Re: [Synalist] RE : RE : RE : [HttpSend] How to verify server's certificate?
Pascal TCP/IP Library
From: Simon L <si...@gm...> - 2011-02-23 13:39:06
Hi Ludo,

I noticed a problem with the certificate verification process: even if the certificate doesn't match the website, HTTPSend won't complain as long as the root CA of the certificate is found in the CertCAFile.

For example, in C:\Windows\System32\drivers\etc\hosts, if you change the IP of suivi.orange.fr to point to 65.55.12.249 (Microsoft's website), your code still succeeds.

Is this a bug, or should we manually compare and check the value in HTTP.Sock.SSL.GetPeerName?

Thank you.

Simon

On Tue, Feb 15, 2011 at 6:02 AM, Ludo Brands <lud...@fr...> wrote:
> Hi Simon,
>
> The trusted CAs to check against can be specified with
>
> HTTP.Sock.SSL.CertCAFile:='full.path.to.CAcert.pem';
>
> You can find a pem conversion of the Mozilla trusted CAs here:
> http://curl.haxx.se/ca/cacert.pem
>
> Here is a working example using the above pem file (Form with Memo1 to
> display the result or error)
>
> procedure TForm1.FormCreate(Sender: TObject);
> var HTTP: THTTPSend;
>     res: boolean;
>     s: string;
> begin
>   HTTP := THTTPSend.Create;
>   HTTP.Sock.SSL.VerifyCert := true;
>   HTTP.Sock.SSL.CertCAFile := 'CAcert.pem';
>   s := 'nothing';
>   try
>     res := HTTP.HTTPMethod('GET', 'https://suivi.orange.fr');
>     if res then
>     begin
>       { copy the response body out of the Document stream into s }
>       SetLength(s, HTTP.Document.Size);
>       HTTP.Document.Position := 0;
>       HTTP.Document.Read(s[1], HTTP.Document.Size);
>     end
>     else
>       s := HTTP.Sock.SSL.LastErrorDesc;
>   finally
>     HTTP.Free;
>     Memo1.Text := s;
>   end;
> end;
>
> Ludo
>
> -----Original Message-----
> From: Ludo Brands [mailto:lud...@fr...]
> Sent: Tuesday 15 February 2011 10:32
> To: 'Ararat Synapse'
> Subject: [Synalist] RE : RE : [HttpSend] How to verify server's certificate?
>
> Hi Simon,
>
> If HTTPMethod returns false then check HTTP.Sock.SSL.LastErrorDesc.
>
> When it says something like 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' and the site
> opens correctly in your browser, then openssl probably hasn't any root
> certificate authorities to compare with.
> As www.openssl.org/support/faq.html says: "The OpenSSL software is shipped
> without any root CA certificate as the OpenSSL project does not have any
> policy on including or excluding any specific CA and does not intend to set
> up such a policy. Deciding about which CAs to support is up to application
> developers or administrators."
>
> Ludo
>
> -----Original Message-----
> From: Simon L [mailto:si...@gm...]
> Sent: Monday 14 February 2011 22:46
> To: Ararat Synapse
> Subject: Re: [Synalist] RE : [HttpSend] How to verify server's certificate?
>
> Hi Ludo,
>
> Unfortunately this doesn't seem to work.
>
> When HTTP.Sock.SSL.VerifyCert is true, HTTPMethod returns immediately.
> Please advise. Thanks.
>
> Simon
>
> On Sun, Feb 13, 2011 at 9:00 AM, Ludo Brands <lud...@fr...> wrote:
>> Hi,
>>
>> HTTP := THTTPSend.Create;
>> HTTP.Sock.SSL.VerifyCert:=true;
>> ....
>>
>> does the certificate verification. Works apparently only with the
>> openssl library.
>>
>> Ludo
>>
>> -----Original Message-----
>> From: Simon L [mailto:si...@gm...]
>> Sent: Sunday 13 February 2011 12:06
>> To: syn...@li...
>> Subject: [Synalist] [HttpSend] How to verify server's certificate?
>>
>> Before data is transferred over an HTTPS connection, I want to make
>> sure that the website's certificate is genuine.
>>
>> How to do that? Thanks.
>>
>> Simon
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio
>> XE: Pinpoint memory and threading errors before they happen. Find and
>> fix more than 250 security defects in the development cycle. Locate
>> bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> synalist-public mailing list syn...@li...
>> https://lists.sourceforge.net/lists/listinfo/synalist-public
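The check Simon is asking about, as an added example that is not code from the thread or from Synapse: chain validation (what VerifyCert plus CertCAFile performs) only establishes that the certificate was issued by a trusted CA, and a separate comparison of the certificate's names against the host actually requested is what catches the hosts-file redirection he describes. The certificate names below are constructed sample values for that scenario; in Synapse terms the input would be the name exposed through HTTP.Sock.SSL.GetPeerName.

```python
import ipaddress

def hostname_matches(hostname: str, cert_name: str) -> bool:
    """RFC 6125-style match of one requested hostname against one certificate
    name (a SAN dNSName or, as a fallback, the CN). Case-insensitive; a
    wildcard is accepted only as the entire leftmost label, only when at
    least two fixed labels follow (*.example.com, never *.com or
    a*.example.com), and it matches exactly one label."""
    host = hostname.rstrip(".").lower().split(".")
    name = cert_name.rstrip(".").lower().split(".")
    if len(host) != len(name) or "" in host or "" in name:
        return False
    if "*" in name[0] and (name[0] != "*" or len(name) < 3):
        return False
    if any("*" in label for label in name[1:]):
        return False
    return all(p == "*" or p == h for p, h in zip(name, host))

def peer_cert_matches(hostname: str, san_dns: list, cn: str) -> bool:
    """Chain validation proves the certificate came from a trusted CA; this
    proves it was issued for the host that was requested. SAN dNSName
    entries take precedence; the CN is consulted only when the certificate
    carries no SAN names. A literal IP is never matched against DNS names."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    names = san_dns if san_dns else [cn]
    return any(hostname_matches(hostname, n) for n in names)

# Constructed sample data (not real certificates): names a peer certificate
# might carry in the hosts-file scenario from the thread, where
# suivi.orange.fr resolves to another site whose certificate chains to a
# trusted root but was not issued for that name.
REQUESTED_HOST = "suivi.orange.fr"
GENUINE_CERT = {"san_dns": ["suivi.orange.fr", "www.orange.fr"],
                "cn": "suivi.orange.fr"}
REDIRECTED_CERT = {"san_dns": ["*.microsoft.com", "microsoft.com"],
                   "cn": "www.microsoft.com"}

def accept_peer(cert: dict, hostname: str = REQUESTED_HOST) -> bool:
    """Run after chain validation, on the names taken from the peer cert."""
    return peer_cert_matches(hostname, cert["san_dns"], cert["cn"])

if __name__ == "__main__":
    print("genuine cert   :", accept_peer(GENUINE_CERT))     # True
    print("redirected cert:", accept_peer(REDIRECTED_CERT))  # False
```

Both certificates would pass CertCAFile-based chain validation; only the name comparison distinguishes the redirected server from the genuine one.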