Re: [twsocket] Poll 1 - SslContext and loading certificates
I have no serious experience with that so I can't decide what is better. I usually prefer implementations that do not break existing code, triggering the new feature using an option.

--
francois.pie...@overbyte.be
The author of the freeware multi-tier middleware MidWare
The author of the freeware Internet Component Suite (ICS)
http://www.overbyte.be

-----Original Message-----
From: TWSocket [mailto:twsocket-boun...@lists.elists.org] On behalf of Angus Robertson - Magenta Systems Ltd
Sent: Thursday 2 March 2017 13:04
To: twsocket@lists.elists.org
Subject: [twsocket] Poll 1 - SslContext and loading certificates

The recent SSL changes allow ICS servers to load SSL certificates in various formats and easily validate them; previously a lot of SSL problems were caused by loading the wrong certificates, since there was no feedback other than failed connections. But I implemented this in a fully backward compatible way, so server applications need to load SSL certificates the new way. Using the old SslContext properties SslCertFile, SslCAFile and SslPrivKeyFile still loads only PEM base64 files, without validation.

Currently, if the new public property SslSetCertX509 is used to load certificates, these are loaded into the context instead of the published properties when InitContext is called, or when the SslSetCertX509 method is called. But perhaps it would be easier to understand and update existing applications if ICS loaded the existing published properties via SslSetCertX509 so they support multiple certificate formats.

The issue is how, and if, this is a good idea:

1 - Leave backward compatibility as now, so program changes are needed to use new format certificates.

2 - Automatically use the existing published SSL file properties to load new format certificates via SslSetCertX509. No program changes needed, except if you want to validate certificates after loading. May not be fully backward compatible if old separate methods like LoadCertFromChainFile are used to load files. Potentially space saving, since old loading code can be removed, simplifying maintenance.

3 - SslContext has a new published property NewLoading that must be set to cause the existing published SSL file properties to be used (as 2). No space or maintenance saving.

Can you please reply to this email with solution 1, 2 or 3, or any better suggestions.

Angus

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] Poll 1 - SslContext and loading certificates
Hello Angus,

I don't use SSL at the moment, I have encryption on a peer-to-peer level. But one implementation in ICS, and maybe a kind of certificate conversion utility (from multiple formats to one very well implemented ICS format), has my preference.

Regards,
Jasja

On 2-3-2017 at 13:04, Angus Robertson - Magenta Systems Ltd wrote:

The recent SSL changes allow ICS servers to load SSL certificates in various formats and easily validate them; previously a lot of SSL problems were caused by loading the wrong certificates, since there was no feedback other than failed connections. But I implemented this in a fully backward compatible way, so server applications need to load SSL certificates the new way. Using the old SslContext properties SslCertFile, SslCAFile and SslPrivKeyFile still loads only PEM base64 files, without validation.

Currently, if the new public property SslSetCertX509 is used to load certificates, these are loaded into the context instead of the published properties when InitContext is called, or when the SslSetCertX509 method is called. But perhaps it would be easier to understand and update existing applications if ICS loaded the existing published properties via SslSetCertX509 so they support multiple certificate formats.

The issue is how, and if, this is a good idea:

1 - Leave backward compatibility as now, so program changes are needed to use new format certificates.

2 - Automatically use the existing published SSL file properties to load new format certificates via SslSetCertX509. No program changes needed, except if you want to validate certificates after loading. May not be fully backward compatible if old separate methods like LoadCertFromChainFile are used to load files. Potentially space saving, since old loading code can be removed, simplifying maintenance.

3 - SslContext has a new published property NewLoading that must be set to cause the existing published SSL file properties to be used (as 2). No space or maintenance saving.

Can you please reply to this email with solution 1, 2 or 3, or any better suggestions.

Angus

--
Best regards
Jasja Glasbeek | Sales/Export/ICT | Machandel BV
tel: (+31) 516-425020 | mobile: (+31) 6-20165848 | email: ja...@machandel.com