Board index » delphi » Re: HTTPS connection

Re: HTTPS connection


2005-12-01 06:36:11 PM
delphi244
Hello!
You wrote on Thu, 1 Dec 2005 10:35:07 -0000:
CN>Assume I am a normal user. Assume i have some settings in my internet
CN>explorer in regards to certificates. Could you please be so kind and
CN>tell me if OpenSSL and Synapse are going to consider my settings?
No. You would need to implement certificate validation yourself.
One of the options can be use of SSLBlackbox ( www.eldos.com/sbb/delphi-ssl.php)
with Indy or ICS. SSLBlackbox lets you access Windows Certificate Storage
for certificate validation and management. Also, SSLBlackbox doesn't require
that you use any DLLs.
With best regards,
Eugene Mayevski
 
 

Re: HTTPS connection

I know SSLBlackbox and i can confirm it works like a charm ;) Really nice
design btw.
However, few years ago I have spent few hours on WinInet and never looked
back - at least for http/https .. I had never used OpenSSL with any of the
delphi libraries and I am really curious to know about how they work. Mr
Caduto seems to be pretty informed in that matter - so i thought I will take a
chance to pester him about it and find out some quick answer ;)
Kind regards,
Cristian Nicola
"Eugene Mayevski" <XXXX@XXXXX.COM>writes
Quote
No. You would need to implement certificate validation yourself.

One of the options can be use of SSLBlackbox (
www.eldos.com/sbb/delphi-ssl.php)
with Indy or ICS. SSLBlackbox lets you access Windows Certificate Storage
for certificate validation and management. Also, SSLBlackbox doesn't
require
that you use any DLLs.

With best regards,
Eugene Mayevski

 

Re: HTTPS connection

Tim writes:
Quote

"Tony Caduto" <XXXX@XXXXX.COM>writes
news:438e45a6$XXXX@XXXXX.COM...
>
>Like I said I can post a complete example tomorrow of how to do a
>URL post to a CGI with Synapse.
>

Thanks. However, I realise I am missing something here as to the
whole SSL concept.

From a CGI connecting to the credit card web site, I simply use
something like:

<FORM METHOD="POST"
ACTION="https://www....../param1=xxx¶m2=yyy etc.
</FORM>

I assume that Internet Exporer handles the SSL business and I do not
have to worry about certificates and private keys etc. (other than
two of the parameters are username and password).

However, looking at various application based components, including
Synapse, it looks like I need to know all about the certificates and
private keys used by the credit card company.

Can you explain how this all works? Thanks.
Here is how to do this with Synapse
first get synapse and add it is source location to your library path.
synapse.ararat.cz/
Then add the following to your uses:
httpsend,
blcksock,
ssl_openssl
(make sure you have the openssl DLLS in the same dir as your exe or in
the system dir)
create a stream to hold the result and a stringlist for the field
params:
var
result_stream:tmemorytream;
formfields:tstringlist;
begin
result_stream:=tmemorystream.create;
formfields:= tstringlist.create;
try
//set field values to send
formfields.Values['user']:='bob';
formfields.Values['pass']:='12345567';
formfields.Values['coid']:='1001';
if
httpsend.HttpPostURL('https://yourCGI',formfields.Text,result_stream)
then
begin
//see what's in the result
//note your CGI may return text or binary.
//my cgi returns a zip file, so I use VCLzip to load the stream
//and process,here we assume text and reuse
//the formfields strignlist
formfields.clear;
formfields.loadfromstream(result_stream);
showmessage(formfields.text);
end;
finally
freeandnil(result_stream);
freeandnil(formfields);
end;
end;
You might also want to take a look at the synapse source for
httpPostURL as it has some instructions on how to encode values that
have spaces.
Also check out the synapse wiki documentation project:
synapse.ararat.cz/wiki/
and the online help file where you can lookup the httpPostURL method.
synapse.ararat.cz/docs/help/index.html
Hope this helps.
Tony Caduto
--
 

Re: HTTPS connection

Cristian Nicola writes:
Quote
Assume I am a normal user. Assume i have some settings in my internet
explorer in regards to certificates. Could you please be so kind and
tell me if OpenSSL and Synapse are going to consider my settings?

Thank you very much,
Cristian Nicola
You only need to compare certs if you are using self signed or if they
are not in the certificate bundle.
When you connect via a browser to a https site that uses a verisign
certificate you don't have to do anything.
That's how synpase works as well, you have the option of inspecting the
cert if you want to.
All I can say is check it out, it works well for me.
Synapse has a cert bundle and it has worked well for me:
synapse.ararat.cz/files/synacert.zip
It also includes a self signed testing cert, but you should always
generate your own with openSSL.
Later,
Tony Caduto
--
 

Re: HTTPS connection

Lukas Gebauer writes:
Quote
>However, looking at various application based components, including
>Synapse, it looks like I need to know all about the certificates
>and private keys used by the credit card company.

You are wrong. For client side of HTTPS you not need any key or
certificate in Synapse. It is really pretty easy. All is like you are
using unencrypted HTTP, just use 'https://...' in URL and add SSL
plugin unit to your project uses. (and add DLLs to your project
executacble, when your selected plugin need it.)

It is all!
Hi Lukas,
Glad to see you chiming in :-)
hopefully my example will help Tim out.
later,
Tony
--
 

Re: HTTPS connection

tony caduto writes:
Quote
I just think OpenSSL and Synapse is the way to go. You can also do SSH
with Synapse(a big plus in my book).

The code you write with Synapse can also be used on Linux or other Unix
like systems with Kylix or FreePascal/Lazarus.

