If I try using Synapse trunk, same machine, same configuration, it doesn't work:
(...)
Finally I figured out why this Synapse code didn't work... Badssl.com is serving different URLs from the same IP address. Therefore, the Server Name Indication (SNI) needs to be used, so the server knows which certificate to present to the client (e.g. the badssl.com certificate, the expired.badssl.com certificate, etc.). The THTTPSend component automatically adds SNI to the request, but the TCPBlockSocket does not. Therefore, I had to add this manually:
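The following is an added example (not the forum author's code) of the TTCPBlockSocket route described above: it sets SNI by hand with the SSL.SNIHost property, enables chain verification against a CA bundle, and reports the OpenSSL verify result on failure. It assumes Synapse trunk with the ssl_openssl3 plugin, a ca-bundle.crt in the working directory, and that SSL.SNIHost, SSL.VerifyCert, SSL.CertCAFile and SSL.GetVerifyCert exist as in the THTTPSend example further down.

```pascal
program snicheck;
{ Added example, not the forum author's or the Synapse project's code.
  Assumptions: Synapse trunk with ssl_openssl3, and ca-bundle.crt next to
  the binary. }
{$mode objfpc}{$H+}
uses
  SysUtils, blcksock, ssl_openssl3;

const
  { constructed test list: the first host should verify, the others should not }
  Hosts: array[0..2] of string = (
    'badssl.com',
    'wrong.host.badssl.com',
    'expired.badssl.com'
  );

{ Opens a TLS connection to Host:443 and returns True only when the
  handshake succeeds with chain verification enabled. Reason carries a
  human-readable diagnosis for the caller's log line. }
function TLSConnectAndCheck(const Host: string; out Reason: string): Boolean;
var
  Sock: TTCPBlockSocket;
  StatusLine: string;
begin
  Result := False;
  Sock := TTCPBlockSocket.Create;
  try
    Sock.Connect(Host, '443');
    if Sock.LastError <> 0 then
    begin
      Reason := 'TCP connect failed: ' + Sock.LastErrorDesc;
      Exit;
    end;

    { Unlike THTTPSend, TTCPBlockSocket does not send SNI on its own.
      Without it a multi-host server such as badssl.com presents the
      certificate of a different name and verification fails for the
      wrong reason. }
    Sock.SSL.SNIHost := Host;

    { Require the presented chain to validate against trusted roots. }
    Sock.SSL.VerifyCert := True;
    Sock.SSL.CertCAFile := 'ca-bundle.crt';

    Sock.SSLDoConnect;
    if Sock.LastError <> 0 then
    begin
      { GetVerifyCert is the OpenSSL X509 verify result; 0 means OK. }
      Reason := Format('TLS handshake failed: %s (verify result %d)',
        [Sock.SSL.LastErrorDesc, Sock.SSL.GetVerifyCert]);
      Exit;
    end;

    { Prove the tunnel is usable: one HEAD request, read the status line. }
    Sock.SendString('HEAD / HTTP/1.0'#13#10'Host: ' + Host + #13#10#13#10);
    StatusLine := Sock.RecvString(5000);
    Reason := 'verified, server answered: ' + StatusLine;
    Result := True;
  finally
    Sock.Free;
  end;
end;

var
  Host, Reason: string;
begin
  for Host in Hosts do
    if TLSConnectAndCheck(Host, Reason) then
      WriteLn('Success: ', Host, ' (', Reason, ')')
    else
      WriteLn('Failure: ', Host, ' (', Reason, ')');
end.
```

Note that a successful result here only means the chain verified; as the warning at the end of the post says, current Synapse does not compare the certificate's name with the host you connected to, so wrong.host.badssl.com can pass until the linked patch is applied.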
The easier solution is of course to use THTTPSend. The following example shows how to use certificate verification with Synapse:
This code uses Synapse trunk [r270]:

    program project1;

    uses
      httpsend, ssl_openssl3;

    const
      URLs: array[0..5] of string = (
        'https://badssl.com',                 // should work
        'https://wrong.host.badssl.com',      // should be rejected
        'https://expired.badssl.com',         // should be rejected
        'https://self-signed.badssl.com',     // should be rejected
        'https://untrusted-root.badssl.com',  // should be rejected
        'https://revoked.badssl.com'          // should be rejected
      );

    var
      URL: string;
      HTTP: THTTPSend;

    begin
      HTTP := THTTPSend.Create;
      try
        // reject peers whose chain does not validate against CertCAFile
        HTTP.Sock.SSL.VerifyCert := True;
        HTTP.Sock.SSL.CertCAFile := 'ca-bundle.crt';
        for URL in URLs do
        begin
          if HTTP.HTTPMethod('GET', URL) then
            WriteLn('Success: ', URL)
          else
            // GetVerifyCert returns the OpenSSL X509 verify result (0 = OK)
            WriteLn('Failure: ', URL, '; verify result: ', HTTP.Sock.SSL.GetVerifyCert);
        end;
      finally
        HTTP.Free;
      end;
    end.
As shown in this example, certificate verification also needs a reference to trusted root (CA) certificates. Without any trusted CA certificates, all verifications will fail. A file containing trusted certificates in PEM format can for example be created using the mk-ca-bundle script from the Curl project (https://curl.se/docs/mk-ca-bundle.html).
Warning! Using the current Synapse code (trunk [r270]), certificate verification works, but wrong host certificates are not detected. This is a security risk.
I filed a bug including patches to fix this issue:
https://sourceforge.net/p/synalist/bugs/75/