Re: [twsocket] SSL OnHandshakeDone certificate contains empty members
Hi Arno

Thanks for the quick reply.

Setting the client's SslContext obj property SslVerifyPeer = true yields an errCode = 1 in the client's HandshakeDone event (not a winsock error).

I tried setting up the client's SslContext::SslPrivKeyFile to the "C:\ ... \ClientKey.pem" file created by the IcsSslBuildCerts.bat file and retried, got ErrCode = 1 still. I also tried setting up SslContext::SslCertFile on the client to "C:\ ... \ClientCert.pem" created by IcsSslBuildCerts.bat, but still ErrCode = 1.

I should note that the passphrase was set up correctly to "password"; failing to do so gave me an exception.

Any idea what might be causing this errCode = 1?

Below are some snippets from the initializing code and the DFM files. All cert files are located in my "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\" folder.

Server init code:

    SslWSocketServer1->SslContext = this->SslContext1;
    SslWSocketServer1->OnClientConnect = SslWSocketServer1ClientConnect;
    SslWSocketServer1->SslMode = sslModeServer;
    SslWSocketServer1->Proto = "tcp";
    SslWSocketServer1->Addr = "0.0.0.0"; // Use any interface
    SslWSocketServer1->Port = "443";
    SslWSocketServer1->SslEnable = true;
    SslContext1->SslCertFile = "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\ServerCert.pem";
    SslContext1->SslPassPhrase = "password";
    SslContext1->SslPrivKeyFile = "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\ServerKey.pem";
    SslContext1->SslCAFile = "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\ServerCA.pem";
    SslContext1->SslCAPath = "";
    SslContext1->SslVerifyPeer = true;
    SslWSocketServer1->SetAcceptableHostsList("127.0.0.1;www.overbyte.be;www.borland.com");
    SslWSocketServer1->Listen();
    SslWSocketServer1->ClientClass = __classid(TTcpSrvClient); // Use our component
    Display("Listening...");

Server DFM:

    object SslWSocketServer1: TSslWSocketServer
      LineMode = False
      LineLimit = 65536
      LineEnd = #13#10
      LineEcho = False
      LineEdit = False
      Addr = '0.0.0.0'
      Port = '443'
      Proto = 'tcp'
      LocalAddr = '0.0.0.0'
      LocalPort = '0'
      MultiThreaded = False
      MultiCast = False
      MultiCastIpTTL = 1
      FlushTimeout = 60
      SendFlags = wsSendNormal
      LingerOnOff = wsLingerOn
      LingerTimeout = 0
      KeepAliveOnOff = wsKeepAliveOff
      KeepAliveTime = 0
      KeepAliveInterval = 0
      SocksLevel = '5'
      SocksAuthentication = socksNoAuthentication
      LastError = 0
      ReuseAddr = False
      ComponentOptions = []
      ListenBacklog = 5
      ReqVerLow = 1
      ReqVerHigh = 1
      Banner = 'Welcome to OverByte ICS TcpSrv'
      BannerTooBusy = 'Sorry, too many clients'
      MaxClients = 0
      SslEnable = True
      Left = 352
      Top = 240
    end
    object SslContext1: TSslContext
      SslVerifyPeer = False
      SslVerifyDepth = 9
      SslOptions = []
      SslVerifyPeerModes = [SslVerifyMode_PEER]
      SslSessionCacheModes = [sslSESS_CACHE_SERVER]
      SslCipherList = 'ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH'
      SslVersionMethod = sslV23_SERVER
      SslSessionTimeout = 0
      SslSessionCacheSize = 20480
      SslDefaultSessionIDContext = 'dfhgdfg'
      Left = 384
      Top = 240
    end

Client init code:

    Sock->SslContext = this->SslContext1;
    Sock->SslEnable = false;
    Sock->SslMode = sslModeClient;
    Sock->OnDataAvailable = SockDataAvailable;
    Sock->OnSessionClosed = SockSessionClosed;
    Sock->OnSessionConnected = SockSessionConnected;
    Sock->OnSslHandshakeDone = SockSslHandshakeDone;
    Sock->OnSslCliCertRequest = SockSslCliCertRequest;
    SslContext1->SslVerifyPeer = true;
    SslContext1->SslCertFile = "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\ClientCert.pem";
    SslContext1->SslPrivKeyFile = "C:\\cvswork\\prereq\\ics\\Delphi\\SslInternet\\SslCerts\\ClientKey.pem";
    SslContext1->SslPassPhrase = "password";
    Sock->Addr = "127.0.0.1";
    Sock->Port = "443";
    Sock->SslEnable = false;
    Sock->Connect();

    // Client Connect event
    void __fastcall TForm2::SockSessionConnected(TObject* Sender, Word ErrCode)
    {
        if (ErrCode == 0) {
            Sock->SslEnable = true;
            Sock->StartSslHandshake();
            Button1->Enabled = false;
            Button2->Enabled = true;
        }
    }

    // Client Handshake done event
    void __fastcall TForm2::SockSslHandshakeDone(TObject* Sender, Word ErrCode,
                                                 TX509Base* PeerCert, bool& Disconnect)
    {
        // ErrCode resolves to 1 ... should be 0 if successful
        Memo1->Lines->Add("SockSslHandshakeDone, ErrCode = " + IntToStr(ErrCode) +
                          ", Desc = " + WSocketErrorDesc(ErrCode));
        // All data members read contain NULL or other default values.
        PeerCert->IssuerOneLine;
        AnsiString s = PeerCert->GetRawText();
        PeerCert->Sub
[twsocket] TIcsLogger.DoDebugLog optimization
TIcsLogger.DoDebugLog uses a non-optimal algorithm dealing with timestamps: it is being added to Msg three times. I suggest changing the code as follows:

    procedure TIcsLogger.DoDebugLog(
        Sender    : TObject;
        LogOption : TLogOption;
        Msg       : String); // remove const to avoid declaring a local variable
    begin
    {$IFNDEF NO_LOGGER_MT}
        Lock;
        try
    {$ENDIF}
    {$IFDEF VCL}
        if csDestroying in Componentstate then { V1.02 }
            Exit;
    {$ENDIF}
        if loAddStamp in FLogOptions then
            Msg := AddTimeStamp + FTimeStampSeparator + Msg; // construct new Msg

        if loDestEvent in FLogOptions then
            if Assigned(FOnIcsLogEvent) then
                FOnIcsLogEvent(Sender, LogOption, Msg);

        if loDestOutDebug in FLogOptions then
            OutputDebugString(TOutputDebugStringType(Msg));

        if loDestFile in FLogOptions then
            WriteToLogFile(Msg + #13#10); {V6.03}
    {$IFNDEF NO_LOGGER_MT}
        finally
            Unlock;
        end;
    {$ENDIF}
    end;

--
Anton

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Re: [twsocket] TIcsLogger.DoDebugLog optimization
Anton,

> TIcsLogger.DoDebugLog uses non-optimal algorithm dealing with
> timestamps: it is being added to Msg three times.

I do not think that people use multiple log destinations at the same time. Currently the string is allocated and concatenated only when actually required.

> I suggest change
> the code as following:

This is non-optimal as well. You always concatenate and allocate the string even though it's not used. That sure leads to smaller source code but only performs faster _if_ you actually write to multiple log destinations.

--
Arno Garrels

> procedure TIcsLogger.DoDebugLog(
>     Sender    : TObject;
>     LogOption : TLogOption;
>     Msg       : String); // remove const to avoid declaring a local
> variable
> begin
> {$IFNDEF NO_LOGGER_MT}
>     Lock;
>     try
> {$ENDIF}
> {$IFDEF VCL}
>     if csDestroying in Componentstate then { V1.02 }
>         Exit;
> {$ENDIF}
>     if loAddStamp in FLogOptions then
>         Msg := AddTimeStamp + FTimeStampSeparator + Msg; //
> construct new Msg
>
>     if loDestEvent in FLogOptions then
>         if Assigned(FOnIcsLogEvent) then
>             FOnIcsLogEvent(Sender, LogOption, Msg);
>
>     if loDestOutDebug in FLogOptions then
>         OutputDebugString(TOutputDebugStringType(Msg));
>
>     if loDestFile in FLogOptions then
>         WriteToLogFile(Msg + #13#10); {V6.03}
> {$IFNDEF NO_LOGGER_MT}
>     finally
>         Unlock;
>     end;
> {$ENDIF}
> end;
>
> --
> Anton
Re: [twsocket] SSL OnHandshakeDone certificate contains empty members
Kurt,

> Setting the Clients SslContext obj property SslVerifyPeer = true
> yields an errCode = 1 in the Clients HandshakeDone event (not a
> winsock error)
>
> I tried setting up the clients SslContext::SslPrivKeyFile to the "C:\
> ... \ClientKey.pem" file created by the IcsSslBuildCerts.bat file and
> retried, got ErrCode = 1 still.

First of all, the private key has nothing to do with peer/certificate verification. The purpose of SslVerifyPeer is to check for a complete, valid and trusted certificate chain. For example:

    Root signed-> intermediate signed-> peer certificate.

Usually the peer (in your case the server) sends the peer certificate. In order to be able to build the chain you have to provide the root and intermediate certificate locally, either included in a single PEM file (property TSslContext.SslCAFile, example: Ics\Delphi\Sslinternet\TrustedCABundle.pem) or as separate files (property TSslContext.SslCAPath, example: Ics\Delphi\SslInternet\TrustedCaStore). At least the root cert must be available in one of these trusted locations locally. The peer might send all or intermediate and peer certificates or just a single self-signed (root) certificate.

Handle event OnSslVerifyPeer and see what happens:

    procedure THttpsTstForm.SslHttpCli1SslVerifyPeer(
        Sender : TObject;
        var Ok : Integer;
        Cert   : TX509Base);
    begin
        Ok := 1; // Marks current check as passed
                 // just for testing or to skip any error.
        Display('Checking certificate'#13#10 +
                'Subject: "' + Cert.SubjectOneLine + '"'#13#10 +
                'Issuer: "' + Cert.IssuerOneLine + '"'#13#10 +
                'Verify result: ' + Cert.VerifyErrMsg +
                ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
    end;

--
Arno Garrels
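As an added example (Object Pascal, written for this archive page and not code from the thread or from ICS), here are the two client-side handlers Arno's advice calls for, with the OnSslVerifyPeer result left as OpenSSL set it instead of being forced to 1, and PeerCert read only after a clean handshake. It assumes Kurt's TForm2 with Sock: TSslWSocket, Memo1: TMemo and SslContext1, that SslContext1.SslCAFile points at the PEM holding the CA that signed ServerCert.pem, and that SysUtils is in the uses clause; the names SockSslVerifyPeer and ConnectClient are made up here.

```delphi
{ Added example: logs every certificate OpenSSL presents while building the
  chain but does not override the result. Unlike the "Ok := 1" test snippet,
  an unknown CA or a bad signature still fails the handshake. }
procedure TForm2.SockSslVerifyPeer(Sender: TObject; var Ok: Integer;
  Cert: TX509Base);
begin
  Memo1.Lines.Add(Format('Depth %d: subject "%s"',
                         [Cert.VerifyDepth, Cert.SubjectOneLine]));
  Memo1.Lines.Add('         issuer  "' + Cert.IssuerOneLine + '"');
  if Ok = 1 then
    Memo1.Lines.Add('         verify: passed')
  else
    Memo1.Lines.Add('         verify: FAILED - ' + Cert.VerifyErrMsg);
  { Ok is deliberately not assigned: forcing Ok := 1 would accept any peer. }
end;

{ Reads PeerCert only after a successful handshake. With ErrCode <> 0 the
  members were empty in the original report, so the connection is dropped
  rather than used. }
procedure TForm2.SockSslHandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
begin
  if ErrCode <> 0 then begin
    Memo1.Lines.Add('Handshake failed, ErrCode = ' + IntToStr(ErrCode) +
                    ', dropping connection');
    Disconnect := True;
    Exit;
  end;
  Memo1.Lines.Add('Handshake OK, peer subject: ' + PeerCert.SubjectOneLine);
  Memo1.Lines.Add('Peer issuer: ' + PeerCert.IssuerOneLine);
end;

{ Hooks both handlers before Connect; the remaining client setup (SslMode,
  Addr, Port, SslEnable) is as in the original post. Assumed helper name. }
procedure TForm2.ConnectClient;
begin
  Sock.OnSslVerifyPeer    := SockSslVerifyPeer;
  Sock.OnSslHandshakeDone := SockSslHandshakeDone;
  SslContext1.SslVerifyPeer := True;   { CA chain comes from SslCAFile }
  Sock.Connect;
end;
```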
Re: [twsocket] TIcsLogger.DoDebugLog optimization
Arno,

> I do not think that people use multiple log destinations at the
> same time. Currently the string is allocated and concatenated
> only when actually required.

But it's possible. My modification is more compact also.

> This is non-optimal as well.
> You always concatenate and allocate the string even though it's
> not used. That sure leads to smaller source code but only performs
> faster _if you actually write to multiple log destinations.

Where? I concatenate it _only_ if loAddStamp is set and it's the same as execute procedure with AddTimeStamp + Msg. Maybe you mean that additional concatenation with #13#10? I think it would be better to move this to WriteToLogFile because newline is added before call to this method anyway. Moreover I think additional check should be added to determine whether newline is already present in Msg - in that case it shouldn't attach another one.

--
Anton
Re: [twsocket] TIcsLogger.DoDebugLog optimization
Anton,

>> I do not think that people use multiple log destinations at the
>> same time. Currently the string is allocated and concatenated
>> only when actually required.
>>
> But it's possible. My modification is more compact also.

Yes it is possible but rather unlikely IMO.

>> This is non-optimal as well.
>> You always concatenate and allocate the string even though it's
>> not used. That sure leads to smaller source code but only performs
>> faster _if you actually write to multiple log destinations.
>
> Where? I concatenate it _only_ if loAddStamp is set and it's the same
> as execute procedure with AddTimeStamp + Msg.

You do it always if loAddStamp is set regardless whether one of the destination options is set and in case of loDestEvent the OnIcsLogEvent is assigned or not.

--
Arno Garrels
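An added variant of the method (written for this page; not the ICS source and not Anton's or Arno's code) that takes both points in the thread: the stamped line is built at most once, and only when at least one destination will actually consume it, which also covers Arno's case of loDestEvent with no handler assigned. It uses the members visible in the quoted method; TLogOptions is assumed to be the set type of TLogOption as in ICS, and the locals Line and Dest are new.

```delphi
{ Added example: build the log line once, and only for destinations that
  will really be written. Msg can stay const because the result goes into
  a local. }
procedure TIcsLogger.DoDebugLog(Sender: TObject; LogOption: TLogOption;
  const Msg: String);
var
  Line : String;
  Dest : TLogOptions;   { assumed: set of TLogOption }
begin
{$IFNDEF NO_LOGGER_MT}
  Lock;
  try
{$ENDIF}
{$IFDEF VCL}
    if csDestroying in ComponentState then
      Exit;
{$ENDIF}
    { Which destinations will be written? loDestEvent only counts when a
      handler is assigned, so an unassigned event costs nothing. }
    Dest := FLogOptions * [loDestEvent, loDestOutDebug, loDestFile];
    if (loDestEvent in Dest) and not Assigned(FOnIcsLogEvent) then
      Exclude(Dest, loDestEvent);
    if Dest = [] then
      Exit;   { no allocation and no AddTimeStamp call at all }

    { The timestamp is prepended exactly once, whatever the fan-out. }
    if loAddStamp in FLogOptions then
      Line := AddTimeStamp + FTimeStampSeparator + Msg
    else
      Line := Msg;

    if loDestEvent in Dest then
      FOnIcsLogEvent(Sender, LogOption, Line);
    if loDestOutDebug in Dest then
      OutputDebugString(TOutputDebugStringType(Line));
    if loDestFile in Dest then
      WriteToLogFile(Line + #13#10);
{$IFNDEF NO_LOGGER_MT}
  finally
    Unlock;   { runs for the early Exits as well }
  end;
{$ENDIF}
end;
```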