Thread: How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10




Replies: 4 - Last Post: Dec 2, 2014 3:37 AM Last Post By: Pierre-François...
Pierre-François...

Posts: 13
Registered: 10/26/12
How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10  
  Posted: Nov 28, 2014 9:46 AM
I'm completely new to SSL and all this ciphering stuff, but I need to make client and server Delphi XE6 apps running on mobile devices communicate. The TCP communication has to be safely ciphered.

To start, I simply wrote the Delphi/Indy TIdTCPServer/TIdTCPClient based Win32 client and server exchanging strings. (Taken from the indy10clieservr demos found on SourceForge: svn://svn.code.sf.net/p/indy10clieservr/code/1_sample Simple String Exchange)

I tried to modify them to cipher the communication by adding a TIdServerIOHandlerSSLOpenSSL component on the Server, and a TIdSSLIOHandlerSocketOpenSSL on the Client, attaching them respectively to the TIdTCPServer and TIdTCPClient.

I set their following properties on both sides:
- SSLOptions.Method = sslvSSLv23
- SSLOptions.Mode = sslmServer / sslmClient (respectively)
- SSLOptions.VerifyDepth = 2

And I added an OnGetPassword event handler setting the Password parameter to 'password' on both sides too.
(What is the role of this password? Is it critical for the privacy of the communication? What if it is found by analysing/reverse engineering the binary file?)

Finally, in the server's OnConnect event handler I set the TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough property to false.

But what about the 3 SSLOptions certificate properties?
- CertFile
- KeyFile
- RootCertFile

How do I generate and deploy them on my target devices to make my SSL layer run on the client and server?

Moreover, is there something special to do or to take into account if I intend to later deploy my server and/or clients on iOS or Android mobile devices?

I'm aware that I have little knowledge on this SSL topic. Sorry if I ask something trivial. Any basic documentation explaining all of this tricky stuff to a newbie would be greatly appreciated.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: How to get SSL certificates for a SSL-TCP Client/Server link with Indy10
Helpful
  Posted: Nov 28, 2014 3:07 PM, in response to: Pierre-François...
Pierre-François wrote:

I'm completely new to SSL and all this ciphering stuff but I need to
make client and server Delphi XE6 apps running on mobile devices
communicate. The TCP communication has to be safely ciphered.

Certificates are optional. They are used to allow peers to validate each
other's identities, not for encryption.

I tried to modify them to cipher the communication by adding a
TIdServerIOHandlerSSLOpenSSL component on the Server, and a
TIdSSLIOHandlerSocketOpenSSL on the Client, attaching them
respectively to the TIdTCPServer and TIdTCPClient.

I set their following properties on both sides:
- SSLOptions.Method = sslvSSLv23

SSLv23 is a wildcard that allows dynamic version negotiation in cases where
client and server support different SSL/TLS versions. SSLv23 allows them
to figure out and use the highest version common to both parties. If a server
needs to support a wide range of clients, it makes sense to use SSLv23 on
the server side. Not so much on the client side. Since you control both
client and server, you should use a specific version instead, preferably
TLSv1 or higher.

And I added an OnGetPassword event handler setting the Password
parameter to 'password' on both sides too.

(What is the role of this password?

Certificates can be password-protected. You have to provide the correct
password for the certificate you are using.

Is it critical for the privacy of the communication?

Certificates help avoid man-in-the-middle attacks, by allowing a client to
verify it is connected to the correct server it is expecting to be connected
to, and vice versa. It is not common for a client to have a certificate,
except when making a proprietary system where only authorized clients are
allowed to connect. But it is pretty common for servers to have certificates,
at least.

What if it is found by analysing/reverse engineering the binary file?)

It can't be. But if an attacker gains access to your certificate files,
you have bigger issues to deal with anyway.

But what about the 3 SSLOptions certificate properties ??
- CertFile
- KeyFile
- RootCertFile

Optional, if you are only interested in encrypting the connection.

--
Remy Lebeau (TeamB)
Pierre-François...

Posts: 13
Registered: 10/26/12
Re: How to get SSL certificates for a SSL-TCP Client/Server link with Indy10  
  Posted: Nov 29, 2014 1:22 AM, in response to: Remy Lebeau (Te...
Ok, thanks. I understand a bit better now...

Nevertheless, I still cannot make my proprietary Client(s) and Server communicate across an SSL ciphered link between them:

According to your kind explanations, I changed the SSLOptions.Method to sslvTLSv1 and reset the SSLOptions.VerifyDepth to 0 (I suppose it is related to the length of the unnecessary certificate trust chain?). I also removed the OnGetPassword event handler. (And the Cert/Key File properties stay empty.) This on both sides, of course. (All other properties at their default values.)

But when launching the server and trying to connect a client, I got an exception on both sides:
- Server connected the client and immediately disconnected it, throwing the exception "Error when accepting the connection with SSL. error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
- Client threw "Error when accepting the connection with SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure."

Let me explain a bit deeper what is important for my application:

I control the server and the client side as proprietary applications. They both will communicate on a Wifi LAN.

It's critical that information sent by the server to each client be ciphered and not available to another client or a spy sniffing the Wifi LAN TCP exchanges.

I understand from your answer that I don't need to protect my server with a certificate since clients know the local IP address of the server and know they are really communicating with it.

What am I still doing wrong?

Thanks again for your help.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: How to get SSL certificates for a SSL-TCP Client/Server link with Indy10
  Posted: Dec 1, 2014 11:15 PM, in response to: Pierre-François...
Pierre-François wrote:

I changed the SSLOptions.Method to sslvTLSv1, reset the
SSLOptions.VerifyDepth to 0 (I suppose it is related to the length of
the unnecessary certificate trust chain?).

Yes. It specifies how far down the chain to validate certificates, which
can be nested depending on how many layers of certificate authorities were
used to create the chain.

If you really want to disable certificate verification, you can clear the
IOHandler's SSLOptions.VerifyMode property.

But when launching the server and trying to connect a client, I got an
exception on both sides:

I was able to reproduce that. I don't have a solution, other than adding
a certificate to the server side, at least.

I control the server and the client side as proprietary applications.
They both will communicate on a Wifi LAN.

It's critical that information sent by the server to each client be
ciphered and not available to another client or a spy sniffing the
Wifi LAN TCP exchanges.

Then you should invest in certificates. That allows the server to validate
that the client is really your proprietary client and not some other client, and
vice versa, thus preventing MITM attackers from injecting themselves in between your client
and server and using their own certificates (or lack of).

I understand from your answer that I don't need to protect my server
with a certificate since clients know the local IP address of the server
and know they are really communicating with it.

That is not good enough to avoid MITM attacks. A MITM could re-route your
client to its own SSL server, and then make its own connection to your real
server, thus enabling it to decrypt packets back and forth since the client
and server are not using each other's encryption keys or verifying each other's
certificates. If you re-read my earlier reply, I said that you can omit
certificates IF you do not want identity verification. However, your "critical"
requirement seems to require that verification.

--
Remy Lebeau (TeamB)
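The two replies above make three claims that are easy to check in code: a server with no certificate cannot complete the handshake (the "no shared cipher" failure in the first post), clearing verification only hides that problem, and only certificates on both sides, issued by one root the other side trusts, give the identity check the "critical" requirement needs. The program below is an added example written for this page, not Indy code and not from this thread: it uses Go's crypto/tls in place of Indy's OpenSSL IOHandlers, mints a throwaway root CA plus a server and a client certificate in memory (the names "Demo Root CA", issue, handshake and Run are mine), and runs the three setups over loopback so the two failures and the working mutual handshake can be seen side by side.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// issue mints an Ed25519 certificate for cn signed by parent, or a self-signed root CA when parent is nil.
func issue(cn string, parent *x509.Certificate, signer any) (*x509.Certificate, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}} // SAN the client matches the server's address against
	if parent == nil { parent, signer = t, key } // the root signs itself
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// handshake runs one TLS handshake over loopback; nil means both peers accepted each other.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	go func() { // Write runs the server handshake; a rejected peer gets a TLS alert instead of data
		if c, err := ln.Accept(); err == nil { s := tls.Server(c, srv); s.Write([]byte("ok")); s.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil { return err }
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // under TLS 1.3 a cert-less client learns of its rejection only here
	return err
}
// Run tries the thread's three setups; the CA is Indy's RootCertFile, each leaf plus key one CertFile/KeyFile pair.
func Run() (noServerCert, noClientCert, mutual error) {
	ca, caTLS := issue("Demo Root CA", nil, nil)
	_, srvTLS := issue("server", ca, caTLS.PrivateKey)
	_, cliTLS := issue("client", ca, caTLS.PrivateKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	server := &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	verify := &tls.Config{RootCAs: roots} // the client trusts only servers issued by our CA
	noServerCert = handshake(&tls.Config{}, verify) // CertFile/KeyFile left empty on the server
	noClientCert = handshake(server, verify)        // encrypted, but the client cannot prove who it is
	return noServerCert, noClientCert, handshake(server, &tls.Config{RootCAs: roots, Certificates: []tls.Certificate{cliTLS}})
}
```

For a real Indy deployment the same three objects are written to disk as PEM files: the CA certificate becomes RootCertFile on both peers, and each peer's own certificate and private key become its CertFile and KeyFile, with the private key never shipped to the other side.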
Pierre-François...

Posts: 13
Registered: 10/26/12
Re: How to get SSL certificates for a SSL-TCP Client/Server link with Indy10
  Posted: Dec 2, 2014 3:37 AM, in response to: Remy Lebeau (Te...

I was able to reproduce that. I don't have a solution, other than adding
a certificate to the server side, at least.

I control the server and the client side as proprietary applications.
They both will communicate on a Wifi LAN.

It's critical that information sent by the server to each client be
ciphered and not available to another client or a spy sniffing the
Wifi LAN TCP exchanges.

Then you should invest in certificates. That allows the server to validate
that the client is really your proprietary client and not some other client, and
vice versa, thus preventing MITM attackers from injecting themselves in between your client
and server and using their own certificates (or lack of).

I understand from your answer that I don't need to protect my server
with a certificate since clients know the local IP address of the server
and know they are really communicating with it.

That is not good enough to avoid MITM attacks. A MITM could re-route your
client to its own SSL server, and then make its own connection to your real
server, thus enabling it to decrypt packets back and forth since the client
and server are not using each other's encryption keys or verifying each other's
certificates. If you re-read my earlier reply, I said that you can omit
certificates IF you do not want identity verification. However, your "critical"
requirement seems to require that verification.

So this brings me back to my first question:

But what about the 3 SSLOptions certificate properties?
- CertFile
- KeyFile
- RootCertFile

How do I generate and deploy them on my target devices to make my SSL layer run on the client and server?

Moreover, is there something special to do or to take into account if I intend to later deploy my server and/or clients on iOS or Android mobile devices?

The Server and the Client apps will be distributed on the AppleStore and Google Play. Will the customers have to do something themselves to get the certificates, or is it possible to distribute them with the app?

Is a certificate on the Server side enough in the context I described, or do I need certificates on the client side as well? (Only the data sent to the clients is confidential.)

Does a certificate cost something?

I really get confused about this SSL/Certificate stuff. I would be grateful if you could explain in detail to me the way to implement such a secure Client/Server link in the context of mobile apps.