Delphi 如何验证服务器主机名
我使用IndyDelphi 如何验证服务器主机名,delphi,ssl,openssl,certificate,indy,Delphi,Ssl,Openssl,Certificate,Indy,我使用IndyTIdHTTP(XE2附带)和OpenSSL库DLL V1.0.1m在通过HTTPS连接时验证证书。我已经为TIdSSLIOHandlerSocketOpenSSL组件的OnVerifyPeer事件实现了一个事件处理程序 function TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean; begi
TIdHTTPTIdSSLIOHandlerSocketOpenSSLOnVerifyPeerfunction TForm1.IdSSLIOHandlerSocketOpenSSL1VerifyPeer(Certificate: TIdX509;
AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
(...)
end;
OnVerifyPeerCertificate.Subject.OneLine尽管需要验证主机名,但是否有人可以确认Indy或OpenSSL库删除了通配符 我两次引用这句话的原因是:)IETF和CA/B论坛都不赞成将服务器名放在通用名(CN)中(浏览器遵循的原则) 您可能正在经历类似于
CN=example.comexample.com*.example.comhttps://example.comexample.com在这种情况下,有人想验证主机名吗 1.1.0之前的OpenSSL未执行主机名匹配。开发商必须这样做。OpenSSL 1.1.0及以上版本具有内置功能。再见,朋友们 要匹配主机名,您应该从公共名称(CN)和主题备用名称(SAN)中收集所有名称。然后,它通常与正则表达式匹配一样简单 IETF是快速而松散的,它们允许主机名显示在CN或SAN中。CA/B论坛和浏览器更严格:如果主机名在CN中,那么它也必须出现在SAN中(是的,必须列出两次)。否则,CA/B论坛和浏览器期望SAN中的所有主机名 我相信OpenSSL和CA/B论坛只允许在最左边的标签中使用通配符。我相信IETF允许通配符出现在任何地方 如果您想查看示例代码,请查看cURL的实现。cURL使用OpenSSL,但不依赖于1.1.0和朋友。cURL有自己的实现
快速警告。主机名匹配是一门黑色艺术。例如 IETF允许匹配到全局顶级域(gTLD),如
*.com*.net*.uk*.us*.googleAmazon.comexample.Amazon.comIETF正试图解决该地区的行政边界问题。但委员会的工作似乎停滞不前。不幸的是,由于内部规范,我不得不坚持使用XE2 Indy和OpenSSL V1.0.1m 为了对照Subject CN和Subject备用名称验证主机名,我(使用该方法)执行了以下操作: 1。在应用程序启动时,我尝试一次扩展对Indy crypto库中方法的访问。
function ExtendIndyCryptoLibrary(): Boolean;
var
hIdCrypto: HMODULE;
begin
Result := False;
// Try to get handle to Indy used crypto library
if not IdSSLOpenSSL.LoadOpenSSLLibrary() then
Exit;
hIdCrypto := IdSSLOpenSSLHeaders.GetCryptLibHandle();
if hIdCrypto = 0 then
Exit();
// Try to get exported methods that are needed additionally
@X509_get_ext_d2i := GetProcAddress(hIdCrypto, 'X509_get_ext_d2i');
Result := Assigned(X509_get_ext_d2i);
end;
type
THostnameValidationResult = (hvrMatchNotFound, hvrNoSANPresent, hvrMatchFound);
var
X509_get_ext_d2i: function(a: PX509; nid: TIdC_INT; var pcrit: PIdC_INT; var pidx: PIdC_INT): PSTACK_OF_GENERAL_NAME; cdecl = nil;
type
TIdX509Access = class(TIdX509)
protected
function Hostmatch(Hostname, Pattern: String): Boolean;
function MatchesSAN(Hostname: String): THostnameValidationResult;
function MatchesCN(Certificate: TIdX509; Hostname: String): THostnameValidationResult;
public
function ValidateHostname(Certificate: TIdX509; Hostname: String): THostnameValidationResult;
end;
implementation
{ TIdX509Access }
function TIdX509Access.Hostmatch(Hostname, Pattern: String): Boolean;
begin
// Match hostname against pattern using RFC, CA/Browser Forum, ...
// (...)
