View Issue Details

ID: 0037980
Project: FPC
Category: Packages
View Status: public
Last Update: 2021-05-01 17:07
Reporter: Benito van der Zander
Assigned To: Michael Van Canneyt
Status: resolved
Resolution: fixed
Product Version: 3.3.1
Summary: 0037980: openssl socket accepts invalid certificates
Description:
With the default settings TFPHttpClient opens these pages, which it must not do:

Even after enabling VerifyPeerCert, it still accepts
Steps To Reproduce:
Enabling VerifyPeerCert (which seems to be a rather convoluted way):

type
  TSecureOpenSSLSocketHandler = class(TOpenSSLSocketHandler)
    constructor Create; override;
  end;

constructor TSecureOpenSSLSocketHandler.Create;
begin
  inherited Create;
  VerifyPeerCert := True;                                    // default is False: peer cert is not checked
  CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt';  // CA bundle the peer chain must validate against
end;

Additional Information:
Only OpenSSL 1.0.2+ can check whether the host name is correct; for older versions the certificate needs to be parsed manually:
Tags: No tags attached.
Fixed in Revision: 47340
Attached Files:


Michael Van Canneyt (administrator), 2020-11-08 14:08, note ~0126791

I added VerifySSLCertificate (boolean) and OnVerifySSLCertificate (event) properties to TFPHTTPClient.
CertificateData now has a TrustedCertsDir property (in addition to CertCA.FileName) because OpenSSL can have either a file or a dir.
You can set this (and other) property up in the AfterSocketHandlerCreate event of TFPHTTPClient.
(example httpget shows how)

Tested with OpenSSL and GnuTLS: all mentioned sites now fail; works.
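
A complete client using the properties described in the note above, written as an added example for this page; it is not code from the bug report, from httpget or from the FPC sources. It covers the same ground as the reporter's subclass in Steps To Reproduce, but through TFPHTTPClient itself: VerifySSLCertificate is switched on, and the trust anchors are supplied in AfterSocketHandlerCreate, which is the first point at which the TLS handler exists. The event and property names follow the note; the two certificate paths are assumptions taken from the reporter's Debian-style layout and must be adapted to the target system. Whether the host name is checked against the certificate still depends on the OpenSSL version, as the reporter's Additional Information says.

```pascal
program verifyget;

{$mode objfpc}{$H+}

uses
  SysUtils, Classes, ssockets, sslsockets, fphttpclient,
  opensslsockets; // registers the OpenSSL handler as the default TLS backend

type
  TStrictFetcher = class
  private
    procedure HandlerCreated(Sender: TObject; AHandler: TSocketHandler);
  public
    // True only when the TLS handshake (including peer verification)
    // and the GET both succeeded; the body is empty otherwise.
    function TryGet(const AURL: String; out ABody: String): Boolean;
  end;

procedure TStrictFetcher.HandlerCreated(Sender: TObject; AHandler: TSocketHandler);
begin
  // Plain http:// URLs get a non-TLS handler; only configure the TLS one.
  if AHandler is TSSLSocketHandler then
    with TSSLSocketHandler(AHandler).CertificateData do
    begin
      // Either a CA bundle file or a hashed directory is enough for OpenSSL;
      // both are set here so that whichever the distribution ships is found.
      CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt'; // assumed path
      TrustedCertsDir := '/etc/ssl/certs';                      // assumed path
    end;
end;

function TStrictFetcher.TryGet(const AURL: String; out ABody: String): Boolean;
var
  Client: TFPHTTPClient;
begin
  Result := False;
  ABody := '';
  Client := TFPHTTPClient.Create(nil);
  try
    Client.AllowRedirect := True;
    // Without this line the default client behaves as in the report:
    // expired, self-signed and wrong-host certificates are accepted.
    Client.VerifySSLCertificate := True;
    Client.AfterSocketHandlerCreate := @HandlerCreated;
    try
      ABody := Client.Get(AURL);
      Result := True;
    except
      // A failed handshake surfaces as an exception; treat it as a
      // refused connection rather than falling back to an insecure fetch.
      on E: Exception do
        WriteLn(StdErr, AURL, ': refused (', E.ClassName, ': ', E.Message, ')');
    end;
  finally
    Client.Free;
  end;
end;

var
  Fetcher: TStrictFetcher;
  Body: String;
  I: Integer;
begin
  // Usage: verifyget https://example.org https://some-host-with-a-bad-cert/
  // Exit code 1 if any URL was refused.
  Fetcher := TStrictFetcher.Create;
  try
    for I := 1 to ParamCount do
      if Fetcher.TryGet(ParamStr(I), Body) then
        WriteLn(ParamStr(I), ': ok, ', Length(Body), ' bytes')
      else
        ExitCode := 1;
  finally
    Fetcher.Free;
  end;
end.
```

The point of doing the setup in AfterSocketHandlerCreate rather than in a handler subclass is that it does not replace the default handler class, so the same code works whichever TLS backend (OpenSSL or GnuTLS) is registered. Keep the exception handler as a hard failure: an OnVerifySSLCertificate handler that sets the allow flag for convenience reintroduces exactly the behaviour this report is about.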

Issue History

Date Modified     Username               Field               Change
2020-10-24 17:26  Benito van der Zander  New Issue
2020-10-24 18:06  Michael Van Canneyt    Assigned To         => Michael Van Canneyt
2020-10-24 18:06  Michael Van Canneyt    Status              new => assigned
2020-11-08 14:08  Michael Van Canneyt    Status              assigned => resolved
2020-11-08 14:08  Michael Van Canneyt    Resolution          open => fixed
2020-11-08 14:08  Michael Van Canneyt    FPCTarget           => -
2020-11-08 14:08  Michael Van Canneyt    Note Added          0126791
2021-05-01 17:07  Sven Barth             Fixed in Revision   => 47340