There are more web servers out there that use OpenSSL than the MS
solution and many many of these sites/applications handle credit cards.
Synapse must not use OpenSSL only!
Programmer can use OpenStrSecII plugin, it is totally free too and you
not need any external DLL. (Why pay a big money for SecureBlackBox?
Maybe when someone get crazy! ;-))
Or programmer can use CryptLib plugin, it using smaller DLL, but it is
not good as OpenSSL. (but have another goodies, of course!)
In all cases proxy support is not a problem.
 

Re: HTTPS connection

Quote
However, looking at various application based components, including Synapse,
it looks like I need to know all about the certificates and private keys
used by the credit card company.
You are wrong. For client side of HTTPS you not need any key or
certificate in Synapse. It is really pretty easy. All is like you are
using unencrypted HTTP, just use 'https://...' in URL and add SSL plugin
unit to your project uses. (and add DLLs to your project executacble,
when your selected plugin need it.)
It is all!
 

Re: HTTPS connection

Hello!
You wrote on Thu, 01 Dec 2005 20:36:22 +0100:
LG>Programmer can use OpenStrSecII plugin, it is totally free too and you
LG>not need any external DLL. (Why pay a big money for SecureBlackBox?
LG>Maybe when someone get crazy! ;-))
To get timely support, free upgrades and compliance with the latest
standards, probably.
With best regards,
Eugene Mayevski
 

Re: HTTPS connection

Eugene Mayevski writes:
Quote
LG>Programmer can use OpenStrSecII plugin, it is totally free too and you
LG>not need any external DLL. (Why pay a big money for SecureBlackBox?
LG>Maybe when someone get crazy! ;-))

To get timely support, free upgrades and compliance with the latest
standards, probably.
What did you think?
Synapse have not timely support? Free support, and when you need more,
then you can buy commercional support too. And Synapse is not supported
by develpers only, here is good community around what can help you freely!
Synapse have not free upgrades? Synapse is fully free, include upgrades.
And compliance with latest standards? Synapse is not compliant? Synapse
not have new features by new standards?
I still not see difference. All what you can get by buying of
SecureBlackBox you can have same and free. (And opensourced, not as
'blackbox'.)
You are from SecureBlackBox, right? Your propositions are good for
managers. ;-)))
 

Re: HTTPS connection

Hello!
You wrote on Fri, 02 Dec 2005 21:32:30 +0100:
LG>Synapse have not timely support? Free support, and when you need more,
... lots of Synapse advertising skipped ...
SecureBlackbox isn't a protocol suite, but security suite. So your post not
applicable.
With best regards,
Eugene Mayevski
 

Re: HTTPS connection

"tony" <XXXX@XXXXX.COM>writes
Quote

first get synapse and add it is source location to your library path.
synapse.ararat.cz/

Then add ....
Tony,
I have downloaded Synapse, and tried your code on a web site of my own,
created in Delphi as a CGI, as a test. It does not use SSL, but it should
test the principal.
On the web page is
<form name="form1" method="post" action="/cgi-bin/text.exe/login?">
and a user name and password are sent as parameters, which if correct,
direct you to a new page.
If I now use formfields.Values['user']:='test' and
formfields.Values['pass']:='password':
httpsend.HttpPostUrl('mywebsite.co.uk/cgi-bin/text.exe/login?',formfi
elds.Text,result_stream)
then it returns 'true', but result_stream appears to hold nothing. On the
web site, a WebModule1LoginAction sets the Response to a new page and I
assume that the result_stream should hold the script for this page.
Am I using this correctly? Thanks for all your help.
Tim
 

Re: HTTPS connection

Tim writes:
Quote

"tony" <XXXX@XXXXX.COM>writes
news:XXXX@XXXXX.COM...
>
>first get synapse and add it is source location to your library path.
>synapse.ararat.cz/
>
>Then add ....

Tony,

I have downloaded Synapse, and tried your code on a web site of my
own, created in Delphi as a CGI, as a test. It does not use SSL, but
it should test the principal.

On the web page is

<form name="form1" method="post" action="/cgi-bin/text.exe/login?">

and a user name and password are sent as parameters, which if correct,
direct you to a new page.

If I now use formfields.Values['user']:='test' and
formfields.Values['pass']:='password':

httpsend.HttpPostUrl('mywebsite.co.uk/cgi-bin/text.exe/login?',
formfi elds.Text,result_stream)

then it returns 'true', but result_stream appears to hold nothing. On
the web site, a WebModule1LoginAction sets the Response to a new page
and I assume that the result_stream should hold the script for this
page.

Am I using this correctly? Thanks for all your help.

Tim
Tim,
I forgot to add result_stream.position:=0;
Most functions won't set the position back to 0 for reading, so you
need to do it yourself after the function returns.
should go right above this line.
formfields.loadfromstream(result_stream);
--
 

Re: HTTPS connection

Hello, I am looking at converting some Java code into Delphi, and need
to communicate with a server using HTTPS.
Can anyone suggest open-source code or components that would implement
an https connection.
So far I have looked at libcurl
Any suggestions appreciated
 

Re: HTTPS connection

leehanken writes:
Quote
Hello, I am looking at converting some Java code into Delphi, and need
to communicate with a server using HTTPS.

Can anyone suggest open-source code or components that would implement
an https connection.

So far I have looked at libcurl

Any suggestions appreciated
I am now using Indy 9 with the TIdHttp control
I get the message 'Error connecting with SSL'
The server works okay when I connect to it from java.
I have created and signed my own certificate
I am wondering whether Java has anything built in, such as valid
development certificates, that Delphi doesn't?
My code is basically:-
IdSSLIOHandlerSocket1.SSLOptions.Method := sslvSSLv2;
HTTP.Request.ContentType := 'application/x-www-form-urlencoded';
with HTTP do begin
try
HTTP.Post('https://www.myserver.com/script', Params,aStream);
...