New TSslCertTools component to create and sign certificates is finished. More minor SSL improvements for certificates.
This completes the batch of major SSL improvements over the past four months, so now just bug fixing as the new features get incorporated into applications and more widely used. A new SSL file and string digest signing component is still planned.

Updating applications - SSL servers
-----------------------------------
Previously only PEM Base64 certificates could be used; now PKCS12, PKCS8 and DER binary certificates can be loaded to avoid manual conversions. The server certificate chain can be validated and reported before the server starts, to avoid certificate errors. If the server has the option to create SSL certificates or requests, these can now use ECC keys, which use less bandwidth than RSA keys (but which few CAs support, yet), and alternate DNS names may be used; ICS will now also sign certificate requests. If certificate chains are reported, new methods simplify this to avoid loops. New cipher list containing only forward secrecy (FS) ciphers to ensure an SSL Labs A+ score. Host name checking is now performed by OpenSSL, so PostConnectionCheck is not needed.

Updating applications - SSL clients
-----------------------------------
If certificate chains are reported, new methods simplify this to avoid loops. New OpenSSL security level to prevent connection to sites with inadequate SSL certificate key sizes or old protocols.

OverbyteIcsWSocket.pas
Fix bug in last build with TX509Base PEM cert error handling.
Simplified checks for base64 certificates.
Binary format certificate files are now saved correctly.
Implemented intermediate certificate support in TX509Base, which includes loading and saving them from file formats supporting them, with LoadIntersFromPemFile, LoadIntersFromString, SaveIntersToPemFile, GetIntersList and ListInters.
Implemented CA certificate support in TX509Base, mainly for chain verification: LoadCAFromPemFile, LoadCAFromString.
KeyInfo displays the correct key length and curve for certificates.
CertInfo has a Brief option for a shorter description.
ValidateCertChain in TX509Base checks and reports the cert and inters, and can save a lot of cert problems in servers.
Added AllCertInfo to TX509List, which reports all certificates and can save code in clients reporting certificates.
Added sslCiphersMozillaSrvInterFS with only forward secrecy ciphers.
Added IsCertLoaded, IsPkeyLoaded and IsInterLoaded to TX509Base.
Added SslKeyAuth property to get cipher key authentication.
Added SslGetCerts to context to get cert, key and intermediates.
Added SslSetCertX509 to context, which sets cert, key and intermediates from FSslCertX509 to load all together. If FSslCertX509 in Context has a cert loaded when the context is initialised, the context file properties are ignored and SslSetCertX509 is called to load them.
Made InitializeSsl public in TSslBaseComponent for more control over SSL loading and unloading.

OverbyteIcsLIBEAY.pas
OverbyteIcsSSLEAY.pas
Added more NIDs, constants and a few more imported functions.

OverbyteIcsSslX509Utils.pas
Added CreateCertBundle to build a new PEM or PKCS12 file combining certificate, private key and intermediate files.
Added more certificate request extension properties, including alt domains. Creating requests now adds alternate domains, IP addresses, etc.
Create certificate from request now optionally copies extensions.
The old CreateCertRequest and CreateSelfSignedCert functions now use the TSslCertTools component and provide backward compatibility.

Create Certificate Bundle
-------------------------
Builds a new PEM or PKCS12 file by combining certificate, private key and intermediate files (in any formats, with the correct file extension). For servers, a bundle file is easier to distribute and load than three separate files.

1 - CreateCertBundle is a simple function that requires four full file names, for the three input files and the output file, optional load and save passwords, and optionally the cipher used to encrypt the output file.
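The server start-up sequence described above (build one bundle with CreateCertBundle, load it into the context's SslCertX509, check that cert, key and intermediates are present, validate the chain with ValidateCertChain, and only then initialise the context), written out as an added Delphi example. This is not code from the ICS release notes or the ICS sources. It assumes the CreateCertBundle parameter order (cert file, key file, inters file, load password, output file, save password, key cipher), the TSslPrivKeyCipher value PrivKeyEncAES256, a TX509Base.LoadFromFile overload taking (FileName, IncludePKey, IncludeInters, Password) with the TCertReadOpt value croTry, and a ValidateCertChain signature of (Host; var CertStr, ErrStr): TChainResult with values chainOK, chainWarn, chainFail and chainNone; all file names and the host name are constructed placeholders.

```delphi
unit ServerCertSetup;

{ Added example, not part of ICS. Parameter orders, enum values and the
  LoadFromFile overload used below are assumptions (see lead-in). }

interface

uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsSslX509Utils;

{ Returns True when the context was initialised with a validated chain.
  Report receives the chain listing plus any warning or error text. }
function PrepareServerContext(SslContext: TSslContext;
                              const CertFile, KeyFile, InterFile,
                              BundleFile, KeyPassword, Host: String;
                              out Report: String): Boolean;

implementation

function PrepareServerContext(SslContext: TSslContext;
                              const CertFile, KeyFile, InterFile,
                              BundleFile, KeyPassword, Host: String;
                              out Report: String): Boolean;
var
  CertStr, ErrStr: String;
  Res: TChainResult;
begin
  Result := False;
  Report := '';

  { 1 - combine the three separate files into one bundle; the output
        format follows the extension of BundleFile (.p12 here), and the
        private key inside it is encrypted with KeyPassword.
        Input files are unencrypted, so the load password is empty. }
  CreateCertBundle(CertFile, KeyFile, InterFile, '', BundleFile,
                   KeyPassword, PrivKeyEncAES256);

  { 2 - load cert, key and intermediates together into the context's
        TX509Base; PEM, DER, PKCS12 and PKCS8 are all accepted here }
  SslContext.SslCertX509.LoadFromFile(BundleFile, croTry, croTry, KeyPassword);
  if not (SslContext.SslCertX509.IsCertLoaded and
          SslContext.SslCertX509.IsPkeyLoaded) then begin
    Report := 'Certificate or private key missing from ' + BundleFile;
    Exit;
  end;
  if not SslContext.SslCertX509.IsInterLoaded then
    Report := 'Warning: no intermediate certificates loaded' + sLineBreak;

  { 3 - validate the cert against its intermediates and the server host
        name before the server starts, so misconfiguration is reported
        here rather than as handshake failures at clients }
  Res := SslContext.SslCertX509.ValidateCertChain(Host, CertStr, ErrStr);
  Report := Report + CertStr + sLineBreak;
  case Res of
    chainOK:   Report := Report + 'Chain OK';
    chainWarn: Report := Report + 'Chain warning: ' + ErrStr;
  else
    { chainFail or chainNone: do not start with a broken chain }
    Report := Report + 'Chain failed: ' + ErrStr;
    Exit;
  end;

  { 4 - forward secrecy only cipher list, then initialise. Because
        SslCertX509 already holds a cert, InitContext ignores the
        SslCertFile/SslPrivKeyFile/SslCAFile properties and calls
        SslSetCertX509 to install cert, key and intermediates together. }
  SslContext.SslCipherList := sslCiphersMozillaSrvInterFS;
  SslContext.InitContext;
  Result := True;
end;

end.
```

A chainWarn result (for example a certificate close to expiry) still starts the server but leaves the warning text in Report, so callers should log it; chainFail and chainNone return False and the context is never initialised.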
Samples/Delphi/SslInternet/OverbyteIcsPemTool1.dfm
Samples/Delphi/SslInternet/OverbyteIcsPemTool1.pas
Samples/Delphi/SslInternet/OverbyteIcsPemTool3.dfm
Samples/Delphi/SslInternet/OverbyteIcsPemTool3.pas
Finished changes for TSslCertTools. Simplified creating bundles from Windows with new functions.

Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.dfm
Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.pas
Added SslSecLevel to set minimum effective bits for certificate key length; 128 bits and higher won't usually work! Load certificates into SslCertX509, which supports PEM, DER, PKCS12 and PKCS8 formats, and check the chain for errors before initialising the SSL context; the chain is also reported. Removed old ciphers, added the new cipher list.

Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.dfm
Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.pas
Added SslSecLevel to set minimum effective bits for certificate key length; 128 bits and higher won't usually work! Simplified listing the certificate chain in the handshake.

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be