Fast SSL verification of URL for Rest Client (testing against badssl.com)
-
- Posts: 8
- Joined: Mon 28 Jan 2019 15:21
Greetings,
I am trying to implement an SSL verification to detect bad certs and man-in-the-middle attacks for a Delphi FMX mobile app accessing a REST API.
Given a URL, I would like to quickly be able to verify if the SSL is valid. Using TIdHTTP and TIdSSLIOHandlerSocketOpenSSL, I can do it, but it takes 3.5 seconds minimum to do a peer verify and I have not been able to just grab the original SSL cert and compare signatures.
Here is the approach I am going for:
1 - Given a working and valid URL (HTTPS://whatever...)
2 - Have we validated this URL before? If so, grab the last valid cert signature and grab just the server SSL cert signature and compare. If the same, then valid and move on.
3 - If not the same or invalid, attempt to validate the cert chain and save the root signature if valid.
I can do #3 with TIdHTTP and its SSL component. I cannot do #2. And #3 takes 3500ms on average right now.
Can I do #3 much faster with TScHttpWebRequest? Then I can skip #2? How do I detect bad certificates quickly with this component or another?
Or how do I just grab the cert and signature inside a TScHttpWebRequest and compare?
I am using the following URLs for testing:
https://expired.badssl.com/
https://untrusted-root.badssl.com/
https://revoked.badssl.com/
https://self-signed.badssl.com/
https://badssl.com/ (which has a good cert)
Thanks,
Scott
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Please specify the reason that keeps you from using TScHttpWebRequest for full work, not just for checking SSL certificates.
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Greetings,
I would be very happy to use TScHttpWebRequest for the whole process if it works better. I currently have not purchased SecureBridge so I have not implemented it yet. I have everything else working right now except for the ability to quickly verify the SSL certificate of my Rest Server.
I would like to use the trial version of SecureBridge to get a working solution for quickly verifying the SSL cert on the server as described in my original question; then I would be happy to consider using SecureBridge for the whole communication layer if it works better.
I want to see the certs in the verification of the chain without the multiple-second delay I am currently encountering through the Indy components. Or I want to quickly see the server cert signature string from the destination REST server so I can compare it against what I already have on record as a verified cert. Either of these would satisfy me.
I would love a code example of how to verify a cert or some details on how to do it.
Thanks!
- Scott
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
The TScHttpWebRequest and TScSSLClient components automatically verify certificates. If the received server certificates do not meet some security requirements, then an exception occurs.
You can also perform any custom checks, or simply save a list of received certificates, by handling the OnServerCertificateValidation event. By handling this event you can also check whether a certificate chain was received.
Note that comparing only the signature of the received certificate with a stored value is rather unsafe and leads to potential issues. Therefore, we recommend that you adhere to the requirements of the TLS protocol and perform a full check of the certificate chain for each connection. This procedure takes a short time in comparison with the entire connection time.
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Greetings,
I am trying it out now.
Ultimately, I am looking for a secure solution for a REST layer like the existing TRestClient, TRestRequest, TRestResponse and TRestResponseDataSetAdapter, which can connect with a TClientDataSet to turn JSON into Delphi rows of records.
Are there any sample examples of code to go from a Rest URL with JSON data to TClientDataSet with TScHttpWebRequest?
Thanks,
Scott
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
And does your SSL component have an equivalent to TRestRequest.ExecuteASync?
Or do I have to wrap it in a separate thread to make it ASync?
- Scott
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Thank you for your interest in our product.
We plan to support the REST protocol in the next SecureBridge release.
If you have any questions while using our products, please don't hesitate to contact us and we will try to help you solve them.
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Greetings,
I do need help. Do you have a code example on how to retrieve a GET request and quickly verify the SSL cert chain?
Your previous post mentioned the following:
"The TScHttpWebRequest and TScSSLClient components automatically verify certificates. If the received server certificates do not meet some security requirements, then an exception occurs. You can also perform any custom checks or simply save a list of received certificates by handling the OnServerCertificateValidation event. You can check the availability of receiving of a certificate chain by handling this event."
But I do not see how to link the two components to do a URL fetch or cert validation on my own. And your demo folder for SecureBridge has no examples that I can see for SSLClient or HTTPWebRequest.
I would very much appreciate some sample code on verifying an SSL cert.
Thank you!
- Scott
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
This is how far I have gotten on a working example. I think it would help if you had an example like the following in the demo folder for SecureBridge. It took me a week of messaging and trying stuff to get to this point and it should have taken less than an hour.
I did have some trouble detecting revoked certs and certs from the wrong host using the URLs from badssl.com. I will post that issue in another thread. Getting closer!!!

// The method header and the units listed here are assumptions added so the
// snippet compiles; the posted code began at "var". sURL is the URL under
// test and memoOutput is a TMemo on the form.
// uses System.SysUtils, System.DateUtils, ScHttp;
procedure TForm1.TestCertificate(const sURL: string);
var
  d: TDateTime;
  sResults, sExceptionUpper, sExceptionResult: string;
  WebRequest: TScHttpWebRequest;
  WebResponse: TScHttpWebResponse;
begin
  d := Now();
  sExceptionResult := '';
  memoOutput.Lines.Clear;
  memoOutput.Lines.Add('Testing ' + sURL);
  WebRequest := TScHttpWebRequest.Create(sURL);
  try
    try
      // GetResponse performs the TLS handshake; the component validates the
      // certificate chain here and raises if the certificate is not acceptable.
      WebResponse := WebRequest.GetResponse;
      try
        sResults := WebResponse.ReadAsString;
        if WebResponse.IsSecure then
          memoOutput.Lines.Add(' Response Secure = TRUE')
        else
          memoOutput.Lines.Add(' Response Secure = FALSE');
        memoOutput.Lines.Add(' Response Type = ' + WebResponse.ContentType);
        memoOutput.Lines.Add(' Response Length = ' + IntToStr(sResults.Length));
        memoOutput.Lines.Add(' Status Summary = ' + WebResponse.StatusDescription);
      finally
        WebResponse.Free;
      end;
    except
      on E: Exception do
      begin
        // memoOutput.Lines.Add(' Exception - ' + E.Message);
        // Classify by the exception text; this depends on the component's
        // message wording, so an unrecognised message lands in the last branch.
        sExceptionUpper := UpperCase(E.Message);
        if sExceptionUpper.IndexOf('VALIDITY PERIOD') > -1 then
          sExceptionResult := 'Expired Cert'
        else if sExceptionUpper.IndexOf('NOT TRUSTED') > -1 then
          sExceptionResult := 'Untrusted or Self-Signed Cert'
        else
          sExceptionResult := 'Unknown Cert Issue';
      end;
    end;
  finally
    WebRequest.Free;
  end;
  if sExceptionResult <> '' then
    memoOutput.Lines.Add(' Invalid Cert Issue - ' + sExceptionResult);
  memoOutput.Lines.Add(' Processing Time = ' + IntToStr(MilliSecondsBetween(Now(), d)) + 'ms');
end;
- Scott
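The pattern Devart recommends above (validate the full chain on every connection, and treat a stored fingerprint only as an extra check, never as a replacement) together with the exception classification from Scott's Delphi snippet, shown as an added Python stdlib example that is not code from the thread or from SecureBridge. PINS holds constructed placeholder values; the badssl.com host names are the thread's own test hosts.

```python
import hashlib
import socket
import ssl

# Constructed placeholder pins (not from the thread): SHA-256 of your server's DER
# certificate plus a backup so a planned rotation does not lock clients out.
PINS = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # current
    "1111111111111111111111111111111111111111111111111111111111111111",  # backup
}

def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate: the value to record as a pin."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented certificate matches any stored pin (case-insensitive)."""
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}

def classify_failure(verify_message: str) -> str:
    """Map OpenSSL's verify message (SSLCertVerificationError.verify_message) to a category."""
    msg = verify_message.lower()
    if "hostname mismatch" in msg:
        return "hostname-mismatch"
    if "expired" in msg:
        return "expired"
    if "self" in msg and "signed" in msg:
        # a self-signed leaf vs. a self-signed (untrusted) root further up the chain
        return "untrusted" if "in certificate chain" in msg else "self-signed"
    if "unable to" in msg:  # e.g. "unable to get local issuer certificate"
        return "untrusted"
    return "unknown"

def check_host(host: str, pins: set = PINS, port: int = 443, timeout: float = 5.0) -> tuple:
    """Full chain + hostname validation by the OS trust store first, pin check second.
    Returns (status, detail). The default context does no OCSP/CRL lookup, so a
    revoked but otherwise valid certificate (revoked.badssl.com) passes here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError as e:
        reason = getattr(e, "verify_message", None) or str(e)
        return (classify_failure(reason), reason)
    fp = cert_fingerprint(der)
    return ("ok", fp) if not pins or pin_matches(der, pins) else ("pin-mismatch", fp)
```

With network access, check_host("expired.badssl.com") returns the "expired" category and check_host("badssl.com") returns "pin-mismatch" until PINS holds that server's real fingerprint. The absent revocation check is the same gap Scott reports for revoked.badssl.com.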
Re: Fast SSL verification of URL for Rest Client (testing against badssl.com)
Thank you for your interest in our product and for your contribution to its development. We will consider the possibility of adding the example you've provided to the SecureBridge demo.