Arno

Once again thanks for the help.
I will only implement the OnHandshakeDone event then.

I have one final question though.
When using the TSslWSocket in both client and server applications, will the Root
cert always be sent before the Certificate, e.g. two handshake done events with
root cert first and cert second?


Best regards
Kurt



-----Original message-----
From: twsocket-boun...@elists.org [mailto:twsocket-boun...@elists.org] On behalf
of Arno Garrels
Sent: 8 September 2010 15:22
To: ICS support mailing
Subject: Re: [twsocket] SSL OnSslVerifyPeer vs. OnSslHandshakeDone event

Kurt,

> I'm a bit puzzled about what the exact purpose of the HandshakeDone
> event is then.
> 
> 
> 
> Is it to verify that the SSL connection is now complete with(out)
> errors ?
> 

When it triggers without error the certificate chain verification has
completed successfully. If option SslVerifyPeer is set, it is your
responsibility to do a PostConnectionCheck.
If the SslSession was reused or SslVerifyPeer isn't set, this
check is not required of course.

> 
> And why is the certificate sent along as a param in this event too ?

The peer certificate object is required for the PostConnectionCheck;
it also has a property VerifyResult which should be X509_V_OK in case
of ErrCode = 0.

PeerCert.PostConnectionCheck(<DNS name>);
If PostConnectionCheck fails, set var Disconnect to TRUE
and the connection will be closed with a delay. Do not call Close.
 
Description of PostConnectionCheck:

{ Now to the PostConnectionCheck, a very important security check!
      Our application will be vulnerable if we do not check the peer
      certificate beyond verification of the chain. Nothing prevents an
      attacker from getting his own certificate signed by one of our trusted
      CAs and then hijacking all our sessions. We thwart this kind of
      masquerade by tying the certificate to some information unique to the
      machine. In SSL this information is one or multiple fully qualified
      domain names (FQDN), also called DNS names, stored in the certificate's
      commonName field(s) of the subjectName field. Since X.509v3 the
      subjectAltName extension allows holding the FQDN as well as other
      identifying information such as the IP address.
      We use function PostConnectionCheck to perform these checks for us. }


> 
> 
> Is it safe to handle just one of these events, and if not what to
> check for in each ?

Yes, it's safe to only handle OnSslHandshakeDone.

-- 
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
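The following is an added example, not code from the original thread or from the ICS library, showing a client-side OnSslHandshakeDone handler that applies Arno's advice above: refuse on ErrCode <> 0, skip the host check for a reused session or when SslVerifyPeer is off, confirm VerifyResult = X509_V_OK, run PostConnectionCheck against the host name the client intended to reach, and set Disconnect instead of calling Close. TClientForm, the field FExpectedHost (the host name the user asked to connect to) and the Log helper are assumptions of this example; TSslWSocket, TX509Base, SslSessionReused, SslContext.SslVerifyPeer, VerifyResult, SubjectOneLine, PostConnectionCheck and X509_V_OK are ICS/OpenSSL identifiers.

```delphi
uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsLIBEAY;

{ Assumed: TClientForm owns SslWSocket1 and has
    FExpectedHost: String;               // host name the user typed
    procedure Log(const Msg: String);    // any logging routine
  Wire it up with: SslWSocket1.OnSslHandshakeDone := SslWSocket1SslHandshakeDone; }

procedure TClientForm.SslWSocket1SslHandshakeDone(Sender: TObject;
  ErrCode: Word; PeerCert: TX509Base; var Disconnect: Boolean);
var
  Sock: TSslWSocket;
begin
  Sock := Sender as TSslWSocket;

  { ErrCode <> 0: the handshake or the chain verification failed.
    VerifyResult carries the OpenSSL reason code. Refuse the connection. }
  if ErrCode <> 0 then
  begin
    Log(Format('SSL handshake failed, ErrCode=%d VerifyResult=%d',
               [ErrCode, PeerCert.VerifyResult]));
    Disconnect := True;   { ICS closes the socket later; never call Close here }
    Exit;
  end;

  { A resumed session was already checked when it was first negotiated,
    and without SslVerifyPeer no chain was verified at all, so there is
    nothing meaningful to tie the certificate to. }
  if Sock.SslSessionReused or (not Sock.SslContext.SslVerifyPeer) then
    Exit;

  { With ErrCode = 0 this must be X509_V_OK; treat anything else as an error. }
  if PeerCert.VerifyResult <> X509_V_OK then
  begin
    Log(Format('Unexpected VerifyResult=%d', [PeerCert.VerifyResult]));
    Disconnect := True;
    Exit;
  end;

  { The security-relevant check: a chain that validates proves only that
    some trusted CA issued the certificate, not that it was issued for the
    host we meant to reach. PostConnectionCheck matches FExpectedHost
    against the subjectAltName / commonName entries. }
  if not PeerCert.PostConnectionCheck(FExpectedHost) then
  begin
    Log('Certificate does not match host ' + FExpectedHost +
        ' (subject: ' + PeerCert.SubjectOneLine + ')');
    Disconnect := True;   { delayed close by ICS; do not call Close }
    Exit;
  end;

  Log('SSL handshake OK, peer certificate matches ' + FExpectedHost);
end;
```

FExpectedHost should be the name the user supplied (what the certificate is expected to name), not something derived from the peer or from DNS after the fact; PostConnectionCheck also accepts an IP address if that is what the user connected to.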




