Winhttp - Prevent successful handshake if peer certificate is invalid
Edit: The thread : https://security.stackexchange.com/questions/179352/winhttp-prevent-successful-handshake-if-peer-certificate-is-invalid discusses and answers the concern. This can be closed for now
Using windows platform-provided WinHTTP on a delphi project to make calls over to the server.
Script:
userAgent := 'TestClient.exe';
hsession := WinHttpOpen(pwidechar(userAgent), WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, nil, nil, 0);
if(hsession = nil) then ShowMessage('Failed WinhttpOpen');
p := 'https';
port := 443;
requestflags := WINHTTP_FLAG_SECURE;
server := '10.0.0.221';
hconnection := WinHttpConnect(hsession, PWideChar(server), port, 0);
if(hconnection = nil) then
begin
le := GetLastError;
ShowMessage('Failed to connect: ' + IntToStr(le));
end;
Action := 'GET';
hInetRequest := WinHttpOpenRequest(hconnection, pwidechar(Action), nil, nil, nil, nil, WINHTTP_FLAG_SECURE);
if(hInetRequest = nil) then
begin
le := GetLastError;
ShowMessage('Failed to connect: ' + IntToStr(le));
end;
WinResult:=WinHttpSendRequest(hInetRequest, nil,0, 0, 0,0,0);
if(not WinResult) then
begin
le := GetLastError;
WinHttpCloseHandle(hInetRequest);
ShowMessage('No result obtained : ' + IntToStr(le));
end;
Required; For security compliance, connection must terminate right after SSL handshake. Incase peer certificate is deemed invalid.
Actual: Whats' happening is that, the client (using winhttp) makes a call and successfuly confirm TLS handshake even when the certificate is invalid. However, right after handshake and before completing request, it terminates the connection throwing '12175' error. Which is the error for invalid certificates. Which is right.
Problem: For compliance to pass, WinHTTP must not allow successful handshake, and hence terminate connection earlier.
Wireshark Screen attached below: (10.0.0.221 is the server)
I think you're just out of luck here because that is how WinHTTP is designed. What happens is in a way described at the nServerPort parameter's value INTERNET_DEFAULT_HTTPS_PORT in the WinHttpConnect function documentation (emphasized):
INTERNET_DEFAULT_HTTPS_PORT
Uses the default port for HTTPS servers (port 443). Selecting this port does not automatically establish a secure connection. You must still specify the use of secure transaction semantics by using the WINHTTP_FLAG_SECURE flag with WinHttpOpenRequest.
Which translates as that you need to open (and send) request with the WINHTTP_FLAG_SECURE flag specified to establish a secure connection.
- Math.Sin() gives incorrect value
- How to run my python script when the sunOS is start booting
- Express-session: not resetting cookie expiration on each request
- Getting a stack overflow exception when normalizing a vector
- Edit default summary function in R gives error for multiple variables
- What was a For loop? Why isn't it needed in R?
- How to use download button in shiny and save results in various formats (csv, texte, pdf, spss...)?
- Why are there two assignment operators, `<-` and `->` in R?
- lm()$assign: what is it?
- How to get the value of list(...) in R and S functions
- Design matrix for MLM from library(lme4) with fixed and random effects
- how to generate elements not included in my sample
- Create a matrix with gradually changing values without a for loop
- Emacs ESS and S-plus ( S+ ) 8.1 compatability
- How to lag date-index in a time-series in R?
- Nonlinear regression in R / S
- Calling R from S-Plus?