SSL Pinning or HPKP

[cychia 0]

Hi,

 

May I know how to enable SSL Pinning using ics TsslHTTPCli? Is there a demo to do so?

 

I found an option in TsslContext, SSLVerifyPeer, is this for SSL pinnnig purpose?

 

Thanks.

[Angus Robertson 526]

ICS does not provide any built-in support for HTTP Public Key Pinning (HPKP), which is now deprecated in favour of Certificate Transparency.  

 

Most client applications should set SSLVerifyPeer since this causes the server certificate chain to be checked against the roots you supply, with the onHandshakeDone event being called, you can then check your pinning public key hashes or Certificate Transparency server in that event. 

 

Support for Certificate Transparency is on the ICS wish list, it involves checking the SSL certificate received from the server for the URL of the CT server, then doing another HTTPS request to that server and checking the response, so can cause a significant overhead in performance unless a local database is used to cache results, and then periodically updated.  But no-one has ever asked for Certificate Transparency or HPKP support before, so not done anything.

 

Angus

 

[cychia 0]

I am following the example provided in Samples\Delphi\SSLInternet with this filename > OverbyteIcsHttpsTst1.pas

 

I have a few confusing part on how to configure it properly.

1. I have done a checking in the onHandshakeDone event and check if the PeerCert.Sha1Hex is equal to a value hardcoded in my app, it will let go else set disconnect to True. I only manage to test if the cert is correct one, so not yet verify if I got a invalid cert. Before that just wanted to confirm if am doing the right way?

2. SslVerifyPeer must be turned on in order to get the PeerCert value right?

3. Is this method consider SSL Pinning?

4. What does ICS do internally when I set SslVerifyPeer to true? making any external call to get certificate?

 

Thanks

[cychia 0]

Another question:

 

If I want to avoid to bind the client app to the specific certificate, instead I just need to verify whether it is a trusted cert, how can I do that?

 

Thanks.

[Angus Robertson 526]

You would be better starting with the OverbyteIcsHttpRestTst.dpr sample, even if you don't actually make use of the REST features. 

 

The TSslHttpRest component is a high level version of THttpCli that bundles all the extra components for extra functionality, including SSL configuration and certificate validation with a  root bundle, SSL session caching, content compression, content code page decoding, persistent cookies, Json handling, logging, client SSL certificate.

 

You ignore SslContext and SslVerifyPeer, and just set CertVerMethod to CertVerBundle or CertVerWinStore and all the chain checking is done for you. 

 

You still need to implement your SSL pinning in your own onHandshakeDone event, checking whatever aspect of the server certificate you have been given.  My very brief reading about HPKP suggests you hard code a hash of the public key, not a hash of the certificate, so you will need to calculate that yourself, ICS does not have a method to get that hash. 

 

But all browsers have abandoned HPKP so I'm not sure what you are trying to achieve. 

 

If you are trying to ensure your SSL connection has not been intercepted by an SSL proxy or firewall that has generated a fake local SSL certificate, you can check the server certificate is signed by the expected root authority, although the chain should fail verify anyway if you are using CertVerBundle with the ICS built-in bundles since they won't include the private root certificate used to fake the SSL certificates in the proxy or firewall. 

 

Beware this is my understanding of how SSL certificates are faked, I've no direct experience of such corporate environments.

 

Angus