Home 
username password  
Welcome, Guest.
Your IP: 100.28.231.85
2024-11-04 23:41:35 
 Public Support
 Can not set AllowExpired
Bottom
 
Total posts: 6
 Author Can not set AllowExpired
Dany Marmur

2017-11-02 08:57:45
Registered user
Hi,

I have a client whose certificate has expired. Someone missed to renew. They want to continue with the expired certificate meanwhile and that is their decision.

So i add an BeforeImportTLSCert event handler to my TsmSimpleTLSInternalServer. /But the handler is never called./

I'm using StreamSec Tools 4.0.1.321 with RTC 9.01.

I have checked that TsmCustomTLSInternalServer.SetBeforeImportTLSCert and TsmX509TrustedCertificates.SetBeforeImportTLSCert are both called during reading.

I read the server certificate using ImportFromPFX.

In TLSSetupServer i get the exception "All signature schemes are disabled".

Looking at the rtcSecTest.pas unit (that i do not use) i cannot see what i have to do to be able to set "AllowExpired" server side.

Any hints are greatly appreciated.

Regards,

/Dany
Henrick Wibell Hellström

2017-11-02 21:59:52
Registered user
They will have to set the system time of the server computer back to an earlier date. It is a quick and simple solution.
Henrick Wibell Hellström

2017-11-02 22:15:36
Registered user
If you want to fix it with programming, the easiest solution is to make the tValidity.CheckValidity: Boolean method in StreamSec.DSI.PkixCert always return True. This will disable all certificate expiration checking in the entire program.
Dany Marmur

2017-11-03 13:16:01
Registered user
OK!

So the BeforeImportTLSCert only triggers for CollectedCerts is by design?

Thanks!
Henrick Wibell Hellström

2017-11-03 21:13:15
Registered user
BeforeImportTLSCert is triggered when the remote TLS peer sends a certificate. For clients, it is triggered once the server certificate has been received, but prior to comparing, chaining and verifying it. For servers, the event is only triggered if and when a remote client sends a certificate for client certificate authentication. The event is not triggered by local certificate loading.

Normally, it would be a bigger problem that server owners won't notice that their certificate has expired, until clients start to notify them that they can't connect without disturbing warnings. It is often better to use a valid non-expired in-house certificate, over an expired commercial certificate. Deliberately using expired commercial certificates is the exception.
Dany Marmur

2017-11-09 08:56:59
Registered user
Thank you, that sounds like good logical advice.
I'll implement some warning e-mail-thingies instead so as my clients won't fall into that pit again.

/D
Top

:: Written with and Powered by the RealThinClient SDK and StreamSec Tools 4.0::
Copyright (c) Danijel Tkalcec, StreamSec HB