Did you also happen to see if the problem also exists with other libraries
(libressl/boringssl/bearssl)?

Thank you - I never knew the server could generate a certificate on the fly
(your code/patches are now something to work on here for the quiet New Year's
week!!)
But won't that create a massive overhead if it has to do this for each new
connection?


On Tue, 1 Jan 2019 19:07:04 +0100 (CET)
Michael Van Canneyt <mich...@freepascal.org> wrote:

> 
> 
> On Tue, 1 Jan 2019, paste...@gmx.com wrote:
> 
> > works perfectly here with my self signed cert (test.pem)
> 
> I know that.
> 
> It works if you give it a file. That's not a problem.
> 
> But it does not work if you expect the server to generate a certificate 
> on-the-fly.
> 
> (
> just comment out all the assignments in unit http:
> //  Sock.SSL.CertCAFile := ExtractFilePath(ParamStr(0)) + 's_cabundle.pem';
> //  Sock.SSL.CertificateFile := ExtractFilePath(ParamStr(0)) + 's_cacert.pem';
> //  Sock.SSL.PrivateKeyFile := ExtractFilePath(ParamStr(0)) + 's_cakey.pem';
> //  Sock.SSL.KeyPassword := 's_cakey';
> //  Sock.SSL.verifyCert := True;
> )
> 
> See unit ssl_openssl,
> 
> function TSSLOpenSSL.CreateSelfSignedCert(Host: string): Boolean;
> 
> This function is erroneous.
> 
> After lots of searching, I found the problem.
> 
> function TSSLOpenSSL.CreateSelfSignedCert(Host: string): Boolean;
> 
> calls Asn1UtctimeNew.
> 
> This function does not (or no longer) exist as a symbol in the openssl
> library. It is now a macro that calls ASN1_STRING_type_new() or somesuch.
> 
> As a result, the certificate times are invalid, and the created certificate 
> is invalid.
> (at least the code should check that the functions have correctly returned
> something?)
> 
> Attached are some diffs I made to fix the problem (I did the patch on an 
> older version
> of synapse, but made a diff from current SVN, so there is some noise in the
> patch).
> 
> Essentially, it imports ASN1_STRING_type_new and the various ASN1 types, 
> and lets Asn1UtctimeNew call ASN1_STRING_type_new with the correct type.
> 
> After applying this, the code creates a valid certificate on-the-fly.
> 
> But the problem then moves: at every request, a different certificate is
> created, because the certificate is created as part of the TSSLOpenSSL.Accept
> request.
> 
> The browser of course complains about this. The only solution is to
> create the certificate once and set the data appropriately whenever a
> connection is accepted.
> 
> But, in essence, generating a certificate on-the-fly now works (again).
> 
> I imagine at some point, the openssl people changed an actual call for a
> macro, and synapse's import unit was not updated to match this change.
> 
> Michael.


_______________________________________________
synalist-public mailing list
synalist-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synalist-public
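As an added example, not code from synapse or from anyone in this thread, the following stdlib-only Python checker shows what the two problems described above look like from the client side. `check_validity()` walks a DER certificate to its Validity field and rejects empty or malformed notBefore/notAfter times (the symptom of a certificate whose time fields were never properly set), and `fingerprint()` gives a quick way to see whether a server presents the same certificate on every connection or regenerates it per accept. The sample certificates are constructed skeletons with placeholder issuer, subject, key and signature fields; nothing here is a real key or a real certificate.

```python
"""Client-side check of a certificate's Validity field (added example).

Uses only the standard library so it can inspect what a server actually sent,
for instance the DER bytes obtained via ssl.get_server_certificate() followed
by ssl.PEM_cert_to_DER_cert().  Structure per RFC 5280 section 4.1:
Certificate -> tbsCertificate -> [version] serial signature issuer validity ...
"""
import datetime
import hashlib
import re


def read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split the content octets of a SEQUENCE into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as RFC 5280 4.1.2.5 requires.
    Returns None for an empty or malformed field, which is how a certificate whose
    time fields were never properly set shows up on the wire."""
    text = value.decode("ascii", "replace")
    if tag == 0x17 and re.fullmatch(r"\d{12}Z", text):
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit-year rule
        return datetime.datetime.strptime(f"{year}{text[2:]}", "%Y%m%d%H%M%SZ")
    if tag == 0x18 and re.fullmatch(r"\d{14}Z", text):
        return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ")
    return None


def check_validity(der, now=None):
    """Return (ok, reason, not_before, not_after) for a DER-encoded certificate."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    _, cert, _ = read_tlv(der, 0)               # outer Certificate SEQUENCE
    fields = children(children(cert)[0][1])     # tbsCertificate elements
    if fields and fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = children(fields[3][1])           # serial, signature, issuer, validity
    if len(validity) != 2:
        return False, "validity is not a pair of times", None, None
    not_before, not_after = parse_time(*validity[0]), parse_time(*validity[1])
    if not_before is None or not_after is None:
        return False, "notBefore/notAfter empty or malformed", not_before, not_after
    if not not_before < not_after:
        return False, "notBefore is not earlier than notAfter", not_before, not_after
    if not not_before <= now <= not_after:
        return False, "not valid at the given time", not_before, not_after
    return True, "ok", not_before, not_after


def fingerprint(der):
    """SHA-256 over the DER bytes; differs between connections when the server
    regenerates its certificate on every accept."""
    return hashlib.sha256(der).hexdigest()


# ---- constructed sample input (no real keys or signatures) -------------------
def tlv(tag, content):
    """Minimal DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(not_before, not_after, serial=b"\x01"):
    """Certificate skeleton with real structure up to Validity; later fields are
    empty placeholders since this checker never looks at them."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))            # version v3
           + tlv(0x02, serial)                       # serialNumber
           + alg + tlv(0x30, b"")                    # signature, issuer
           + tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))
           + tlv(0x30, b"") + tlv(0x30, b""))        # subject, subjectPublicKeyInfo
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))


AS_OF = datetime.datetime(2019, 1, 2)                 # fixed clock for the demo
GOOD_CERT = sample_cert(b"190101000000Z", b"290101000000Z")
BAD_CERT = sample_cert(b"", b"")                      # times never filled in
REGENERATED = sample_cert(b"190101000000Z", b"290101000000Z", serial=b"\x02")

if __name__ == "__main__":
    for name, der in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, check_validity(der, AS_OF))
    print("same cert across connections:",
          fingerprint(GOOD_CERT) == fingerprint(REGENERATED))
```

Running the same `check_validity()` on a certificate generated by the server-side code, before it is handed to the TLS layer, is the "check that the functions have correctly returned something" step the thread asks for; comparing `fingerprint()` across two connections to the same server shows whether the certificate is created once or on every accept.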
