AllanF

Only default ICS sample SSL certificate is working

I am using ICS TSslFTPServer (FtpSslType=ftpAuthTls,ftpAuthSsl) and TSslWSocketServer (SslEnable=True) in my server-side application along with TSslContext, wherein I am pointing SslPrivKeyFile and SslCertFile to your sample 01key.pem and 01cert.pem respectively. My Client Application connects and all is well.

problem-1) If I try to change the certificates to another of your provided examples, or if I build with OpenSSL, it gives the error

'Can't read certificate file ... error:0909006C:PEM routines:get_name:no start line'

problem-2) Using SSL I lose compatibility with WinXP and probably with Vista too. Is there a workaround?

(Angus has suggested that I use the IcsHosts property instead of SslContext, but I will need to do more work to get it working for me; I hope I am using the above-mentioned components properly to begin with SSL.)

(How I generated my own PEM files:

openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out 01key.pem

openssl pkey -in 01key.pem -out 01cert.pem -pubout)

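An added example (not part of the thread and not ICS code): a shell check of which PEM block types a file holds. A certificate loader reports "no start line" when the file has no CERTIFICATE block, which is the case for the output of `openssl pkey -pubout` (a public key). The function names and the sample files with dummy bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which PEM block types a file holds, to explain
# "PEM routines:get_name:no start line" when a certificate is expected.

# Print one kind per PEM block found in file $1 (CRLF line ends tolerated).
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" |
    while IFS= read -r label; do
        case "$label" in
            CERTIFICATE|'X509 CERTIFICATE'|'TRUSTED CERTIFICATE') echo certificate ;;
            'ENCRYPTED PRIVATE KEY') echo encrypted-private-key ;;
            *'PRIVATE KEY') echo private-key ;;
            *'PUBLIC KEY') echo public-key ;;
            *'CERTIFICATE REQUEST') echo certificate-request ;;
            *) echo "other:$label" ;;
        esac
    done
}

# Succeed only if the file holds at least one certificate block.
has_certificate() {
    pem_kinds "$1" | grep -qx certificate
}

# Append a constructed PEM block (dummy base64 body, not real key material).
write_sample() {   # $1 = PEM label, $2 = file
    printf '%s\r\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----" >> "$2"
}

dir=$(mktemp -d) && trap 'rm -rf "$dir"' EXIT
write_sample 'ENCRYPTED PRIVATE KEY' "$dir/key.pem"     # shape of genpkey -aes256 output
write_sample 'PUBLIC KEY'            "$dir/pubout.pem"  # shape of pkey -pubout output
write_sample 'CERTIFICATE'           "$dir/bundle.pem"  # certificate and key in one file
write_sample 'PRIVATE KEY'           "$dir/bundle.pem"

for f in key.pem pubout.pem bundle.pem; do
    if has_certificate "$dir/$f"; then verdict='certificate block present'
    else verdict='no certificate block: a cert loader finds no start line'; fi
    printf '%s: %s-> %s\n' "$f" "$(pem_kinds "$dir/$f" | tr '\n' ' ')" "$verdict"
done
```
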

As I said before, you don't need to use OpenSSL command line tools to create certificates, ICS has functions to do that. ICS has a lot of really old examples untested for 10 years, really should be removed.

You should build the OverbyteIcsPemTool.dpr sample which has numerous facilities for creating, testing, converting and viewing X509 certificates, in various formats. Then open your certificate files which will immediately tell you whether ICS can read them, and display all the content. There are several Wiki FAQs on certificates I previously suggested you read that explain this all in detail.

ICS with OpenSSL applications work perfectly on Vista and Windows 2008, two of my public servers are 2008, closed down last week due to Microsoft support ending after 12 years. I believe ICS applications still work on Windows XP but that has been out of support for years so no longer tested. The latest version 1.1.1 of OpenSSL no longer supports Windows XP, you need to use 1.0.2 or 1.1.0, both of which are now out of support so no security fixes. OpenSSL and Microsoft do offer paid support for XP and 1.0.2 for large organisations that really can not upgrade, but not for home users.

Angus

I did create the PEM files and they are working fine, but the comments say they will expire by 20/01/2020 even if I put days 365 or 3650.

I went into debug mode and changed days at run time, but got the same comment.

Created PEM files how, which applications or which functions with what parameters? Generally public certificates can no longer be issued with an expiry beyond one year and certain ICS tools do limit that.

Angus
21 hours ago, Angus Robertson said:

ICS has a lot of really old examples untested for 10 years, really should be removed.

Please don't remove "old examples"; validate your code against them and update the examples if needed. For me it is very hard to use anything without a near complete set of examples.

By old files, I meant long expired SSL certificates and job files that are no longer needed since ICS samples can now do everything they did. People try to use them and wonder why they don't work.

Angus
15 hours ago, AllanF said:

With OverbyteIcsPemTool.exe Menu item Create a self-signed certificate. 

Sorry, seems the CreateSelfSignedCert function in OverbyteIcsSslX509Utils.pas got broken while being modernised, you need to add a missing line:

 MySslCertTools.ExpireDays     := Days;   { V8.64 got lost }

and it will work properly again. Sorry, did not test that old function properly.

The modern way to create a self signed certificate is using fields and buttons on the New Certificate Properties and Create Certificates tabs. First click 'Generate Key Pair', complete the various New Certificate Request Properties, previous tab, click 'Create Self Signed Cert from Properties', then at the bottom of the tab specify the file names for the formats you want to save, tick if you want the private key in the same file, then click the buttons to save in PEM, PKCS12, DER, etc. Finally on the List Certificate tab, click View Single File to double check the certificate is created properly.

Those three tabs perform most of the common certificate functions of the OpenSSL command line tool.

Angus
