Delphi Indy verify server certificate SSL


Problem description

I have scoured the internet and haven't found a solution or method on how to verify the certificate when connecting over HTTPS using TIdHTTP.

I have hooked up an IdSSLIOHandlerSocketOpenSSL component as the IOHandler, set the SSLModes, etc. but when I browse to https://s3.amazonaws.com it cannot verify the certificate.

OpenSSL (Indy) gives

"Error connecting with SSL. SSL3_GET_SERVER_CERTIFICATE: Certificate verify failed"

The OpenSSL libraries have successfully loaded (checked with WhichFailedToLoad). The OnStatusInfo event writes the following:

SSL status: "before/connect initialization"

SSL status: "before/connect initialization"

SSL status: "SSLv2/v3 write client hello A"

SSL status: "SSLv3 read server hello A"

SSL status: "SSLv3 read server certificate B"

SSL status: "SSLv3 read server certificate B"

SSL status: "SSLv3 read server certificate B"

And OnVerifyPeer, AOk = False.

How can I get it to verify correctly? What's going on?

Thanks for reading, Adrian

Solution

You have to implement an event handler for the OnVerifyPeer event of your TIdSSLIOHandlerSocketOpenSSL component.

From IdSSLOpenSSL.pas:

Note that you really should always implement OnVerifyPeer, otherwise the certificate of the peer you are connecting to is NOT checked to ensure it is valid.

If you just want to consider valid the same certificates the Library considers also valid, you just have to implement it this way:

function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509;
  AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  Result := AOk;
end;

Indy first checks the validity of the certificate and passes you whether it is OK or not in the AOk parameter. The last word is in your code, as you may want to let pass some kinds of minor validation errors, like being out of date, or even ask the user whether the certificate is accepted or not in case of any error (minor or not).

To understand why it works this way, you may also want to read all the comments at the top of the IdSSLOpenSSL.pas file:

{

Important information concerning OnVerifyPeer: Rev 1.39 of February 2005 deliberately broke the OnVerifyPeer interface, which (obviously?) only affects programs that implemented that callback as part of the SSL negotiation. Note that you really should always implement OnVerifyPeer, otherwise the certificate of the peer you are connecting to is NOT checked to ensure it is valid.

Prior to this, if the SSL library detected a problem with a certificate or the Depth was insufficient (i.e. the "Ok" parameter in VerifyCallback is 0 / FALSE), then irrespective of whether your OnVerifyPeer returned True or False, the SSL connection would be deliberately failed.

This created a problem in that even if there was only a very minor problem with one of the certificates in the chain (OnVerifyPeer is called once for each certificate in the certificate chain), which the user may have been happy to accept, the SSL negotiation would be failed. However, changing the code to allow the SSL connection when a user returned True for OnVerifyPeer would have meant that existing code which depended on automatic rejection of invalid certificates would then be accepting invalid certificates, which would have been an unacceptable security change.

Consequently, OnVerifyPeer was changed to deliberately break existing code by adding an AOk parameter. To preserve the previous functionality, your OnVerifyPeer event should do "Result := AOk;". If you wish to consider accepting certificates that the SSL library has considered invalid, then in your OnVerifyPeer, make sure you satisfy yourself that the certificate really is valid and then set Result to True. In reality, in addition to checking AOk, you should always implement code that ensures you are only accepting certificates which are valid (at least from your point of view).

Ciaran Costelloe, ccostelloe[_a_t_]flogas.ie

}

{

RLebeau 1/12/2011: Breaking OnVerifyPeer event again, this time to add an additional AError parameter (patch courtesy of "jvlad", dmda@yandex.ru). This helps user code distinguish between Self-signed and invalid certificates.

}
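A fuller OnVerifyPeer handler, added here as an illustration and not part of the original answer or of Indy itself: it keeps "Result := AOk" as the baseline, logs what OpenSSL decided for each certificate in the chain using the AError code, and adds a check of its own on the leaf. It assumes a TMemo named Memo1 for logging, a hypothetical ConfigureVerification helper that gives OpenSSL a trust store (SSLOptions.RootCertFile pointing at a PEM CA bundle and VerifyMode containing sslvrfyPeer; with no trust store OpenSSL reports AOk = False for every chain, which matches the symptom in the question), the X509_V_ERR_* constants from IdSSLOpenSSLHeaders, and a simplified CN comparison standing in for proper SubjectAltName hostname matching.

```delphi
uses
  SysUtils, Classes, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

// Hypothetical helper (not from the original answer): give OpenSSL a trust
// store and switch peer verification on; otherwise OnVerifyPeer never fires
// or reports AOk = False for every certificate.
procedure ConfigureVerification(AIO: TIdSSLIOHandlerSocketOpenSSL;
  const ACABundle: string);
begin
  AIO.SSLOptions.RootCertFile := ACABundle;     // PEM bundle of trusted root CAs
  AIO.SSLOptions.VerifyMode   := [sslvrfyPeer]; // ask OpenSSL to verify the peer
  AIO.SSLOptions.VerifyDepth  := 5;             // maximum chain length to walk
end;

function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509;
  AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // Called once per certificate in the chain; ADepth = 0 is the server's leaf.
  Memo1.Lines.Add(Format('depth=%d ok=%s err=%d subject=%s issuer=%s',
    [ADepth, BoolToStr(AOk, True), AError,
     Certificate.Subject.OneLine, Certificate.Issuer.OneLine]));

  // Start from OpenSSL's verdict; the checks below can only tighten it.
  Result := AOk;
  if not Result then
  begin
    // AError carries OpenSSL's X509_V_ERR_* code, so the reason can be logged.
    case AError of
      X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
      X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
        Memo1.Lines.Add('  self-signed certificate, not in RootCertFile');
      X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        Memo1.Lines.Add('  issuer CA not found in RootCertFile (no trust store?)');
      X509_V_ERR_CERT_HAS_EXPIRED:
        Memo1.Lines.Add('  certificate expired ' + DateTimeToStr(Certificate.notAfter));
    end;
    Exit;
  end;

  // The chain check alone does not confirm the certificate belongs to the host
  // we dialled. Simplified CN match; real code should also walk SubjectAltName.
  if (ADepth = 0) and
     (Pos('CN=s3.amazonaws.com', Certificate.Subject.OneLine) = 0) then
  begin
    Memo1.Lines.Add('  subject does not name s3.amazonaws.com, rejecting');
    Result := False;
  end;
end;
```

Call ConfigureVerification on the IOHandler before the first TIdHTTP request; the log then shows, per depth, whether the failure is a missing CA, a self-signed certificate or an expired one.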
