SSL via already running TCP/IP Connection

Hi Everyone,

I am writing a connection tool for a third-party device that is accessed via SSL. The exact setup is:

1. Open TCP/IP connection to the device                 (PC is TCP/IP client)
2. Device initiates SSL handshake                          (PC is SSL Server, Device is SSL client)
3. PC Accepts SSL handshake
4. Device verifies PC SSL Server
5. Connection established [running commands]

I have tried to get this done with Indy, but it seems that the server components actually cannot initiate TCP/IP (just listen/accept). I have found 
third-party components (Overbyte, that is) where I was able to implement the above behaviour, but those components require
old OpenSSL versions that I do not wish to use.

Besides writing my own SSL Handshake procedure, is there a way with default Delphi (or Indy) to get this done? I am using Delphi XE5 for 
the record.

I appreciate any insight on that.

greetings!
0
Marcel
3/26/2015 7:29:53 AM
embarcadero.delphi.winsock

8 Replies
925 Views


Marcel wrote:

> I have tried to get this done with Indy, but it seems that the
> server components actually cannot initiate TCP/IP (just listen/accept).

You are thinking about this the wrong way.  You would not use a server *component* 
in this scenario, you need a client *component* that handles SSL in a server 
*mode*.

Use TIdTCPClient (or descendant) with a TIdSSLIOHandlerSocketOpenSSL assigned 
to its IOHandler property.  Set the IOHandler's SSLOptions.Mode property 
to sslmServer, and set its PassThrough property to false before calling 
TIdTCPClient.Connect().  That way, the SSL handshake will be accepted immediately 
when the TCP/IP connection is established, before Connect() exits.  If the 
handshake fails, Connect() will close the connection automatically before 
raising the exception into your code.

-- 
Remy Lebeau (TeamB)
0
Remy
3/26/2015 1:01:01 AM
> I have found third party components (Overbyte that 
> is) where i was able to implement the above behaviour but those 
> components require old OpenSSL Versions that i do not wish to use.

ICS v8 supports OpenSSL 1.0.2a which was released one week ago, there is
nothing newer, you can get v8 and the OpenSSL DLLs from:

http://wiki.overbyte.be/wiki/index.php/ICS_Download

Angus
0
Angus
3/26/2015 2:03:59 PM
Hi Angus,

Strange how I could miss that. I was using the version from October 2013 and thought that was the latest. Thank you very much for that link.

greetings!
0
Marcel
3/26/2015 3:24:27 PM
Hi Remy,

I was able to do as you recommended, but I needed to set the "IsPeer" property of the IOHandler to true additionally. After that, the SSL connection was established. Thanks for your help.

greetings!

0
Marcel
3/30/2015 12:04:25 PM
Marcel wrote:

> I was able to do as you recommended, but I needed to set
> the "IsPeer" property of the IOHandler to true additionally.

Yes, good catch.  The IOHandler needs that in order to call SSL_accept() 
instead of SSL_connect().

However, you do need to be careful with setting IsPeer manually.  IsPeer 
is primarily intended to be True only on a server-side (TIdTCPServer) IOHandler, 
not a client-side (TIdTCPClient) IOHandler.  There are some internal resources 
that are not released when IsPeer is True because they are owned by something 
other than the IOHandler.  On the other hand, the more I think of it, it 
might actually be a bug that the IOHandler is calling SSL_accept() vs SSL_connect() 
based on IsPeer rather than SSLOptions.Mode, at least for sslmClient and 
sslmServer (I suppose sslmBoth would have to still rely on IsPeer).

So, to avoid any leaks on a client-side IOHandler, you might need to set 
PassThrough to True initially and leave IsPeer as False, then establish the 
underlying TCP connection, then set IsPeer to True before setting PassThrough 
to False and reset IsPeer back to False afterwards.  Not sure if that would 
work, I have never used an SSLIOHandler in this manner before.

I'm very curious why the device, being a TCP server, is initiating the handshake 
as an SSL client instead of acting as an SSL server like most TCP servers 
do.  Do you know why the device is backwards like that?

-- 
Remy Lebeau (TeamB)
0
Remy
3/30/2015 6:00:38 PM
Hi Remy,

I will try what you have recommended and give the results here, but for now: the hardware company that is building the device only had access to an SSL client hardware component. Therefore we decided to set up the PC as the SSL server. The device itself is some kind of passive data storage, and the PC software shall access the data actively. Therefore the device listens for incoming connection attempts and thus is the TCP server.

0
Marcel
4/2/2015 11:58:22 AM
Hi Remy,

It works as you suggested. I wonder if there is some sort of timing problem, though. Is it possible that the SSL handshake can be initiated before I set the IsPeer property to true?

greetings

> Marcel Uhlich wrote:
> Hi Remy,
> 
> I will try what you have recommended and give the results here, but for now: the hardware company that is building the device only had access to an SSL client hardware component. Therefore we decided to set up the PC as the SSL server. The device itself is some kind of passive data storage, and the PC software shall access the data actively. Therefore the device listens for incoming connection attempts and thus is the TCP server.
0
Marcel
4/16/2015 8:22:50 AM
Marcel wrote:

> Is it possible that the SSL Handshake can be initiated
> before i set the IsPeer property to true ?

On the device side, it will.  But if PassThrough is still True on your client 
side when you assign IsPeer, the handshake has not been read by your client 
yet, as TIdSSLIOHandlerSocketOpenSSL.OpenEncodedConnection() is not called 
until you set PassThrough to False.

-- 
Remy Lebeau (TeamB)
0
Remy
4/16/2015 5:35:10 PM
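Putting the thread together in one place: Remy's first reply (TIdTCPClient with a TIdSSLIOHandlerSocketOpenSSL in sslmServer mode), the PassThrough/IsPeer ordering from the 3/30 reply, and the timing point from the 4/16 reply (the device's ClientHello is not consumed until PassThrough goes False). The following is an added example written for this page, not code from the thread or from Indy itself. The host, port and certificate file names are placeholders, and it assumes an Indy 10 build whose SSLVersions set exposes sslvTLSv1_2 (recent Indy 10 releases do; if the device's TLS stack is older you will have to widen that set, but SSLv2/SSLv3 should stay out of it). The VerifyMode settings make the PC check the device's certificate against a CA you control, since a TLS server that does not verify its client will happily talk to anything that can reach the device's port.

```delphi
uses
  SysUtils, IdGlobal, IdTCPClient, IdIOHandler, IdSSLOpenSSL;

// Connects to the device as a TCP client, then runs the TLS handshake
// with the PC in the TLS *server* role (the device is the TLS client).
// Returns the first line the device sends after the handshake.
function ConnectAsTlsServer(const AHost: string; APort: TIdPort): string;
var
  Client: TIdTCPClient;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  Client := TIdTCPClient.Create(nil);
  try
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(Client);
    Client.IOHandler := SSL;
    Client.ReadTimeout := 5000;   // do not hang forever on a silent device

    // We are the TLS server in this exchange even though we opened the TCP connection.
    SSL.SSLOptions.Mode := sslmServer;
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];     // assumption: Indy build exposes TLS 1.2

    // Step 4 of the original post: the device verifies the PC, so the PC must
    // present a certificate. Placeholder paths; use a key only this tool can read.
    SSL.SSLOptions.CertFile := 'pc-server.crt';
    SSL.SSLOptions.KeyFile  := 'pc-server.key';

    // Mutual authentication: require the device to present a certificate and
    // check it against the CA that issued the device certificates (placeholder).
    SSL.SSLOptions.RootCertFile := 'device-ca.crt';
    SSL.SSLOptions.VerifyMode   := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    SSL.SSLOptions.VerifyDepth  := 2;

    // 1. Plain TCP first. With PassThrough=True, Connect() does not touch TLS,
    //    so the device's ClientHello stays unread in the socket buffer.
    SSL.PassThrough := True;
    Client.Connect(AHost, APort);
    try
      // 2./3. Flip IsPeer only for the duration of the handshake so the
      //       IOHandler calls SSL_accept() instead of SSL_connect(), then
      //       reset it to avoid the client-side resource-ownership problem
      //       Remy describes. Setting PassThrough := False is what actually
      //       reads the ClientHello and performs the handshake; it raises if
      //       the handshake or the certificate check fails.
      SSL.IsPeer := True;
      try
        SSL.PassThrough := False;
      finally
        SSL.IsPeer := False;
      end;

      // 5. Channel is now encrypted and both sides are authenticated; run commands.
      Client.IOHandler.WriteLn('HELLO');
      Result := Client.IOHandler.ReadLn;
    finally
      // Unlike a handshake inside Connect(), a failure here does not close the
      // socket for us, so always disconnect explicitly.
      Client.Disconnect;
    end;
  finally
    Client.Free;
  end;
end;

begin
  try
    Writeln(ConnectAsTlsServer('192.0.2.10', 4433));   // placeholder device address
  except
    on E: Exception do
      Writeln('TLS setup failed: ', E.ClassName, ': ', E.Message);
  end;
end.
```

Two things to watch when adapting this: if you set SSLOptions.VerifyMode without a RootCertFile that actually contains the device CA, every handshake will fail at the certificate check rather than silently succeeding, which is the failure mode you want; and if you ever move to a newer Indy that decides SSL_accept() vs SSL_connect() from SSLOptions.Mode as Remy speculates, the IsPeer toggle becomes redundant but remains harmless.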