understanding TCP TLS/SSL Security
#1
I am trying to understand the usage of TLS/SSL with idtcpserver and client.

I am running my server on Ubuntu using WineHQ.

I am trying to make the client communicate only through my client application, and prevent bad guys from communicating with my tcpserver from a client they make.

I read and searched about this matter and all results refer to using TLS/SSL.

How could I do that using idtcpserver properly? Do I need an SSL certificate?

What are the correct DLLs to use?

Just trying to understand how to do that properly.
#2
(10-08-2018, 09:09 AM)Madammar Wrote: I am trying to understand the usage of TLS/SSL with idtcpserver and client.

That is kind of a broad topic.

(10-08-2018, 09:09 AM)Madammar Wrote: I am trying to make the client communicate only through my client application, and prevent bad guys from communicating with my tcpserver from a client they make.

To do that, you would have to issue a certificate to each of your authorized clients, and then make the server validate a client's certificate when it connects to your server.  If you don't do this, then any SSL/TLS-enabled client will be able to communicate with your server, and the only validation the server will be able to do is either checking for known/allowed client IP addresses, or require clients to submit user credentials for the server to authenticate (which you should probably do anyway even with validated certificates).

(10-08-2018, 09:09 AM)Madammar Wrote: I read and searched about this matter and all results refer to using TLS/SSL.

Yes.

(10-08-2018, 09:09 AM)Madammar Wrote: How could I do that using idtcpserver properly?

Before activating the server at runtime, assign a TIdServerIOHandlerSSLOpenSSL to the TIdTCPServer.IOHandler property, and configure it as needed.

Among its available options are the sslvrfPeer, sslvrfFailIfNoPeerCert, and sslvrfClientOnce flags.  On the server side, you will likely want to use all of them.  There is also an OnVerifyPeer event available, if you want to perform custom validation of any particular details of a client's certificate data.

Once a client has connected, in the TIdTCPServer.OnConnect or TIdTCPServer.OnExecute event, you can type-cast the AContext.Connection.IOHandler to TIdSSLIOHandlerSocketOpenSSL (or at least to TIdSSLIOHandlerSocketBase) and set its PassThrough property to False when you are ready to initiate an SSL/TLS handshake with the client (PassThrough is True by default to allow initially unencrypted communications, for protocols that support STARTTLS-like functionality).  If the handshake fails, an exception will be raised, and if you let TIdTCPServer handle it then the client will be disconnected.

(10-08-2018, 09:09 AM)Madammar Wrote: Do I need an SSL certificate?

If you want to validate identities, yes.  The server should have a certificate, so clients can validate they are connected to the correct/legitimate server and not to a man-in-the-middle attacker.  Clients may have certificates too, so the server can validate they are who they claim to be.

(10-08-2018, 09:09 AM)Madammar Wrote: What are the correct DLLs to use?

ssleay32.dll and libeay32.dll, which are available for Indy at https://indy.fulgan.com/SSL/.
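The steps described in this answer (assign a TIdServerIOHandlerSSLOpenSSL before activating the server, enable all three verify flags, hook OnVerifyPeer, and flip PassThrough in OnConnect) put together as one console program. This is an added example, not code from the thread or from Indy itself; the TSecureServer wrapper class, the port 8443, the PEM file names, and the pinned subject name "CN=my-client-app" are placeholders I chose for illustration and must be replaced with your own.

```delphi
program TlsMutualAuthServer;
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdContext, IdTCPServer, IdSSL, IdSSLOpenSSL;

type
  // Wrapper class (assumed): Indy events are method pointers ("of object"),
  // so the handlers need an instance to live on.
  TSecureServer = class
  private
    FServer: TIdTCPServer;
    FIOHandler: TIdServerIOHandlerSSLOpenSSL;
    function DoVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
    procedure DoConnect(AContext: TIdContext);
    procedure DoExecute(AContext: TIdContext);
  public
    constructor Create(APort: Word);
    destructor Destroy; override;
  end;

constructor TSecureServer.Create(APort: Word);
begin
  inherited Create;
  FServer := TIdTCPServer.Create(nil);
  FIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(FServer);

  // Server identity (placeholder file names) so clients can verify who
  // they are talking to and not a man-in-the-middle.
  FIOHandler.SSLOptions.CertFile := 'server-cert.pem';
  FIOHandler.SSLOptions.KeyFile  := 'server-key.pem';
  // CA you used to issue the client certificates: only clients holding a
  // certificate signed by it will pass verification.
  FIOHandler.SSLOptions.RootCertFile := 'client-ca.pem';
  FIOHandler.SSLOptions.Mode := sslmServer;
  FIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // All three flags, as recommended for the server side:
  //   sslvrfPeer             - request a certificate from the client
  //   sslvrfFailIfNoPeerCert - abort the handshake if none is presented
  //   sslvrfClientOnce       - verify the client once, not on renegotiation
  FIOHandler.SSLOptions.VerifyMode :=
    [sslvrfPeer, sslvrfFailIfNoPeerCert, sslvrfClientOnce];
  FIOHandler.SSLOptions.VerifyDepth := 2;
  FIOHandler.OnVerifyPeer := DoVerifyPeer;

  FServer.IOHandler := FIOHandler;   // must be assigned before Active := True
  FServer.DefaultPort := APort;
  FServer.OnConnect := DoConnect;
  FServer.OnExecute := DoExecute;
  FServer.Active := True;
end;

destructor TSecureServer.Destroy;
begin
  FServer.Active := False;
  FServer.Free;   // FServer owns FIOHandler
  inherited;
end;

function TSecureServer.DoVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict on the chain; never turn a False into True.
  Result := AOk;
  // Depth 0 is the leaf (the client's own certificate). Additionally pin
  // the subject your CA issued to your client application (placeholder).
  if Result and (ADepth = 0) then
  begin
    Result := Pos('CN=my-client-app', Certificate.Subject.OneLine) > 0;
    if not Result then
      Writeln('Rejected client certificate: ', Certificate.Subject.OneLine);
  end;
end;

procedure TSecureServer.DoConnect(AContext: TIdContext);
begin
  // PassThrough is True by default (plaintext). Setting it to False starts
  // the TLS handshake now; if it fails, an exception is raised and
  // TIdTCPServer disconnects the client.
  TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough := False;
end;

procedure TSecureServer.DoExecute(AContext: TIdContext);
var
  Line: string;
begin
  // Everything from here on travels inside the TLS session.
  Line := AContext.Connection.IOHandler.ReadLn;
  AContext.Connection.IOHandler.WriteLn('echo: ' + Line);
end;

var
  Server: TSecureServer;
begin
  Server := TSecureServer.Create(8443);
  try
    Writeln('Listening on 8443, press Enter to stop.');
    Readln;
  finally
    Server.Free;
  end;
end.
```

On the client side the mirror image is a TIdSSLIOHandlerSocketOpenSSL assigned to TIdTCPClient.IOHandler, with SSLOptions.CertFile/KeyFile pointing at the client's own certificate, RootCertFile at the CA that signed the server certificate, VerifyMode containing sslvrfPeer, and PassThrough set to False before Connect. The DLLs named above must be reachable by the process (under Wine, next to the executable is the simplest place), and the certificate pin in DoVerifyPeer only narrows who is accepted; it is the CA signature check that keeps a home-made client out.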