end;
function TIdX509Access.MatchesSAN(Hostname: String): THostnameValidationResult;
var
pcrit, pidx: PIdC_INT;
psan_names: PSTACK_OF_GENERAL_NAME;
san_names_nb: Integer;
pcurrent_name: PGENERAL_NAME;
i: Integer;
DnsName: String;
begin
Result := hvrMatchNotFound;
// Try to extract the names within the SAN extension from the certificate
pcrit := nil;
pidx := nil;
psan_names := X509_get_ext_d2i(FX509, NID_subject_alt_name, pcrit, pidx);
// Check if SAN is present
if psan_names <> nil then
begin
san_names_nb := sk_num(PSTACK(psan_names));
// Check each name within the extension
for i := 0 to san_names_nb-1 do
begin
pcurrent_name := PGENERAL_NAME( sk_value(PSTACK(psan_names), i) );
if pcurrent_name._type = GEN_DNS then
begin
// Current name is a DNS name, let's check it
DnsName := String(pcurrent_name.d.dNSName.data);
// Compare expected hostname with the DNS name
if Hostmatch(Hostname, DnsName) then
begin
Result := hvrMatchFound;
Break;
end;
end;
end;
end
else
Result := hvrNoSANPresent;
// Clean up
sk_free(PSTACK(psan_names));
end;
function TIdX509Access.MatchesCN(Certificate: TIdX509;
Hostname: String): THostnameValidationResult;
var
TempList: TStringList;
Cn: String;
begin
Result := hvrMatchNotFound;
// Extract CN from Subject
TempList := TStringList.Create();
TempList.Delimiter := '/';
TempList.DelimitedText := Certificate.Subject.OneLine;
Cn := Trim(TempList.Values['CN']);
FreeAndNil(TempList);
// Compare expected hostname with the CN
if Hostmatch(Hostname, Cn) then
Result := hvrMatchFound;
end;
function TIdX509Access.ValidateHostname(Certificate: TIdX509;
Hostname: String): THostnameValidationResult;
begin
// First try the Subject Alternative Names extension
Result := MatchesSAN(Hostname);
if Result = hvrNoSANPresent then
begin
// Extension was not found: try the Common Name
Result := MatchesCN(Certificate, Hostname);
end;
end;
function ExtendIndyCryptoLibrary(): Boolean;
var
hIdCrypto: HMODULE;
begin
Result := False;
// Try to get handle to Indy used crypto library
if not IdSSLOpenSSL.LoadOpenSSLLibrary() then
Exit;
hIdCrypto := IdSSLOpenSSLHeaders.GetCryptLibHandle();
if hIdCrypto = 0 then
Exit();
// Try to get exported methods that are needed additionally
@X509_get_ext_d2i := GetProcAddress(hIdCrypto, 'X509_get_ext_d2i');
Result := Assigned(X509_get_ext_d2i);
end;
type
THostnameValidationResult = (hvrMatchNotFound, hvrNoSANPresent, hvrMatchFound);
var
X509_get_ext_d2i: function(a: PX509; nid: TIdC_INT; var pcrit: PIdC_INT; var pidx: PIdC_INT): PSTACK_OF_GENERAL_NAME; cdecl = nil;
type
TIdX509Access = class(TIdX509)
protected
function Hostmatch(Hostname, Pattern: String): Boolean;
function MatchesSAN(Hostname: String): THostnameValidationResult;
function MatchesCN(Certificate: TIdX509; Hostname: String): THostnameValidationResult;
public
function ValidateHostname(Certificate: TIdX509; Hostname: String): THostnameValidationResult;
end;
implementation
{ TIdX509Access }
function TIdX509Access.Hostmatch(Hostname, Pattern: String): Boolean;
begin
// Match hostname against pattern using RFC, CA/Browser Forum, ...
// (...)
end;
function TIdX509Access.MatchesSAN(Hostname: String): THostnameValidationResult;
var
pcrit, pidx: PIdC_INT;
psan_names: PSTACK_OF_GENERAL_NAME;
san_names_nb: Integer;
pcurrent_name: PGENERAL_NAME;
i: Integer;
DnsName: String;
begin
Result := hvrMatchNotFound;
// Try to extract the names within the SAN extension from the certificate
pcrit := nil;
pidx := nil;
psan_names := X509_get_ext_d2i(FX509, NID_subject_alt_name, pcrit, pidx);
// Check if SAN is present
if psan_names <> nil then
begin
san_names_nb := sk_num(PSTACK(psan_names));
// Check each name within the extension
for i := 0 to san_names_nb-1 do
begin
pcurrent_name := PGENERAL_NAME( sk_value(PSTACK(psan_names), i) );
if pcurrent_name._type = GEN_DNS then
begin
// Current name is a DNS name, let's check it
DnsName := String(pcurrent_name.d.dNSName.data);
// Compare expected hostname with the DNS name
if Hostmatch(Hostname, DnsName) then
begin
Result := hvrMatchFound;
Break;
end;
end;
end;
end
else
Result := hvrNoSANPresent;
// Clean up
sk_free(PSTACK(psan_names));
end;
function TIdX509Access.MatchesCN(Certificate: TIdX509;
Hostname: String): THostnameValidationResult;
var
TempList: TStringList;
Cn: String;
begin
Result := hvrMatchNotFound;
// Extract CN from Subject
TempList := TStringList.Create();
TempList.Delimiter := '/';
TempList.DelimitedText := Certificate.Subject.OneLine;
Cn := Trim(TempList.Values['CN']);
FreeAndNil(TempList);
// Compare expected hostname with the CN
if Hostmatch(Hostname, Cn) then
Result := hvrMatchFound;
end;
function TIdX509Access.ValidateHostname(Certificate: TIdX509;
Hostname: String): THostnameValidationResult;
begin
// First try the Subject Alternative Names extension
Result := MatchesSAN(Hostname);
if Result = hvrNoSANPresent then
begin
// Extension was not found: try the Common Name
Result := MatchesCN(Certificate, Hostname);
end;
end;
证书数据由OpenSSL本身提供。Indy的
TIdX509PX509TIdX509SubjectX509\u NAMEPX509\u-get\u-Subject\u-NAME()OneLineX509\u-NAME\u-OneLine()函数返回的任何值。也就是说,OpenSSL确实具有X509\u check\u host()
和certificate\u host\u override()
功能