[fpc-devel] certificate verify issue of tfphttpclient with openssl
baldzhang at 163.com
Fri Aug 21 23:06:12 CEST 2020
certificate verify issue of tfphttpclient with openssl
from wiki page, https client as easy as:
in TOpenSSLSocketHandler, the VerifyPeerCert is False by default
when check the TSSL.VerifyResult, will got one of following:
1) X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18;
when https server use a self-signed cert
2) X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19;
when server use a cert signed by internal CA
3) X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20;
when connect to a real *signed* server, ex: https://www.kernel.org
if set TSSL.VerifyResult to True, the connect will fail and exception raised.
even set Handler.CertificateData.CertCA.FileName to a valid cert file.
finally found in opensslsockets.pas: TOpenSSLSocketHandler.Connect: Boolean
if Result and VerifyPeerCert then
Result:=(FSSL.VerifyResult<>0) or (not DoVerifyCert);
in first Result and VerifyPeerCert both are True
the second line, if I'm not wrong understanding, is totally reverse
FSSL.VerifyResult is 0 here, and DoVerifyCert always return True,
so the Result changed to False, and then the connect became fail.
in a real prog, we want to check the VerifyResult, and still allow the connection in some conditions.
after some modify, things changed to:
1) when VerifyPeerCert is True
if Handler.CertificateData.CertCA.FileName set to a valid cert,
VerifyResult will be 0, and https request passed
2) when it's False
assign a OnVerifyCertificate handler, check SSL infos, to allow or deny the connect.
*** tested fpc 3.2.0, openssl 1.0.2j(copied from lazarus), windows 10 64-bit, client side of https transmition.
patch file attached,
the TVerifyCertificateEvent shall allow to modify the "Allow" param, for compatibility reason,
function DoVerifyCert: Boolean may change to virtual
FingerPrint always genarate by MD5, can be SHA1 or SHA256
export SSL: TSSL for more lower level control
Result and VerifyPeerCert check are duplicated
alway give a chance to let user do the certificate verifing.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3035 bytes
Desc: not available
More information about the fpc-devel