#1 2014-10-21 13:42:48

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661

Debugging with TWinHTTP and SSL certificates

This is a post by EMartin that I deleted in today's thread.

The source code of the whole SynCrtSock.pas unit was posted in the message!
This made our forum unstable.
Please do not post such a huge piece of code in the forum.
The easiest way is to use either a PasteBin server or public Google Drive storage, or to send an email to me.
Or even better, the best way in Open Source is to fork our repository, e.g. on https://github.com/synopse/mORMot, and push your patch.

Original message:

EMartin wrote:

Hi Arnaud,
   For high-load testing I developed an application using TWinHTTP on the client side. When implementing SSL in TSQLRestServer I found a problem with TWinHTTP and SSL for my untrusted certificate (WinHTTP error 12175 = Secure Failure). In browsers this can be added as an exception, but with TWinHTTP I had to touch SynCrtSock.pas. The following code is the modified SynCrtSock.pas; my modifications are between "//>>EMartin" (open) and "//<<EMartin" (close). If you feel it is useful, can you add these modifications to SynCrtSock.pas? Or let me know how I can otherwise achieve the same result.
I used {$define IGNORESSLCERT}, but a TWinHTTP property may be a better place, or a parameter for requests (but the option could be at session level).
Based on revision [228f62000f]

I modified the supplied patch; see http://synopse.info/fossil/info/3d7ebe536a

Thanks for the idea and feedback, EMartin!


#2 2014-10-21 13:47:02

EMartin
Member
From: Buenos Aires - Argentina
Registered: 2013-01-09
Posts: 337

Re: Debugging with TWinHTTP and SSL certificates

Pardon me, and my sincerest apologies.

I'll take your recommendations into account.

Thanks.


Esteban


#3 2014-10-21 13:47:38

ab

Re: Debugging with TWinHTTP and SSL certificates

No problem!

I hope the new TWinHTTP.IgnoreSSLCertificates property works as expected for you.


#4 2014-10-21 15:21:24

EMartin

Re: Debugging with TWinHTTP and SSL certificates

It is not working, because IgnoreSSLCertificates is a property of an object and is not transferred to the instance created in the class functions. I made this change for my testing purposes in SynCrtSock.pas. It is a dirty trick: I changed the object property IgnoreSSLCertificates into a class property.

  TWinHTTP = class(TWinHttpAPI)
  private
    class function GetIgnoreSSLCertificates: Boolean;
    class procedure SetIgnoreSSLCertificates(const Value: Boolean);
  ...
    /// allows to ignore untrusted SSL certificates
    // - similar to adding a security exception for a domain in the browser
    property IgnoreSSLCertificates: boolean
      read GetIgnoreSSLCertificates write SetIgnoreSSLCertificates;
  end;

after implementation (line 1350):

threadvar
  TWinHTTP_IgnoreSSLCertificates: Boolean;

...

class function TWinHTTP.GetIgnoreSSLCertificates: Boolean;
begin
  Result := TWinHTTP_IgnoreSSLCertificates;
end;

...

procedure TWinHTTP.InternalSendRequest(const aData: RawByteString);
var L: integer;
begin
  // relax certificate checks only for HTTPS and only when explicitly requested
  if fHTTPS and GetIgnoreSSLCertificates then
    if not WinHttpSetOption(fRequest, WINHTTP_OPTION_SECURITY_FLAGS,
       @SECURITY_FLAT_IGNORE_CERTIFICATES, SizeOf(SECURITY_FLAT_IGNORE_CERTIFICATES)) then
      RaiseLastModuleError(winhttpdll,EWinHTTP);
  L := length(aData);
  if not WinHttpSendRequest(fRequest, nil, 0, pointer(aData), L, L, 0) or
     not WinHttpReceiveResponse(fRequest,nil) then
    RaiseLastModuleError(winhttpdll,EWinHTTP);
end;

...

class procedure TWinHTTP.SetIgnoreSSLCertificates(const Value: Boolean);
begin
  TWinHTTP_IgnoreSSLCertificates := Value;
end;

...

And I removed fIgnoreSSLCertificates.

I am sure that you will implement the best solution.

Thanks.


Esteban


#5 2014-10-21 16:51:43

ab

Re: Debugging with TWinHTTP and SSL certificates

In my implementation, you just have to set the TWinHttp.IgnoreSSLCertificates property right after Create, and before using the instance.

I do not see any problem with that.
This is how we usually set timeout parameters and so on for a TSQLHTTPClient instance.


#6 2014-10-21 17:23:28

EMartin

Re: Debugging with TWinHTTP and SSL certificates

I did that, but the class functions TWinHTTPAPI.Get/Post ... call the class function TWinHTTPAPI.InternalREST:

class function TWinHttpAPI.InternalREST(const url,method,data,header: RawByteString): RawByteString;
var URI: TURI;
    outHeaders: RawByteString;
begin
  result := '';
  with URI do
  if From(url) then
  try
    // --> a new instance is created here, so its fIgnoreSSLCertificates is False
    with self.Create(Server,Port,Https) do
    try
      Request(Address,method,0,header,data,'',outHeaders,result);
    finally
      Free;
    end;
  except
    result := '';
  end;
end;

That is why I implemented the pseudo class property. I hope you can understand me.

Thanks.


Esteban


#7 2014-10-21 20:09:53

ab

Re: Debugging with TWinHTTP and SSL certificates

Just add the missing parameter in InternalREST() method.

But a global variable to set a per-connection property is IMHO a very wrong idea.


#8 2014-10-21 20:35:03

EMartin

Re: Debugging with TWinHTTP and SSL certificates

I know that the global variable is a bad idea. I just didn't want to have my own version of SynCrtSock.pas. I will add the parameter to the TWinHTTP constructor and to the class functions GET/POST/InternalREST/etc.; if you want, I can put this on GitHub.

Bye.


Esteban

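The per-instance approach agreed on in posts #7 and #8 (an explicit parameter carried through the class function instead of a threadvar), as an added stand-alone Free Pascal sketch that is not mORMot's code: TDemoHttp, SecurityFlags and the simplified InternalREST signature are assumptions standing in for TWinHTTP, while the SECURITY_FLAG_* constants are the genuine winhttp.h values.

```pascal
program IgnoreSslPerInstance; {$mode objfpc}{$H+}
// Stand-alone FPC sketch; TDemoHttp is an assumed stand-in for mORMot's TWinHTTP,
// not the real class: it only models how the per-instance flag travels.
const
  // genuine WinHTTP values from winhttp.h; or'ed together they are the same mask
  // mORMot names SECURITY_FLAT_IGNORE_CERTIFICATES
  SECURITY_FLAG_IGNORE_UNKNOWN_CA        = $00000100;
  SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = $00000200;
  SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = $00001000;
  SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = $00002000;
  IGNORE_ALL = SECURITY_FLAG_IGNORE_UNKNOWN_CA or SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE
    or SECURITY_FLAG_IGNORE_CERT_CN_INVALID or SECURITY_FLAG_IGNORE_CERT_DATE_INVALID;
type
  TDemoHttp = class
    fHttps: boolean;
    fIgnoreSSLCertificates: boolean; // per instance: False unless set after Create
    constructor Create(aHttps: boolean);
    // WINHTTP_OPTION_SECURITY_FLAGS value this instance would hand to WinHttpSetOption
    function SecurityFlags: cardinal;
    // an explicit parameter replaces the threadvar, so no other instance is affected
    class function InternalREST(aHttps, aIgnoreSSLCertificates: boolean): cardinal;
    property IgnoreSSLCertificates: boolean
      read fIgnoreSSLCertificates write fIgnoreSSLCertificates;
  end;
constructor TDemoHttp.Create(aHttps: boolean);
begin
  fHttps := aHttps;
end;
function TDemoHttp.SecurityFlags: cardinal;
begin
  if fHttps and fIgnoreSSLCertificates then
    result := IGNORE_ALL
  else
    result := 0; // certificate validation stays on by default
end;
class function TDemoHttp.InternalREST(aHttps, aIgnoreSSLCertificates: boolean): cardinal;
var c: TDemoHttp;
begin
  c := Self.Create(aHttps); // fresh instance, as in the real InternalREST
  try
    c.IgnoreSSLCertificates := aIgnoreSSLCertificates; // set just after Create, before use
    result := c.SecurityFlags;
  finally
    c.Free;
  end;
end;
begin
  WriteLn('default flags: ', TDemoHttp.InternalREST(True, False)); // 0
  WriteLn('opt-in flags:  ', TDemoHttp.InternalREST(True, True));  // 13056
end.
```

Because the flag lives on the instance and is passed explicitly, a caller that never opts in keeps full certificate validation even when another thread or instance has relaxed it.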

#9 2014-10-21 22:01:55

EMartin

Re: Debugging with TWinHTTP and SSL certificates

Hi Arnaud, I put the modified SynCrtSock.pas on GitHub; the pull request is https://github.com/synopse/mORMot/pull/5

Check and merge if you consider the modifications right.

Best regards.


Esteban
