2014-09-05 00:17:09 +02:00

About NetSSL_Win
================

NetSSL_Win is an implementation of the POCO NetSSL library based on Windows
Schannel. The original NetSSL implementation is based on OpenSSL and thus
has a few OpenSSL-isms in the interface. Generally, source code based
on NetSSL_OpenSSL can be easily ported to use NetSSL_Win. Just a few
minor code changes are required, due to differences in the API.
These are discussed below:

  - Context: The Context constructor uses different arguments. While
    the first argument is the same, all others are different.
    Instead of a certificate file name, a certificate subject name is
    specified. Certificates can be loaded from a Windows
    certificate store, or from PKCS #12 files (.pfx, .p12) containing
    certificate and private key pairs, if the OPT_LOAD_CERT_FROM_FILE
    option is specified. In the latter case, a private key passphrase
    handler must be set up.
    Please refer to the header file documentation for more information.
    Furthermore, the following Context methods are not available in NetSSL_Win:
    addChainCertificate(), disableStatelessSessionResumption(),
    enableExtendedCertificateVerification(), enableSessionCache(),
    extendedCertificateVerificationEnabled(), flushSessionCache(),
    getSessionCacheSize(), getSessionTimeout(), sessionCacheEnabled(),
    setSessionCacheSize(), setSessionTimeout(), sslContext(),
    useCertificate(), usePrivateKey().

  - SSLManager: The configuration properties used to configure the SSLManager
    are different from the ones used in NetSSL_OpenSSL. Please see the
    SSLManager header file for more information.
    The isFIPSEnabled() method is not available.

  - X509Certificate: Saving a certificate is not supported.

Certificate and Certificate Stores
----------------------------------

The test suite and samples expect a certificate/private key file named
any.pem, located in the current working directory. This can be changed
by editing the testrunner.xml/TestSuite.xml configuration files.
Alternatively, a certificate from the Windows certificate store can be used.
A suitable self-signed certificate can be created using the Windows
IIS administration console, then exported to a file, and re-imported into
the user's personal store.

To create the certificate, follow these steps:

1. Launch the Computer Management utility.
2. Go to Services and Applications > Internet Information Server.
3. Open the Server Certificates feature.
4. Under Actions, click "Create Self-Signed Certificate...".
5. Enter a user-friendly name for the certificate.
   The certificate will be issued to the name of your computer.
6. Export the certificate by right-clicking it and choosing "Export...".
7. In Explorer, double-click the exported certificate file (.pfx)
   to launch the Certificate Import Wizard.
8. Import the certificate into your personal store by
   selecting "Place all certificates in the following store" and
   selecting the "Personal" store in the import wizard.

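The steps above can also be scripted. The following PowerShell is an added
example, not part of the original README or the POCO project; it swaps the
IIS console and the Certificate Import Wizard for the Windows PKI module
cmdlets and assumes an elevated session on Windows 10 / Server 2016 or later.
The friendly name and PFX path are placeholders chosen for this example.

```powershell
# Added example: scripted equivalent of the IIS console steps above.
# Assumes an elevated PowerShell session (writing to LocalMachine\My needs it).
$ErrorActionPreference = 'Stop'

$friendlyName = 'NetSSL_Win test certificate'          # hypothetical name
$pfxPath      = Join-Path $env:TEMP 'netssl-test.pfx'  # hypothetical path
$pfxPassword  = Read-Host -AsSecureString -Prompt 'PFX passphrase'

# Steps 4-5: self-signed certificate issued to the computer name,
# created in the machine store, where the IIS console places it.
$machineCert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -FriendlyName $friendlyName -CertStoreLocation 'Cert:\LocalMachine\My'

try {
    # Step 6: export certificate and private key to a PKCS #12 file.
    Export-PfxCertificate -Cert $machineCert -FilePath $pfxPath `
        -Password $pfxPassword | Out-Null

    # Steps 7-8: import into the current user's "Personal" store.
    # Without -Exportable the imported private key is marked non-exportable.
    $userCert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
}
finally {
    # The PFX holds the private key; do not leave it on disk after the import.
    if (Test-Path $pfxPath) { Remove-Item $pfxPath -Force }
}

# A server-side TLS context needs the private key attached to the certificate.
if (-not $userCert.HasPrivateKey) {
    throw "Imported certificate $($userCert.Thumbprint) has no private key."
}

# Report what was installed; the subject shown here is what a lookup
# by certificate subject name has to match.
$userCert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```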

Windows Embedded Compact
------------------------

Windows Embedded Compact does not support the following Schannel
features:

  - certificate revocation checking (Context::OPT_PERFORM_REVOCATION_CHECK)
  - TLS 1.1 and 1.2 (Context::TLSV1_1_CLIENT_USE, etc.)
  - disabling weak security algorithms (Context::OPT_USE_STRONG_CRYPTO)