
Delphi Indy: verifying the server certificate over SSL

Reposted. Author: 太空宇宙. Updated: 2023-11-03 12:43:10

I have searched the Internet but have not found a solution or a method for verifying the certificate when connecting over HTTPS with TIdHTTP.

I have attached an IdSSLIOHandlerSocketOpenSSL component as the IOHandler, set the SSL modes and so on, but when I browse to https://s3.amazonaws.com it fails to verify the certificate.

OpenSSL (Indy) gives

"Error connecting with SSL. SSL3_GET_SERVER_CERTIFICATE: certificate verify failed"

The OpenSSL libraries are loaded successfully (checked with WhichFailedToLoad). The OnStatusInfo event writes the following:

SSL status: "before/connect initialization"

SSL status: "before/connect initialization"

SSL status: "SSLv2/v3 write client hello A"

SSL status: "SSLv3 read server hello A"

SSL status: "SSLv3 read server certificate B"

SSL status: "SSLv3 read server certificate B"

SSL status: "SSLv3 read server certificate B"

and in OnVerifyPeer, AOk = False.

How can I get it to verify correctly? What is going on?

Thanks for reading, Adrian

Best answer

You have to implement an event handler for the OnVerifyPeer event of the TIdSSLIOHandlerSocketOpenSSL component.

From IdSSLOpenSSL.pas:

Note that you really should always implement OnVerifyPeer, otherwise the certificate of the peer you are connecting to is NOT checked to ensure it is valid.

If you only want to consider valid the same certificates that the library considers valid, you just need to implement it this way:

function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509;
  AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for this certificate of the chain; keep it as-is
  Result := AOk;
end;

This is because Indy checks the validity of the certificate first and passes you, in the AOk parameter, whether it is OK. The last word is in your code, because you may want to let certain kinds of minor verification errors through, for example an expired certificate, or even ask the user whether the certificate is accepted in case of any error (minor or not).

To understand why it works this way, you may also want to read all the comments at the top of the IdSSLOpenSSL.pas file:

{

Important information concerning OnVerifyPeer: Rev 1.39 of February 2005 deliberately broke the OnVerifyPeer interface, which (obviously?) only affects programs that implemented that callback as part of the SSL negotiation. Note that you really should always implement OnVerifyPeer, otherwise the certificate of the peer you are connecting to is NOT checked to ensure it is valid.

Prior to this, if the SSL library detected a problem with a certificate or the Depth was insufficient (i.e. the "Ok" parameter in VerifyCallback is 0 / FALSE), then irrespective of whether your OnVerifyPeer returned True or False, the SSL connection would be deliberately failed.

This created a problem in that even if there was only a very minor problem with one of the certificates in the chain (OnVerifyPeer is called once for each certificate in the certificate chain), which the user may have been happy to accept, the SSL negotiation would be failed. However, changing the code to allow the SSL connection when a user returned True for OnVerifyPeer would have meant that existing code which depended on automatic rejection of invalid certificates would then be accepting invalid certificates, which would have been an unacceptable security change.

Consequently, OnVerifyPeer was changed to deliberately break existing code by adding an AOk parameter. To preserve the previous functionality, your OnVerifyPeer event should do "Result := AOk;". If you wish to consider accepting certificates that the SSL library has considered invalid, then in your OnVerifyPeer, make sure you satisfy yourself that the certificate really is valid and then set Result to True. In reality, in addition to checking AOk, you should always implement code that ensures you are only accepting certificates which are valid (at least from your point of view).

Ciaran Costelloe, ccostelloe[_a_t_]flogas.ie

}

{

RLebeau 1/12/2011: Breaking OnVerifyPeer event again, this time to add an additional AError parameter (patch courtesy of "jvlad", dmda@yandex.ru). This helps user code distinguish between Self-signed and invalid certificates.

}
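As an added example (not code from the answer above or from Indy itself): a handler that keeps OpenSSL's verdict but logs, per certificate in the chain, why a chain was rejected, together with the IOHandler setup that tells OpenSSL which CA roots to trust, which is what decides the AOk value you receive. Memo1, the unit list and the 'cacert.pem' path are assumptions; the numeric error codes are OpenSSL's X509_V_ERR_* values quoted for logging only.

```delphi
uses
  SysUtils, IdHTTP, IdSSLOpenSSL; // assumption: adjust to your Indy version

// Called once for every certificate in the chain, root first (highest ADepth)
// down to the server's own certificate (ADepth = 0). AError is OpenSSL's
// X509_V_ERR_* code for this certificate, 0 when OpenSSL found nothing wrong.
function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509;
  AOk: Boolean; ADepth, AError: Integer): Boolean;
var
  Reason: string;
begin
  case AError of
    0:  Reason := 'ok';
    10: Reason := 'X509_V_ERR_CERT_HAS_EXPIRED';           // assumption: numeric value
    18: Reason := 'X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT'; // assumption: numeric value
    19: Reason := 'X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN';   // assumption: numeric value
    20: Reason := 'X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY'; // no trusted root configured
  else
    Reason := 'X509_V_ERR code ' + IntToStr(AError);
  end;

  // Memo1 is assumed; log everything needed to diagnose an AOk = False result.
  Memo1.Lines.Add(Format('depth=%d ok=%s reason=%s subject=%s issuer=%s expires=%s',
    [ADepth, BoolToStr(AOk, True), Reason,
     Certificate.Subject.OneLine, Certificate.Issuer.OneLine,
     DateTimeToStr(Certificate.notAfter)]));

  // Never upgrade OpenSSL's verdict here: returning True for a certificate
  // the library rejected would silently accept an untrusted chain.
  Result := AOk;
end;

// Wire the handler and give OpenSSL a set of trusted roots; without
// RootCertFile (or another trust store) every chain ends in error 20 and
// OnVerifyPeer is handed AOk = False for the root certificate.
procedure TForm1.ConfigureSSL;
begin
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.VerifyMode :=
    [sslvrfPeer, sslvrfFailIfNoPeerCert];
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.VerifyDepth := 5;
  // assumption: a PEM bundle of CA roots shipped next to the executable
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.RootCertFile := 'cacert.pem';
  IdSSLIOHandlerSocketOpenSSL1.OnVerifyPeer :=
    IdSSLIOHandlerSocketOpenSSL1VerifyPeer;
  IdHTTP1.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
end;
```

With this in place a failed connection leaves one log line per chain element, so an expired certificate, a self-signed server certificate and a missing trusted root can be told apart instead of all surfacing as "certificate verify failed".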

Regarding Delphi Indy verifying the server certificate over SSL, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/13577706/
