> I'm a bit puzzled about what the exact purpose of the HandshakeDone
> event is then.
> Is it to verify that the SSL connection is now complete with(out)
> errors ?

When it triggers without error the certificate chain verification 
completed successfully. In case of option SslVerifyPeer is set it
is the your responsibility to do a PostConnectionCheck. 
If the SslSession was reused or SslVerifyPeer isn't set this
check is not required of course.

> And why is the certificate sent along as a param in this event too ?

The peer certificate object is required for the PostConnectionCheck,
it also has a property VerifyResult which should be X509_V_OK in case
of ErrCode = 0.   

PeerCert.PostConnectionCheck(<DNS name>);
If PostConnectionCheck failed and you set var Disconnect to TRUE
and the connection will be closed delayed. Do not call Close.
Description of PostConnectionCheck:

{ Now to the PostConnectionCheck, a very important security check!
      Our application will be vulnerable if we do not check the peer
      certificate beyond verification of the chain. Nothing prevents an
      attacker from getting his own certificate signed by one of our trusted
      CAs and then hijacking all our sessions. We thward this kind of
      masquerade by tying the certificate to some information unique to the
      machine. In SSL this information is one or multiple full qualified
      domain names (FQDN) also called DNS names stored in certificate's
      commonName field(s) of the subjectName field. Since X.509v3 the
      subjectAltName extension allows to hold the FQDN as well as other
      identifying information such as the IP address.
      We use function PostConnectionCheck to perform these checks for us. }

> Is it safe to handle just one of these events, and if not what to
> check for in each ?

Yes, it's safe to only handle OnSslHandshakeDone.

Arno Garrels

To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to