
Let me state that I am not an expert.

I'm trying to create an encrypted TCP server/client. I have implemented SSL, and I created a self-signed key and its certificate.

I realized, thanks to many posts I also read on this site, that I do not need to use the certificate. I refer in particular to a response by the user Remy Lebeau: Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10

Now I was wondering if you can, somehow, prevent man-in-the-middle attacks.

Or rather, if I embed the certificate's signature and fingerprint in the app's code and verify them during the OnVerifyPeer event, is that enough?

  • Certificates are how peers identify themselves to each other. Using a certificate allows the SSL/TLS library to perform certain validations automatically (make sure the connection has been established to the host/IP specified in the certificate, etc). But even then, MITM attacks are still possible if the MITM provides its own certificates. To avoid MITM attacks, the peers have to validate that the content of the provided certificates is the expected values. It is not enough to just validate that the connected host/IP matches the peer's certificate; the host must also belong to the *expected* peer. – Remy Lebeau Sep 28 '15 at 21:10
  • You can use `OnVerifyPeer` to perform custom validations, in addition to any validations OpenSSL performs internally (the internal result is passed to the `OnVerifyPeer` event as input). – Remy Lebeau Sep 28 '15 at 21:10
  • I think I got it right, also from your articles :), but putting it into practice will be a little more complicated! Thanks for the clarification. – user3703876 Sep 28 '15 at 21:49
  • Remy, is it possible to use TLS-SRP with Indy? I see in Indy's code: `{$EXTERNALSYM SRP_user_pwd} SRP_user_pwd = record id : PIdAnsiChar; s : PBIGNUM; v : PBIGNUM; g : PBIGNUM; N : PBIGNUM; info : PIdAnsiChar; end; {$EXTERNALSYM PSRP_user_pwd} PSRP_user_pwd = ^SRP_user_pwd;` – user3703876 Oct 24 '15 at 10:32
  • Indy has no support for SRP at this time. There are a lot of things in Indy's imported OpenSSL API unit that Indy does not actually use. – Remy Lebeau Oct 24 '15 at 17:01
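A client-side fingerprint pin of the kind Remy describes, as an added example that is not code from the question, from Remy, or from Indy itself. It assumes Indy 10.6's `IdSSLOpenSSL` unit (the `TIdX509.Fingerprints.SHA256AsString` property, the `sslvTLSv1_2` method value and the four-parameter `OnVerifyPeer` signature), and a placeholder fingerprint that must be replaced with the real server certificate's value.

```delphi
uses
  SysUtils, IdTCPClient, IdSSLOpenSSL;

const
  // Constructed placeholder: the SHA-256 fingerprint of the server's own certificate,
  // in the colon-separated hex form that Fingerprints.SHA256AsString returns.
  EXPECTED_SERVER_FINGERPRINT = '<sha256-fingerprint-of-the-server-certificate>';

type
  // Holds the pinning check; OnVerifyPeer must be a method, not a plain procedure.
  TPinVerifier = class
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  end;

function TPinVerifier.VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // Fires once per certificate in the chain; depth 0 is the server's own (leaf) certificate.
  // A self-signed cert fails OpenSSL's chain check (AOk = False), so at depth 0 the decision
  // rests on the pinned fingerprint alone: a MITM presenting its own certificate cannot match it.
  // Caveat: pinning the whole certificate means every client must be updated when it is renewed.
  if ADepth = 0 then
    Result := SameText(Certificate.Fingerprints.SHA256AsString, EXPECTED_SERVER_FINGERPRINT)
  else
    Result := AOk; // any higher-level certificates keep OpenSSL's own verdict
end;

// Connects to AHost:APort over TLS and succeeds only if the server presents the pinned certificate.
// The caller owns the returned client and must Free it.
function ConnectPinned(const AHost: string; APort: Word; AVerifier: TPinVerifier): TIdTCPClient;
var
  IOHandler: TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdTCPClient.Create(nil);
  try
    IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(Result); // freed together with Result
    IOHandler.SSLOptions.Method := sslvTLSv1_2;
    IOHandler.SSLOptions.Mode := sslmClient;
    // Make OpenSSL demand a peer certificate and pass its verdict into OnVerifyPeer.
    IOHandler.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    IOHandler.OnVerifyPeer := AVerifier.VerifyPeer;
    IOHandler.PassThrough := False; // run the TLS handshake as part of Connect
    Result.IOHandler := IOHandler;
    Result.Host := AHost;
    Result.Port := APort;
    Result.Connect; // raises an OpenSSL exception when VerifyPeer rejects the certificate
  except
    Result.Free;
    raise;
  end;
end;
```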
