Hi Simon, Lukas,

Attached is a patch to blcksock.pas and ssl_openssl.pas that implements the OnVerifyCert handler in TCustomSSL. The handler is called in ssl_openssl just after GetVerifyCert completes successfully. OnVerifyCert uses a boolean result that indicates success (continue the connection) or failure (abort the connection). The patch is against the latest svn. I had a look at the other SSL libraries but didn't find an obvious location to call the OnVerifyCert handler. FVerifyCert doesn't seem to do anything for these libraries in client mode. I don't have enough experience with these libraries to make more significant modifications either.
My earlier suggestion for a TTCPBlockSocket.OnBeforeDisconnect handler wouldn't have blocked the download of the data from the server. The server CN check wouldn't have been possible until after downloading all data.

The test program becomes:

////
function TForm1.VerifyCert(Sender: TObject): boolean;
var
  peer: string;
begin
  // Sender is the TSSLOpenSSL instance; GetPeerName returns the certificate CN
  with Sender as TSSLOpenSSL do
    peer := GetPeerName;
  // your CN/url verification here
  result := peer = 'suivi.orange.fr';
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  HTTP: THTTPSend;
  res: boolean;
  s: string;
begin
  HTTP := THTTPSend.Create;
  HTTP.Sock.SSL.VerifyCert := true;
  HTTP.Sock.SSL.CertCAFile := 'CAcert.pem';
  HTTP.Sock.SSL.OnVerifyCert := Form1.VerifyCert;
  s := 'nothing';
  try
    res := HTTP.HTTPMethod('GET', 'https://suivi.orange.fr');
    if res then
    begin
      // copy the response body into s, reading from the start of the stream
      setlength(s, HTTP.Document.size);
      HTTP.Document.Position := 0;
      HTTP.Document.Read(s[1], HTTP.Document.size);
    end
    else
      s := HTTP.Sock.SSL.LastErrorDesc;
  finally
    HTTP.Free;
    Memo1.Text := s;
  end;
end;
////

Note that SSL.LastError and SSL.LastErrorDesc do not reflect DoVerifyCert failure.

Ludo

-----Original Message-----
From: Ludo Brands [mailto:ludo.bra...@free.fr]
Sent: Wednesday, 23 February 2011 18:02
To: 'Ararat Synapse'
Subject: [Synalist] RE : RE : RE : RE : [HttpSend] How to verify server's certificate?

Hi Simon,

OpenSSL certificate verification only verifies the CA chain up to the root CA to check that the certificates have not been tampered with. It does not verify whether the CN in the server certificate matches the domain name in the URL used. That is up to the application. This is a limitation in OpenSSL, not a bug in Synapse. HTTP.Sock.SSL.GetPeerName does indeed correspond to the CN in the certificate. But ... HTTP.HTTPMethod closes the socket (and the link to OpenSSL) by default and GetPeerName returns an empty string. You can set HTTP.Protocol := '1.1'; to not close the connection by default. This will work for https://65.55.12.249 but not for https://suivi.orange.fr, which sends a connection close in the header.
I'm afraid this needs some changes in Synapse. Adding a TTCPBlockSocket.OnBeforeDisconnect handler would be an elegant solution. Perhaps somebody else on the mailing list has another idea?

Ludo

-----Original Message-----
From: Simon L [mailto:sim...@gmail.com]
Sent: Wednesday, 23 February 2011 14:34
To: Ararat Synapse
Subject: Re: [Synalist] RE : RE : RE : [HttpSend] How to verify server's certificate?

Hi Ludo,

I noticed a problem with the certificate verification process: even if the certificate doesn't match the website, HTTPSend won't complain as long as the root CA of the certificate is found in the CertCAFile. For example, in C:\Windows\System32\drivers\etc\hosts, if you change the IP of suivi.orange.fr to point to 65.55.12.249 (Microsoft's website), your code still succeeds. Is this a bug, or should we manually compare and check the value in HTTP.Sock.SSL.GetPeerName?

Thank you.

Simon

On Tue, Feb 15, 2011 at 6:02 AM, Ludo Brands <ludo.bra...@free.fr> wrote:
> Hi Simon,
>
> The trusted CAs to check against can be specified with
>
> HTTP.Sock.SSL.CertCAFile := 'full.path.to.CAcert.pem';
>
> You can find a PEM conversion of the Mozilla trusted CAs here:
> http://curl.haxx.se/ca/cacert.pem
>
> Here is a working example using the above PEM file (form with Memo1 to
> display the result or error):
>
> procedure TForm1.FormCreate(Sender: TObject);
> var
>   HTTP: THTTPSend;
>   res: boolean;
>   s: string;
> begin
>   HTTP := THTTPSend.Create;
>   HTTP.Sock.SSL.VerifyCert := true;       // verify the chain against CertCAFile
>   HTTP.Sock.SSL.CertCAFile := 'CAcert.pem';
>   s := 'nothing';
>   try
>     res := HTTP.HTTPMethod('GET', 'https://suivi.orange.fr');
>     if res then
>     begin
>       // copy the response body into s, reading from the start of the stream
>       setlength(s, HTTP.Document.size);
>       HTTP.Document.Position := 0;
>       HTTP.Document.Read(s[1], HTTP.Document.size);
>     end
>     else
>       s := HTTP.Sock.SSL.LastErrorDesc;
>   finally
>     HTTP.Free;
>     Memo1.Text := s;
>   end;
> end;
>
> Ludo
>
> -----Original Message-----
> From: Ludo Brands [mailto:ludo.bra...@free.fr]
> Sent: Tuesday, 15 February 2011 10:32
> To: 'Ararat Synapse'
> Subject: [Synalist] RE : RE : [HttpSend] How to verify server's certificate?
>
> Hi Simon,
>
> If HTTPMethod returns false then check HTTP.Sock.SSL.LastErrorDesc.
>
> When it says something like 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' and the site opens correctly in your browser, then OpenSSL probably doesn't have any root certificate authorities to compare with. As www.openssl.org/support/faq.html says: "The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators."
>
> Ludo
>
> -----Original Message-----
> From: Simon L [mailto:sim...@gmail.com]
> Sent: Monday, 14 February 2011 22:46
> To: Ararat Synapse
> Subject: Re: [Synalist] RE : [HttpSend] How to verify server's certificate?
>
> Hi Ludo,
>
> Unfortunately this doesn't seem to work.
>
> When HTTP.Sock.SSL.VerifyCert is true, HTTPMethod returns immediately. Please advise. Thanks.
>
> Simon
>
> On Sun, Feb 13, 2011 at 9:00 AM, Ludo Brands <ludo.bra...@free.fr> wrote:
>> Hi,
>>
>> HTTP := THTTPSend.Create;
>> HTTP.Sock.SSL.VerifyCert := true;
>> ....
>>
>> does the certificate verification. Works apparently only with the
>> openssl library.
>>
>> Ludo
>>
>> -----Original Message-----
>> From: Simon L [mailto:sim...@gmail.com]
>> Sent: Sunday, 13 February 2011 12:06
>> To: synalist-public@lists.sourceforge.net
>> Subject: [Synalist] [HttpSend] How to verify server's certificate?
>>
>> Before data is transferred over an HTTPS connection, I want to make
>> sure that the website's certificate is genuine.
>>
>> How to do that? Thanks.
>>
>> Simon
verifycert.patch
_______________________________________________ synalist-public mailing list synalist-public@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/synalist-public
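A fuller version of the VerifyCert handler from the top message, added here as an example and not code from the thread or from Synapse itself: it compares the CN that GetPeerName returns (the thread notes GetPeerName exposes the CN, so subjectAltName entries are not covered) against the host the application actually requested, case-insensitively and with a single-label leftmost wildcard, instead of against a hard-coded string. The handler signature function(Sender: TObject): Boolean of object is assumed to be the one Ludo's patch adds; TCertVerifier, ExpectedHost and MatchHostName are names introduced here, and the program is written for Free Pascal.

```pascal
program VerifyHost;
{$mode objfpc}{$H+}{$ASSERTIONS ON}
uses
  SysUtils, ssl_openssl;   // ssl_openssl provides TSSLOpenSSL.GetPeerName

{ Case-insensitive match of a certificate name against the URL host.
  A '*' is accepted only as the whole leftmost label ('*.example.com'), it
  matches exactly one label, and the remainder must keep at least two
  labels, so '*.com' never matches anything. Exact match is tried first. }
function MatchHostName(const CertName, Host: string): Boolean;
var
  P, H, PRest, HRest: string;
  DotPos: Integer;
begin
  P := LowerCase(Trim(CertName));
  H := LowerCase(Trim(Host));
  Result := (P <> '') and (P = H);
  if Result or (Copy(P, 1, 2) <> '*.') then
    Exit;
  PRest := Copy(P, 3, Length(P));            // 'example.com'
  DotPos := Pos('.', H);
  if (DotPos <= 1) or (Pos('.', PRest) = 0) then
    Exit;                                    // empty first label, or '*.com'
  HRest := Copy(H, DotPos + 1, Length(H));   // host without its first label
  Result := HRest = PRest;
end;

type
  { Carries the host the application requested (hypothetical helper class) so
    the handler compares the certificate against the URL, not a constant. }
  TCertVerifier = class
    ExpectedHost: string;
    function VerifyCert(Sender: TObject): Boolean;
  end;

function TCertVerifier.VerifyCert(Sender: TObject): Boolean;
begin
  // Runs after the CA-chain check succeeded; returning False aborts the
  // connection before any HTTP request or response bytes are exchanged.
  Result := MatchHostName((Sender as TSSLOpenSSL).GetPeerName, ExpectedHost);
end;

begin
  // Constructed self-check of the matcher; no network is involved here.
  Assert(MatchHostName('suivi.orange.fr', 'SUIVI.ORANGE.FR'));
  Assert(MatchHostName('*.orange.fr', 'suivi.orange.fr'));
  Assert(not MatchHostName('*.orange.fr', 'a.b.orange.fr'));  // one label only
  Assert(not MatchHostName('*.fr', 'orange.fr'));             // too broad
  Assert(not MatchHostName('suivi.orange.fr', '65.55.12.249'));
  WriteLn('hostname matcher OK');
end.
```

To use it with the patched Synapse, set ExpectedHost to the host part of the URL, assign the object's VerifyCert method to HTTP.Sock.SSL.OnVerifyCert together with VerifyCert := true and CertCAFile, and then call HTTPMethod as in the thread's test program.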