How to disable ssl certificate verification in LazAutoUpdate
johnkirt:
Hello, I want to use the LazAutoUpdate to update from a site with a self-signed ssl certificate. Everything works over http, but nothing works over https (only with a self-signed certificate). I know that using a self-signed certificate is not safe but I want to make it work. After studying the source code of this module, I found the function responsible for providing https:
--- Code: Pascal ---
function TFPCustomHTTPClient.GetSocketHandler(const UseSSL: Boolean): TSocketHandler;
begin
  Result:=Nil;
  if Assigned(FonGetSocketHandler) then
    FOnGetSocketHandler(Self,UseSSL,Result);
  if (Result=Nil) then
{$if not defined(HASAMIGA)}
    If UseSSL then
      Result:=TSSLSocketHandler.Create
    else
{$endif}
      Result:=TSocketHandler.Create;
end;
--- End code ---
Full code: http://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/lazautoupdate_httpclient.pas
In turn, this function uses sslsockets (TSSLSocketHandler). Having studied sslsockets source and tried different solutions, I could not solve this problem. Is it possible to disable ssl certificate verification to work with a server with a self-signed certificate?
Thaddy:
If your receiver certificate vault contains your certificate it should work. You can add it manually.
Note that I have experience with that, but any certificate as such is signed by my own CA as root.
Once you add the root certificate on the user side, everything should be OK for any certificate which is signed by your root.
It needs to be installed specifically, though, and by hand. There is no way around that.
Both on Windows and Unixes it requires elevated privileges (not after the installation).
johnkirt:
I know if you add a certificate locally, it works, but I need it to work regardless of whether it is added by a local CA or not. I have encountered such a problem in C# and you can turn off ssl verification there.
Thaddy:
--- Quote from: johnkirt on March 05, 2023, 05:18:31 pm ---
I know if you add a certificate locally, it works, but I need it to work regardless of whether it is added by a local CA or not. I have encountered such a problem in C# and you can turn off ssl verification there.
--- End quote ---
Only on developer level. On customer machines that should not be possible. You are manipulating the truth. (and that is nicely written, plain wrong)
You cannot turn off ssl verification except locally, or by finding a victim that installs your certificate.....
PierceNg:
--- Quote from: johnkirt on March 05, 2023, 02:19:05 pm ---
In turn, this function uses sslsockets (TSSLSocketHandler). Having studied sslsockets source and tried different solutions, I could not solve this problem. Is it possible to disable ssl certificate verification to work with a server with a self-signed certificate?
--- End quote ---
TSSLSocketHandler has this property:
--- Code: Pascal ---
property VerifyPeerCert: Boolean read FVerifyPeerCert Write FVerifyPeerCert;
--- End code ---
Try setting it to false. If that doesn't work, then the class also has:
--- Code: Pascal ---
property RemoteHostName : String Index 2 read GetString write SetString; deprecated 'use CertificateData instead';
property Certificate : TSSLData Index 0 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
property TrustedCertificate : TSSLData Index 1 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
property PrivateKey : TSSLData Index 2 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
property PFX: TSSLData Index 3 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
property CertCA: TSSLData Index 4 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
property OnVerifyCertificate: TVerifyCertificateEvent read FOnVerifyCertificate write FOnVerifyCertificate;
--- End code ---
Try setting the CertCA property to your self-signed / private CA cert. Or implement a handler for the OnVerifyCertificate event.
One of these ought to do it.
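The two answers above point the same way: rather than setting VerifyPeerCert to false, keep verification on and hand the client your own CA through CertCA, so the updater accepts only servers whose chain leads to that CA. The program below is an added example written for this thread; it is not LazAutoUpdate's or Free Pascal's own code. It assumes FPC 3.2+ (fphttpclient, sslsockets and the opensslsockets unit that provides TOpenSSLSocketHandler), uses the OnGetSocketHandler hook that the GetSocketHandler function quoted in the first post calls, and the file name and URL are placeholders. In LazAutoUpdate itself the hook would have to be wired into the component's own copy of TFPCustomHTTPClient in lazautoupdate_httpclient.pas.

```pascal
program PinnedCAUpdateClient;
{$mode objfpc}{$H+}
// Added example (not LazAutoUpdate's code). Assumes FPC 3.2+ with the
// opensslsockets unit; CA_FILE and UPDATE_URL are placeholders.
uses
  Classes, SysUtils, fphttpclient, ssockets, sslsockets, opensslsockets;

const
  CA_FILE    = 'updater-ca.pem';                        // placeholder: PEM of your own root CA
  UPDATE_URL = 'https://updates.example.invalid/version.txt'; // placeholder

type
  // Holds the OnGetSocketHandler callback; a plain object is enough
  TPinnedClient = class
    procedure GetSocketHandler(Sender: TObject; const UseSSL: Boolean;
      out AHandler: TSocketHandler);
  end;

procedure TPinnedClient.GetSocketHandler(Sender: TObject; const UseSSL: Boolean;
  out AHandler: TSocketHandler);
var
  SSL: TSSLSocketHandler;
begin
  if not UseSSL then
  begin
    AHandler := TSocketHandler.Create;   // plain http: nothing to verify
    Exit;
  end;
  SSL := TOpenSSLSocketHandler.Create;
  SSL.VerifyPeerCert := True;            // verification stays ON
  // Trust only the private CA that signed the update server's certificate.
  // (CertificateData.CertCA is the non-deprecated spelling of the CertCA
  // property listed in the answer above; assumption: this is the PEM path.)
  SSL.CertificateData.CertCA.FileName := CA_FILE;
  AHandler := SSL;
end;

var
  Client: TFPHTTPClient;
  Pinned: TPinnedClient;
  Body: string;
begin
  Pinned := TPinnedClient.Create;
  Client := TFPHTTPClient.Create(nil);
  try
    Client.OnGetSocketHandler := @Pinned.GetSocketHandler;
    try
      Body := Client.Get(UPDATE_URL);
      WriteLn('Server replied: ', Body);
    except
      // A server whose chain does not lead to CA_FILE fails the handshake
      // and lands here instead of being silently accepted.
      on E: Exception do
        WriteLn('Update check refused: ', E.ClassName, ': ', E.Message);
    end;
  finally
    Client.Free;
    Pinned.Free;
  end;
end.
```

The CA file ships with the application, so no certificate has to be installed into the operating system store and no elevated privileges are needed on the user's machine; the trade-off is that the application only ever trusts that one CA for updates, which is exactly what an auto-updater wants.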