When setting the server certificate validation to true for https requests using the CkHttp object, the client validates the expiration of the server certificate as well as the signature. However, if we want to validate fields of the DN like the CN of the server, it seems the only option we have is to use GetServerSslCert and CkCert::get_IssuerCN. This method makes another connection, which is not good for us.

Is there a way to do that validation on the same connection as the request?

I didn't see any override of the CkHttp class that allows that, and it doesn't seem possible to do it with the socket API and then pass the socket to the CkHttp object if the validation succeeds.

Regards

asked May 25 '15 at 13:47 by Laval

Also, it doesn't seem like the library allows the client to have a list of trusted certificates like web browsers do.

(May 29 '15 at 08:22) Laval

answered May 29 '15 at 08:34 by chilkat

Thank you, it's exactly what I need. So if I understand correctly, I can load trusted certificates into the CkTrustedRoots object from a PKCS#12 store using CkCertStore::LoadPfxFile, CkCertStore::GetCertificate and CkTrustedRoots::AddCert. Then the certificates will be loaded into some global state and will be used by the CkHttp client.

My question is: do you need to tear down that object? Does the object need to exist during the whole transaction, or can it be destroyed once the certificates are loaded?

answered May 29 '15 at 09:12 by Laval, edited May 29 '15 at 09:13

Thanks, I'm in the process of building some examples for example-code.com. I'll post here once completed.

PS> Yes, load trusted certs into CkTrustedRoots, then call CkTrustedRoots::Activate to activate those trusted roots globally. My concern for now is that if the cert chain contains intermediate certificates, and the HTTP server response does not contain these intermediate certs, then the automatic ability to establish the chain to the root won't work. Usually the HTTP server will include the intermediate certs in the SSL/TLS handshake. In case they don't, there is also the "CkXmlCertVault" object to help. Again, I'm working on examples...

answered May 29 '15 at 09:18 by chilkat

Thank you very much.

The servers I have worked with in my setup always have and send the intermediary CA certificates, so it should work. If they don't, I guess the intermediary certificates will need to be put in the store.

answered May 29 '15 at 09:28 by Laval

Just to add some details ...

I have done some testing and it works like a charm.

I also have a big memory leak when the application exits.

Do I have to do anything special besides calling CkSettings::cleanupMemory() when the application exits?

(May 29 '15 at 10:06) Laval
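The two checks this thread circles around, chain completion to a trusted root (and why it fails when the handshake omits an intermediate unless a local store like CkXmlCertVault fills the gap) and matching the server name against the certificate CN, as an added model that is not Chilkat code and not from any poster here. Certificates are reduced to subject/issuer names, so no signatures are verified, and every name below is constructed.

```python
# Added model, not Chilkat code: certs reduced to subject/issuer names, signatures not verified.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str  # constructed stand-in for a certificate's subject CN
    issuer: str   # issuer CN


def build_chain(leaf: Cert, server_sent: list, local_vault: list,
                trusted_roots: list) -> Optional[list]:
    """Follow issuer links from the leaf until a trusted root is reached.

    Intermediates may come from the TLS handshake (server_sent) or from a local
    store (local_vault, the role CkXmlCertVault plays in the thread). If neither
    supplies the missing link, the chain cannot be completed and None is returned.
    """
    roots = {r.subject: r for r in trusted_roots}
    by_subject = {c.subject: c for c in local_vault + server_sent}  # handshake copy wins
    chain, cur = [leaf], leaf
    while cur.issuer not in roots:
        nxt = by_subject.get(cur.issuer)
        # stop on a gap, a loop, or a self-signed cert that is not a trusted root
        if nxt is None or nxt in chain or nxt.subject == nxt.issuer or len(chain) > 10:
            return None
        chain.append(nxt)
        cur = nxt
    chain.append(roots[cur.issuer])
    return chain


def hostname_matches(cn: str, host: str) -> bool:
    """Case-insensitive exact match, or '*' standing for exactly one leftmost label
    (a wildcard never covers a bare registrable domain such as '*.com')."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if not cn.startswith("*."):
        return False
    cl, hl = cn.split("."), host.split(".")
    return len(hl) == len(cl) >= 3 and hl[1:] == cl[1:]


# Constructed sample PKI: leaf <- issuing CA <- root (names are made up).
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Issuing CA")
```

build_chain(LEAF, [INTER], [], [ROOT]) and build_chain(LEAF, [], [INTER], [ROOT]) both complete the chain, while build_chain(LEAF, [], [], [ROOT]) returns None because the intermediate is available nowhere.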

For any Chilkat method that returns an object, make sure your code deletes that object. (For example, your app is responsible for deleting the CkCert object for any method returning a "CkCert *".)

If you still see the leak, post the simplest possible snippet of code that demonstrates the leak.

Here's an example using TrustedRoots:

Android: HTTP - Verify Server is a Trusted Root CA

C: HTTP - Verify Server is a Trusted Root CA

C#: HTTP - Verify Server is a Trusted Root CA

C# WinRT: HTTP - Verify Server is a Trusted Root CA

C++: HTTP - Verify Server is a Trusted Root CA

Classic ASP: HTTP - Verify Server is a Trusted Root CA

DataFlex: HTTP - Verify Server is a Trusted Root CA

Delphi ActiveX: HTTP - Verify Server is a Trusted Root CA

Delphi DLL: HTTP - Verify Server is a Trusted Root CA

Java: HTTP - Verify Server is a Trusted Root CA

Lianja: HTTP - Verify Server is a Trusted Root CA

MFC: HTTP - Verify Server is a Trusted Root CA

Objective-C: HTTP - Verify Server is a Trusted Root CA

Perl: HTTP - Verify Server is a Trusted Root CA

PHP ActiveX: HTTP - Verify Server is a Trusted Root CA

PHP Extension: HTTP - Verify Server is a Trusted Root CA

PowerBuilder: HTTP - Verify Server is a Trusted Root CA

PowerShell: HTTP - Verify Server is a Trusted Root CA

PureBasic: HTTP - Verify Server is a Trusted Root CA

Python: HTTP - Verify Server is a Trusted Root CA

Ruby: HTTP - Verify Server is a Trusted Root CA

SQL Server: HTTP - Verify Server is a Trusted Root CA

Swift: HTTP - Verify Server is a Trusted Root CA

Unicode C: HTTP - Verify Server is a Trusted Root CA

Unicode C++: HTTP - Verify Server is a Trusted Root CA

VB.NET: HTTP - Verify Server is a Trusted Root CA

VB.NET WinRT: HTTP - Verify Server is a Trusted Root CA

VBScript: HTTP - Verify Server is a Trusted Root CA

Visual Basic 6.0: HTTP - Verify Server is a Trusted Root CA

Visual FoxPro: HTTP - Verify Server is a Trusted Root CA

answered May 29 '15 at 10:36 by chilkat
