chkaufmann 17 Posted July 30, 2023 I use TIdHTTP to make REST requests to my server. In order to avoid that somebody can analyze the traffic between my application and the server I would like to verify the certificate. Right now my code looks like this: sslIO := TIdSSLIOHandlerSocketOpenSSL.Create(Self); sslIO.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; sslIO.SSLOptions.Mode := sslmUnassigned; sslIO.SSLOptions.VerifyMode := []; sslIO.SSLOptions.VerifyDepth := 0; FHttp.IOHandler := sslIO; I found some examples and tried to add an OnVerifyPeer event. But this event is never called. Are there any more options I have to set? Can somebody point me to a working example? Thanks Regards Christian Share this post Link to post
Remy Lebeau 1436 Posted July 30, 2023 Have you tried enabling the sslvrfPeer flag in the sslIO.SSLOptions.VerifyMode property? Share this post Link to post
chkaufmann 17 Posted July 30, 2023 47 minutes ago, Remy Lebeau said: Have you tried enabling the sslvrfPeer flag in the sslIO.SSLOptions.VerifyMode property? Yes. But I just set a break point in DoVerifyPeer without event assigned to OnVerifyPeer. Now I added an event and it works. What I don't understand, how I can verify that it is really the original certificate from my server. The Url is https://www.swimrankings.net/. The event is called two times. Both times AOk=False, once AError is 20, the second time it is 21. When I set AOk to true, the request works, if I do nothing in the event, the request doesn't work at all. With my limited knowledge about encryption I'm a bit lost here. Christian Share this post Link to post
Remy Lebeau 1436 Posted July 30, 2023 (edited) 1 hour ago, chkaufmann said: What I don't understand, how I can verify that it is really the original certificate from my server. You have to analyze the certificate provided, and check whether or not its attributes match your desired criteria. 1 hour ago, chkaufmann said: The Url is https://www.swimrankings.net/. The event is called two times. Both times AOk=False, once AError is 20, the second time it is 21. Error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: Quote unable to get local issuer certificate the issuer certificate of a locally looked up certificate could not be found. This normally means the list of trusted certificates is not complete. Error 21 is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: Quote unable to verify the first certificate no signatures could be verified because the chain contains only one certificate and it is not self signed. See: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_verify.html https://www.openssl.org/docs/man1.0.2/man3/X509_STORE_CTX_get_error.html 1 hour ago, chkaufmann said: When I set AOk to true, the request works Sure, because you are telling OpenSSL that you deemed the certificate OK to use, even if OpenSSL thinks otherwise. 1 hour ago, chkaufmann said: if I do nothing in the event, the request doesn't work at all. Because OpenSSL pre-checks the certificate before letting you do your own checks on it. So, if OpenSSL doesn't think the certificate is OK, and you do nothing to override that decision, then the certificate is not usable and the handshake fails. 1 hour ago, chkaufmann said: With my limited knowledge about encryption I'm a bit lost here. Verifying the peer's identity is a separate operation from encryption. The peers have to trust each other before they exchange encryption keys with each other. Edited July 30, 2023 by Remy Lebeau Share this post Link to post