Leszek

RESTClient.OnNeedClientCertificate event does not execute

Hello everyone
Let me join in on this problem

 

I am working with Delphi (12.1).
I am creating a REST client with TOAuth2Authenticator (client_credentials) and authorization with client certificates.
The certificate is located in the Windows certificate store in the right place.

My problem is that the RESTClient.OnNeedClientCertificate event does not execute.

 

I tried setting the properties ClientCertificatePath and ClientCertificatePassword in RESTClient but without any effects.

 

Embarcadero reports that
    TRestClient supports using certificates from the local machine list and not only from the current user list.

 

Do you have any idea how to solve this problem?


@Leszek Ref. your report - unless the context/conditions are identical, it is always wise to start a new topic instead of adding your question to an existing topic.
I split off this question for you, as it seems to be a different problem.


Which service are you trying to reach? Because (it was a long time ago for me) I think that it depends on the server settings whether a client cert is needed.

See for example the "IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode" property.

Could be that this also has to be set in the client

 

Edited by mvanrijnen


@Lars Fosdal You're right, sorry, I'll improve

This is a government service, it works in a separate network, without external access.

 

I don't use Indy; I use the REST Client Library and the components TRESTClient, TRESTRequest, TRESTResponse, TRESTResponseDataSetAdapter, TOAuth2Authenticator.

grant_type is set to client_credentials and I have to use a certificate.

I can't use REST_Debugger because it doesn't deal with client_credentials.

I get an error when connecting

ERESTException

REST request failed: Error sending data: (12175)

which means a security error has occurred

 

During the connection, the RESTClient.OnNeedClientCertificate event in which you specify the certificate is not executed.

I do not know why.

9 hours ago, mvanrijnen said:

Cause (long time ago for me) i think that it depends on the server settings if a ClientCert is needed.

See for example the "IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode" property.

You are thinking of the SSLOptions.VerifyMode property instead, which has sslvrfPeer and sslvrfFailIfNoPeerCert flags.

In any case...

6 hours ago, Leszek said:

During the connection, the RESTClient.OnNeedClientCertificate event in which you specify the certificate is not executed.

One reason the OnNeedClientCertificate event might not fire on Windows is if TRESTClient does not find any usable issuers in WinHTTP's client certificate issuer list:

https://learn.microsoft.com/en-us/windows/win32/winhttp/ssl-in-winhttp#issuer-list-retrieval-for-ssl-client-authentication

 

A 12175 error on the client side typically implies that there is a problem with the certificate that the server sent. Perhaps WinHTTP is not able to validate the server's certificate, because its issuing authority is not known to the client (i.e., the server's signing certificate is not installed on the client).

Edited by Remy Lebeau


There was indeed a lack of parent certificates. I installed these certificates but the problem still persists

While debugging, I noticed that when I enter the DoNeedClientCertificate method in System.Net.HttpClient, the condition is checked


// Fragment of THTTPClient.DoNeedClientCertificate in System.Net.HttpClient,
// as seen in the debugger; the list is only read when a callback or event is assigned
if Assigned(FNeedClientCertificateCallback) or Assigned(FNeedClientCertificateEvent) then
begin
  DoGetClientCertificates(LRequest, LClientCertificateList);
  ...
end;

 

but
FNeedClientCertificateCallback is nil
FNeedClientCertificateEvent is nil


so the DoGetClientCertificates method does not read the certificate list

I will continue to debug the issue.
 


The matter has been clarified.

I got help from the Embarcadero Support Customer Portal; the REST client needs to be changed.

TOAuth2Authenticator uses its own client connection.

It does not have access to the OnNeedClientCertificate event.
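The conclusion above is that TOAuth2Authenticator obtains the token through its own internal HTTP client, so a handler attached to the outer TRESTClient.OnNeedClientCertificate is never consulted for the token request. The following is an added example (not code from this thread, from Embarcadero, or from Delphi's own units) of one workaround: perform the client_credentials token request yourself on a TRESTClient that has OnNeedClientCertificate wired, select the certificate by subject and expiry from the list WinHTTP offers (which, as noted earlier in the thread, only contains certificates whose issuer is in the server's issuer list), and hand the resulting token to the authenticator. It assumes the TNeedClientCertificateEvent signature and the TCertificate fields Subject and Expiry from System.Net.URLClient in Delphi 12; the token endpoint, client id and certificate subject fragment are placeholders you must replace.

```delphi
unit ClientCertTokenDemo;
// Added example, not from the thread. Assumes the REST Client Library units
// below and the TNeedClientCertificateEvent signature from System.Net.URLClient.

interface

uses
  System.SysUtils, System.Classes, System.JSON,
  System.Net.URLClient, System.Net.HttpClient,
  REST.Types, REST.Client, REST.Authenticator.OAuth;

type
  // Holds the certificate-selection policy and performs the token request itself,
  // because TOAuth2Authenticator's internal client never raises the event.
  TClientCertTokenFetcher = class
  private
    FExpectedSubjectPart: string;  // e.g. 'CN=my-service-client' (placeholder)
    procedure NeedClientCertificate(const Sender: TObject; const ARequest: TURLRequest;
      const ACertificateList: TCertificateList; var AnIndex: Integer);
  public
    constructor Create(const AExpectedSubjectPart: string);
    function FetchClientCredentialsToken(const ATokenEndpoint, AClientId,
      AClientSecret: string): string;
  end;

implementation

constructor TClientCertTokenFetcher.Create(const AExpectedSubjectPart: string);
begin
  inherited Create;
  FExpectedSubjectPart := AExpectedSubjectPart;
end;

procedure TClientCertTokenFetcher.NeedClientCertificate(const Sender: TObject;
  const ARequest: TURLRequest; const ACertificateList: TCertificateList;
  var AnIndex: Integer);
var
  I: Integer;
begin
  // WinHTTP only lists certificates whose issuer matches the server's issuer
  // list. Pick the first unexpired one with the expected subject; -1 means
  // "send no client certificate" so a wrong identity is never used by accident.
  AnIndex := -1;
  for I := 0 to ACertificateList.Count - 1 do
    if (ACertificateList[I].Expiry > Now) and
       ACertificateList[I].Subject.Contains(FExpectedSubjectPart) then
    begin
      AnIndex := I;
      Exit;
    end;
end;

function TClientCertTokenFetcher.FetchClientCredentialsToken(
  const ATokenEndpoint, AClientId, AClientSecret: string): string;
var
  Client: TRESTClient;
  Request: TRESTRequest;
  Response: TRESTResponse;
  TokenValue: TJSONValue;
begin
  // Own TRESTClient for the token call: here the event does fire.
  Client := TRESTClient.Create(ATokenEndpoint);
  Request := TRESTRequest.Create(nil);
  Response := TRESTResponse.Create(nil);
  try
    Client.OnNeedClientCertificate := NeedClientCertificate;
    Request.Client := Client;
    Request.Response := Response;
    Request.Method := TRESTRequestMethod.rmPOST;
    Request.AddParameter('grant_type', 'client_credentials',
      TRESTRequestParameterKind.pkGETorPOST);
    Request.AddParameter('client_id', AClientId,
      TRESTRequestParameterKind.pkGETorPOST);
    if AClientSecret <> '' then
      Request.AddParameter('client_secret', AClientSecret,
        TRESTRequestParameterKind.pkGETorPOST);
    // A TLS failure (such as the 12175 seen in the thread) surfaces here as ERESTException.
    Request.Execute;
    TokenValue := Response.JSONValue;
    if (TokenValue = nil) or
       not TokenValue.TryGetValue<string>('access_token', Result) then
      raise Exception.Create('Token endpoint returned no access_token');
  finally
    Response.Free;
    Request.Free;
    Client.Free;
  end;
end;

end.
```

Usage: create the fetcher with the subject fragment of the intended client certificate, call FetchClientCredentialsToken with your endpoint and client id, assign the result to TOAuth2Authenticator.AccessToken, and attach that authenticator to the TRESTClient used for the actual API calls (those calls then carry the bearer token, and the API client's own OnNeedClientCertificate handler applies if the API also requires mTLS). Selecting by subject and expiry rather than "first in list" keeps the choice deterministic when the store holds several certificates from the same issuer.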


So unusable 🙂

That's the EMB way: big mouth, big blogs, moving fancy blog posts, but no complete components or working IDE.

 

(I also hacked a few of the Rest.BackEnd.* units because they do not completely support all properties of the TRestRequest etc.)

 

Edited by mvanrijnen
