THttpRequest helper methods Get, Post, Put and Delete use IgnoreSSLCertificateErrors=true by default in both mORMot1 & 2.
This can cause very dangerous security issues (we can retrieve some data from a fake server etc.).
I understand that for testing purposes it is useful to use self-signed certificates etc., but it's easy to forget to change the IgnoreSSLCertificateErrors value to true before going to production (today I found that I did it in one of my deployments).
@ab - I propose to set it to false by default in mORMot2 (or maybe introduce some ifdef DANGAROUS_SSL_ERROR_IGNORE).
Cyber security is very important in today's era
Hi,
I would like also to be able to retrieve server certificate info. Is there a way to do so?
Having this, I can check whenever there is a proxifier and/or fiddler between the App and the Server to sniff https traffic.
You do not need server certificate info for this - if anybody uses MITM (replaces the real server certificate by a self-signed one), then the server certificate will not match the domain you request, so in strictSSL mode you get an error.
The only case where this does not happen is when the MITM's CA certificate is injected into the trusted certificates (on OS level for WinHTTP / SSL level for Curl) of your operating system - this is what China has done, what Kazakhstan tries to do, or what Fortinet did in corporate environments.
As far as I know TLS certificate info can be obtained using openssl; at least from the command line you can
```
echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text
```
Last edited by mpv (2021-03-02 17:03:21)
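As an added example that is not part of this thread or of mORMot, the following script uses the openssl CLI to show what the strict default (IgnoreSSLCertificateErrors=false) checks that the "ignore errors" setting from the first post skips, and how a self-signed test certificate can be trusted by pinning it instead of disabling verification. It assumes openssl is on PATH; every certificate and hostname is constructed locally, so nothing touches the network.

```shell
#!/bin/sh
# Added example (not mORMot code): strict vs. "ignore certificate errors"
# verification, using the openssl CLI. Assumes openssl is installed; all
# certificates below are constructed on the fly in a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed certificate for hostname $1 and print its path.
# This is what a test server, or an interposed TLS proxy, would present.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.crt"
}

# IgnoreSSLCertificateErrors=false: the chain must end in a trusted anchor ($3)
# AND the certificate must have been issued for the host we asked for ($2).
strict_verify() {
  openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# IgnoreSSLCertificateErrors=true: the client only needs a parseable
# certificate to finish the handshake; it never asks who issued it.
ignore_errors_verify() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# The certificate details a client could log (what the thread asks for).
cert_info() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

LEGIT=$(make_self_signed_cert api.example.test)   # our own test server
MITM=$(make_self_signed_cert mitm-proxy.test)     # constructed interposer

# Pinning the test server's own certificate as the anchor is the safe
# alternative to flipping IgnoreSSLCertificateErrors=true during development.
strict_verify "$LEGIT" api.example.test "$LEGIT" && echo "strict: pinned test cert accepted"
strict_verify "$MITM" api.example.test "$LEGIT" || echo "strict: interposer rejected (untrusted issuer)"
strict_verify "$LEGIT" other.example.test "$LEGIT" || echo "strict: hostname mismatch rejected"
ignore_errors_verify "$MITM" && echo "ignore-errors: interposer accepted (the default the thread warns about)"
cert_info "$MITM"
```

The same checks are what WinHTTP, curl or SChannel perform for you when the ignore flag is off; the script only makes each failure mode visible separately.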
IgnoreSSLCertificateErrors is now set to false for mORMot 2.
I didn't change it for mORMot 1 because it would break existing code.
Note that TCrtSocket has by default IgnoreSSLCertificateErrors=false for its SChannel/OpenSSL TLS layer.
Where can I set IgnoreSSLCertificateErrors to true for MongoClient?
TMongoConnection.Open would be the right place, but the constructor doesn't have a parameter for it.
I have added new TMongoClient.ConnectionTlsContext and ConnectionTunnel parameters to unit mormot.db.nosql.mongodb.
It allows setting all the needed TLS and proxy configuration, including IgnoreSSLCertificateErrors.
Thank you!