Fast SSL verification of URL for Rest Client (testing against badssl.com)

Discussion of open issues, suggestions and bugs regarding network security and data protection solution - SecureBridge
onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Mon 28 Jan 2019 15:34

Greetings,

I am trying to implement an SSL verification to detect bad certs and man-in-the-middle attacks for a Delphi FMX mobile app accessing a rest API.

Given a URL, I would like to quickly be able to verify if the SSL is valid. Using TIdHTTP and TIdSSLIOHandlerSocketOpenSSL, I can do it, but it takes 3.5 seconds minimum to do a peer verify, and I have not been able to just grab the original SSL cert and compare signatures.

Here is the approach I am going for:

1 - Given a working and valid URL (HTTPS://whatever...)
2 - Have we validated this URL before? If so, grab the last valid cert signature and grab just the server SSL cert signature and compare. If the same, then valid and move on.
3 - If not the same or invalid, attempt to validate the cert chain and save the root signature if valid.

I can do #3 with TIdHTTP and its SSL component. I cannot do #2. And #3 takes 3500ms on average right now.
Can I do #3 much faster with TScHttpWebRequest? Then I can skip #2? How do I detect bad certificates quickly with this component or another?

Or how do I just grab the cert and signature inside a TScHttpWebRequest and compare?

I am using the following URLs for testing:
https://expired.badssl.com/
https://untrusted-root.badssl.com/
https://revoked.badssl.com/
https://self-signed.badssl.com/
https://badssl.com/ (which has a good cert)

Thanks,
Scott

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by ViktorV » Fri 01 Feb 2019 07:26

Please specify the reason that keeps you from using TScHttpWebRequest for full work, not just for checking SSL certificates.

onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Fri 01 Feb 2019 15:57

Greetings,
I would be very happy to use TScHttpWebRequest for the whole process if it works better. I currently have not purchased SecureBridge so I have not implemented it yet. I have everything else working right now except for the ability to quickly verify the SSL certificate of my Rest Server.

I would like to use the trial version of SecureBridge to get a working solution for quickly verifying the SSL cert on the server as described in my original question; then I would be happy to consider using SecureBridge for the whole communication layer if it works better.

I want to see the certs in the verification of the chain without the multiple-second delay I am currently encountering through the Indy components. Or I want to quickly see the server cert signature string from the destination REST server so I can compare it against what I already have on record as a verified cert. Either of these would satisfy me.

I would love a code example of how to verify a cert or some details on how to do it.
Thanks!

- Scott

Dimon
Devart Team
Posts: 2910
Joined: Mon 05 Mar 2007 16:32

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by Dimon » Mon 04 Feb 2019 17:02

The TScHttpWebRequest and TScSSLClient components automatically verify certificates. If the received server certificates do not meet some security requirements, then an exception occurs.
You can also perform any custom checks, or simply save a list of received certificates, by handling the OnServerCertificateValidation event. You can check whether a certificate chain was received by handling this event.

Note that comparing only the signatures of the received certificate with the stored value is rather unsafe and leads to potential issues. Therefore, we recommend that you adhere to the requirements of the TLS protocol and perform a full check of the certificate chain for each connection. This procedure takes a short time in comparison with the entire connection time.

onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Mon 04 Feb 2019 17:20

Greetings,
I am trying it out now.

Ultimately, I am looking for a secure solution for a REST layer. The existing TRestClient, TRestRequest, TRestResponse and TRestResponseDataSetAdapter can connect with a TClientDataSet to turn JSON into Delphi rows of records.

Are there any sample examples of code to go from a Rest URL with JSON data to TClientDataSet with TScHttpWebRequest?

Thanks,
Scott

onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Mon 04 Feb 2019 17:24

And does your SSL component have an equivalent to TRestRequest.ExecuteAsync?
Or do I have to wrap it in a separate thread to make it async?

- Scott

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by ViktorV » Tue 05 Feb 2019 13:24

Thank you for your interest in our product.
We plan to support the REST protocol in the next SecureBridge release.
If you have any questions while using our products, please don't hesitate to contact us, and we will try to help you solve them.

onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Tue 05 Feb 2019 13:42

Greetings,
I do need help. Do you have a code example on how to retrieve a GET request and quickly verify the SSL cert chain?

Your previous post mentioned the following:
The TScHttpWebRequest and TScSSLClient components automatically verify certificates. If the received server certificates do not meet some security requirements, then an exception occurs. You can also perform any custom checks or simply save a list of received certificates by handling the OnServerCertificateValidation event. You can check the availability of receiving of a certificate chain by handling this event.
But I do not see how to link the two components to do a URL fetch or cert validation on my own. And your demo folder for SecureBridge has no examples that I can see for TScSSLClient or TScHttpWebRequest.

I would very much appreciate some sample code on verifying an SSL cert.
Thank you!

- Scott

onlinesolutions
Posts: 8
Joined: Mon 28 Jan 2019 15:21

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by onlinesolutions » Tue 05 Feb 2019 14:20

This is how far I have gotten on a working example. I think it would help if you had an example like the following in the demo folder for SecureBridge. It took me a week of messaging and trying stuff to get to this point and it should have taken less than an hour.
{ Procedure header assumed (not in the original post): sURL is the URL under test,
  memoOutput is a TMemo on the form. Uses System.DateUtils for MilliSecondsBetween. }
procedure TForm1.TestUrl(const sURL: string);
var
  d: TDateTime;
  sResults, sExceptionUpper, sExceptionResult: string;
  WebRequest: TScHttpWebRequest;
  WebResponse: TScHttpWebResponse;
begin
  d := Now();
  sExceptionResult := '';
  memoOutput.Lines.Clear;
  memoOutput.Lines.Add('Testing ' + sURL);
  WebRequest := TScHttpWebRequest.Create(sURL);
  try
    // GetResponse performs the TLS handshake; a certificate that fails
    // the component's validation surfaces here as an exception.
    WebResponse := WebRequest.GetResponse;
    try
      sResults := WebResponse.ReadAsString;
      if WebResponse.IsSecure then
        memoOutput.Lines.Add(' Response Secure = TRUE')
      else
        memoOutput.Lines.Add(' Response Secure = FALSE');
      memoOutput.Lines.Add(' Response Type = ' + WebResponse.ContentType);
      memoOutput.Lines.Add(' Response Length = ' + IntToStr(sResults.Length));
      memoOutput.Lines.Add(' Status Summary = ' + WebResponse.StatusDescription);
    finally
      WebResponse.Free;
    end;
  except
    on E: Exception do
    begin
      // memoOutput.Lines.Add(' Exception - ' + E.Message);
      // Classify the failure by the exception text (fragile: depends on the message wording)
      sExceptionUpper := UpperCase(E.Message);
      if sExceptionUpper.IndexOf('VALIDITY PERIOD') > -1 then
        sExceptionResult := 'Expired Cert'
      else if sExceptionUpper.IndexOf('NOT TRUSTED') > -1 then
        sExceptionResult := 'Untrusted or Self-Signed Cert'
      else
        sExceptionResult := 'Unknown Cert Issue';
    end;
  end;
  WebRequest.Free;
  if sExceptionResult <> '' then
    memoOutput.Lines.Add(' Invalid Cert Issue - ' + sExceptionResult);
  memoOutput.Lines.Add(' Processing Time = ' + IntToStr(MilliSecondsBetween(Now(), d)) + 'ms');
end;
I did have some trouble detecting revoked certs and certs from the wrong host using the URLs from badssl.com. I will post that issue in another thread. Getting closer!!!

- Scott
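The design Dimon recommends above, with the failure categories from Scott's test code, as an added example that is not part of the thread or of SecureBridge: full chain and hostname validation on every connection, the stored fingerprint used only as an extra check rather than a shortcut past validation, and the failure reason taken from the verifier's result code instead of the exception text. It uses Python's standard ssl module; the pin store and the code-to-reason mapping are assumptions of this example.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder store: a real app persists the SHA-256 of the leaf
# certificate captured from an earlier, fully validated connection.
PINNED_SHA256: dict = {}

# OpenSSL X509_V_ERR_* verify codes mapped to the categories used in the thread
# (assumed grouping for this example).
_REASONS = {
    9: "Expired Cert", 10: "Expired Cert",          # not yet valid / has expired
    18: "Untrusted or Self-Signed Cert", 19: "Untrusted or Self-Signed Cert",
    20: "Untrusted or Self-Signed Cert", 21: "Untrusted or Self-Signed Cert",
    23: "Revoked Cert", 62: "Wrong Host",
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the leaf fingerprint with a stored pin."""
    wanted = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)


def classify_verify_error(exc: ssl.SSLCertVerificationError) -> str:
    """Reason string from the verify code, not from message wording."""
    return _REASONS.get(getattr(exc, "verify_code", None), "Unknown Cert Issue")


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Full chain + hostname validation every time; the pin is an extra check.
    The default context does no revocation checking; CRLs must be loaded for that."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": classify_verify_error(exc)}
    pin = PINNED_SHA256.get(host)
    if pin is not None and not pin_matches(der, pin):
        return {"ok": False, "reason": "Pin Mismatch"}
    PINNED_SHA256.setdefault(host, fingerprint(der))  # remember only after full validation
    return {"ok": True, "fingerprint": fingerprint(der)}
```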

ViktorV
Devart Team
Posts: 3168
Joined: Wed 30 Jul 2014 07:16

Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)

Post by ViktorV » Tue 05 Feb 2019 14:28

Thank you for your interest in our product and your contribution to our product development. We will consider the possibility of adding the example you've provided to the SecureBridge demo.
