StreamSec 2.1 with RealThinClient: The connection is untrusted

[WilliamY]

HI,

Since I'm a newbie, and not sure how to make these 2 tools work together, so I'm testing:

1) your App server with StreamSec 2.1, but I got 'The connection is untrusted' message from the Browser,  I then used TLSDemoCert to create new cer and pix file, to use them instead, but still got the same message, Is this something that you could help me to figure out or I should ask StreamSec for the help?

2) When I'm testing your RTCWebForumTLS project, and used the new created cer and pix from TLSDemoCert from StreamSec, I got 'Could not open server.pix, Either the file is damaged or not a valid PKCS#12 file or the password is incorrect',  BTW, The password I used for creating the new cer and pix is 'abc'.  Can you help?

Regards,

William

[D.Tkalcec (RTC)]

As far as I know, for a Web Browser to see an encrypted connection as "trusted", you either need to manually add your SSL Certificate to your Web Browsers list of trusted certificates, or use SSL certificates created by entities trusted by the Web Browser (for example, buy them from VeriSign). Certificates you are creating with free tools are NOT trusted by WebBrowsers by default, but they can be used for communication between RTC Clients and Servers.

If you need more information, please contact the component vendor whose components you are using for SSL encryption (StreamSec?).

Best Regards,
Danijel Tkalcec

[WilliamY]

Hi,

Thanks for the clarification. What if a web application/3rd party websites/softwares send a https URL to my app server?

Regards,

William

[Henrick (StreamSec)]

#1. Danijel is correct, but it should be noted that you don't necessarily have to add the SSL server certificate itself to your browser certificate store, but rather the root CA certificate it chains to. In the case of the TLSDemoCert output, this would be the root.cer file. Either approach will work, and which one is best for you depends on if you want, or don't want, any other certificate you issue using the same root CA to also verify.

#2. The RTCWebForumTLS project uses a hard code PFX password. You find it in unit HTTP_Module_TLS, method THTTPS_Server.DataModuleCreate.

  SimpleTLSInternalServer1.ImportFromPFX('Server.pfx',TSecretKey.CreateBMPStr('123456789012',12));

You may change it to

  SimpleTLSInternalServer1.ImportFromPFX('Server.pfx',TSecretKey.CreateBMPStr('abc',3));

[WilliamY]

Hi, Henrick

#1. ..., but rather the root CA certificate it chains to. In the case of the TLSDemoCert output, this would be the root.cer file. Either approach will work, and which one is best for you depends on if you want, or don't want, any other certificate you issue using the same root CA to also verify.

Could you please give me more details about this? I'm really a newbie to this. Are you saying to give the root.cer to the 3rd party web application/software venders?

#2. The RTCWebForumTLS project uses a hard code PFX password. You find it in unit HTTP_Module_TLS, method THTTPS_Server.DataModuleCreate.

  SimpleTLSInternalServer1.ImportFromPFX('Server.pfx',TSecretKey.CreateBMPStr('123456789012',12));

You may change it to

  SimpleTLSInternalServer1.ImportFromPFX('Server.pfx',TSecretKey.CreateBMPStr('abc',3));

It worked like charm. BTW, Whats your CertMgr application for?

Thanks,

William

[WilliamY]

Hi,

Is there any reason for not loading root.cer when RTCWebForumTLS is running?  I thought that for any SSL servers, the root.cer must be loaded?  Correct me if I'm wrong.

Thanks,

William

[D.Tkalcec (RTC)]

Please note that these forums are NOT monitored by 3rd-party component vendors. Henrick has replied to your last post because I've contacted him yesterday and asked him to check my response. If you have more questions about SSL/TLS encryption, please contact the encryption component vendor directly (StreamSec).

Best Regards,
Danijel Tkalcec

[WilliamY]

Hi,

I don't see any response from Henrick regarding why not loading root.cer when RTCWebForumTLS is running. I will ask him directly.

Thanks

William