
Indy SSL client: How to verify server certificate?


Andrew Fiddian-Green

May 24, 2005, 7:20:47 AM5/24/05
Does anyone have any examples how to certify the server certificate when
using an Indy HTTP SSL client?

(On Google there is some mention of an Intelicom forum, but all the links are
broken.)

Regards,
AndrewFG


Ciaran Costelloe

May 24, 2005, 9:56:06 AM5/24/05
"Andrew Fiddian-Green" <nn@dd> wrote in message
news:42930e0e$1...@newsgroups.borland.com...

> Does anyone have any examples how to certify the server certificate when
> using an Indy HTTP SSL client?

The following is what I use (this uses the latest Indy 10, the prototype of
TheSSLIOHandler.OnVerifyPeer was changed):

TheSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create;
TheHttp := TIdHttp.Create;
TheHttp.HandleRedirects := False;
TheSSLIOHandler.SSLOptions.Mode := sslmUnassigned;
TheSSLIOHandler.OnGetPassword := SSLIOHandlerGetPassword;
TheSSLIOHandler.OnVerifyPeer := SSLIOHandlerVerifyPeer;
TheSSLIOHandler.SSLOptions.VerifyMode := [sslvrfPeer];
//TheSSLIOHandler.SSLOptions.RootCertFile := sRootCertFile;
//TheSSLIOHandler.SSLOptions.CertFile := sCertFile;
//TheSSLIOHandler.SSLOptions.KeyFile := sKeyFile;
TheSSLIOHandler.SSLOptions.Method := sslvSSLv23;
TheSSLIOHandler.SSLOptions.VerifyDepth := 2;
TheHttp.IOHandler := TheSSLIOHandler;

function TMyHttp.SSLIOHandlerVerifyPeer(ThePeerCert: TIdX509; AOk: Boolean): Boolean;
var
  sTemp: string;
begin
  // Note this is called MULTIPLE times, one for each cert in the chain,
  // starting with the CA cert & ending with the user cert.
  Result := True;
  if AOk = True then begin
    sTemp := 'SSLIOHandlerVerifyPeer called with AOk = TRUE';
  end else begin
    sTemp := 'SSLIOHandlerVerifyPeer called with AOk = FALSE';
  end;
  TheHttpLog.LogWriteString(sTemp + #13#10);
  sActualPeerName := ThePeerCert.Issuer.OneLine;
  TheHttpLog.LogWriteString('Peer certificate issuer name: ' + sActualPeerName + #13#10);
  sActualPeerName := ThePeerCert.Subject.OneLine;
  TheHttpLog.LogWriteString('Peer certificate subject name: ' + sActualPeerName + #13#10);
  TheHttpLog.LogWriteString('Peer certificate fingerprint: ' + ThePeerCert.FingerprintAsString + #13#10);
  TheHttpLog.LogWriteString('Peer certificate valid from ' + DateToStr(ThePeerCert.notBefore) +
    ' to ' + DateToStr(ThePeerCert.notAfter) + #13#10);
  if Pos(UpperCase(sRequiredPeerName), UpperCase(sActualPeerName)) > 0 then begin
    TheHttpLog.LogWriteString(sRequiredPeerName + ' found in ' + sActualPeerName + #13#10);
    bVerifiedPeer := True;
  end else begin
    TheHttpLog.LogWriteString(sRequiredPeerName + ' NOT found in ' + sActualPeerName + #13#10);
    //Result := False;
  end;
end;


Ciaran


Andrew Fiddian-Green

May 25, 2005, 1:49:12 AM5/25/05
Thanks!

AndrewFG

"Ciaran Costelloe" <ccost...@flogas.ie> wrote in message
news:42933273$2...@newsgroups.borland.com...

Andrew Fiddian-Green

May 25, 2005, 3:07:46 PM5/25/05
From browsing the Indy code it looks like Indy/OpenSSL does a validation of
the certificate trust chain before it calls OnVerifyPeer. However it is not
clear if this default validation also includes checks a) for matching the
certificate subject with the server URL, and b) validating the not-before
and not-after dates.

=> Can I rely on Indy to do these checks, or do I have to do it explicitly
in OnVerifyPeer?

Regards,
AndrewFG

"Ciaran Costelloe" <ccost...@flogas.ie> wrote in message
news:42933273$2...@newsgroups.borland.com...

Ciaran Costelloe

May 26, 2005, 7:38:32 AM5/26/05

"Andrew Fiddian-Green" <nn@dd> wrote in message
news:4294...@newsgroups.borland.com...

> From browsing the Indy code it looks like Indy/OpenSSL does a validation
> of
> the certificate trust chain before it calls OnVerifyPeer. However it is
> not
> clear if this default validation also includes checks a) for matching the
> certificate subject with the server URL, and b) validating the not-before
> and not-after dates.
>
> => Can I rely on Indy to do these checks, or do I have to do it explicitly
> in OnVerifyPeer?

The OK parameter passed to your function tells you the result of the OpenSSL
validation and if it rejects one of the certificates, you need to be very
careful about effectively overriding that in your return value from your
OnVerifyPeer. Also, unless you are going through the OpenSSL code for every
version, you need to implement all the checks you can in your own
OnVerifyPeer.

This should be in the comments at the top of the Indy
TIdSSLIOHandlerSocketOpenSSL.pas file, if you have the current version.

Ciaran
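A stricter OnVerifyPeer along the lines described above, added here as an example and not code from the thread or from Indy itself: it never overrides an OpenSSL rejection, re-checks the validity window, and binds the leaf certificate's subject CN to the requested host with an exact or single-label wildcard match rather than a substring search. It assumes the current Indy 10 event signature (with ADepth and AError), that TIdX509.notBefore/notAfter are directly comparable with Now, and that the name to match lives in the subject CN (subjectAltName is not consulted); ExtractCN, HostMatches and TStrictVerifier are names chosen for this example.

```pascal
uses
  SysUtils, IdSSLOpenSSL;

// Pulls the CN out of an Indy Subject.OneLine string such as
// '/C=IE/O=Example/CN=www.example.com'.
function ExtractCN(const ASubject: string): string;
var
  P, Q: Integer;
begin
  Result := '';
  P := Pos('/CN=', ASubject);
  if P = 0 then Exit;
  Inc(P, 4);
  Q := P;
  while (Q <= Length(ASubject)) and (ASubject[Q] <> '/') do Inc(Q);
  Result := Copy(ASubject, P, Q - P);
end;

// Exact (case-insensitive) match, or a '*.' wildcard covering exactly one label.
function HostMatches(const ACN, AHost: string): Boolean;
var
  Suffix, Prefix: string;
begin
  if Copy(ACN, 1, 2) = '*.' then begin
    Suffix := Copy(ACN, 2, MaxInt);                            // '.example.com'
    Prefix := Copy(AHost, 1, Length(AHost) - Length(Suffix));  // the host's first label
    Result := (Prefix <> '') and (Pos('.', Prefix) = 0) and
      SameText(Copy(AHost, Length(Prefix) + 1, MaxInt), Suffix);
  end else
    Result := SameText(ACN, AHost);
end;

type
  TStrictVerifier = class
    ExpectedHost: string;  // the host name from the URL being requested
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  end;

function TStrictVerifier.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // An OpenSSL rejection (AOk = False) of any certificate in the chain is final.
  if not AOk then begin Result := False; Exit; end;
  // Re-check the validity window rather than relying on the OpenSSL build behind Indy.
  Result := (Now >= Certificate.notBefore) and (Now <= Certificate.notAfter);
  // The host name is bound only to the leaf certificate (depth 0).
  if Result and (ADepth = 0) then
    Result := HostMatches(ExtractCN(Certificate.Subject.OneLine), ExpectedHost);
end;
```

Assign Verifier.VerifyPeer to the IO handler's OnVerifyPeer with SSLOptions.VerifyMode set to [sslvrfPeer] and a trusted RootCertFile configured; without both, AOk never reflects a real chain check and the callback has nothing reliable to build on.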


Andrew Fiddian-Green

May 26, 2005, 6:43:08 PM5/26/05
> you need to be very
> careful about effectively overriding that in your return value from your
> OnVerifyPeer.

If AOk is passed in as false then I certainly do not intend to override it
in OnVerifyPeer. Question is, will Indy always provide AOk = false when the
certificate is a) out of date (or not yet valid), or b) not matching the
server URL? Or do I have to make these extra checks on top of what Indy is
already validating?

AndrewFG

"Ciaran Costelloe" <ccost...@flogas.ie> wrote in message
news:4295...@newsgroups.borland.com...
