Create an SSL IOHandler for Win32 that uses Microsoft CryptoAPI instead of OpenSSL #49
Comments
rlebeau
added
Type: Enhancement
|
Hi Remy, I'm not sure my implementation is perfect because I don't know the internals of Indy...so I've used my units and what's needed to let idHTTP works with it. I had to override the Connected method because the method that check for KeepAlive tries to read from the socket while the server was waiting for the next request (chunked content). I've tried to make my code as clear as possible, hope it will be usefull. |
|
I haven't had a chance to really dig into it yet, but since it is a standalone implementation, it will likely end up being re-written to some extent to utilize Indy's existing SSPI functionality, which itself probably needs to be tweaked a little to make it more reusable, I think. So, your work will probably end up being more inspirational than actually integrated. Not that I'm belittling your work, by any means, as it is more than I have written so far. |
|
Hello, I have a problem with my implementation because of a customer with a Proxy I've changed the code to take PassThrough into account, but when I start the TLS session, the Host property point to the Proxy name, not the target host and the negociation fails. CERT_E_CN_NO_MATCH = $800B010F; // The certificate's CN name does not match the passed value. procedure TIdSSLIOHandlerSocketSChannel.StartSSL; procedure TIdSSLIOHandlerSocketSChannel.SetPassThrough(const Value: Boolean); procedure TIdSSLIOHandlerSocketSChannel.ConnectSSL; I don't know exactly how an HTTP proxy works for an HTTPS request...do you see a big mistake in my code ? Paul |
If you are using TIdHTTP and enabling its ProxyParams, then yes (see the implementation of TIdCustomHTTP.SetHostAndPort() in IdHTTP.pas). TIdHTTP sets its own Host and Port properties to connect to the immediate listening IP/Port, which would be a proxy in your case. After the connection is established, further logic kicks in to direct the proxy to connect a tunnel to the next server. If that tunnel is successful, then TIdHTTP sends its HTTP/S request as needed (which includes initiating the SSL/TLS handshake at this time). TIdSSLIOHandlerSocketOpenSSL takes into account that TIdHTTP fiddles with its Host property. When determining the hostname to use for SNI validation (see the implementation of TIdSSLIOHandlerSocketOpenSSL.OpenEncodedConnection() in IdSSLOpenSSL.pas), if the IOHandler's URIToCheck property is not blank (TIdHTTP assigns it for each request), then the URI is parsed and its Host portion is used. Otherwise, the IOHandler's TransparentProxy is checked, and if enabled then the last Host in the proxy chain is used. Otherwise, the IOHandler's own Host is used. You will have to do something similar in your IOHandler when determining which Host to use for validations.
The HTTP client connects to the proxy with an unencrypted connection and instructs it to open a tunnel to the target server, and then the client initiates the SSL/TLS handshake with the target server and sends the HTTP request. |
|
thanks ! it works ! I've updated my repository perhaps should you add a GetTargetHost method in TIdSSLIOHandlerSocketBase to avoid code duplication https://github.com/tothpaul/Delphi/blob/master/Indy.SChannel/lib/Execute.IdSSLSChannel.pas#L197 |
|
Yes, that makes sense. I'll incorporate it in a future version. |
|
Native ssl implementation with schannel would be great. |
See https://github.com/tothpaul/Delphi/tree/master/Indy.SChannel for a 3rd party implementation.
Also of note: https://github.com/Fr0sT-Brutal/Delphi_SChannelTLS#note---schannel-bug
The text was updated successfully, but these errors were encountered: