Author Topic: How to disable ssl certificate verification in LazAutoUpdate  (Read 1123 times)

johnkirt

  • Newbie
  • Posts: 4
How to disable ssl certificate verification in LazAutoUpdate
« on: March 05, 2023, 02:19:05 pm »
Hello, I want to use LazAutoUpdate to update from a site with a self-signed SSL certificate. Everything works over http, but nothing works over https (only with a self-signed certificate). I know that using a self-signed certificate is not safe, but I want to make it work. After studying the source code of this module, I found the function responsible for providing https:
Code: Pascal
function TFPCustomHTTPClient.GetSocketHandler(const UseSSL: Boolean): TSocketHandler;

begin
  Result:=Nil;
  if Assigned(FonGetSocketHandler) then
    FOnGetSocketHandler(Self,UseSSL,Result);
  if (Result=Nil) then
  {$if not defined(HASAMIGA)}
    If UseSSL then
      Result:=TSSLSocketHandler.Create
    else
  {$endif}
      Result:=TSocketHandler.Create;
end;

Full code: http://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/lazautoupdate_httpclient.pas

In turn, this function uses sslsockets (TSSLSocketHandler). Having studied sslsockets source and tried different solutions, I could not solve this problem. Is it possible to disable ssl certificate verification to work with a server with a self-signed certificate?

Thaddy

  • Hero Member
  • *****
  • Posts: 14377
  • Sensorship about opinions does not belong here.
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #1 on: March 05, 2023, 04:23:47 pm »
If your receiver certificate vault contains your certificate it should work. You can add it manually.
Note that I have experience with that, but any certificate as such is signed by my own CA as root.
Once you add the root certificate on the user side, everything should be OK for any certificate which is signed by your root.
It needs to be installed specifically, though, and by hand. There is no way around that.
Both on Windows and Unixes it requires elevated privileges (not after the installation).
« Last Edit: March 05, 2023, 04:26:24 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

johnkirt

  • Newbie
  • Posts: 4
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #2 on: March 05, 2023, 05:18:31 pm »
I know if you add a certificate locally it works, but I need it to work regardless of whether it is added by a local CA or not. I have encountered such a problem in C# and you can turn off SSL verification there.

Thaddy

  • Hero Member
  • *****
  • Posts: 14377
  • Sensorship about opinions does not belong here.
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #3 on: March 05, 2023, 05:36:34 pm »
Quote from: johnkirt
I know if you add a certificate locally it works, but I need it to work regardless of whether it is added by a local CA or not. I have encountered such a problem in C# and you can turn off SSL verification there.

Only on developer level. On customer machines that should not be possible. You are manipulating the truth (and that is, nicely written, plain wrong).
You cannot turn off SSL verification except locally, or by finding a victim that installs your certificate.....
« Last Edit: March 05, 2023, 05:42:32 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

PierceNg

  • Sr. Member
  • ****
  • Posts: 374
    • SamadhiWeb
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #4 on: March 06, 2023, 04:52:53 am »
Quote from: johnkirt
In turn, this function uses sslsockets (TSSLSocketHandler). Having studied sslsockets source and tried different solutions, I could not solve this problem. Is it possible to disable ssl certificate verification to work with a server with a self-signed certificate?

TSSLSocketHandler has this property:

Code: Pascal
    property VerifyPeerCert: Boolean read FVerifyPeerCert Write FVerifyPeerCert;

Try setting it to false. If that doesn't work, then the class also has:

Code: Pascal
    property RemoteHostName : String Index 2 read GetString write SetString; deprecated 'use CertificateData instead';
    property Certificate : TSSLData Index 0 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
    property TrustedCertificate : TSSLData Index 1 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
    property PrivateKey : TSSLData Index 2 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
    property PFX: TSSLData Index 3 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
    property CertCA: TSSLData Index 4 Read GetSSLData Write SetSSLData; deprecated 'use CertificateData instead';
    property OnVerifyCertificate: TVerifyCertificateEvent read FOnVerifyCertificate write FOnVerifyCertificate;

Try setting the CertCA property to your self-signed / private CA cert. Or implement a handler for the OnVerifyCertificate event.

One of these ought to do it.

Thaddy

  • Hero Member
  • *****
  • Posts: 14377
  • Sensorship about opinions does not belong here.
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #5 on: March 06, 2023, 08:16:58 am »
That will only work one sided. (It is about the peer certificate)
If you are on a fixed or reasonably stable IPv4/v6, you can obtain a letsencrypt certificate for free.
That may solve your problem.
My home server is on a stable IP and works with letsencrypt. My other servers are either static and http or work with a commercial certificate (comodo).

But self-signed certificates are great for development, as are the properties that Pierceng mentioned.
They are not meant for production code, though.
Self-signed certificates are also great for secure connections within a LAN/WAN network over which you have full control (where an administrator controls all keyrings).
But in principle it is a bad idea to ignore certificates.
1.: Get one for free
2.: Create a CA and derived certificates. Make sure the other side adds your CA public key to their Keyring.
« Last Edit: March 06, 2023, 08:23:52 am by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

Thaddy

  • Hero Member
  • *****
  • Posts: 14377
  • Sensorship about opinions does not belong here.
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #6 on: March 06, 2023, 10:38:25 am »
I did some tests. It seems that the suggestion by PierceNg actually works on the client level.
Tested against one of my own websites, which has a self-signed certificate: https://thaddy.org
A browser would initially refuse the connection with a 443 error, but a small fphttpclient will succeed when VerifySSLCertificate := false and fail when VerifySSLCertificate := true.
Code used is similar to my other post, but with exception handling.
Code: Pascal
{$mode objfpc}
uses
  classes,sysutils,fphttpclient,opensslsockets,fpJson,jsonparser;

var
  Client:TFpHttpClient;
  List:TStringList;
  URL:String = 'https://thaddy.org';
begin
  Randomize;
  Client := TfpHttpClient.Create(nil);
  try
    // this is important
    Client.AllowRedirect := true;
    // optional
    Client.RequestHeaders.Add('User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0');
    Client.VerifySSLCertificate := Boolean(random(2)); // fails or succeeds based on true/false
    List := TStringlist.Create;
    try
      try
        List.Text := Client.Get(URL);
        writeln(Client.ResponseStatusText, Client.ResponseStatusCode: 5);
      except
        On
          E:Exception do
            writeln(E.Message);
      end;
      writeln(List.Text);
    finally
      List.Free;
    end;
  finally
    Client.Free;
  end;
end.


Response can be (true):
Code:
Connect to thaddy.org:443 failed: SSL error code: 336134278: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Or (false):
Code:
OK  200
<html>Apache is functioning normally</html>

Don't worry about security here: apache is configured to only serve static pages.
(unless I am testing CGI delivered pages, but those pages are usually not publicly known and shortlived. There is also no database running on this one.)

Also note - logically - that if the client has the certificate installed it will always succeed! Also tested on a different laptop. The other way around seems to fail every time, though (a small server, still testing).
This is all as expected. Does that help?
« Last Edit: March 06, 2023, 10:59:58 am by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

johnkirt

  • Newbie
  • Posts: 4
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #7 on: March 06, 2023, 07:20:58 pm »
I tried this solution and it does not find such a property, VerifySSLCertificate.
The goal is to make LazAutoUpdate work with self-signed certificates. The module uses its own unit based on fphttpclient - lazautoupdate_httpclient. Do I have to refactor this module (lazautoupdate_httpclient - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/lazautoupdate_httpclient.pas) or the place where it is called (ulazautoupdate - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/ulazautoupdate.pas)? I tried to add VerifySSLCertificate := false
Code: Pascal
procedure TDownloadThreadClass.Execute;
begin
  fHTTPClient := TFPHTTPClient.Create(nil);
  fHTTPClient.VerifySSLCertificate := false; // ulazautoupdate.pas(2697,15) Error: identifier idents no member "VerifySSLCertificate"
  // OnThreadDataEvent:=fHTTPClient.OnDataReceived;
  // fHTTPClient.OnDataReceived:=@DoPercent;
  // Start the download procedure
  fDownloadSize := GetDownloadFileSize(fURL, fIsRepositoryURL);
  if (fDownloadSize > 0) then
  begin
    fDownloadSize := 0;
    DownloadHTTP(fURL, fFileName, fReturnCode, fDownloadSize,
      fIsRepositoryURL, fDebugMode);
  end
  else
    fLastError := 'Zero Size';
end;
in ulazautoupdate - https://svn.code.sf.net/p/lazarus-ccr/svn/components/lazautoupdate/latest_stable/ulazautoupdate.pas
but it does not find such a property, VerifySSLCertificate.

TRon

  • Hero Member
  • *****
  • Posts: 2537
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #8 on: March 06, 2023, 07:27:20 pm »
Quote from: johnkirt
I tried this solution and it does not find such a property, VerifySSLCertificate.
Try Free Pascal trunk.

PierceNg

  • Sr. Member
  • ****
  • Posts: 374
    • SamadhiWeb
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #9 on: March 07, 2023, 02:51:20 am »
Quote from: johnkirt
I tried this solution and it does not find such a property, VerifySSLCertificate.

Thaddy is testing what I wrote using TFPHTTPClient. See my earlier post for the relevant properties of TSSLSocketHandler.

johnkirt

  • Newbie
  • Posts: 4
Re: How to disable ssl certificate verification in LazAutoUpdate
« Reply #10 on: March 07, 2023, 05:23:08 pm »
I tried the properties you suggested and nothing helped. Experimentally, I found out that the program stops at this point, that is, it does not have time to apply this property yet.
Code: Pascal
function TFPCustomHTTPClient.GetSocketHandler(const UseSSL: Boolean): TSocketHandler;
Var AHandler : TSSLSocketHandler;
begin
  Result:=Nil;
  AHandler:=Nil;
  if Assigned(FonGetSocketHandler) then
    FOnGetSocketHandler(Self,UseSSL,Result);
  if (Result=Nil) then
  {$if not defined(HASAMIGA)}
    If UseSSL then
    begin
      ShowMessage('Before');
      AHandler:= TSSLSocketHandler.Create; //here the program stops
      AHandler.VerifyPeerCert:=false;
      ShowMessage('After');
      Result:=AHandler;
    end
    else
  {$endif}
      Result:=TSocketHandler.Create;
end;
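Putting the suggestions in this thread together, as an added example that is not code from LazAutoUpdate, from Free Pascal, or from any poster: the TLS handler is supplied through TFPHTTPClient's OnGetSocketHandler event, which is the hook the quoted GetSocketHandler consults first, so neither fphttpclient nor lazautoupdate_httpclient has to be patched. It assumes FPC 3.2 or later with the opensslsockets unit (TOpenSSLSocketHandler), and that the handler honours CertificateData.CertCA and VerifyPeerCert as the properties PierceNg quoted suggest. TPinnedDownloader, updates-ca.pem and updates.example.com are names chosen for the example. The default path trusts only the private CA file shipped with the application, which is Thaddy's option 2 without the per-machine install and without elevated privileges; the Insecure flag is the "switch verification off" path the question asks for, kept only to show what it gives up.

```pascal
{$mode objfpc}{$H+}
program pinnedupdate;
// Added example; not part of LazAutoUpdate, FPC, or the forum posts.
// Assumes FPC 3.2+ with opensslsockets, and that TSSLSocketHandler honours
// CertificateData.CertCA (CA file) and VerifyPeerCert.
uses
  Classes, SysUtils, ssockets, sslsockets, opensslsockets, fphttpclient;

type
  // Supplies the TLS handler via TFPHTTPClient.OnGetSocketHandler, so the
  // library's GetSocketHandler never falls back to its own default.
  TPinnedDownloader = class
  private
    FCAFile: String;
    FInsecure: Boolean;
    procedure HandleGetSocketHandler(Sender: TObject; const UseSSL: Boolean;
      out AHandler: TSocketHandler);
  public
    constructor Create(const ACAFile: String; AInsecure: Boolean = False);
    function Fetch(const AURL: String): String;
  end;

constructor TPinnedDownloader.Create(const ACAFile: String; AInsecure: Boolean);
begin
  inherited Create;
  FCAFile := ACAFile;
  FInsecure := AInsecure;
end;

procedure TPinnedDownloader.HandleGetSocketHandler(Sender: TObject;
  const UseSSL: Boolean; out AHandler: TSocketHandler);
var
  SSL: TOpenSSLSocketHandler;
begin
  if not UseSSL then
  begin
    AHandler := TSocketHandler.Create;   // plain http: nothing to verify
    Exit;
  end;
  SSL := TOpenSSLSocketHandler.Create;
  if FInsecure then
    // What the thread asks for. Any certificate is accepted, including one
    // minted by whoever sits between the client and the server; on an update
    // channel that party can then deliver arbitrary binaries. Development only.
    SSL.VerifyPeerCert := False
  else
  begin
    // Trust exactly one private CA shipped next to the application instead of
    // installing it into the OS store, and keep verification switched on.
    if not FileExists(FCAFile) then
      raise Exception.CreateFmt('CA file not found: %s', [FCAFile]);
    SSL.CertificateData.CertCA.FileName := FCAFile;
    SSL.VerifyPeerCert := True;
  end;
  AHandler := SSL;
end;

function TPinnedDownloader.Fetch(const AURL: String): String;
var
  Client: TFPHTTPClient;
begin
  Client := TFPHTTPClient.Create(nil);
  try
    Client.AllowRedirect := True;
    Client.OnGetSocketHandler := @HandleGetSocketHandler;
    Result := Client.Get(AURL);
  finally
    Client.Free;
  end;
end;

var
  D: TPinnedDownloader;
begin
  // Hypothetical host and CA file name: both are assumptions of this example.
  D := TPinnedDownloader.Create('updates-ca.pem');
  try
    try
      WriteLn(D.Fetch('https://updates.example.com/versions.ini'));
    except
      on E: Exception do
        WriteLn('Download refused: ', E.Message);
    end;
  finally
    D.Free;
  end;
end.
```

Pinning a CA file constrains who may have signed the server certificate; whether the handler also checks that the certificate name matches the host is a separate question, so keep that private CA dedicated to the update server and never reuse it for anything else. A failed handshake surfaces as an exception from Get, which is the behaviour an updater wants: an update that cannot be verified should not be applied.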
