我已经将IdSSLIOHandlerSocketOpenSSL组件连接为IOHandler,设置SSLModes等,但是当我浏览到https://s3.amazonaws.com时,它无法验证证书.
OpenSSL(Indy)给出
“使用SSL连接时出错.SSL3_GET_SERVER_CERTIFICATE:证书验证失败”
已成功加载OpenSSL库(使用WhichFailedToLoad进行检查). OnStatusInfo事件写入以下内容:
SSL状态:“在/初始化之前”
SSL状态:“在/初始化之前”
SSL状态:“SSLv2 / v3写客户端问候A”
SSL状态:“SSLv3读取服务器问候A”
SSL状态:“SSLv3读取服务器证书B”
SSL状态:“SSLv3读取服务器证书B”
SSL状态:“SSLv3读取服务器证书B”
并且OnVerifyPeer,AOk = False.
我怎样才能让它正确验证.这是怎么回事?
谢谢阅读,
阿德里安
解决方法
来自IdSSLOpenSSL.pas:
Note that you really should always
implement OnVerifyPeer,otherwise the certificate of the peer you are
connecting to is NOT checked to ensure it is valid.
如果您只想考虑库认为有效的相同证书,您只需要以这种方式实现它:
function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth,AError: Integer): Boolean; begin Result := AOk; end;
因为Indy首先检查证书的有效性,如果在AOk参数中是否正常则通过.最后一个词是在你的代码中,因为你可能想要传递某些类型的小验证错误,比如过时,或者甚至询问用户是否接受证书是否有任何错误(次要或不是) .
要了解它为何如此工作,您可能还想阅读IdSSLOpenSSL.pas文件顶部的所有注释:
{
Important information concerning OnVerifyPeer:
Rev 1.39 of February 2005 deliberately broke the OnVerifyPeer interface,
which (obvIoUsly?) only affects programs that implemented that callback
as part of the SSL negotiation. Note that you really should always
implement OnVerifyPeer,otherwise the certificate of the peer you are
connecting to is NOT checked to ensure it is valid.Prior to this,if the SSL library detected a problem with a certificate
or the Depth was insufficient (i.e. the “Ok” parameter in VerifyCallback
is 0 / FALSE),then irrespective of whether your OnVerifyPeer returned True
or False,the SSL connection would be deliberately Failed.This created a problem in that even if there was only a very minor
problem with one of the certificates in the chain (OnVerifyPeer is called
once for each certificate in the certificate chain),which the user may
have been happy to accept,the SSL negotiation would be Failed. However,
changing the code to allow the SSL connection when a user returned True
for OnVerifyPeer would have meant that existing code which depended on
automatic rejection of invalid certificates would then be accepting
invalid certificates,which would have been an unacceptable security
change.Consequently,OnVerifyPeer was changed to deliberately break existing code
by adding an AOk parameter. To preserve the prevIoUs functionality,your
OnVerifyPeer event should do “Result := AOk;”. If you wish to consider
accepting certificates that the SSL library has considered invalid,then
in your OnVerifyPeer,make sure you satisfy yourself that the certificate
really is valid and then set Result to True. In reality,in addition to
checking AOk,you should always implement code that ensures you are only
accepting certificates which are valid (at least from your point of view).Ciaran Costelloe,ccostelloe[_a_t_]flogas.ie
}
{
RLebeau 1/12/2011: Breaking OnVerifyPeer event again,this time to add an additional
AError parameter (patch courtesy of “jvlad”,dmda@yandex.ru). This
helps user code distinquish between Self-signed and invalid
certificates.}