PowerTCP SSL for ActiveX
Imap Security

Overview

The Imap control can be used to communicate securely with servers using SSL 2.0, SSL 3.0, TLS, or PCT by setting the Privacy property.  Handle server certificate authentication (whether or not to accept the certificate the server sends) in the Authenticate event, or using the Security property in scripted environments with no events.  Handle client certificate authentication (when the server requests the client authenticate itself using a certificate) in the Certificate event and using the Certificate property.


Using basic security with the Imap control

The simplest way the Imap control could be used to communicate securely is to set the Security property to secureIgnoreCertificate (which will cause the control to automatically accept any certificate the server sends) and connect to a secure server. This technique, while simple, has obvious security holes that are addressed in the remainder of this topic.  Incidentally, for environments that lack events such as ASP, the Security property should always be used to dictate how the control should handle the server's certificate.

Example
Copy Code
Private Sub SecurityTest1()
    ' Accept any certificate the server sends, valid or invalid.
    Imap1.Security = secureIgnoreCertificate

    ' Set the SSL privacy to use - privacyImplicitAuto works in most cases
    Imap1.Privacy = privacyImplicitAuto

    ' Connect and login to a secure Imap server on the standard secure Imap port 993.
    Imap1.Login "myImapServer", "myAccount", "myPassword", 993
End Sub

Customizing certificate handling with the Imap control

As stated above, disabling security checks is the easiest way to use connect to a secure server but has massive security drawbacks. To remedy this, set the Security property back to secureNormal to perform all certificate checks within the Authenticate event.

Example
Copy Code
Private Sub SecurityTest2()
    ' Perform all checks in the Authenticate event
    Imap1.Security = secureNormal
 
    ' Set the SSL privacy to use - privacyImplicitAuto works in most cases
    Imap1.Privacy = privacyImplicitAuto
   
    ' Connect and login to a secure Imap server on the standard secure Imap port 993.
    Imap1.Login "myImapServer", "myAccount", "myPassword", 993
End Sub
 
Private Sub Imap1_Authenticate(ByVal RemoteCertificate As DartMailCtl.ICertificate, ByVal TrustedRoot As Boolean, ByVal ValidDate As Boolean, ByVal ValidSignature As Boolean, Valid As Boolean)
    ' The server's certificate has been received.
    Dim Msg As String
   
    ' Check to see if it passed all the checks.
    If Not Valid Then
        ' It didn't, so check everything and give the user the option to accept/reject.
        If Not ValidDate Then Msg = Msg + "- Certificate date is invalid" + vbCrLf
        If Not TrustedRoot Then Msg = Msg + "- Certificate Authority is not trusted" + vbCrLf
        If Not ValidSignature Then Msg = Msg + "- Certificate does not contain a valid signature" + vbCrLf
   
        Msg = "The following conditions are true:" + vbCrLf + vbCrLf + Msg + vbCrLf + vbCrLf
        Msg = Msg + "Do you still wish to authenticate?"
        If MsgBox(Msg, vbYesNo + vbExclamation, "Security Alert") = vbYes Then
            ' User still wants to accept so accept it (by setting Valid to true)
            Valid = True
        End If
    End If
End Sub

Using client authentication with the Imap control

Occasionally, a server may require a client authenticate itself to the server by sending a certificate. If this happens, the Certificate event will fire and the Certificate property must be set to a valid Certificate object.  In environments that do not support events, the property can be set before logging in.

The following code demonstrates using a CertificateStore object to select a certificate, although the CertificateList control is useful for this purpose as well (and is demonstrated in most of the installed sample applications).

Note, in order for a client to authenticate themselves, the local machine must have an installed certificate. See the Certificate Manager topic for information on obtaining a certificate.

Example
Copy Code
Private Sub Imap1_Certificate()
    ' The server has requested a certificate from the client.
    Dim Store As New CertificateStore

    'Get the certificates in "MY" certificate store located in the
    'current user registry key.
    Store.Name = "MY"
    Store.Location = locationCurrentUser
    Store.Refresh

    ' Check to see if any certificates were found in this store.
    If Store.Certificates.Count > 0 Then
        ' Yep. Just use the first one.
        SecureTcp1.Certificate = Store.Certificates.Item(1)
    Else
        ' Uh oh. No client certificate. Authentication will fail.
    End If
End Sub

Using Explicit Security (STARTTLS)

In addition to establishing implicitly secure connections to servers on port 993 as demonstrated in the examples above, the control can make explicitly secure connections, if the server supports the STARTTLS command.  With explicit security, the control first connects non-securely, then switches to a secure connection. This can be accomplished by setting the Privacy property to privacyExplicitTLS.

Example
Copy Code
Private Sub ExplicitLogin()
    ' Accept any certificate the server sends, valid or invalid.
    Imap1.Security = secureIgnoreCertificate

    ' Connect non-securely, then switch to TLS
    Imap1.Privacy = privacyExplicitTLS

    ' Connect and login to an Imap server on the standard port.
    Imap1.Login "myImapServer", "myAccount", "myPassword", 143
End Sub

PowerTCP SSL for ActiveX Documentation Version 2.2.1
© 2018 Dart Communications. All Rights Reserved.
Send comments on this topic