SSL SOAP Request - Certificates but No Key

[Tim]

I am writing a SOAP request to a server which requires SSL. I receive this error when posting the request: error number -53 which means Open Timeout or Failure error - [SSL Error = 11]. I gather there is an SSL authentication issue.

We are connected to the host via a VPN. My counterpart at the host site said there is no cert key. But that we have to have the certs loaded to the keystore on the server. She provided 3 certificate files: 1 file with the URL.cer, RootCA.cer, and Chain.cer. She also said there is a root certificate, and an intermediate certificate, the Root certificate is required, at a minimum; however, depending on my system the URL cert may also need to be installed.

The following is my SSL code. However, I tried every permuation of the following settings that I can think of.

    Web.SSL = 1
    Web.SSLCertificateOptions.CertificateFile = ''
    Web.SSLCertificateOptions.PrivateKeyFile = ''   
    Web.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 0
    Web.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 0
    Web.SSLCertificateOptions.CARootFile = '.\RootCA.cer'

Any help would be greatly appreciated.

[Bruce]

Hi Tim,

Web.SSLCertificateOptions.CARootFile = '.\RootCA.cer'
this line is wrong. Should likely be
Web.SSLCertificateOptions.CARootFile = 'ca_roots.pem''


test first with

   Web.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
    Web.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1

and report back.

[update - changed the properties from 0 to 1 above.]

Cheers
Bruce

[Tim]

Hi Bruce,

Thank you for the reply.

I saw CA_Roots.pem commented in the example, but the host did not provide a file with a .pem extension. I only have files with .cer extensions: Their URL .cer, RootCA.cer, and Chain.cer.

I did try:
(1) renaming the RootCA.cer file to CA_Roots.pem
(2) changed code to Web.SSLCertificateOptions.CARootFile = 'CA_Roots.pem'
(3) Kept as-is:
Web.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 0
Web.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 0

The above didn't work. SSL Error 11.

Any other ideas please.

Thanks,

Tim

[Bruce]

They don't supply the CS_Roots.Pem.
the CaRoots is a list of certificate authorities that "you trust". If you got it from the service you are connecting to that would defeat it's purpose.

you can find one in
examples\NetTalk\Demo\certs\CA Roots

>> (3) Kept as-is:
Web.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 0
Web.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 0

These 2 lines are telling the engine to _use_ the Ca_Root to validate the client-side certificate. (Note the word Dont in the property names). That's why it's easiest to set these to 1 for testing [update - there was a typo in my earlier post - I thought I was telling you to set them to 1, not 0 - I'll update there as well]

Cheers
Bruce

[Tim]

All is good now.

BTW, for those that may need this in the future, in my case I had to add the following too:
Web.SSLMethod = NET:SSLMethodSSLv23

Thank you for your help.

[Bruce]

Hi Tim,

>> Web.SSLMethod = NET:SSLMethodSSLv23

depending on your server you may need to set the SSLMethod. But be aware that the server can change it if they like. So you may want to allow for this when coding - maybe make this a setting or something.

Ideally use one of

Web.SSLMethod = NET:SSLMethodSSLv3
or
Web.SSLMethod = NET:SSLMethodTLSv1
(or higher)

NET:SSLMethodSSLv23 is little less secure (although probably not terribly applicable to your situation.)

cheers
Bruce