[twsocket] How to fill ICS SSL with different certificates ?

Thu, 21 Sep 2017 16:04:58 -0700 

Hi everyone,
I'd like to use a PKCS#7 certificate with ICS 8.44. and OpenSSL 1.1.0f, but I don't know which properties to initialize. 

This is how I initialize SSL Context :

try
    with SslContext do
    begin
        SslECDHMethod := sslECDHAuto;
        SslVerifyPeer := False;
        SslVerifyDepth := 9;
        SslVerifyFlags := [];
        SslCheckHostFlags := [];
        SslSecLevel := sslSecLevel80bits;
        SslOptions := [sslOpt_MICROSOFT_SESS_ID_BUG,
                        sslOpt_NETSCAPE_CHALLENGE_BUG,
                        sslOpt_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
                        sslOpt_MICROSOFT_BIG_SSLV3_BUFFER,
                        sslOpt_SSLEAY_080_CLIENT_DH_BUG,
                        sslOpt_TLS_D5_BUG,
                        sslOpt_TLS_BLOCK_PADDING_BUG,
                        sslOpt_TLS_ROLLBACK_BUG,
                        sslOpt_SINGLE_DH_USE,
                        sslOpt_NETSCAPE_CA_DN_BUG,
sslOpt_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
                        sslOpt_NETSCAPE_DEMO_CIPHER_CHANGE_BUG,
                        sslOpt_CIPHER_SERVER_PREFERENCE];
        SslVerifyPeerModes := [SslVerifyMode_PEER];

        SslSessionCacheModes := [sslSESS_CACHE_SERVER, 
sslSESS_CACHE_NO_INTERNAL_LOOKUP, sslSESS_CACHE_NO_INTERNAL_STORE];

        SslCipherList := sslCiphersMozillaSrvInter;
        SslVersionMethod := sslBestVer_SERVER;
        SslMinVersion := sslVerSSL3;
        SslMaxVersion := sslVerMax;
        SslECDHMethod := sslECDHAuto;
        SslSessionTimeout := 10 * 60;
        SslSessionCacheSize := 20480;
        SslDefaultSessionIDContext := 'WebSSL';
        AutoEnableBuiltinEngines := False;

        SslCAFile := "D:\Web\CertificatSSL.p7b";
        SslCAPath := ExtractFilePath(SslCAFile);
        SslCertFile := SslCAFile;
    end;

    SslCertX509.LoadFromFile(CertificatSSL, croTry, croTry);

    if TWSslContext.IsCtxInitialized then
    begin
        TWSslContext.DeInitContext;
        SslHttpServer.WSocketServer.ResetSSL;
    end;
    TWSslContext.InitContext;

    { V8.07 load OpenSSL, then display OpenSSL DLL name and version  }

    GSSLEAY_DLL_IgnoreNew := FileExists(HttpServer.DocDir + 
'\ssleay32.dll');  { V8.07 ignore OpenSSL 1.1.0 and later }

    TWSslStaticLock.Enabled := True ;
    if not FileExists(GLIBEAY_DLL_FileName) then
        DoLog(0, 'SSL/TLS DLL not found : ' + GLIBEAY_DLL_FileName)
    else
    begin
        DoLog(1, 'SSL/TLS DLL : OK');

        DoLog(1, 'Version : ' + OpenSslVersion + ' (' + 
GLIBEAY_DLL_FileName + ')');

    end;

    if not TWSslContext.SslCertX509.IsPkeyLoaded then
        DoLog(1, 'Pkey not Loaded');
    if not TWSslContext.SslCertX509.IsInterLoaded then
        DoLog(1, 'Inter certs not Loaded');


 TWSslContext.SslCertX509.LoadCATrustFromString(sslRootCACertsBundle); 
{ trusted root so we check chain }
    Validation := TWSslContext.SslCertX509.ValidateCertChain('', 
InfoCertificat, ErrStr);  { really need host name  }

    DoLog(0, InfoCertificat);
    if TWSslContext.SslCertX509.HasExpired then

        DoLog(0, '******* [ALERT] SSL Certificate has expired : ' + 
TWFormatDateTime(FDATE, TWSslContext.SslCertX509.ValidNotAfter) + ' 
*******')

    else if (Date + 30) > TWSslContext.SslCertX509.ValidNotAfter then

        DoLog(0, '******* [WARNING] SSL Certificate expires shortly : 
' + TWFormatDateTime(FDATE, TWSslContext.SslCertX509.ValidNotAfter) + 
' *******')

    else

        DoLog(1, 'Expiration date : ' + TWFormatDateTime(FDATE, 
TWSslContext.SslCertX509.ValidNotAfter));

    if Validation = chainWarn then
        ErrStr := 'Chain Warning - ' + ErrStr
    else if Validation <> chainOK then
        ErrStr := 'Chain Failed - ' + ErrStr;
    if ErrStr <> '' then
        DoLog(0, ErrStr);

    if Validation <> chainFail then
        SslHttpServer.Start;
except
    on E: Exception do

        raise Exception.Create('Failed to initialize SSL Context : ' + 
E.Message);

end;



This is the result :

00:43:21:570 - SSL/TLS DLL : OK

00:43:21:571 - Version : OpenSSL 1.1.0f  25 May 2017 
(D:\Web\libcrypto-1_1.dll)

00:43:21:573 - Pkey not Loaded
00:43:21:579 - Server: Issued to (CN): *.mydomain.com
Alt Domains: *.mydomain.com, mydomain.com
Issued by (CN): Gandi Standard SSL CA 2, (O): Gandi
Serial Number: ....
Fingerprint (sha1): ....
Expires: 03/04/2020, Signature: sha256WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits

Intermediate: Issued to (CN): Gandi Standard SSL CA 2, (O): Gandi

Issued by (CN): USERTrust RSA Certification Authority, (O): The 
USERTRUST Network

Serial Number: ...
Fingerprint (sha1): ...
Expires: 11/09/2024, Signature: sha384WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits

Intermediate: Issued to (CN): USERTrust RSA Certification Authority, 
(O): The USERTRUST Network

Issued by (CN): AddTrust External CA Root, (O): AddTrust AB
Serial Number: ...
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha384WithRSAEncryption
Public Key: RSA Key Encryption 4096 bits
Intermediate: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Intermediate: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Trusted CA: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
00:43:21:583 - Expiration date : 03/04/2020
00:43:23:925 - HTTPS Server is waiting for connections on port : 8081
00:43:25:067 - HTTP Server is waiting for connections on port : 8080




But when I tried to go to my URL with firefox (55) or IE (11), I had 
got  this :

23:56:19:808 - [10.77.248.1] SNI "subdomain1.mydomain.com" received

23:56:19:808 - [10.77.248.1] SslHandshake failed (193) : 
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher



I've tried locally, it's the same :

00:03:31:428 - [127.0.0.1] SslHandshake failed (407) : 
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

00:03:31:428 - [127.0.0.1] SNI "localhost" received

00:03:31:428 - [127.0.0.1] SslHandshake failed (193) : 
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher




So I generated a self-signed certficate whith OverbytesTool, and this is 
the result  :

00:18:13:092 - [10.77.248.1] SSL Connected OK with TLSv1.2, cipher 
ECDHE-RSA-AES128-GCM-SHA256, key auth RSA, key exchange ECDH, 
encryption AESGCM(128), message auth AEAD : SessionReused 0




I dont understand how to fill the TSslContext properties : SslCAFile, 
SslCAPath, SslCertFile, ... when It's not au PEM certificate, Is there a 
guide ?


Thanks for the help

Guillaume ROQUES
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be





















					Reply via email to