SSL / TLS support
All protocol components from the Clever Internet Suite fully support the SSL / TLS negotiation mode: HTTPS, FTPS, SMTP, POP3, IMAP and NNTP.
For all these protocols (except HTTPS) the Clever Internet Suite also supports the explicit mode of establishing the secured connection: the component first connects in plaintext and then explicitly starts SSL negotiation through a protocol command such as STARTTLS.
The SSL / TLS communication mode is selected with the UseTLS property.
In the client-side components, this property can accept the following values:
- ctAutomatic - If the Port property is set to the standard plaintext port of the protocol, the component will behave the same as if UseTLS is set to ctExplicit. In all other cases, SSL negotiation will be implicit (ctImplicit).
- ctImplicit - The SSL negotiation will start immediately after the connection is established.
- ctExplicit - The component will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS.
- ctNone - No SSL negotiation, no SSL security. All communication will be in plaintext mode.
The OnVerifyServer event occurs when the server presents its certificate to the client and the client can decide whether to continue with the connection process:
// [Delphi]
procedure TMainForm.clHTTPVerifyServer(Sender: TObject;
  ACertificate: TclCertificate; const AStatusText: String;
  AStatusCode: Integer; var AVerified: Boolean);
var
  newInstance: TclCertificate;
begin
  // The component has already validated the certificate; AVerified is False
  // when that validation failed and AStatusText describes the reason.
  if not AVerified and (MessageDlg(AStatusText + #13#10' Do you wish to proceed ?',
    mtWarning, [mbYes, mbNo], 0) = mrYes) then
  begin
    // Copy the presented certificate into the CA store so that it is trusted
    // by later connections, then accept the current connection.
    newInstance := clCertificateStore1.Items.AddFrom(ACertificate);
    clCertificateStore1.StoreName := 'CA';
    clCertificateStore1.Install(newInstance);
    AVerified := True;
  end;
end;
The CertificateFlags client property also lets you suppress specific certificate verification failures: an invalid certificate common name, an expired (or not yet valid) certificate date and an unknown issuing authority. Currently the following flags are available: cfIgnoreCommonNameInvalid, cfIgnoreDateInvalid, cfIgnoreUnknownAuthority, cfIgnoreRevocation, cfIgnoreWrongUsage. Each flag disables the corresponding check, so the connection is no longer verified against that condition.
Using the StartTls client method, you can explicitly initiate the TLS / SSL negotiation and establish secured network communication with the server.
In the server-side components, the UseTLS property accepts a different set of values:
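The following is an added example, not code from the Clever Internet Suite documentation or from CleverComponents, that puts the client-side settings above together: it chooses the UseTLS mode from the port explicitly rather than relying on ctAutomatic, keeps CertificateFlags empty so every check stays active, and uses an OnVerifyServer handler that only records a failure instead of overriding it. It assumes a TclSmtp component exposing Server, Port, UseTLS, CertificateFlags and OnVerifyServer (the unit names clSmtp and clCertificate, the set type of CertificateFlags and the Log helper are assumptions, not taken from this page).

```delphi
// Added example (not from the Clever Internet Suite documentation).
// Assumed unit names: clSmtp (TclSmtp) and clCertificate (TclCertificate).
uses
  SysUtils, clSmtp, clCertificate;

// Hypothetical logging helper; replace with the application's own logger.
procedure Log(const AMessage: string);
begin
  OutputDebugString(PChar(AMessage));
end;

// Configure the client so that TLS is always negotiated and the
// certificate verification performed by the component is left intact.
procedure ConfigureSmtpTls(ASmtp: TclSmtp; const AHost: string; APort: Integer);
begin
  ASmtp.Server := AHost;
  ASmtp.Port := APort;

  // Select the negotiation mode from the port explicitly. ctAutomatic would
  // infer it, but naming the mode here means a changed port setting can never
  // silently turn into a plaintext session.
  case APort of
    465: ASmtp.UseTLS := ctImplicit;   // TLS handshake first, then SMTP
    587: ASmtp.UseTLS := ctExplicit;   // plaintext connect, then STARTTLS
  else
    raise Exception.CreateFmt('Port %d is not a recognised SMTP TLS port', [APort]);
  end;

  // Empty flag set (assumed set type): common name, validity dates, issuing
  // authority, revocation and key usage are all checked by the component.
  // Each cfIgnore* flag added here would disable one of those checks.
  ASmtp.CertificateFlags := [];
end;

// OnVerifyServer handler that never accepts a certificate the component
// rejected: AVerified is left unchanged, so the connection is aborted and
// the reason is recorded for the operator.
procedure TMainForm.clSmtp1VerifyServer(Sender: TObject;
  ACertificate: TclCertificate; const AStatusText: String;
  AStatusCode: Integer; var AVerified: Boolean);
begin
  if not AVerified then
    Log(Format('TLS verification of %s failed (status %d): %s',
      [clSmtp1.Server, AStatusCode, AStatusText]));
end;
```

Wire clSmtp1VerifyServer to clSmtp1.OnVerifyServer and call ConfigureSmtpTls(clSmtp1, 'mail.example.com', 587) before opening the connection; the same pattern applies to the FTP, POP3, IMAP and NNTP clients, only the standard port numbers differ.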
- stNone - No SSL negotiation, no SSL security. All communication will be in plaintext mode.
- stImplicit - The SSL negotiation will start immediately after the connection is established.
- stExplicitAllow - The component will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS. Non-secured communication is allowed if the client never issues that command.
- stExplicitRequire - The component will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS. Non-secured communication is not allowed; the client must switch to TLS before proceeding.
The OnGetCertificate server event allows you to specify a server certificate for establishing the secured connection. You can create your own self-signed certificate, as well as load any other certificate from a certificate store:
// [Delphi]
procedure TMainForm.clImap4Server1GetCertificate(Sender: TObject;
  var ACertificate: TclCertificate;
  AExtraCerts: TclCertificateList; var Handled: Boolean);
begin
  // Create a self-signed certificate, valid for one year, the first time
  // the store is empty; subsequent calls reuse the stored certificate.
  if clCertificateStore1.Items.Count = 0 then
  begin
    clCertificateStore1.ValidFrom := Now();
    clCertificateStore1.ValidTo := Now() + 365;
    ACertificate := clCertificateStore1.CreateSelfSigned('CN=CleverTester,O=CleverComponents,E=CleverTester@company.mail', 0);
    clCertificateStore1.Items.Add(ACertificate);
  end;
  ACertificate := clCertificateStore1.Items[0];
  Handled := True;
end;
// [Delphi]
procedure TMainForm.clImap4Server1GetCertificate(Sender: TObject;
  var ACertificate: TclCertificate;
  AExtraCerts: TclCertificateList; var Handled: Boolean);
begin
  // Open the local machine's personal ('MY') store on first use and
  // serve the certificate issued to the named subject from it.
  if clCertificateStore1.Count = 0 then
  begin
    clCertificateStore1.Open('MY', slLocalMachine);
  end;
  ACertificate := clCertificateStore1.CertificateByIssuedTo('John Doe');
  Handled := True;
end;