The recent SSL changes allow ICS servers to load SSL certificates in
various formats and easily validate them. Previously a lot of SSL
problems were caused by loading the wrong certificates, since there was no
feedback other than failed connections.

But I implemented this in a fully backward compatible way, so server
applications need to load SSL certificates the new way.  Using the old
SslContext properties SslCertFile, SslCAFile and SslPrivKeyFile still
loads only PEM base64 files without validation.

Currently, if the new public property SslSetCertX509 is used to load
certificates, these are loaded into the context instead of the
published properties when the InitContext is called, or when the
SslSetCertX509 method is called.  

But perhaps it would be easier to understand and update existing
applications if ICS loaded the existing published properties via
SslSetCertX509 so they support multiple certificate formats.  The issue
is how, and if, this is a good idea:

1 - Leave backward compatibility as now, so program changes are needed to
use new format certificates.

2 - Automatically use existing published SSL file properties to load
new format certificates via SslSetCertX509.  No program changes needed,
except if you want to validate certificates after loading.  May not be
fully backward compatible if old separate methods like
LoadCertFromChainFile are used to load files.  Potentially space saving
since old loading code can be removed, simplifying maintenance.

3 - SslContext has a new published property NewLoading that must be set
to cause the existing published SSL file properties to be used (as 2).
No space or maintenance saving.  

Can you please reply to this email with solution 1, 2 or 3, or any
better suggestions. 

Angus
-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be