SSL client for Astaro Security Gateway (OpenVPN)

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
gijs
Posts: 2
Joined: Mon 07 Dec 2009 14:09

SSL client for Astaro Security Gateway (OpenVPN)

Post by gijs » Mon 07 Dec 2009 15:53

Hi

I am trying to create an SSL client (in Delphi) that can connect to Astaro Security Gateway (free for small users!). The SSL part in the Gateway is based on OpenVPN. I tried to create an SSL client as explained in the SecureBridge PDF manual, page 35. However, I am stuck with the error 'if a certificate is specified, it must have a private key'. As I am completely lost with certificate stuff, I hope someone can help me.

The Gateway has a user portal in which a user can download its SSL certificates. The certificates consist of four files: astaro.ca.crt, astaro.user.crt, astaro.user.key and [email protected]

I use ScFileStorage to hold the certificates. Both *.crt files are immediately visible when double-clicking on ScFileStorage. In ScSSLClient I set CACertName=astaro.ca.crt, CertName=astaro.user.crt. All other settings are as described on page 35.

If I set the property IsSecure = True, the result is the 'must have private key' error. I guess I need the *.key file as well, but no other import and/or settings I tried solved the error.

Dimon
Devart Team
Posts: 2910
Joined: Mon 05 Mar 2007 16:32

Post by Dimon » Tue 08 Dec 2009 08:45

The client certificate is used to authenticate a client by the server and it should have a private key.
To solve it, you can use the following code in the TScSSLClient.BeforeConnect event handler:


var
  Cert: TScCertificate;
begin
  // Look up the client certificate that ScSSLClient will present (astaro.user.crt)
  Cert := ScFileStorage.Certificates.CertificateByName(ScSSLClient.CertName);
  Cert.Ready := True;
  // Attach the matching private key; without it the client certificate cannot be
  // used for client authentication and the 'must have a private key' error is raised
  Cert.Key.ImportFrom('astaro.user.key');
end;

gijs
Posts: 2
Joined: Mon 07 Dec 2009 14:09

Post by gijs » Tue 08 Dec 2009 10:18

Hi Dimon

Thank you for the suggestion. I added the code, but then I get another error: 'wrong certificate context'...

To me it seems the certificates do not match each other. But they should, as I once again copied them from the original (a downloaded zip file for this user).

Maybe you have an idea what the error means and how I could solve it?

I copied the Astaro log below. Maybe that gives more relevant info. At the end it says 'Non-OpenVPN client protocol detected':

2009:12:08-11:09:58 astaro openvpn[30119]: MULTI: multi_create_instance called
2009:12:08-11:09:58 astaro openvpn[30119]: Re-using SSL/TLS context
2009:12:08-11:09:58 astaro openvpn[30119]: LZO compression initialized
2009:12:08-11:09:58 astaro openvpn[30119]: Control Channel MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
2009:12:08-11:09:58 astaro openvpn[30119]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
2009:12:08-11:09:58 astaro openvpn[30119]: Local Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-server'
2009:12:08-11:09:58 astaro openvpn[30119]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1556,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-128-CBC,auth MD5,keysize 128,key-method 2,tls-client'
2009:12:08-11:09:58 astaro openvpn[30119]: Local Options hash (VER=V4): 'a4f12474'
2009:12:08-11:09:58 astaro openvpn[30119]: Expected Remote Options hash (VER=V4): '619088b2'
2009:12:08-11:09:58 astaro openvpn[30119]: TCP connection established with 192.168.1.4:2052
2009:12:08-11:09:58 astaro openvpn[30119]: Socket Buffers: R=[131072->131072] S=[131072->131072]
2009:12:08-11:09:58 astaro openvpn[30119]: TCPv4_SERVER link local: [undef]
2009:12:08-11:09:58 astaro openvpn[30119]: TCPv4_SERVER link remote: 192.168.1.4:2052
2009:12:08-11:09:58 astaro openvpn[30119]: 192.168.1.4:2052 Non-OpenVPN client protocol detected
2009:12:08-11:09:58 astaro openvpn[30119]: 192.168.1.4:2052 SIGTERM[soft,port-share-redirect] received, client-instance exiting
2009:12:08-11:09:58 astaro openvpn[30119]: TCP/UDP: Closing socket
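The last two log lines explain why the gateway dropped the session: an OpenVPN server that shares its TCP port (the SIGTERM[soft,port-share-redirect] line) inspects the first bytes of each new connection and keeps only a client that speaks OpenVPN's control-channel framing; a plain SSL client sends a bare TLS record, which is what "Non-OpenVPN client protocol detected" reports. The Python below is an added example, not code from this thread or from Devart or Astaro: it mirrors that classification on constructed samples, using the opcode constant from OpenVPN's protocol definition and an assumed 14-byte minimum packet length.

```python
import struct

# From OpenVPN's control-channel protocol: the first byte of every packet is
# (opcode << 3) | key_id, and a client's very first packet carries opcode
# P_CONTROL_HARD_RESET_CLIENT_V2 (7) with key id 0, i.e. byte 0x38.
P_OPCODE_SHIFT = 3
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
HARD_RESET_CLIENT_V2_BYTE = P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT
MIN_RESET_PACKET_LEN = 14  # assumed threshold: opcode(1)+session id(8)+ack len(1)+packet id(4)

TLS_CONTENT_TYPE_HANDSHAKE = 0x16


def classify_first_bytes(data: bytes) -> str:
    """Return 'openvpn', 'tls', 'other' or 'undecided' for the opening bytes of a TCP stream.

    OpenVPN over TCP prefixes each packet with a 2-byte big-endian length, so a real
    OpenVPN client starts with 00 <len>=14 38 <session id> ...  A bare TLS client,
    which is what an SSL-only library produces, starts with a TLS record header 16 03 0x.
    """
    if len(data) < 3:
        return "undecided"
    pkt_len = struct.unpack("!H", data[:2])[0]
    if data[0] == 0x00 and pkt_len >= MIN_RESET_PACKET_LEN and data[2] == HARD_RESET_CLIENT_V2_BYTE:
        return "openvpn"
    if data[0] == TLS_CONTENT_TYPE_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "other"


def port_share_decision(data: bytes) -> str:
    """Mirror what an OpenVPN server with port-share does with a new TCP connection."""
    verdict = classify_first_bytes(data)
    if verdict == "openvpn":
        return "handle as OpenVPN client"
    if verdict == "undecided":
        return "wait for more bytes"
    return "Non-OpenVPN client protocol detected -> port-share redirect"


# Constructed samples (not captured from the thread's gateway).
# Minimal hard-reset packet: opcode/key byte, 8-byte session id, empty ack array,
# 4-byte packet id = 14 bytes, preceded by its 2-byte length prefix.
_reset_body = bytes([HARD_RESET_CLIENT_V2_BYTE]) + bytes(8) + b"\x00" + struct.pack("!I", 0)
SAMPLE_OPENVPN_RESET = struct.pack("!H", len(_reset_body)) + _reset_body
# TLS 1.0 record header followed by the start of a ClientHello, as a plain SSL client sends it.
SAMPLE_TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x01"

if __name__ == "__main__":
    for name, sample in (("openvpn", SAMPLE_OPENVPN_RESET), ("plain tls", SAMPLE_TLS_CLIENT_HELLO)):
        print(name, "->", port_share_decision(sample))
```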

Dimon
Devart Team
Posts: 2910
Joined: Mon 05 Mar 2007 16:32

Post by Dimon » Tue 08 Dec 2009 15:01

It seems that you are using an unknown format of certificate or a damaged certificate.
Please send me the certificate file to reproduce this problem.
