If you connect to a web service over SSL (https://...) using a
self-signed certificate (manually generated with OpenSSL), you get an
error even if you set soIgnoreInvalidCerts in
THTTPRIO.HTTPWebNode.InvokeOptions to true. By default, this flag only
ignores expired certificates (Invalid Date) or an invalid common name
(probably the server's actual URL and the URL stated in the certificate
don't match).
To use self-signed certificates (not signed by a trusted authority), you
have the following options:
1) Manually install the certificate on Windows (right click on the .crt
file in Windows Explorer)
2) Use a THTTPRIO component and assign the following event handler to
THTTPRIO.HTTPWebNode.OnBeforePost:
//---------------------------------------------------------------
// Requires WinInet in the uses clause.
procedure TForm1.HTTPRIO1HTTPWebNode1BeforePost(const HTTPReqResp:
  THTTPReqResp; Data: Pointer);
var
  SecurityFlags: DWord;
  SecurityFlagsLen: DWord;
  Request: HINTERNET;
begin
  Request := Data; // WinInet request handle passed in by THTTPReqResp
  if soIgnoreInvalidCerts in HTTPRIO1.HTTPWebNode.InvokeOptions then
  begin
    SecurityFlagsLen := SizeOf(SecurityFlags);
    // Read the current flags; only modify them if the query succeeded.
    if InternetQueryOption(Request, INTERNET_OPTION_SECURITY_FLAGS,
      Pointer(@SecurityFlags), SecurityFlagsLen) then
    begin
      // Accept certificates whose issuer is not a trusted CA. This
      // applies to any untrusted issuer, not only your own certificate.
      SecurityFlags := SecurityFlags or SECURITY_FLAG_IGNORE_UNKNOWN_CA;
      InternetSetOption(Request, INTERNET_OPTION_SECURITY_FLAGS,
        Pointer(@SecurityFlags), SecurityFlagsLen);
    end;
  end;
end;
//---------------------------------------------------------------
The problem is also addressed at
http://qc.borland.com/wc/qcmain.aspx?d=10823
but I think the solution I suggested above is clear, simple and does not
require any changes to the Delphi standard units.
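
A narrower variant of the handler above, as an added example that is not
part of the original post: it relaxes the unknown-CA check only for one
named host, so a THTTPRIO pointed at any other URL keeps full validation.
TrustedHost and HostOfUrl are hypothetical names, and the snippet assumes
SysUtils and WinInet are in the unit's uses clause.

```delphi
// Added example. Assumes SysUtils and WinInet are in the uses clause.
const
  TrustedHost = 'soap.internal.example'; // hypothetical host name

// Returns the host part of URL, or '' if the URL cannot be parsed.
function HostOfUrl(const URL: string): string;
var
  UC: TURLComponents;
  Host: array[0..INTERNET_MAX_HOST_NAME_LENGTH] of Char;
begin
  Result := '';
  FillChar(UC, SizeOf(UC), 0);
  UC.dwStructSize := SizeOf(UC);
  UC.lpszHostName := Host;              // buffer that receives the host
  UC.dwHostNameLength := Length(Host);  // buffer size in characters
  if InternetCrackUrl(PChar(URL), Length(URL), 0, UC) then
    SetString(Result, UC.lpszHostName, UC.dwHostNameLength);
end;

procedure TForm1.HTTPRIO1HTTPWebNode1BeforePost(const HTTPReqResp:
  THTTPReqResp; Data: Pointer);
var
  Flags, Len: DWord;
  Request: HINTERNET;
begin
  // Keep full certificate validation for every other endpoint,
  // including URLs that fail to parse (HostOfUrl returns '').
  if not SameText(HostOfUrl(HTTPReqResp.URL), TrustedHost) then
    Exit;
  Request := Data;
  Len := SizeOf(Flags);
  // Leave the flags untouched if they cannot be read.
  if not InternetQueryOption(Request, INTERNET_OPTION_SECURITY_FLAGS,
    @Flags, Len) then
    Exit;
  Flags := Flags or SECURITY_FLAG_IGNORE_UNKNOWN_CA;
  // If this call fails, the request fails closed with the usual
  // certificate error, so the result is not checked here.
  InternetSetOption(Request, INTERNET_OPTION_SECURITY_FLAGS, @Flags, Len);
end;
```

For the named host the issuer is still not checked, so any certificate with a matching name is accepted there; installing the certificate (option 1) keeps the chain check for that host as well.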