Cannot set AllowExpired

Dany Marmur 2017-11-02 08:57:45 Registered user
Hi,
I have a client whose certificate has expired. Someone forgot to renew it. They want to continue with the expired certificate meanwhile, and that is their decision. So I add a BeforeImportTLSCert event handler to my TsmSimpleTLSInternalServer. /But the handler is never called./ I'm using StreamSec Tools 4.0.1.321 with RTC 9.01. I have checked that TsmCustomTLSInternalServer.SetBeforeImportTLSCert and TsmX509TrustedCertificates.SetBeforeImportTLSCert are both called during reading. I read the server certificate using ImportFromPFX. In TLSSetupServer I get the exception "All signature schemes are disabled". Looking at the rtcSecTest.pas unit (which I do not use) I cannot see what I have to do to be able to set "AllowExpired" server side. Any hints are greatly appreciated. Regards, /Dany
Henrick Wibell Hellström 2017-11-02 21:59:52 Registered user
They will have to set the system time of the server computer back to an earlier date. It is a quick and simple solution.

Henrick Wibell Hellström 2017-11-02 22:15:36 Registered user
If you want to fix it with programming, the easiest solution is to make the tValidity.CheckValidity: Boolean method in StreamSec.DSI.PkixCert always return True. This will disable all certificate expiration checking in the entire program.

Dany Marmur 2017-11-03 13:16:01 Registered user
OK!
So BeforeImportTLSCert only triggering for CollectedCerts is by design? Thanks!

Henrick Wibell Hellström 2017-11-03 21:13:15 Registered user
BeforeImportTLSCert is triggered when the remote TLS peer sends a certificate. For clients, it is triggered once the server certificate has been received, but prior to comparing, chaining and verifying it. For servers, the event is only triggered if and when a remote client sends a certificate for client certificate authentication. The event is not triggered by local certificate loading.
Normally, it would be a bigger problem that server owners won't notice that their certificate has expired until clients start to notify them that they can't connect without disturbing warnings. It is often better to use a valid non-expired in-house certificate over an expired commercial certificate. Deliberately using expired commercial certificates is the exception.

Dany Marmur 2017-11-09 08:56:59 Registered user
Thank you, that sounds like good logical advice.
I'll implement some warning e-mail-thingies instead so that my clients won't fall into that pit again. /D
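The expiry warning Dany plans above, as an added example that is not code from the thread or from StreamSec Tools: a Python monitor that reads the Validity field straight from a certificate's DER and reports "expiring" ahead of time, which is the alternative to patching CheckValidity or adding an AllowExpired switch. The certificate skeleton it parses is constructed inline (empty issuer, placeholder signature) and is not a real certificate; the parser also handles the optional [0] version field and the UTCTime century rule.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV nested in a constructed value such as a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _parse_time(tag, value):
    """UTCTime (0x17): YYMMDDHHMMSSZ, YY >= 50 means 19YY (RFC 5280); GeneralizedTime (0x18): YYYYMMDDHHMMSSZ."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_from_der(cert_der):
    """Return (notBefore, notAfter); Validity follows serial, sigAlg and issuer, the [0] version is optional."""
    _, cert, _ = _tlv(cert_der, 0)                               # outer Certificate SEQUENCE
    _, tbs = next(_children(cert))                               # tbsCertificate comes first
    fields = [f for f in _children(tbs) if f[0] != 0xA0]         # drop EXPLICIT [0] version if present
    not_before, not_after = _children(fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)

def cert_status(cert_der, now, warn_days=30):
    """Classify the certificate at time `now`; the warning window is what an expiry e-mail keys on."""
    not_before, not_after = validity_from_der(cert_der)
    if now < not_before:
        return "not_yet_valid"
    if now > not_after:
        return "expired"
    if now + timedelta(days=warn_days) > not_after:
        return "expiring"
    return "ok"

def _der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form DER TLV for the constructed sample

def sample_cert(not_before, not_after):
    """Constructed skeleton: [0] version, serial, empty sigAlg/issuer, Validity with two UTCTime values."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real certificate, feed `cert_status` the DER bytes (a PEM body base64-decoded, or the certificate extracted from the PFX) and `datetime.now(timezone.utc)`, then send the warning while the status is "expiring" rather than after clients start failing.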