Forum > Networking and Web Programming

How to disable ssl certificate verification in LazAutoUpdate


Thaddy:
That will only work one sided. (It is about the peer certificate)
If you are on a fixed or reasonably stable IPv4/v6, you can obtain a letsencrypt certificate for free.
That may solve your problem.
My home server is on a stable IP and works with letsencrypt. My other servers are either static and http or work with a commercial certificate (comodo).

But self-signed certificates are great for development, as are the properties that Pierceng mentioned.
They are not meant for production code, though.
Self-signed certificates are also great for secure connections within a LAN/WAN network over which you have full control (where an administrator controls all keyrings).
But in principle it is a bad idea to ignore certificates.
1.: Get one for free
2.: Create a CA and derived certificates. Make sure the other side adds your CA public key to their Keyring.

Thaddy:
I did some tests. It seems that the suggestion by pierceng actually works on the client level.
Tested against one of my own websites, which has a self-signed certificate: https://thaddy.org
A browser would initially refuse the connection with a 443 error, but a small fphttpclient will succeed when VerifySSLCertificate := false and fails when VerifySSLCertificate := true.
Code used is similar to my other post, but with exception handling.

--- Code: Pascal ---
{$mode objfpc}
uses
  classes, sysutils, fphttpclient, opensslsockets, fpJson, jsonparser;

var
  Client: TFpHttpClient;
  List: TStringList;
  URL: String = 'https://thaddy.org';
begin
  Randomize;
  Client := TfpHttpClient.Create(nil);
  try
    // this is important
    Client.AllowRedirect := true;
    // optional
    Client.RequestHeaders.Add('User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0');
    Client.VerifySSLCertificate := Boolean(random(2)); // fails or succeeds based on true/false
    List := TStringlist.Create;
    try
      try
        List.Text := Client.Get(URL);
        writeln(Client.ResponseStatusText, Client.ResponseStatusCode: 5);
      except
        On E: Exception do
          writeln(E.Message);
      end;
      writeln(List.Text);
    finally
      List.Free;
    end;
  finally
    Client.Free;
  end;
end.
--- End code ---

Response can be (true):
--- Code: ---Connect to thaddy.org:443 failed: SSL error code: 336134278: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
--- End code ---
Or (false):
--- Code: ---OK  200
<html>Apache is functioning normally</html>
--- End code ---

Don't worry about security here: apache is configured to only serve static pages.
(unless I am testing CGI delivered pages, but those pages are usually not publicly known and shortlived. There is also no database running on this one.)

Also note - logically - that if the client has the certificate installed it will always succeed! Also tested on a different laptop. The other way around seems to fail every time, though (a small server, still testing).
This is all as expected. Does that help?

johnkirt:
I tried this solution and it does not find such a property VerifySSLCertificate.
The goal is to make LazAutoUpdate work with self-signed certificates. The module uses its own unit based on fphttpclient - lazautoupdate_httpclient. Do I have to refactor this module (lazautoupdate_httpclient - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/lazautoupdate_httpclient.pas) or the place where it is called (ulazautoupdate - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/ulazautoupdate.pas)? I tried to add VerifySSLCertificate := false

--- Code: Pascal ---
procedure TDownloadThreadClass.Execute;
begin
  fHTTPClient := TFPHTTPClient.Create(nil);
  fHTTPClient.VerifySSLCertificate := false; // ulazautoupdate.pas(2697,15) Error: identifier idents no member "VerifySSLCertificate"
  // OnThreadDataEvent:=fHTTPClient.OnDataReceived;
  // fHTTPClient.OnDataReceived:=@DoPercent;
  // Start the download procedure
  fDownloadSize := GetDownloadFileSize(fURL, fIsRepositoryURL);
  if (fDownloadSize > 0) then
  begin
    fDownloadSize := 0;
    DownloadHTTP(fURL, fFileName, fReturnCode, fDownloadSize,
      fIsRepositoryURL, fDebugMode);
  end
  else
    fLastError := 'Zero Size';
end;
--- End code ---
in ulazautoupdate - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/ulazautoupdate.pas
but it does not find such a property VerifySSLCertificate.

TRon:

--- Quote from: johnkirt on March 06, 2023, 07:20:58 pm ---I tried this solution and it does not find such a property VerifySSLCertificate.

--- End quote ---
Try Free Pascal trunk.

PierceNg:

--- Quote from: johnkirt on March 06, 2023, 07:20:58 pm ---I tried this solution and it does not find such a property VerifySSLCertificate.

--- End quote ---

Thaddy is testing what I wrote using TFPHTTPClient. See my earlier post for the relevant properties of TSSLSocketHandler.
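
Putting Thaddy's "create a CA and install its public key on the other side" advice together with PierceNg's pointer to the TSSLSocketHandler properties, here is an added example (not code from the thread or from LazAutoUpdate) that keeps verification on and instead hands TFPHTTPClient, via its OnGetSocketHandler event, an OpenSSL handler whose only trust anchor is your own CA (or the self-signed server certificate itself), so it also builds on released FPC 3.2.x where VerifySSLCertificate does not exist. It assumes the OpenSSL handler honours VerifyPeerCert and passes CertificateData.CertCA.FileName to OpenSSL's verify locations; the file name and URL are placeholders.

```pascal
{$mode objfpc}{$H+}
program pinned_update_client;
// Added example: trust only our own CA instead of disabling verification.
uses
  classes, sysutils, ssockets, sslsockets, fphttpclient, opensslsockets;

type
  TPinnedClient = class
    procedure GetSocketHandler(Sender: TObject; const UseSSL: Boolean;
      out AHandler: TSocketHandler);
  end;

procedure TPinnedClient.GetSocketHandler(Sender: TObject; const UseSSL: Boolean;
  out AHandler: TSocketHandler);
var
  SSL: TSSLSocketHandler;
begin
  AHandler := nil;                 // nil = let the client build its default handler
  if not UseSSL then Exit;         // plain http, nothing to pin
  SSL := TSSLSocketHandler.GetDefaultHandler; // TOpenSSLSocketHandler (opensslsockets is used)
  SSL.VerifyPeerCert := True;      // verification stays ON
  // Trust anchor: PEM of our private CA, or the self-signed server cert itself.
  // Assumed path; ship this file with the application, not a flag that turns checks off.
  SSL.CertificateData.CertCA.FileName := 'my-update-ca.pem';
  AHandler := SSL;
end;

var
  Client: TFPHTTPClient;
  Pinned: TPinnedClient;
  Body: String;
begin
  Pinned := TPinnedClient.Create;
  Client := TFPHTTPClient.Create(nil);
  try
    Client.AllowRedirect := True;
    Client.OnGetSocketHandler := @Pinned.GetSocketHandler;
    try
      // Placeholder URL; a server presenting any cert not signed by my-update-ca.pem is refused.
      Body := Client.Get('https://updates.example.invalid/version.txt');
      writeln(Client.ResponseStatusCode, ' ', Body);
    except
      on E: Exception do
        writeln('Update check refused: ', E.Message); // e.g. "certificate verify failed"
    end;
  finally
    Client.Free;
    Pinned.Free;
  end;
end.
```

For LazAutoUpdate this is the same hook you would set on fHTTPClient in TDownloadThreadClass.Execute (and wherever lazautoupdate_httpclient creates its client) in place of the VerifySSLCertificate := false line.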
