weabow 6 Posted March 10, 2021

Hi there, I need to request my server using its IP, not a domain name. The problem is that an IP can't have an SSL certificate. So I have an error about the need of a certificate with this code:

    procedure TForm1.Button1Click(Sender: TObject);
    var
      serveur: THTTPClient;
      serveur_reponse: IHTTPResponse;
      post_param: TMultiPartFormData;
    begin
      serveur := THTTPClient.Create;
      post_param := TMultiPartFormData.Create;
      try
        // POST to the server by IP address over HTTPS
        serveur_reponse := serveur.Post('https://123.123.123.123/index.php', post_param);
        if serveur_reponse.StatusCode = 200 then
          ShowMessage(serveur_reponse.ContentAsString(TEncoding.UTF8))
        else
          ShowMessage(serveur_reponse.StatusCode.ToString);
      finally
        // release both objects even if Post raises
        FreeAndNil(post_param);
        FreeAndNil(serveur);
      end;
    end;

This code runs fine with a classic URL, but not with the IP. How can I use THTTPClient and tell it not to check certificates?

KodeZwerg 54 Posted March 10, 2021

Have you tried "serveur_reponse := serveur.post('http://123.123.123.123/index.php', post_param)"?

Arnaud Bouchez 407 Posted March 10, 2021

What is the error? I guess you have in fact an https/TLS error: the certificate is for the domain name, and you use the IP which doesn't match the certificate. So the request is rejected. Try to relax the HTTPS certification validation.

weabow 6 Posted March 10, 2021

Yes, it's exactly that. But what can I do, then, to address my server with its IP? What do you mean by: "Try to relax the HTTPS certification validation."

Guest Posted March 10, 2021 (edited)

@weabow the Indy suite is @Remy Lebeau's area, so he can help for sure. Find him here among the forum members. Note: even though THTTPClient is not from the Indy suite.

hug

Edited March 10, 2021 by Guest

Remy Lebeau 1396 Posted March 10, 2021

In general, I could see this working if you connect the underlying TCP socket to the desired IP address, and then have the TLS handshake use the SNI extension to specify the desired domain name as the target for the certificate, and also have HTTP send a "Host" header specifying the same domain name. But I don't know if/how this can be done with THTTPClient, though. It is not doable with Indy's TIdHTTP (without hacking its source code) since everything uses the same hostname/IP specified in the URL.
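
The approach described in the post above (TCP connection to the IP, SNI and certificate check against the domain name, matching "Host" header), shown in Python as an added example that is not part of the thread or of any library mentioned in it. The function names and `example.com` are assumptions; 123.123.123.123 is the thread's placeholder address.

```python
import socket
import ssl

def make_context(cafile=None):
    """TLS context with full verification left on (chain and hostname)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets these; stated explicitly because
    # they are the two checks the thread considers turning off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def build_request(hostname, path="/index.php", body=b""):
    """HTTP/1.1 POST whose Host header names the domain, not the IP."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {hostname}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body

def post_via_ip(ip, hostname, path="/index.php", body=b"", port=443, timeout=10):
    """Connect to `ip`, but do SNI, certificate check and Host for `hostname`."""
    ctx = make_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname drives both the SNI extension and the name the
        # certificate is matched against; the TCP peer is still `ip`.
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_request(hostname, path, body))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    response = b"".join(chunks)
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1")
    return status_line, response

if __name__ == "__main__":
    # Constructed values: 123.123.123.123 is the thread's placeholder IP,
    # example.com stands in for the name on the server's certificate.
    try:
        print(post_via_ip("123.123.123.123", "example.com")[0])
    except (ssl.SSLError, OSError) as exc:
        print("request failed:", exc)
```

If the certificate presented at that IP does not cover `hostname`, `wrap_socket` raises `ssl.SSLCertVerificationError` and nothing is sent.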

Fr0sT.Brutal 900 Posted March 11, 2021 (edited)

Disable server verification. IDK how to do it with THTTPClient but you have the subject to search for. With Windows secure sockets I did this: https://github.com/Fr0sT-Brutal/Delphi_SChannelTLS/

    // starting TLS handshake
    if sfNoServerVerify in SessionData.Flags then
      dwSSPIFlags := dwSSPIFlags or ISC_REQ_MANUAL_CRED_VALIDATION;
    ...
    // before starting TLS
    if FAddrIsIP then
    begin
      SChannelLog(loSslInfo, Format(S_Msg_AddrIsIP, [Addr]));
      Include(FSessionData.Flags, sfNoServerVerify);
    end;
    ...
    // after successful handshake
    // Don't pass host addr if it's IP otherwise verification would fail
    if FAddrIsIP then
      CheckServerCert(FhContext, '')
    else
      CheckServerCert(FhContext, Addr);

In cURL this option is called "insecure":

    -k, --insecure
        (TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure. The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store. See this online resource for further details: https://curl.haxx.se/docs/sslcerts.html See also --proxy-insecure and --cacert.

Edited March 11, 2021 by Fr0sT.Brutal