Hi Simon, Lukas,

Attached a patch to blcksock.pas and ssl_openssl.pas that implements the
OnVerifyCert handler in TCustomSSL. The handler is called in ssl_openssl
just after GetVerifyCert completes successfully. OnVerifyCert uses a boolean
result that indicates success (continue the connection) or failure (abort
connection). The patch is against the latest svn.
I had a look at the other ssl libraries but didn't find an obvious location
to call the OnVerifyCert handler. FVerifyCert doesn't seem to do anything
for these libraries in client mode. I don't have enough experience with
these libraries to make more significant modifications either.

My earlier suggestion for an TTCPBlockSocket.OnBeforeDisconnect handler
wouldn't have blocked the download of the data from the server. The server
CN check wouldn't have been possible until after downloading all data.

The test program becomes:

////
// OnVerifyCert handler: return True to continue the connection, False to abort it.
function TForm1.VerifyCert(Sender: TObject): boolean;
var
  peer: string;
begin
  // Sender is the TSSLOpenSSL instance; the socket is still open here, so the
  // peer certificate is available and no request data has been sent yet.
  with Sender as TSSLOpenSSL do
    peer := GetPeerName;
  // your CN/url verification here
  result := peer = 'suivi.orange.fr';
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  HTTP: THTTPSend;
  res: boolean;
  s: string;
begin
  HTTP := THTTPSend.Create;
  HTTP.Sock.SSL.VerifyCert := true;                 // enable CA chain verification
  HTTP.Sock.SSL.CertCAFile := 'CAcert.pem';         // trusted root CAs
  HTTP.Sock.SSL.OnVerifyCert := Form1.VerifyCert;   // application-side CN check
  s := 'nothing';
  try
    res := HTTP.HTTPMethod('GET', 'https://suivi.orange.fr');
    if res then
      begin
        // copy the response body into s
        setlength(s, HTTP.Document.size);
        HTTP.Document.Position := 0;
        HTTP.Document.Read(s[1], HTTP.Document.size);
      end
    else
      s := HTTP.Sock.SSL.LastErrorDesc;
  finally
    HTTP.Free;
    Memo1.Text := s;
  end;
end;
////

Note that SSL.LastError and SSL.LastErrorDesc do not reflect DoVerifyCert
failure. 

Ludo



-----Original Message-----
From: Ludo Brands [mailto:ludo.bra...@free.fr]
Sent: Wednesday 23 February 2011 18:02
To: 'Ararat Synapse'
Subject: [Synalist] RE : RE : RE : RE : [HttpSend] How to verify server's certificate?


Hi Simon,

Openssl certificate verification only verifies the CA chain up to the root
CA to check if they are not tampered with. It does not verify if the CN in
the server certificate matches the domain name in the URL used. That is up
to the application. This is a limitation in openssl, not a bug in synapse.

HTTP.Sock.SSL.GetPeerName does indeed correspond to the CN in the certificate. But
... HTTP.HTTPMethod closes the socket (and the link to openssl) by default
and GetPeerName returns an empty string. You can set HTTP.Protocol:='1.1';
to not close the connection by default. This will work for
https://65.55.12.249 but not for https://suivi.orange.fr, which sends a
connection close in the header.

I'm afraid this needs some changes in Synapse. Adding a
TTCPBlockSocket.OnBeforeDisconnect handler would be an elegant solution.

Perhaps somebody else on the mailinglist has another idea??
 
Ludo

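As an added example (not part of this thread and not Synapse code), the following Python shows the name check an application has to supply on top of OpenSSL's chain verification, which is what the OnVerifyCert handler at the top of the thread is for and what the CN limitation above describes. It goes slightly beyond the thread: SAN dNSName entries are consulted before the CN, a wildcard is accepted only as the whole leftmost label, and a literal IP address in the URL is rejected. The certificate dicts, host names and the function names `on_verify_cert`, `hostname_matches` and `_pattern_matches` are all constructed for this illustration.

```python
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

def _pattern_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one dNSName/CN pattern with a hostname.
    Case-insensitive; a wildcard is allowed only as the whole leftmost label
    and must leave at least two more labels, so '*.fr' matches nothing."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard covers exactly one label: a.b.orange.fr is not *.orange.fr
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def hostname_matches(hostname: str, san_dns: list[str], cn: str | None) -> bool:
    """True if the name from the URL matches the certificate's identity.
    SAN dNSName entries take precedence; the subject CN is only consulted
    when the certificate carries no SAN. A literal IP address in the URL
    is never matched against a DNS name, so it fails here."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if san_dns:
        return any(_pattern_matches(p, hostname) for p in san_dns)
    return cn is not None and _pattern_matches(cn, hostname)

def on_verify_cert(url: str, peer_cert: dict) -> bool:
    """Stand-in for the OnVerifyCert handler: True continues the connection,
    False aborts it before any request is sent. peer_cert is a constructed
    dict with 'cn' and 'san_dns' rather than a real X509 object."""
    host = urlsplit(url).hostname or ""
    return hostname_matches(host, peer_cert.get("san_dns", []), peer_cert.get("cn"))

# Constructed sample identities (not real certificates). Both would pass the
# CA chain check; only the name check tells them apart.
ORANGE_CERT = {"cn": "suivi.orange.fr", "san_dns": ["suivi.orange.fr"]}
OTHER_CERT = {"cn": "www.example.net", "san_dns": ["www.example.net", "*.example.net"]}

if __name__ == "__main__":
    # Normal case, then the hosts-file redirect from the thread: a valid
    # chain issued for a different site must be rejected.
    print(on_verify_cert("https://suivi.orange.fr", ORANGE_CERT))  # True
    print(on_verify_cert("https://suivi.orange.fr", OTHER_CERT))   # False
```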

-----Original Message-----
From: Simon L [mailto:sim...@gmail.com]
Sent: Wednesday 23 February 2011 14:34
To: Ararat Synapse
Subject: Re: [Synalist] RE : RE : RE : [HttpSend] How to verify server's certificate?


Hi Ludo,

I noticed a problem with the certificate verification process:  even if the
certificate doesn't match the website, HTTPSend won't complain as long as
the root CA of the certificate is found in the CertCAFile.

For example, in C:\Windows\System32\drivers\etc\hosts, if you change the IP
of suivi.orange.fr to point to 65.55.12.249  (Microsoft's website), your
code still succeeds.

Is this a bug, or should we manually compare and check the value in
HTTP.Sock.SSL.GetPeerName?

Thank you.

Simon


On Tue, Feb 15, 2011 at 6:02 AM, Ludo Brands <ludo.bra...@free.fr> wrote:
> Hi Simon,
>
> The trusted CAs to check against can be specified with
>
> HTTP.Sock.SSL.CertCAFile:='full.path.to.CAcert.pem';
>
> You can find a pem conversion of the Mozilla trusted CAs here:
> http://curl.haxx.se/ca/cacert.pem
>
>
> Here is a working example using the above pem file (a form with Memo1 to
> display the result or error):
>
> procedure TForm1.FormCreate(Sender: TObject);
> var
>  HTTP:THTTPSend;
>  res:boolean;
>  s:string;
> begin
>  HTTP := THTTPSend.Create;
>  HTTP.Sock.SSL.VerifyCert:=true;
>  HTTP.Sock.SSL.CertCAFile:='CAcert.pem';
>  s:='nothing';
>  try
>    res := HTTP.HTTPMethod('GET', 'https://suivi.orange.fr');
>    if res then
>      begin
>      // copy the response body into s (read from the start of the stream)
>      setlength(s,HTTP.Document.size);
>      HTTP.Document.Position:=0;
>      HTTP.Document.Read(s[1],HTTP.Document.size);
>      end
>    else
>      s:= HTTP.Sock.SSL.LastErrorDesc;
>  finally
>    HTTP.Free;
>    Memo1.Text:=s;
>  end;
> end;
>
> Ludo
>
> -----Original Message-----
> From: Ludo Brands [mailto:ludo.bra...@free.fr]
> Sent: Tuesday 15 February 2011 10:32
> To: 'Ararat Synapse'
> Subject: [Synalist] RE : RE : [HttpSend] How to verify server's
> certificate?
>
>
> Hi Simon,
>
> If HTTPMethod returns false then check HTTP.Sock.SSL.LastErrorDesc.
>
> When it says something like 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' and 
> the site opens correctly in your browser, then openssl probably hasn't 
> any root certificate authorities to compare with. As 
> www.openssl.org/support/faq.html
> says: "The OpenSSL software is shipped without any root CA certificate as
> the OpenSSL project does not have any policy on including or excluding any
> specific CA and does not intend to set up such a policy. Deciding about
> which CAs to support is up to application developers or administrators. "
>
> Ludo
>
>
> -----Original Message-----
> From: Simon L [mailto:sim...@gmail.com]
> Sent: Monday 14 February 2011 22:46
> To: Ararat Synapse
> Subject: Re: [Synalist] RE : [HttpSend] How to verify server's
> certificate?
>
>
> Hi Ludo,
>
> Unfortunately this doesn't seem to work.
>
> When HTTP.Sock.SSL.VerifyCert is true,  HTTPMethod returns
> immediately. Please advise. Thanks.
>
>
> Simon
>
> On Sun, Feb 13, 2011 at 9:00 AM, Ludo Brands <ludo.bra...@free.fr>
> wrote:
>> Hi,
>>
>> HTTP := THTTPSend.Create;
>> HTTP.Sock.SSL.VerifyCert:=true;
>> ....
>>
>> does the certificate verification. Works apparently only with the
>> openssl library.
>>
>> Ludo
>>
>>
>> -----Original Message-----
>> From: Simon L [mailto:sim...@gmail.com]
>> Sent: Sunday 13 February 2011 12:06
>> To: synalist-public@lists.sourceforge.net
>> Subject: [Synalist] [HttpSend] How to verify server's certificate?
>>
>>
>> Before data is transferred over an HTTPS connection, I want to make
>> sure that the website's certificate is genuine.
>>
>> How to do that? Thanks.
>>
>> Simon
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio
>> XE: Pinpoint memory and threading errors before they happen. Find and 
>> fix more than 250 security defects in the development cycle. Locate 
>> bottlenecks in serial and parallel code that limit performance. 
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> synalist-public mailing list synalist-public@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/synalist-public
>>
>>

------------------------------------------------------------------------------
Free Software Download: Index, Search & Analyze Logs and other IT data in
Real-Time with Splunk. Collect, index and harness all the fast moving IT data
generated by your applications, servers and devices whether physical,
virtual or in the cloud. Deliver compliance at lower cost and gain new business
insights. http://p.sf.net/sfu/splunk-dev2dev
_______________________________________________
synalist-public mailing list synalist-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/synalist-public



Attachment: verifycert.patch
Description: Binary data
