openssl socket accepts invalid certificates
Original Reporter info from Mantis: BeniBela @benibela
- Reporter name: Benito van der Zander
Description:
With the default settings TFPHttpClient opens these pages, which it must not do:
https://expired.badssl.com/
https://wrong.host.badssl.com/
https://self-signed.badssl.com/
https://untrusted-root.badssl.com/
Even after enabling VerifyPeerCert, it still accepts wrong.host.badssl.com
Steps to reproduce:
Enabling VerifyPeerCert (which seems to be a rather convoluted way):
```pascal
uses sslsockets, opensslsockets;

type
  TSecureOpenSSLSocketHandler = class(TOpenSSLSocketHandler)
    constructor create; override;
  end;

constructor TSecureOpenSSLSocketHandler.create;
begin
  inherited create;
  VerifyPeerCert := true;  // verify the peer's certificate chain
  CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt';  // trusted CA bundle
end;

// at program start, before any request is made:
TSSLSocketHandler.SetDefaultHandlerClass(TSecureOpenSSLSocketHandler);
```
Additional information:
Only OpenSSL 1.0.2+ can check whether the host name is correct; for older versions the certificate needs to be parsed manually: https://wiki.openssl.org/index.php/Hostname_validation
Mantis conversion info:
- Mantis ID: 37980
- OS: linux
- OS Build: opensuse
- Build: r47006
- Platform: amd64
- Version: 3.3.1
- Fixed in revision: 47340 (#5ec7ffa8)
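An added example, not code from this issue or from the FPC sources: the host name comparison a client has to carry out itself when the TLS library does not, which is the check whose absence lets wrong.host.badssl.com through. The function names are hypothetical and the name list is a constructed sample standing in for the dNSName entries of the presented certificate; extracting those entries from the X.509 structure is outside the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate dNSName against the host the client asked for.
 * A wildcard is honoured only as the entire left-most label and stands
 * for exactly one non-empty label of the host. */
int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)   /* no leading wildcard: exact match */
        return strchr(pattern, '*') == NULL && eq_nocase(pattern, host);
    /* no second '*', and at least two labels after it (rejects "*.com") */
    if (strchr(pattern + 1, '*') != NULL || strchr(pattern + 2, '.') == NULL)
        return 0;
    const char *rest = strchr(host, '.');  /* host with its first label cut */
    if (rest == NULL || rest == host)      /* single or empty first label */
        return 0;
    return eq_nocase(pattern + 1, rest);
}

/* Accept only if at least one name in the certificate matches the host. */
int host_matches_cert(const char *const *san, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (dns_name_matches(san[i], host))
            return 1;
    return 0;
}

/* Constructed sample: names assumed to be listed in the certificate. */
static const char *const SAMPLE_SAN[] = { "*.badssl.com", "badssl.com" };

int main(void)
{
    const char *hosts[] = { "expired.badssl.com", "wrong.host.badssl.com" };
    for (size_t i = 0; i < 2; i++)
        printf("%-24s %s\n", hosts[i],
               host_matches_cert(SAMPLE_SAN, 2, hosts[i]) ? "match" : "REJECT");
    return 0;
}
```

The check is separate from chain validation: a certificate can chain to a trusted CA and still be the wrong one for the requested host.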