This is a post by EMartin that I deleted from a thread today.
The source code of the whole SynCrtSock.pas unit was posted in the message!
This just made our forum unstable.
Please do not post such a huge piece of code in the forum.
The easiest is to use either a PasteBin server, or a public GoogleDrive storage, or send an email to me.
Or even better, the best way in Open Source is to fork our repository e.g. on https://github.com/synopse/mORMot and push your patch.
Original message:
Hi Arnaud,
For high load testing I developed an application using TWinHTTP on the client side. When implementing SSL in TSQLRestServer I found a problem with TWinHTTP and SSL for my untrusted certificate (WinHTTP error 12175=Secure Failure). In browsers this can be added as an exception, but with TWinHTTP I had to touch SynCrtSock.pas. The following code is the modified SynCrtSock.pas; my modifications are between "//>>EMartin" (open) and "//<<EMartin" (close). If you feel that it serves, can you add these modifications to SynCrtSock.pas? Or let me know how I could otherwise arrive at the same result.
I used {$define IGNORESSLCERT}, but a TWinHTTP property may be the best place, or a parameter for requests (but the options can be at session level).
Based on revision [228f62000f]
I modified the supplied patch; see http://synopse.info/fossil/info/3d7ebe536a
Thanks for the idea and feedback, EMartin!
Offline
Pardon and my sincerest apologies.
I'll take your recommendations into account.
Thanks.
Esteban
Offline
It is not working because IgnoreSSLCertificates is a property of an object and is not transferred to the instance created in the class functions. I made this change for my testing purposes in SynCrtSock.pas. It is a dirty trick: I changed the object property IgnoreSSLCertificates to a class property.
  TWinHTTP = class(TWinHttpAPI)
  private
    class function GetIgnoreSSLCertificates: Boolean;
    class procedure SetIgnoreSSLCertificates(const Value: Boolean);
    ...
    /// allows to ignore untrusted SSL certificates
    // - similar to adding a security exception for a domain in the browser
    property IgnoreSSLCertificates: boolean
      read GetIgnoreSSLCertificates write SetIgnoreSSLCertificates;
  end;
after implementation (line 1350):
  threadvar
    TWinHTTP_IgnoreSSLCertificates: Boolean;
  ...
  class function TWinHTTP.GetIgnoreSSLCertificates: Boolean;
  begin
    Result := TWinHTTP_IgnoreSSLCertificates;
  end;
  ...
  procedure TWinHTTP.InternalSendRequest(const aData: RawByteString);
  var L: integer;
  begin
    if fHTTPS and GetIgnoreSSLCertificates then
      if not WinHttpSetOption(fRequest, WINHTTP_OPTION_SECURITY_FLAGS,
         @SECURITY_FLAT_IGNORE_CERTIFICATES, SizeOf(SECURITY_FLAT_IGNORE_CERTIFICATES)) then
        RaiseLastModuleError(winhttpdll,EWinHTTP);
    L := length(aData);
    if not WinHttpSendRequest(fRequest, nil, 0, pointer(aData), L, L, 0) or
       not WinHttpReceiveResponse(fRequest,nil) then
      RaiseLastModuleError(winhttpdll,EWinHTTP);
  end;
  ...
  class procedure TWinHTTP.SetIgnoreSSLCertificates(const Value: Boolean);
  begin
    TWinHTTP_IgnoreSSLCertificates := Value;
  end;
  ...
And I removed the fIgnoreSSLCertificates.
I am sure that you will implement the best solution.
Thanks.
Esteban
Offline
In my implementation, you just have to set the TWinHttp.IgnoreSSLCertificates property just after creating the instance, and before using it.
I do not see any problem with that.
This is how we usually set timeout parameters and so on for a TSQLHTTPClient instance.
Offline
I did that, but in the class functions TWinHTTPAPI.Get/Post ... there is a call to the class function TWinHTTPAPI.InternalRest:
  class function TWinHttpAPI.InternalREST(const url,method,data,header: RawByteString): RawByteString;
  var URI: TURI;
      outHeaders: RawByteString;
  begin
    result := '';
    with URI do
    if From(url) then
    try //*****************************************************
      with self.Create(Server,Port,Https) do // --> new instance and fIgnoreSSLCertificates is False
      try //*****************************************************
        Request(Address,method,0,header,data,'',outHeaders,result);
      finally
        Free;
      end;
    except
      result := '';
    end;
  end;
This is why I implemented the pseudo class property. I hope you can understand me.
Thanks.
Esteban
Offline
I know that the global variable is a bad idea. I just didn't want to have my own version of SynCrtSock.pas. I will add the parameter to the TWinHTTP constructor and the class functions GET/POST/InternalRest/etc.; if you want, I will put this on GitHub.
Bye.
Esteban
Offline
Hi Arnaud, I put the modified SynCrtSock.pas on GitHub, and the pull request is https://github.com/synopse/mORMot/pull/5
Check and merge if you consider that the modifications are right.
Best regards.
Esteban
Offline
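Added example, not part of the thread and not code from SynCrtSock.pas or the pull request: a stand-alone model of the design discussed above, where a class function that creates a fresh instance per call receives the certificate exceptions as a parameter instead of reading a threadvar, and only the selected checks are relaxed. TDemoClient, TCertException, FLAG_OF and FlagsForRequest are hypothetical names; the SECURITY_FLAG_* values are the WinHTTP constants used with WINHTTP_OPTION_SECURITY_FLAGS.

```pascal
program ScopedCertExceptions;
{$ifdef FPC}{$mode delphi}{$endif}
{$APPTYPE CONSOLE}
uses SysUtils;

const // WinHTTP bits accepted by WINHTTP_OPTION_SECURITY_FLAGS
  SECURITY_FLAG_IGNORE_UNKNOWN_CA        = $00000100;
  SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE  = $00000200;
  SECURITY_FLAG_IGNORE_CERT_CN_INVALID   = $00001000;
  SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = $00002000;
type // hypothetical names for this illustration, not SynCrtSock.pas identifiers
  TCertException = (ceUnknownCA, ceWrongUsage, ceCNInvalid, ceDateInvalid);
  TCertExceptions = set of TCertException;
  TDemoClient = class
    fExceptions: TCertExceptions; // per instance: no global, no threadvar
    constructor Create(aExceptions: TCertExceptions);
    function SecurityFlags: Cardinal;
    class function FlagsForRequest(aExceptions: TCertExceptions): Cardinal;
  end;
const
  FLAG_OF: array[TCertException] of Cardinal = (
    SECURITY_FLAG_IGNORE_UNKNOWN_CA, SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE,
    SECURITY_FLAG_IGNORE_CERT_CN_INVALID, SECURITY_FLAG_IGNORE_CERT_DATE_INVALID);

constructor TDemoClient.Create(aExceptions: TCertExceptions);
begin
  inherited Create;
  fExceptions := aExceptions;
end;
// Mask a real client would hand to WinHttpSetOption; 0 keeps full validation
function TDemoClient.SecurityFlags: Cardinal;
var e: TCertException;
begin
  Result := 0;
  for e := Low(TCertException) to High(TCertException) do
    if e in fExceptions then Result := Result or FLAG_OF[e];
end;
// Mirrors InternalREST: a new instance per call, so the caller's choice is passed in
class function TDemoClient.FlagsForRequest(aExceptions: TCertExceptions): Cardinal;
var c: TDemoClient;
begin
  c := Create(aExceptions);
  try
    Result := c.SecurityFlags;
  finally
    c.Free;
  end;
end;

begin // constructed cases: a self-signed test host versus every other host
  Writeln('self-signed test host: $', IntToHex(Integer(TDemoClient.FlagsForRequest([ceUnknownCA])), 8));
  Writeln('any other host:        $', IntToHex(Integer(TDemoClient.FlagsForRequest([])), 8));
end.
```

Passing `[ceUnknownCA]` alone still leaves the host name, validity date and key usage checks active for the self-signed test certificate, and a call made with `[]` is unaffected by what another request on the same thread asked for.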