Author Topic: Check SSL Certificate on HTTPs Connection  (Read 1136 times)

PhilmacFLy

  • New member
  • *
  • Posts: 9
Check SSL Certificate on HTTPs Connection
« on: May 03, 2017, 11:36:04 am »
I'm developing a small app which communicates with a backend on my server.
In order to make sure that the app does indeed communicate with my server and not with someone else, I'm trying to implement a check on the fingerprint of the SSL certificate of the server.

Now with TFPHttpClient I can pretty easily access the server and send HTTPS requests, but I get no info about the cert itself. It even accepts self-signed certs.

Is there a way to check the certificate of the server?

PhilmacFLy

  • New member
  • *
  • Posts: 9
Re: Check SSL Certificate on HTTPs Connection
« Reply #1 on: May 03, 2017, 03:19:24 pm »
Well, not quite. Imagine a man-in-the-middle attack where the attacker is (in whichever way) able to provide a valid cert for my domain. If I could check the fingerprint of said cert, I would know that they are not the same (also known as certificate pinning).

Edit: Seems like someone deleted their post after I made mine  :-X
« Last Edit: May 03, 2017, 03:26:19 pm by PhilmacFLy »

Thaddy

  • Hero Member
  • *****
  • Posts: 4439
Re: Check SSL Certificate on HTTPs Connection
« Reply #2 on: May 03, 2017, 04:03:25 pm »
Yes, I did, because I am preparing a better response.
But you seem to understand it.
What you need is not certification (that's done like in the deleted post and is still valid for self-signed certificates, which is why you should not use those in real life) but a means of root-certification.
Any other way of certification is fruitless.
"Logically, no number of positive outcomes at the level of experimental testing can confirm a scientific theory, but a single counterexample is logically decisive."

PhilmacFLy

  • New member
  • *
  • Posts: 9
Re: Check SSL Certificate on HTTPs Connection
« Reply #3 on: May 04, 2017, 11:29:49 am »
But isn't the root certificate part of the certification chain of my own certificate? So if I can retrieve the certificate, I can go along the tree and check the fingerprints and issuers for the one I'm searching for. The problem is just that this leaves me with the problem described: I don't know how to access the cert presented to me.

PhilmacFLy

  • New member
  • *
  • Posts: 9
Re: Check SSL Certificate on HTTPs Connection
« Reply #4 on: May 04, 2017, 05:21:06 pm »
OK, it turns out in the end it's a lot easier than I thought: you just have to utilize the TTCPBlockSocket from Synapse as well as the TSSLOpenSSL from the Synapse OpenSSL implementation. I made a little showcase to post here.
Code: Pascal
  // Requires the Synapse units blcksock and ssl_openssl in the uses clause.
  procedure TForm1.Button2Click(Sender: TObject);
  var
    sock: TTCPBlockSocket;
    ssl: TSSLOpenSSL;
  begin
    ssl := nil;
    sock := TTCPBlockSocket.Create;
    try
      // Open the plain TCP connection first.
      sock.Connect('10.146.206.15', '3791');
      if sock.LastError <> 0 then begin
        memo1.Lines.Add(sock.LastErrorDesc);
        Exit;
      end;
      // Attach the OpenSSL implementation to the connected socket.
      ssl := TSSLOpenSSL.Create(sock);
      if ssl.LastError <> 0 then begin
        memo1.Lines.Add(ssl.LastErrorDesc);
        Exit;
      end;
      // Run the TLS handshake.
      ssl.Connect;
      if ssl.LastError <> 0 then begin
        memo1.Lines.Add(ssl.LastErrorDesc);
        Exit;
      end;
      // Show details of the certificate presented by the server.
      memo1.Lines.Add(ssl.GetPeerIssuer);
      memo1.Lines.Add(ssl.GetPeerFingerprint);
      memo1.Lines.Add(ssl.GetCertInfo);
    finally
      // Exit also passes through here, so both objects are always released.
      ssl.Free;
      sock.Free;
    end;
  end;

Now you can use the TSSLOpenSSL to access all the info that you want/need.
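
The fingerprint comparison this thread is after (certificate pinning), as an added example that is not part of the original posts and is not Synapse code: it is written in Python rather than Pascal, pins the SHA-256 digest of the DER certificate, and keeps normal CA and hostname validation in front of the pin check. All function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable

def normalize_pin(pin: str) -> bytes:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return the raw 32-byte digest."""
    raw = bytes.fromhex(pin.replace(":", "").replace(" ", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    return raw

def fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(cert_der).digest()

def is_pinned(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate matches any pin (current or backup)."""
    actual = fingerprint(cert_der)
    # Evaluate every pin; compare_digest avoids early-exit timing differences.
    results = [hmac.compare_digest(actual, normalize_pin(p)) for p in pins]
    return any(results)

def fetch_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Handshake with CA and hostname validation, then return the leaf cert."""
    ctx = ssl.create_default_context()  # self-signed or wrong-host certs fail here
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def connect_pinned(host: str, port: int, pins: Iterable[str]) -> bytes:
    """Return the leaf certificate only if it validates and matches a pin."""
    der = fetch_leaf_der(host, port)
    if not is_pinned(der, pins):
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return der

# Constructed sample bytes standing in for DER certificates (not real certs).
SAMPLE_CERT = b"constructed-sample-certificate-A"
OTHER_CERT = b"constructed-sample-certificate-B"
SAMPLE_PIN = ":".join(f"{b:02X}" for b in fingerprint(SAMPLE_CERT))
```

Shipping a second (backup) pin alongside the current one lets the server certificate be rotated without locking out installed clients.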
