Thread: Where to place SSL cert file to reference



Replies: 15 - Last Post: Jan 4, 2017 2:33 PM - Last Post By: steven chesser
steven chesser

Posts: 401
Registered: 4/13/09
Where to place SSL cert file to reference
  Posted: Jan 3, 2017 12:03 PM
Using Berlin update 2

I have a root cert file to include.

Works with win32/ios/ios simulator/android currently.

Now I need to add this to OSX to access a web service with Indy.

It doesn't appear that Indy SSL needs anything special for OpenSSL usage, such as including lib files or specifying paths or anything?

But for the cert file I was hoping this would maybe work

{$IFDEF MacOS}
  fSSL.SSLOptions.VerifyDirs := TPath.GetDirectoryName(paramstr(0));
  fSSL.SSLOptions.RootCertFile := TPath.Combine(TPath.GetDirectoryName(paramstr(0)), 'ca.cert.pem');
{$ENDIF}


But it appears not to work correctly. I am having problems getting the debugger to run, so I can't quite step through it yet, but
I assume I must be missing some steps for SSL usage in OSX and where to place and how to reference the cert file.
Dave Nottage

Posts: 1,850
Registered: 1/7/00
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 12:23 PM   in response to: steven chesser
steven chesser wrote:

It doesn't appear that Indy SSL needs anything special for OpenSSL usage, such as including lib files or specifying paths or
anything?

You'd be better off asking this in the .internet.winsock group. I expect Remy may know

--
Dave Nottage [MVP, TeamB]
Hints, tips and tricks at: http://www.delphiworlds.com/blog
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 12:27 PM   in response to: Dave Nottage
Dave Nottage wrote:
steven chesser wrote:

It doesn't appear that Indy SSL needs anything special for OpenSSL usage, such as including lib files or specifying paths or
anything?

You'd be better off asking this in the .internet.winsock group. I expect Remy may know

Thought that, but was hoping maybe just OSX deployment issue and lack of knowing what paths to use.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 12:44 PM   in response to: steven chesser
steven wrote:

It doesn't appear that Indy SSL needs anything special for OpenSSL usage,
such as including lib files or specifying paths or anything?

Indy uses OpenSSL dynamic libs on all OSes other than iOS devices. So make
sure you have OpenSSL dylibs in your app's installation folder or on your
system path. If the libs exist in a different folder than your app, you
might need to use the IdOpenSSLSetLibPath() function in the IdSSLOpenSSLHeaders
unit to tell Indy where to look for them.

But for the cert file I was hoping this would maybe work

{$IFDEF MacOS}
fSSL.SSLOptions.VerifyDirs := TPath.GetDirectoryName(paramstr(0));
fSSL.SSLOptions.RootCertFile :=
TPath.Combine(TPath.GetDirectoryName(paramstr(0)), 'ca.cert.pem');
{$ENDIF}


But it appears not to work correctly.

In what way exactly?

The VerifyDirs and RootCertFile strings are passed to OpenSSL's SSL_CTX_load_verify_locations()
function (actually, on Unix platforms, to X509_STORE_load_locations() directly,
which is what SSL_CTX_load_verify_locations() calls) after being converted
to UTF-8. You might consider asking in the OpenSSL community whether there
are any issues with those functions on OSX.

--
Remy Lebeau (TeamB)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 1:19 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
steven wrote:

It doesn't appear that Indy SSL needs anything special for OpenSSL usage,
such as including lib files or specifying paths or anything?

Indy uses OpenSSL dynamic libs on all OSes other than iOS devices. So make
sure you have OpenSSL dylibs in your app's installation folder or on your
system path. If the libs exist in a different folder than your app, you
might need to use the IdOpenSSLSetLibPath() function in the IdSSLOpenSSLHeaders
unit to tell Indy where to look for them.

But for the cert file I was hoping this would maybe work

{$IFDEF MacOS}
fSSL.SSLOptions.VerifyDirs := TPath.GetDirectoryName(paramstr(0));
fSSL.SSLOptions.RootCertFile :=
TPath.Combine(TPath.GetDirectoryName(paramstr(0)), 'ca.cert.pem');
{$ENDIF}


But it appears not to work correctly.

In what way exactly?

The VerifyDirs and RootCertFile strings are passed to OpenSSL's SSL_CTX_load_verify_locations()
function (actually, on Unix platforms, to X509_STORE_load_locations() directly,
which is what SSL_CTX_load_verify_locations() calls) after being converted
to UTF-8. You might consider asking in the OpenSSL community whether there
are any issues with those functions on OSX.

OSX, for me at least, had a very old version of OpenSSL.

So, I used Brew to update which installed a 1.0.2j build.

I then tried to point the path to where that got dumped.

Then was able to update the sym links to point everything to that new path so hopefully using it now.

This is the error making the HTTPS call

"Error connecting with SSL. error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"


Honestly, don't think it's using the latest SSL I installed... so not a fan of OSX

Edited by: steven chesser on Jan 3, 2017 1:34 PM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 2:19 PM   in response to: steven chesser
steven wrote:

OSX, for me at least, had a very old version of OpenSSL.

Then it is possible that Indy was failing to load OpenSSL because some functions
did not exist in the libs. Indy has a WhichFailedToLoad() function in the
IdSSLOpenSSLHeaders unit, which will report any errors after Indy attempts
to dynamically load OpenSSL for the first time.

So, I used Brew to update which installed a 1.0.2j build.

That version should work fine with Indy.

This is the error making the HTTPS call

 
"Error connecting with SSL. error:1407742E:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"
 

That means you are trying to connect to the HTTPS server using the wrong
SSL/TLS version. By default, Indy uses TLS v1.0 only, so the server must
be using TLS v1.0 specifically to match, or else the SSL/TLS handshake will
fail. You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.TLSVersions
property to enable additional SSL/TLS versions, like SSL 3.0 and TLS 1.1+.
If multiple versions are enabled, Indy will configure OpenSSL to perform
dynamic version negotiation during the SSL/TLS handshake.

Honestly, don't think it's using the latest SSL I installed...

Actually, it most likely is. But you can use Indy's OpenSSLVersion() function
in the IdSSLOpenSSL unit to verify.

--
Remy Lebeau (TeamB)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 2:33 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
steven wrote:

OSX, for me at least, had a very old version of OpenSSL.

Then it is possible that Indy was failing to load OpenSSL because some functions
did not exist in the libs. Indy has a WhichFailedToLoad() function in the
IdSSLOpenSSLHeaders unit, which will report any errors after Indy attempts
to dynamically load OpenSSL for the first time.

So, I used Brew to update which installed a 1.0.2j build.

That version should work fine with Indy.

This is the error making the HTTPS call

 
"Error connecting with SSL. error:1407742E:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"
 

That means you are trying to connect to the HTTPS server using the wrong
SSL/TLS version. By default, Indy uses TLS v1.0 only, so the server must
be using TLS v1.0 specifically to match, or else the SSL/TLS handshake will
fail. You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.TLSVersions
property to enable additional SSL/TLS versions, like SSL 3.0 and TLS 1.1+.
If multiple versions are enabled, Indy will configure OpenSSL to perform
dynamic version negotiation during the SSL/TLS handshake.

Honestly, don't think it's using the latest SSL I installed...

Actually, it most likely is. But you can use Indy's OpenSSLVersion() function
in the IdSSLOpenSSL unit to verify.

OpenSSLVersion shows 0.9.8zh, so not using the latest installed still.
But if I use OpenSSL version in the command line it shows 1.0.2j ...

The code hasn't changed in forever on server side or client side on this, other than adding the 4 lines above for MACOS compile.

And they all connect fine to the server via SSL other than this MacOS compiled version of the client.

So not exactly sure what is up. Pretty much giving up for now. Wasted a whole day on it. Will just respond back with "MacOS not supported" :)

Edited by: steven chesser on Jan 3, 2017 2:45 PM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 3:00 PM   in response to: steven chesser
steven wrote:

OpenSSLVersion shows 0.9.8zh, so not using the latest installed
still.

Then you probably did not set up the symlinks correctly.

In any case, when Indy is loading OpenSSL on OSX, it will look for the following
libs in the specified IdOpenSSLPath folder (or in the system path if IdOpenSSLPath
is blank):

'libcrypto.dylib'
'libcrypto.10.dylib'
'libcrypto.1.0.2.dylib'
'libcrypto.1.0.1.dylib'
'libcrypto.1.0.0.dylib'
'libcrypto0.9.9.dylib'
'libcrypto.0.9.8.dylib'
'libcrypto.0.9.7.dylib'
'libcrypto0.9.6.dylib'

'libssl.dylib'
'libssl.10.dylib'
'libssl.1.0.2.dylib'
'libssl.1.0.1.dylib'
'libssl.1.0.0.dylib'
'libssl0.9.9.dylib'
'libssl.0.9.8.dylib'
'libssl.0.9.7.dylib'
'libssl0.9.6.dylib'

--
Remy Lebeau (TeamB)
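The following is an added example (not code from the thread, and not Indy's own code) that pulls together the diagnostics Remy describes above: IdOpenSSLSetLibPath, WhichFailedToLoad and OpenSSLVersion for the library-loading question, and the SSLOptions settings for the "protocol version" alert. It assumes Indy 10's TIdSSLOptions, where the enabled-versions set is the SSLVersions property, and uses the /usr/local/opt/openssl/lib path mentioned in the thread.

```delphi
// Fragment for the implementation section of a form unit (assumed names).
uses
  System.SysUtils, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

// Load OpenSSL from ALibPath (blank = system path) before any connection is
// made, and return the version Indy actually bound to. A failure here names
// the library that did not load, which is the check suggested in the thread.
function LoadAndReportOpenSSL(const ALibPath: string): string;
begin
  IdOpenSSLSetLibPath(ALibPath);
  if not IdSSLOpenSSLHeaders.Load then
    raise Exception.Create('OpenSSL load failed: ' + WhichFailedToLoad);
  // Returns e.g. "OpenSSL 0.9.8zh 14 Jan 2016". A 0.9.8 build cannot speak
  // TLS 1.1/1.2, so compare this with what "openssl version" prints in a shell.
  Result := OpenSSLVersion;
end;

// Configure the client side of the handshake. ACAFile is the root cert the
// thread calls ca.cert.pem, located next to the executable.
procedure ConfigureTLSClient(AIO: TIdSSLIOHandlerSocketOpenSSL;
  const ACAFile: string);
begin
  AIO.SSLOptions.Mode := sslmClient;
  // Indy's default is TLS 1.0 only; offer TLS 1.2 (and 1.1 if the server
  // still needs it). SSL 3.0 is deliberately left out. The "protocol version"
  // alert in the thread is the server refusing the offered version, not a
  // certificate problem.
  AIO.SSLOptions.SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];
  // RootCertFile on its own only tells OpenSSL where trusted roots live.
  // VerifyMode defaults to [] and nothing is checked until sslvrfPeer is set,
  // so a mis-placed cert file would not even be noticed at handshake time.
  AIO.SSLOptions.RootCertFile := ACAFile;
  AIO.SSLOptions.VerifyMode := [sslvrfPeer];
  AIO.SSLOptions.VerifyDepth := 5;
end;

// Usage (assumed component name; ExtractFilePath already ends in a
// separator, so no extra '/' is added):
//   ShowMessage(LoadAndReportOpenSSL('/usr/local/opt/openssl/lib'));
//   ConfigureTLSClient(IdSSLIOHandlerSocketOpenSSL1,
//     ExtractFilePath(ParamStr(0)) + 'ca.cert.pem');
```

Calling LoadAndReportOpenSSL before the first Get separates "which library loaded" from "which TLS version was rejected", which the thread otherwise conflates.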
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 3:05 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
steven wrote:

OpenSSLVersion shows 0.9.8zh, so not using the latest installed
still.

Then you probably did not set up the symlinks correctly.

In any case, when Indy is loading OpenSSL on OSX, it will look for the following
libs in the specified IdOpenSSLPath folder (or in the system path if IdOpenSSLPath
is blank):

'libcrypto.dylib'
'libcrypto.10.dylib'
'libcrypto.1.0.2.dylib'
'libcrypto.1.0.1.dylib'
'libcrypto.1.0.0.dylib'
'libcrypto0.9.9.dylib'
'libcrypto.0.9.8.dylib'
'libcrypto.0.9.7.dylib'
'libcrypto0.9.6.dylib'

'libssl.dylib'
'libssl.10.dylib'
'libssl.1.0.2.dylib'
'libssl.1.0.1.dylib'
'libssl.1.0.0.dylib'
'libssl0.9.9.dylib'
'libssl.0.9.8.dylib'
'libssl.0.9.7.dylib'
'libssl0.9.6.dylib'

That is probably true, but every article I read doesn't do anything for me :(

I don't know OSX enough for the tricks, but apparently there are 54 ways of doing this... I'm only at method 22 on trying to get it to work. So far no luck.

I tried to set the path to where the files are but that did not take either. I get the error about the SSL lib files not found (don't have the exact wording in front of me)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 4:04 PM   in response to: steven chesser
Made a small stand alone program.

Only code I typed was this

procedure TForm27.Button1Click(Sender: TObject);
begin
 {$IFDEF MACOS}
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.RootCertFile := ExtractFilePath(paramstr(0))+'/ca.cert.pem';
 {$ENDIF}
 showmessage(idhttp1.Get('https://<MYSERVER>'));
end;


On the SSL Object, only thing I changed was Method Property to sslvTLSv1_2
and the RootCertFile was pre-set to ca.cert.pem.

Works in Windows just fine. I get my response back I expected. Cert file was in same folder as the .exe

On the Mac

"Error connecting with SSL. 
 error: 1409422E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version."


For my cert file, I originally goofed it. I got a nice error that the cert file could not be found. Changed it to the above and
got past the cert file error. So I am pretty sure the cert file is no longer an issue on that front.

Now it's just trying to figure out the alert protocol version.

Edited by: steven chesser on Jan 3, 2017 4:05 PM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 4:36 PM   in response to: steven chesser
Hello steven,

IdSSLIOHandlerSocketOpenSSL1.SSLOptions.RootCertFile :=
ExtractFilePath(paramstr(0))+'/ca.cert.pem';

ExtractFilePath() includes the trailing slash, so don't add another one.

Now it's just trying to figure out the alert protocol version.

Since you are having problems even getting the latest OpenSSL version to
work correctly on OSX, it is possible that the older version is not supporting
TLS 1.2 and falling back to an earlier SSL/TLS version that the server does
not support. Using a packet sniffer, like Wireshark, you can view the actual
SSL/TLS handshake and see what version it is trying to use.

Also, is the SSLIOHandler's OnStatus... events giving any useful diagnostics?

--
Remy Lebeau (TeamB)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 7:14 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
Hello steven,

IdSSLIOHandlerSocketOpenSSL1.SSLOptions.RootCertFile :=
ExtractFilePath(paramstr(0))+'/ca.cert.pem';

ExtractFilePath() includes the trailing slash, so don't add another one.

Now it's just trying to figure out the alert protocol version.

Since you are having problems even getting the latest OpenSSL version to
work correctly on OSX, it is possible that the older version is not supporting
TLS 1.2 and falling back to an earlier SSL/TLS version that the server does
not support. Using a packet sniffer, like Wireshark, you can view the actual
SSL/TLS handshake and see what version it is trying to use.

Also, is the SSLIOHandler's OnStatus... events giving any useful diagnostics?

Version : OpenSSL 0.9.8zh 14 Jan 2016
onStatus = Resolving hostname xxxxx
onStatus = Connecting to xxx.xxx.xxx.xxx.
onStatusInfo = SSL status: "before/connect initialization"
onStatusInfoEx = before/connect initialization
onStatusInfo = SSL status: "before/connect initialization"
onStatusInfoEx = before/connect initialization
onStatusInfo = SSL status: "SSLv3 write client hello A"
onStatusInfoEx = SSLv3 write client hello A
onStatusInfo = SSL status: "SSLv3 read server hello A"
onStatusInfoEx = protocol version
onStatusInfo = SSL status: "SSLv3 read server hello A"
onStatusInfoEx = SSLv3 read server hello A

I've tried to set path to 1.0.2j lib folder again but won't take. Can't load the SSL files.

But if I set it to /usr/lib the set path works, but it's the 0.9.8 version.

So wonky that it is a huge punch in the junk to try and upgrade openSSL in OSX. Yikes..

Edited by: steven chesser on Jan 3, 2017 7:14 PM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 7:24 PM   in response to: steven chesser
steven wrote:

I've tried to set path to 1.0.2j lib folder again but won't take.
Can't load the SSL files.

But you still have not verified WHY it is not loading. I gave you the filenames
that Indy looks for. Do those files exist in the 1.0.2j lib folder? Is
Indy reporting a load error at runtime? Have you checked the output of Indy's
WhichFailedToLoad() function, like I suggested earlier?

--
Remy Lebeau (TeamB)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 3, 2017 7:45 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
steven wrote:

I've tried to set path to 1.0.2j lib folder again but won't take.
Can't load the SSL files.

But you still have not verified WHY it is not loading. I gave you the filenames
that Indy looks for. Do those files exist in the 1.0.2j lib folder? Is
Indy reporting a load error at runtime? Have you checked the output of Indy's
WhichFailedToLoad() function, like I suggested earlier?

1) libssl.1.0.0..dylib existed in folder
2) libcrypto.1.0.0.dylib existed in folder
3) WhichFailedToLoad = "Failed to load /usr/local/opt/openssl/lib/libcrypto.dylib."

Both 1 & 2 had the symlink to point to file names without the 1.0.0 on them. Verified the symlinks were good also and pointing to the right files.

Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Where to place SSL cert file to reference
  Posted: Jan 4, 2017 11:55 AM   in response to: steven chesser
steven wrote:

1) libssl.1.0.0..dylib existed in folder
2) libcrypto.1.0.0.dylib existed in folder

Then it should be finding them.

3) WhichFailedToLoad = "Failed to load /usr/local/opt/openssl/lib/libcrypto.dylib."

And you are sure that is the correct folder?

Both 1 & 2 had the symlink to point to file names without the 1.0.0
on them.

IIRC, the files without the version numbers in their names (libssl.dylib,
libcrypto.dylib) are supposed to be symlinks pointing to the files with version
numbers in them (libssl.1.0.0.dylib, libcrypto.1.0.0.dylib).

Verified the symlinks were good also and pointing to the right files.

Which are what exactly?

--
Remy Lebeau (TeamB)
steven chesser

Posts: 401
Registered: 4/13/09
Re: Where to place SSL cert file to reference
  Posted: Jan 4, 2017 2:33 PM   in response to: Remy Lebeau (Te...
Remy Lebeau (TeamB) wrote:
steven wrote:

1) libssl.1.0.0..dylib existed in folder
2) libcrypto.1.0.0.dylib existed in folder

Then it should be finding them.

3) WhichFailedToLoad = "Failed to load /usr/local/opt/openssl/lib/libcrypto.dylib."

And you are sure that is the correct folder?

Both 1 & 2 had the symlink to point to file names without the 1.0.0
on them.

IIRC, the files without the version numbers in their names (libssl.dylib,
libcrypto.dylib) are supposed to be symlinks pointing to the files with version
numbers in them (libssl.1.0.0.dylib, libcrypto.1.0.0.dylib).

Verified the symlinks were good also and pointing to the right files.

Which are what exactly?

If I look at the properties of the symlink files for libcrypto.dylib and libssl.dylib, the files they
are pointing to are the full paths to libssl.1.0.0.dylib and libcrypto.1.0.0.dylib, and all of this
is going on in that same path.