View Issue Details

ID: 0037980
Project: FPC
Category: Packages
View Status: public
Last Update: 2020-11-08 14:08
Reporter: Benito van der Zander
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: amd64
OS: linux
Product Version: 3.3.1
Summary: 0037980: openssl socket accepts invalid certificates
Description: With the default settings TFPHttpClient opens these pages, which it must not do:

https://expired.badssl.com/
https://wrong.host.badssl.com/
https://self-signed.badssl.com/
https://untrusted-root.badssl.com/

Even after enabling VerifyPeerCert, it still accepts wrong.host.badssl.com
Steps To Reproduce:
Enabling VerifyPeerCert (which seems to be a rather convoluted way):

{ The reporter's handler subclass, wrapped so it compiles as a program.
  sslsockets supplies TSSLSocketHandler, opensslsockets TOpenSSLSocketHandler. }
program securehandler;
{$mode objfpc}{$H+}
uses
  sslsockets, opensslsockets;

type
  TSecureOpenSSLSocketHandler = class(TOpenSSLSocketHandler)
    constructor Create; override;
  end;

constructor TSecureOpenSSLSocketHandler.Create;
begin
  inherited Create;
  VerifyPeerCert := True;                                  // reject peers whose chain does not verify
  CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt'; // trust store used to build the chain
end;

begin
  // Every socket handler the HTTP client creates from now on is the hardened subclass.
  TSSLSocketHandler.SetDefaultHandlerClass(TSecureOpenSSLSocketHandler);
end.
Additional Information: Only OpenSSL 1.0.2+ can check whether the host name is correct, for older versions the certificate needs to be parsed manually: https://wiki.openssl.org/index.php/Hostname_validation

Activities

Michael Van Canneyt (administrator), 2020-11-08 14:08, note ~0126791

Fixed.
I added VerifySSLCertificate (boolean) and OnVerifySSLCertificate (event) properties to TFPHTTPClient.
CertificateData now has a TrustedCertsDir property (in addition to CertsCA.Filename) because OpenSSL can have either a file or a dir.
You can set this (and other) property up in the AfterSocketHandlerCreate event of TFPHTTPClient.
(example httpget shows how)

Tested with OpenSSL and GNUTLS: All mentioned sites now fail, www.freepascal.org works.
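An added worked example (not code from the report, from the note above, or from FPC's own httpget demo) that exercises the fixed API the way the note describes: verification is switched on per client, the trust store is set from the AfterSocketHandlerCreate event, and the four badssl.com pages from the description are expected to be refused while a valid site still loads. Assumptions not taken from the page: the unit names ssockets, sslsockets, opensslsockets and fphttpclient; the handler signature of AfterSocketHandlerCreate (Sender: TObject; AHandler: TSocketHandler); the property being spelled VerifySSLCertificate; and the trust-store directory path, which is a placeholder for the local system store. OnVerifySSLCertificate is deliberately not used so the default decision of the TLS layer is what gets tested.

```pascal
program checktlsverify;
{$mode objfpc}{$H+}
uses
  SysUtils, Classes, ssockets, sslsockets, opensslsockets, fphttpclient;

type
  { Holds the AfterSocketHandlerCreate callback; the event is a method pointer. }
  TVerifySetup = class
    procedure HandlerCreated(Sender: TObject; AHandler: TSocketHandler);
  end;

procedure TVerifySetup.HandlerCreated(Sender: TObject; AHandler: TSocketHandler);
begin
  // Runs once per connection, right after the client created its socket handler.
  // Only TLS handlers carry certificate settings; plain HTTP handlers are left alone.
  if AHandler is TSSLSocketHandler then
    with TSSLSocketHandler(AHandler) do
    begin
      VerifyPeerCert := True;                        // reject chains that do not verify
      // Assumed path: the system trust store directory (hashed PEM files).
      CertificateData.TrustedCertsDir := '/etc/ssl/certs';
    end;
end;

{ Fetch URL with verification enabled. True when the page loaded, False when
  the TLS layer or the client refused the connection. }
function FetchVerified(const URL: String): Boolean;
var
  Client: TFPHTTPClient;
  Setup: TVerifySetup;
begin
  Result := False;
  Setup := TVerifySetup.Create;
  Client := TFPHTTPClient.Create(nil);
  try
    Client.VerifySSLCertificate := True;             // property added by the fix
    Client.AfterSocketHandlerCreate := @Setup.HandlerCreated;
    try
      Client.Get(URL);
      Result := True;
    except
      on E: Exception do
        Writeln('refused ', URL, ': ', E.ClassName, ' ', E.Message);
    end;
  finally
    Client.Free;
    Setup.Free;
  end;
end;

const
  // The four pages from the report; none of them must load.
  BadHosts: array[0..3] of String = (
    'https://expired.badssl.com/',
    'https://wrong.host.badssl.com/',
    'https://self-signed.badssl.com/',
    'https://untrusted-root.badssl.com/');
var
  URL: String;
  Failures: Integer = 0;
begin
  for URL in BadHosts do
    if FetchVerified(URL) then
    begin
      Writeln('FAIL: accepted ', URL);
      Inc(Failures);
    end;
  // A properly issued certificate must still be accepted, otherwise the
  // trust store is wrong rather than the verification being effective.
  if not FetchVerified('https://www.freepascal.org/') then
  begin
    Writeln('FAIL: a valid site was rejected');
    Inc(Failures);
  end;
  if Failures = 0 then
    Writeln('OK: all invalid certificates refused, valid site loaded');
  Halt(Failures);
end.
```

The program needs network access and a populated trust store; its exit code is the number of misbehaving cases, so it can serve as a regression check for this bug in a build script. The wrong.host case is the one to watch on older OpenSSL releases, since per the Additional Information only 1.0.2+ performs host-name matching itself.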

Issue History

Date Modified Username Field Change
2020-10-24 17:26 Benito van der Zander New Issue
2020-10-24 18:06 Michael Van Canneyt Assigned To => Michael Van Canneyt
2020-10-24 18:06 Michael Van Canneyt Status new => assigned
2020-11-08 14:08 Michael Van Canneyt Status assigned => resolved
2020-11-08 14:08 Michael Van Canneyt Resolution open => fixed
2020-11-08 14:08 Michael Van Canneyt FPCTarget => -
2020-11-08 14:08 Michael Van Canneyt Note Added: 0126791