ip: 127.0.0.1 (10053)

Even though the client isn't authenticated yet, I already get an SSL 
handshake done event.
I suspect I need to inspect the PeerCert argument which is supplied in 
the OnSSLHandshakeDone event to see if authentication went ok, but I'm 
not sure what to look for.

Or is there another event I can use?

Hope someone can advise.

Thanks in advance,

Merijn