Delphi XE and Indy SSL connection with trusted certificate

Hi,
In the procedure *TIdSSLContext.InitContext(CtxMode: TIdSSLCtxMode)*; (IdSSLOpenSSL.pas)
Lines 
{code}  // CA list
  if RootCertFile <> '' then begin    {Do not Localize}
    SSL_CTX_set_client_CA_list(fContext, IndySSL_load_client_CA_file(RootCertFile));
  end{code}

In the function *IndySSL_load_client_CA_file(const AFileName: String): PSTACK_OF_X509_NAME;*    

The second time through the loop
{code}while (PEM_read_bio_X509(LB, @LX, nil, nil) <> nil) do begin{code}
raises an exception (EAccessViolation in libeay32.dll) when my RootCertFile has more than one CA public key.

My RootCertFile was extracted from my JVM keystore.
When my RootCertFile is like the one below (only one CA public key), I get the expected response: "certificate verify failed", which is correct because the right CA is not in my RootCertFile.
"
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 76 entries

Alias name: digicertassuredidrootca
Creation date: Jan 7, 2008
Entry type: trustedCertEntry

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
"

When I replace the lines of *InitContext* with the code below (which was used with Indy 9 and Delphi 7), there is no problem anymore.
{code}  // CA list
  if RootCertFile <> '' then begin    {Do not Localize}
    pRootCertFile := PAnsiChar(AnsiString(RootCertFile));
    SSL_CTX_set_client_CA_list(fContext, SSL_load_client_CA_file(pRootCertFile));
  end{code}
My question: why has Indy replaced the callback procedure *SSL_load_client_CA_file* with the Indy procedure *IndySSL_load_client_CA_file*? Is it risky to replace it with the OpenSSL callback?

Thanks,
Gwénaël MANCEAU

Utf
4/13/2012 9:23:35 AM
embarcadero.delphi.tools


Gwénaël wrote:

> In the function *IndySSL_load_client_CA_file(const AFileName: String):
> PSTACK_OF_X509_NAME;*
> 
> The second time through the loop
> 
> {code}while (PEM_read_bio_X509(LB, @LX, nil, nil) <> nil) do
> begin{code}
> 
> raise an exception (EAccessViolation in libeay32.dll) when my
> RootCertFile have more than 1 public key CA.

Can you provide such a certificate for testing?

> My question : Why Indy has replaced the callback procedure
> *SSL_load_client_CA_file* by the indy procedure
> *IndySSL_load_client_CA_file*.

To support Unicode filenames on Windows and D2009+, and UTF-8 filenames on 
Posix.  OpenSSL does not natively support Unicode at all.  The source code 
in Indy's wrapper functions is based on OpenSSL's own source code, just replacing 
the pieces that deal with the filenames.

> Is it risky to replace it by the openSSL callback?

What callback are you referring to?

--
Remy Lebeau (TeamB)
Remy
4/13/2012 5:39:40 PM
> 
> Can you provide such a certificate for testing?
> 
To be sure I'm using a trusted certificate, I'm using a Google Secure page.
My testing code is :
{code}IdHTTP1.Get('https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2FManageAccount&followup=https%3A%2F%2Faccounts.google.com%2FManageAccount', stream);
stream.Position := 0;
showMessage(stream.ReadString(stream.Size));{code}
My RootCertFile is too long (2168 lines). I will send it to you by private message.

> > My question : Why Indy has replaced the callback procedure
> > *SSL_load_client_CA_file* by the indy procedure
> > *IndySSL_load_client_CA_file*.
> 
> > Is it risky to replace it by the openSSL callback?
> 
> What callback are you referring to?
> 
In my Indy package, to fix the "EAccessViolation" I replaced the Indy procedure *IndySSL_load_client_CA_file* with the OpenSSL procedure *SSL_load_client_CA_file*. But I don't know the Indy code well enough to tell whether my repair could introduce a bug.
Utf
4/16/2012 7:23:56 AM
Hello Gwénaël,

> In my Indy package, to fix the "EAccessViolation" I replaced the indy
> procedure *IndySSL_load_client_CA_file* by the openSSL procedure
> *SSL_load_client_CA_file*. But I don't know the Indy code enough to
> understand if my repair could bring a bug.

Yes, it will, if you are using Delphi 2009+.  As I explained earlier, OpenSSL 
does not support Unicode filenames, so Indy cannot use SSL_load_client_CA_file() 
under D2009+ without risking corruption of non-ASCII filenames.  That is 
why Indy has its own IndySSL_load_client_CA_file() function to handle Unicode 
filenames directly.  If you can, please step through IndySSL_load_client_CA_file() 
in the debugger and find out exactly why an AV is being raised.  I don't 
have time to try to reproduce it myself right now.

--
Remy Lebeau (TeamB)
Remy
4/17/2012 1:45:37 AM
Hi Remy,
According to http://www.openssl.org/docs/crypto/pem.html#BUGS I have modified the function IndySSL_load_client_CA_file.
At the end of the loop
{code}while (PEM_read_bio_X509(LB, @LX, nil, nil) <> nil) do begin{code}
I insert               
{code}finally
  X509_free(LX);
  LX := nil;
end;{code}
instead of
{code}finally
  X509_free(LX);
end;{code}
Then the SSL connection is established correctly :-)
Is this correction safer than replacing IndySSL_load_client_CA_file with SSL_load_client_CA_file?
Thanks for your advice.
Gwénaël MANCEAU

Utf
4/17/2012 9:28:08 AM
Hello Gwénaël,

> According  http://www.openssl.org/docs/crypto/pem.html#BUGS I have
> modified the function IndySSL_load_client_CA_file.
> At the end of the loop
> {code}while (PEM_read_bio_X509(LB, @LX, nil, nil) <> nil) do
> begin{code}
> I insert
> {code}finally
> X509_free(LX);
> LX := nil;
> end;{code}
> instead of
> {code}finally
> X509_free(LX);
> end;{code}

The existing call to X509_free() is outside of the loop, so setting LX to 
nil in that spot would have no effect.  The bug report on OpenSSL's website 
suggests that Indy would need to call X509_free() inside of the loop instead. 
 Is that what you actually changed?

Indy_unicode_X509_load_cert_file() already calls X509_free() before calling 
PEM_read_bio_X509_AUX(), so I have checked in a similar adjustment for IndySSL_load_client_CA_file() 
now.

--
Remy Lebeau (TeamB)
Remy
4/17/2012 5:40:51 PM
I just downloaded the Indy source from http://indy.fulgan.com/ZIP/Indy10_4743.zip
The Indy SSL file seems to be corrected.
Just to understand the previous messages: I copied the code of the function IndySSL_load_client_CA_file in my workspace (Delphi XE + Indy 10.5.7):
{code}          try
            while (PEM_read_bio_X509(LB, @LX, nil, nil) <> nil) do begin
              try
                if not Assigned(Result) then begin
                  Result := sk_X509_NAME_new_null;
                  if not Assigned(Result) then begin
                    SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
                    Exit;
                  end;
                end;
                LXN := X509_get_subject_name(LX);
                if not Assigned(LXN) then begin
                  // error
                  IndySSL_load_client_CA_file_err(Result);
                  Exit;
                end;
                // * check for duplicates */
                LXNDup := X509_NAME_dup(LXN);
                if not Assigned(LXNDup) then begin
                  // error
                  IndySSL_load_client_CA_file_err(Result);
                  Exit;
                end;
                if (sk_X509_NAME_find(Lsk, LXNDup) >= 0) then begin
                  X509_NAME_free(LXNDup);
                end else begin
                  sk_X509_NAME_push(Lsk, LXNDup);
                  sk_X509_NAME_push(Result, LXNDup);
                end;
              finally
                X509_free(LX);
                LX := nil;//My correction
              end;
            end;//End of while
          finally
            BIO_free(LB);
          end;{code}
Here, the call to X509_free() is inside the loop. In the latest version of IdSSLOpenSSL there is a 'repeat' loop instead of a 'while', and at the end of the 'repeat' loop there is:
{code}                X509_free(LX);
                LX := nil;
              until False;{code}
So my correction seems to be good.
Gwen
Utf
4/18/2012 11:13:11 AM
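The loop discussed in this thread, written out as a stand-alone Delphi console program that reads a PEM bundle and lists the distinct CA subject names it contains. This is an added example, not code from Indy or from either poster. It assumes Indy 10's IdSSLOpenSSLHeaders unit is on the search path and that the OpenSSL DLLs (libeay32/ssleay32) can be loaded. Reading the file with TMemoryStream and handing OpenSSL a memory BIO is one way to keep a Unicode filename out of OpenSSL's char*-only API; that design, the program name, CollectCASubjects, the Assert on the pointer invariant and the TStringList-based duplicate check are all choices of this example, not a description of Indy's implementation. The security-relevant point is the one the thread arrives at: PEM_read_bio_X509(bp, @x, ...) reuses *x when it is non-nil, so a pointer that was freed but not reset to nil is written to on the next iteration (a use-after-free that shows up as the EAccessViolation in libeay32.dll on the second certificate).

```delphi
program CheckCaBundle;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdSSLOpenSSLHeaders;

// Collects the distinct subject names of every certificate in a PEM bundle.
// Returns False if the bundle could not be read or held no certificate.
// Structure mirrors SSL_load_client_CA_file / IndySSL_load_client_CA_file:
// one PEM_read_bio_X509 call per certificate, and every X509 freed AND the
// pointer reset to nil before the next read.
function CollectCASubjects(const AFileName: string; ANames: TStrings): Boolean;
var
  LM: TMemoryStream;
  LB: PBIO;
  LX: PX509;
  LXN: PX509_NAME;
  LBuf: array[0..511] of AnsiChar;
begin
  Result := False;
  ANames.Clear;
  // Delphi opens the (possibly non-ASCII) filename itself; OpenSSL only ever
  // sees a block of memory, never a char* path it could corrupt.
  LM := TMemoryStream.Create;
  try
    LM.LoadFromFile(AFileName);
    LB := BIO_new_mem_buf(LM.Memory, Integer(LM.Size));
    if LB = nil then begin
      Exit;
    end;
    try
      LX := nil;
      repeat
        // Invariant: LX is nil on entry. PEM_read_bio_X509(bp, @x, ...) reuses
        // *x when it is non-nil (BUGS section of the OpenSSL pem man page), so
        // a dangling LX left over from the previous iteration would be written
        // to after X509_free -> EAccessViolation in libeay32.dll on the second
        // certificate of the bundle.
        Assert(LX = nil, 'stale X509 pointer passed to PEM_read_bio_X509');
        if PEM_read_bio_X509(LB, @LX, nil, nil) = nil then begin
          Break; // no further PEM block (or a malformed one)
        end;
        try
          LXN := X509_get_subject_name(LX);
          if LXN = nil then begin
            Exit;
          end;
          // One-line textual DN, NUL-terminated, written into LBuf.
          if X509_NAME_oneline(LXN, @LBuf[0], SizeOf(LBuf)) = nil then begin
            Exit;
          end;
          // ANames is a sorted list with dupIgnore (see below), so a CA that
          // appears twice in the bundle is listed once; same purpose as the
          // sk_X509_NAME_find() duplicate check in SSL_load_client_CA_file.
          ANames.Add(string(AnsiString(PAnsiChar(@LBuf[0]))));
        finally
          X509_free(LX);
          LX := nil; // the fix this thread converged on
        end;
      until False;
      // End of input is reported as PEM_R_NO_START_LINE on the error queue;
      // clear it so a later SSL call does not report it as a real failure.
      ERR_clear_error;
      Result := ANames.Count > 0;
    finally
      BIO_free(LB);
    end;
  finally
    LM.Free;
  end;
end;

var
  LNames: TStringList;
  I: Integer;
begin
  if ParamCount < 1 then begin
    Writeln('usage: CheckCaBundle <rootcertfile.pem>');
    Halt(2);
  end;
  if not IdSSLOpenSSLHeaders.Load then begin
    Writeln('OpenSSL could not be loaded: ', WhichFailedToLoad);
    Halt(1);
  end;
  LNames := TStringList.Create;
  try
    LNames.Sorted := True;
    LNames.Duplicates := dupIgnore;
    if not CollectCASubjects(ParamStr(1), LNames) then begin
      Writeln('no certificate could be read from ', ParamStr(1));
      Halt(1);
    end;
    Writeln(LNames.Count, ' distinct CA subject(s) in ', ParamStr(1));
    for I := 0 to LNames.Count - 1 do begin
      Writeln('  ', LNames[I]);
    end;
  finally
    LNames.Free;
  end;
end.
```

Run it against the RootCertFile exported from the JKS (`CheckCaBundle rootcerts.pem`): with the `LX := nil` line in place it walks all 76 entries; delete that line and the Assert fires on the second certificate, which is the condition that crashed inside libeay32.dll in the original report. One caveat for readers who arrive here with the same "certificate verify failed" problem: in OpenSSL, SSL_CTX_set_client_CA_list() only sets the CA names a server advertises when it asks a peer for a client certificate. It is not what makes those CAs trusted for verifying the remote certificate; that requires the bundle to be loaded into the context's verify store as well, so a bundle that parses cleanly here still has to reach the verify locations for the handshake to succeed.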