Indy SMTP Server TLS Change Certificates while Active?
#1
Running Indy 10.6.2.0

It seems like I can’t change the certificate files after setting
IdSMTPServer1->Active = true;

I have my test certificate loaded before that call and that domain works fine, but when I try to do it after that, it does not reload/work.


What I am trying to do is add STARTTLS support based on the bound IP, then find the right domain certificate based on that IP to load.

Trying to do this in IdSMTPServer1Connect(TIdContext *AContext),
where I find the AContext->Connection->Socket->Binding->IP;

which I hoped would then allow me to load the certificate file that was needed, using the following:
Code:
IdServerIOHandlerSSLOpenSSL1->SSLOptions->CertFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-chain.pem";
IdServerIOHandlerSSLOpenSSL1->SSLOptions->KeyFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-key.pem";

Added logging to IdSMTPServerOnBeforeCommandHandler,
and the CertFile and KeyFile were still set correctly. It seems like the certificates were not reloaded.

Been using https://www.checktls.com to test with as well.
#2
(08-23-2019, 08:47 PM)vbgamer45 Wrote: It seems like I can’t change the certificate files after setting
IdSMTPServer1->Active = true;

Yes, you can. You are simply loading the certificate into the wrong SSLIOHandler object.

(08-23-2019, 08:47 PM)vbgamer45 Wrote: What I am trying to do is add STARTTLS support based on the bound IP, then find the right domain certificate based on that IP to load.

Trying to do this in IdSMTPServer1Connect(TIdContext *AContext),
where I find the AContext->Connection->Socket->Binding->IP;

That is the local IP that the server is listening on, is that what you really want? The client's remote IP is in the Binding->PeerIP property instead.

Also, just an FYI, TIdContext has its own Binding property as a shortcut for accessing the Connection->Socket->Binding property:

Code:
AContext->Binding->IP      // local address the server accepted on
AContext->Binding->PeerIP  // remote address of the client

(08-23-2019, 08:47 PM)vbgamer45 Wrote: which I hoped would then allow me to load the certificate file that was needed, using the following:
Code:
IdServerIOHandlerSSLOpenSSL1->SSLOptions->CertFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-chain.pem";
IdServerIOHandlerSSLOpenSSL1->SSLOptions->KeyFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-key.pem";

You need to load the certificate into the SSLIOHandler that is associated with the particular client connection, not with the server itself, eg:

Code:
// the per-connection IOHandler, created from the server's SSLIOHandler when the client was accepted
TIdSSLIOHandlerSocketOpenSSL *SSL = static_cast<TIdSSLIOHandlerSocketOpenSSL*>(AContext->Connection->IOHandler);
SSL->SSLOptions->CertFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-chain.pem";
SSL->SSLOptions->KeyFile = aSystemDrive + "\\cert\\" + asBannerDomain + "-key.pem";

You will have to do that before the STARTTLS command is actually processed by the server. Once the client context's SSLIOHandler is activated, it is too late to change the certificate. So you will have to set the certificate in the server's OnConnect or OnBeforeCommand event.

(08-23-2019, 08:47 PM)vbgamer45 Wrote: Added logging to IdSMTPServerOnBeforeCommandHandler,
and the CertFile and KeyFile were still set correctly. It seems like the certificates were not reloaded.

Not in the server's SSLIOHandler, no. That certificate gets loaded only once when the server is activated. The server's SSLIOHandler holds global defaults that are applied to each new SSLIOHandler that gets created when a client is accepted. You need to configure the SSLIOHandler that actually communicates with each client.

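Putting the answer above together as one OnConnect handler, as an added example that is not code from either poster: it selects the certificate by the local bound IP, configures the per-connection SSLIOHandler before any STARTTLS can be processed, and leaves the server-wide defaults in place when no matching files exist. The form class TForm1, the gDomainByLocalIP table, kDefaultDomain and the aSystemDrive variable from the original post are assumptions.

```cpp
#include <vcl.h>
#include <map>
#include <IdContext.hpp>
#include <IdSSLOpenSSL.hpp>

// Hypothetical: filled once at startup, e.g. "192.0.2.10" -> "mail.example.net"
static std::map<String, String> gDomainByLocalIP;
// Hypothetical fallback domain used when a listening IP has no entry in the table
static const String kDefaultDomain = "mail.example.net";

void __fastcall TForm1::IdSMTPServer1Connect(TIdContext *AContext)
{
    // Binding->IP is the LOCAL address the client connected to; PeerIP is the client.
    String localIP = AContext->Binding->IP;

    String domain = kDefaultDomain;
    std::map<String, String>::const_iterator it = gDomainByLocalIP.find(localIP);
    if (it != gDomainByLocalIP.end())
        domain = it->second;

    // This per-connection IOHandler (not IdServerIOHandlerSSLOpenSSL1) is what
    // negotiates TLS once the client sends STARTTLS, so it must be configured here.
    TIdSSLIOHandlerSocketOpenSSL *ssl =
        dynamic_cast<TIdSSLIOHandlerSocketOpenSSL*>(AContext->Connection->IOHandler);
    if (ssl == NULL)
        return; // no SSL IOHandler assigned to the server; STARTTLS will not be offered

    // aSystemDrive: same variable the original post uses, assumed defined elsewhere
    String certDir  = aSystemDrive + "\\cert\\";
    String certFile = certDir + domain + "-chain.pem";
    String keyFile  = certDir + domain + "-key.pem";

    // Missing files would only surface as a handshake failure on STARTTLS;
    // keeping the server-wide defaults copied in at accept time is the safer outcome.
    if (!FileExists(certFile) || !FileExists(keyFile))
        return;

    ssl->SSLOptions->CertFile = certFile;
    ssl->SSLOptions->KeyFile  = keyFile;
}
```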