Hi everyone,
I'd like to use a PKCS#7 certificate with ICS 8.44. and OpenSSL 1.1.0f,
but I don't know which properties to initialize.
This is how I initialize SSL Context :
try
with SslContext do
begin
SslECDHMethod := sslECDHAuto;
SslVerifyPeer := False;
SslVerifyDepth := 9;
SslVerifyFlags := [];
SslCheckHostFlags := [];
SslSecLevel := sslSecLevel80bits;
SslOptions := [sslOpt_MICROSOFT_SESS_ID_BUG,
sslOpt_NETSCAPE_CHALLENGE_BUG,
sslOpt_NETSCAPE_REUSE_CIPHER_CHANGE_BUG,
sslOpt_MICROSOFT_BIG_SSLV3_BUFFER,
sslOpt_SSLEAY_080_CLIENT_DH_BUG,
sslOpt_TLS_D5_BUG,
sslOpt_TLS_BLOCK_PADDING_BUG,
sslOpt_TLS_ROLLBACK_BUG,
sslOpt_SINGLE_DH_USE,
sslOpt_NETSCAPE_CA_DN_BUG,
sslOpt_NO_SESSION_RESUMPTION_ON_RENEGOTIATION,
sslOpt_NETSCAPE_DEMO_CIPHER_CHANGE_BUG,
sslOpt_CIPHER_SERVER_PREFERENCE];
SslVerifyPeerModes := [SslVerifyMode_PEER];
SslSessionCacheModes := [sslSESS_CACHE_SERVER,
sslSESS_CACHE_NO_INTERNAL_LOOKUP, sslSESS_CACHE_NO_INTERNAL_STORE];
SslCipherList := sslCiphersMozillaSrvInter;
SslVersionMethod := sslBestVer_SERVER;
SslMinVersion := sslVerSSL3;
SslMaxVersion := sslVerMax;
SslECDHMethod := sslECDHAuto;
SslSessionTimeout := 10 * 60;
SslSessionCacheSize := 20480;
SslDefaultSessionIDContext := 'WebSSL';
AutoEnableBuiltinEngines := False;
SslCAFile := "D:\Web\CertificatSSL.p7b";
SslCAPath := ExtractFilePath(SslCAFile);
SslCertFile := SslCAFile;
end;
SslCertX509.LoadFromFile(CertificatSSL, croTry, croTry);
if TWSslContext.IsCtxInitialized then
begin
TWSslContext.DeInitContext;
SslHttpServer.WSocketServer.ResetSSL;
end;
TWSslContext.InitContext;
{ V8.07 load OpenSSL, then display OpenSSL DLL name and version }
GSSLEAY_DLL_IgnoreNew := FileExists(HttpServer.DocDir +
'\ssleay32.dll'); { V8.07 ignore OpenSSL 1.1.0 and later }
TWSslStaticLock.Enabled := True ;
if not FileExists(GLIBEAY_DLL_FileName) then
DoLog(0, 'SSL/TLS DLL not found : ' + GLIBEAY_DLL_FileName)
else
begin
DoLog(1, 'SSL/TLS DLL : OK');
DoLog(1, 'Version : ' + OpenSslVersion + ' (' +
GLIBEAY_DLL_FileName + ')');
end;
if not TWSslContext.SslCertX509.IsPkeyLoaded then
DoLog(1, 'Pkey not Loaded');
if not TWSslContext.SslCertX509.IsInterLoaded then
DoLog(1, 'Inter certs not Loaded');
TWSslContext.SslCertX509.LoadCATrustFromString(sslRootCACertsBundle);
{ trusted root so we check chain }
Validation := TWSslContext.SslCertX509.ValidateCertChain('',
InfoCertificat, ErrStr); { really need host name }
DoLog(0, InfoCertificat);
if TWSslContext.SslCertX509.HasExpired then
DoLog(0, '******* [ALERT] SSL Certificate has expired : ' +
TWFormatDateTime(FDATE, TWSslContext.SslCertX509.ValidNotAfter) + '
*******')
else if (Date + 30) > TWSslContext.SslCertX509.ValidNotAfter then
DoLog(0, '******* [WARNING] SSL Certificate expires shortly :
' + TWFormatDateTime(FDATE, TWSslContext.SslCertX509.ValidNotAfter) +
' *******')
else
DoLog(1, 'Expiration date : ' + TWFormatDateTime(FDATE,
TWSslContext.SslCertX509.ValidNotAfter));
if Validation = chainWarn then
ErrStr := 'Chain Warning - ' + ErrStr
else if Validation <> chainOK then
ErrStr := 'Chain Failed - ' + ErrStr;
if ErrStr <> '' then
DoLog(0, ErrStr);
if Validation <> chainFail then
SslHttpServer.Start;
except
on E: Exception do
raise Exception.Create('Failed to initialize SSL Context : ' +
E.Message);
end;
This is the result :
00:43:21:570 - SSL/TLS DLL : OK
00:43:21:571 - Version : OpenSSL 1.1.0f 25 May 2017
(D:\Web\libcrypto-1_1.dll)
00:43:21:573 - Pkey not Loaded
00:43:21:579 - Server: Issued to (CN): *.mydomain.com
Alt Domains: *.mydomain.com, mydomain.com
Issued by (CN): Gandi Standard SSL CA 2, (O): Gandi
Serial Number: ....
Fingerprint (sha1): ....
Expires: 03/04/2020, Signature: sha256WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Intermediate: Issued to (CN): Gandi Standard SSL CA 2, (O): Gandi
Issued by (CN): USERTrust RSA Certification Authority, (O): The
USERTRUST Network
Serial Number: ...
Fingerprint (sha1): ...
Expires: 11/09/2024, Signature: sha384WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Intermediate: Issued to (CN): USERTrust RSA Certification Authority,
(O): The USERTRUST Network
Issued by (CN): AddTrust External CA Root, (O): AddTrust AB
Serial Number: ...
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha384WithRSAEncryption
Public Key: RSA Key Encryption 4096 bits
Intermediate: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Intermediate: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
Trusted CA: Issued to (CN): AddTrust External CA Root, (O): AddTrust AB
Issuer: Self Signed
Serial Number: 01
Fingerprint (sha1): ...
Expires: 30/05/2020, Signature: sha1WithRSAEncryption
Public Key: RSA Key Encryption 2048 bits
00:43:21:583 - Expiration date : 03/04/2020
00:43:23:925 - HTTPS Server is waiting for connections on port : 8081
00:43:25:067 - HTTP Server is waiting for connections on port : 8080
But when I tried to go to my URL with firefox (55) or IE (11), I had
got this :
23:56:19:808 - [10.77.248.1] SNI "subdomain1.mydomain.com" received
23:56:19:808 - [10.77.248.1] SslHandshake failed (193) :
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
I've tried locally, it's the same :
00:03:31:428 - [127.0.0.1] SslHandshake failed (407) :
error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
00:03:31:428 - [127.0.0.1] SNI "localhost" received
00:03:31:428 - [127.0.0.1] SslHandshake failed (193) :
error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
So I generated a self-signed certficate whith OverbytesTool, and this is
the result :
00:18:13:092 - [10.77.248.1] SSL Connected OK with TLSv1.2, cipher
ECDHE-RSA-AES128-GCM-SHA256, key auth RSA, key exchange ECDH,
encryption AESGCM(128), message auth AEAD : SessionReused 0
I dont understand how to fill the TSslContext properties : SslCAFile,
SslCAPath, SslCertFile, ... when It's not au PEM certificate, Is there a
guide ?
Thanks for the help
Guillaume ROQUES
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be