1
votes

I'm trying to get an HTTPS page with a client-side SSL certificate, using Indy TIdHTTP.

The code is:

var IdHTTP1 : TIdHTTP;
    IdSSLIOHandlerSocket : TIdSSLIOHandlerSocketOpenSSL;
begin
    try
      IdHTTP1 := TIdHTTP.Create( self );
      IdHTTP1.Request.BasicAuthentication := False;
      IdHTTP1.Request.UserAgent := 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0';
      IdSSLIOHandlerSocket := TIdSSLIOHandlerSocketOpenSSL.Create( IdHTTP1 );
      IdSSLIOHandlerSocket.SSLOptions.CertFile := 'cert.pem';
      IdSSLIOHandlerSocket.SSLOptions.Method := sslvTLSv1_2;
      IdSSLIOHandlerSocket.SSLOptions.Mode:= sslmUnassigned;

      IdHTTP1.IOHandler := IdSSLIOHandlerSocket;

      writeln( IdHTTP1.Get( 'https://www.scriptjunkie.us/auth/verifycert' ) );
    finally
      IdSSLIOHandlerSocket.Free;
      IdHTTP1.Free;
    end;
end;

Get is not authenticating. The client PEM certificate is not accepted.

How do I get a URL with a client cert?

I've used the https://www.scriptjunkie.us/auth/verifycert site with a free client-side SSL certificate. FPC is 3.0.2, Indy is 10.6.2.0.

1
What is the actual problem? Is Get raising an exception? If so, what does it say? Why are you using a client certificate in the first place? Does the server only respond to authenticated clients? Are you able to access the server with a standard web browser? - Remy Lebeau
@Remy Lebeau Yes, the problem is actual. I face it with the latest Indy version (from dev svn). An exception is not raised, the server just returns unauthorized content. If I use Firefox and import the certificate, all is working right (see links in my question) - Y.N
what. If Get is not raising an error then neither HTTP nor SSL are failing. What makes you think this is an SSL issue, and not simply a user authentication issue? Does the server require a client to login, either through HTTP authentication or HTML webform authentication? - Remy Lebeau
I'm following scriptjunkie.us/2013/11/…. This site generates a client cert for free and provides the scriptjunkie.us/auth/verifycert test page for cert validation. In Firefox I see Cert is valid. In Indy.Get I see No valid cert. Can you test it? - Y.N

1 Answer

2
votes

Here is working code (Indy 10.6.2.0, FPC 3.0.2):

uses IdHTTP, IdSSLOpenSSL;

var IdHTTP1 : TIdHTTP;
    Id_HandlerSocket : TIdSSLIOHandlerSocketOpenSSL;
    s, cert : string;

begin
    try
      IdHTTP1 := TIdHTTP.Create( self );
      IdHTTP1.Request.BasicAuthentication := False;
      IdHTTP1.Request.UserAgent := 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0';
      Id_HandlerSocket := TIdSSLIOHandlerSocketOpenSSL.Create( IdHTTP1 );
      cert := 'my_scriptjunkie_pem.pem';
      Id_HandlerSocket.SSLOptions.CertFile := cert; (* PEM contain both CERT and Key *)
      Id_HandlerSocket.SSLOptions.KeyFile := cert;

      Id_HandlerSocket.SSLOptions.Mode := sslmClient;
      Id_HandlerSocket.SSLOptions.Method := sslvSSLv23;
      IdHTTP1.IOHandler := Id_HandlerSocket;

      WriteLn( Id_HandlerSocket.SSLOptions.CertFile );

      s := IdHTTP1.Get( 'https://www.scriptjunkie.us/auth/verifycert' );

      writeln( s );

    finally
      Id_HandlerSocket.Free;
      IdHTTP1.Free;
    end;    
end;
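
The answer above assigns one PEM file to both CertFile and KeyFile, which only works when that file really holds a certificate and an unencrypted private key. The following pre-flight check is an added example, not part of the original answer or of Indy; the names TPemInfo and InspectPem are hypothetical, and the sample input is constructed.

```pascal
program CheckClientPem;
{$mode objfpc}{$H+}
uses Classes, SysUtils;

type
  TPemInfo = record
    Certs: Integer;        // number of CERTIFICATE blocks
    HasKey: Boolean;       // a "... PRIVATE KEY" block is present
    KeyEncrypted: Boolean; // key needs a passphrase
  end;

{ Scan PEM text for the blocks TLS client authentication needs. }
function InspectPem(Lines: TStrings): TPemInfo;
var i: Integer; L: string;
begin
  FillChar(Result, SizeOf(Result), 0);
  for i := 0 to Lines.Count - 1 do
  begin
    L := Trim(Lines[i]);
    if L = '-----BEGIN CERTIFICATE-----' then
      Inc(Result.Certs)
    else if (Pos('-----BEGIN ', L) = 1) and (Pos('PRIVATE KEY-----', L) > 0) then
    begin
      Result.HasKey := True;  // PKCS#8, RSA or EC key header
      if Pos('ENCRYPTED', L) > 0 then Result.KeyEncrypted := True;
    end
    else if Pos('Proc-Type: 4,ENCRYPTED', L) = 1 then
      Result.KeyEncrypted := True;  // legacy encrypted key header
  end;
end;

var Pem: TStringList; Info: TPemInfo;
begin
  Pem := TStringList.Create;
  try
    if ParamCount >= 1 then
      Pem.LoadFromFile(ParamStr(1))
    else // constructed sample: a certificate block with no key
      Pem.Text := '-----BEGIN CERTIFICATE-----' + LineEnding +
                  '-----END CERTIFICATE-----';
    Info := InspectPem(Pem);
    if Info.Certs = 0 then WriteLn('no certificate in file')
    else if not Info.HasKey then WriteLn('no private key: KeyFile must point to the key')
    else if Info.KeyEncrypted then WriteLn('key is encrypted: a passphrase is required')
    else WriteLn('ok: file can serve as both CertFile and KeyFile');
  finally
    Pem.Free;
  end;
end.
```

Run it with the PEM path as the first argument before wiring the file into SSLOptions; without an argument it reports on the constructed certificate-only sample.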