davornik 4 Posted November 29, 2022 (edited) I am trying to connect with web-browser to Indy HTTP server runing on https://127.0.0.1:4567. I have read many tutorials and some of them are interesting, like: 1. https://mikejustin.wordpress.com/2019/06/14/how-to-lets-encrypt-certificates-with-indy-http-server/ 2. https://synaptica.info/en/2016/09/21/build-your-own-https-server-with-delphi/ I have created self signed certificates with help of this example tutorial: https://github.com/glenkleidon/DelphiCertAuth As a passphrase for testing I used "123456". After that I have installed newly generated file root_cert.crt in Trusted Root CA in Windows (using "WinKey+R" and certmgr.msc) In my code I have set: ... // create IOHandler for OpenSSL IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := 'mycomputerCertificate.pem'; IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := 'mycomputerPrivateKey.pem'; IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := 'certificateAuthorityCertificate.pem'; IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode := sslmServer; IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; ... procedure TForm1.IdServerIOHandlerSSLOpenSSL1GetPassword(var Password: string); begin Password := '123456'; end; ... procedure TForm1.IdHTTPServer1QuerySSLPort(APort: Word; var VUseSSL: Boolean); // This will not be called when the request is a HTTPS request // It facilitates the use of the server for testing via HTTP://localhost:8080 (i.e. without SSL) begin VUseSSL := (APort <> 8080); end; ... function TForm1.IdServerIOHandlerSSLOpenSSL1VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean; begin if ADepth = 0 then Result := AOk else Result := True; end; ... Unfortunately, when I try to connect to https://127.0.0.1:4567 I get an warning (check image). In application I can see messages and exception raised: IdServerIOHandlerSSLOpenSSL1StatusInfo(const AMsg: string); AMsg := SSL status: "before/accept initialization"; AMsg := SSL status: "before/accept initialization"; AMsg := SSL status: "SSLv3 read client hello A"; AMsg := SSL status: "SSLv3 write server hello A"; AMsg := SSL status: "SSLv3 write certificate A"; AMsg := SSL status: "SSLv3 write server done A"; AMsg := SSL status: "SSLv3 flush data"; AMsg := SSL status: "SSLv3 read client certificate A"; AMsg := SSL status: "SSLv3 read client key exchange A"; AMsg := SSL status: "error"; 127.0.0.1:55810 Stat Disconnected. IdHTTPServer1Exception(AContext: TIdContext; AException: Exception); EIdOSSLUnderlyingCryptoError: Error accepting connection with SSL. error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown Am I doing something wrong or I am missing something? Why I can't connect to IP address without warning? Edited November 29, 2022 by davornik Share this post Link to post
Remy Lebeau 1436 Posted November 29, 2022 As the browser's error message says, your server's certificate doesn't prove that 127.0.0.1 and mycomputer are the same entity, so the browser fails the handshake. Did you try connecting to https://mycomputer:4567 instead? The certificate you have is registered to a hostname, so that hostname must be specified in the URL used to access the server. See: Is it possible to have SSL certificate for IP address, not domain name? 1 Share this post Link to post