Archived Forum Post


Question:

CkHttp SSL server certificate validation C++

May 29 '15 at 10:36

When setting the server certificate validation to true for https requests using the CkHttp object, the client validates the expiration of the server certificate as well as the signature. However, if we want to validate fields of the DN like the CN of the server, it seems the only option we have is to use the GetServerSslCert and the CkCert::get_IssuerCN. This method makes another connection which is not good for us.

Is there a way to do that validation on the same connection as the request?

I didn't see any override of the CkHttp class that allows that, and it doesn't seem possible to do it with the socket API and then pass the socket to the CkHttp object if the validation succeeds.

Regards


Answer

See http://www.chilkatsoft.com/refdoc/vcCkTrustedRootsRef.html


Answer

Thank you, it's exactly what I need. So if I understand correctly, I can load trusted certificates into the CkTrustedRoots object from a PKCS#12 store using CkCertStore::LoadPfxFile, CkCertStore::GetCertificate and CkTrustedRoots::AddCert. Then the certificates will be loaded in some global state and will be used by the CkHttp client.

My question is: do you need to tear down that object? Does the object need to exist during the whole transaction, or can it be destroyed once the certificates are loaded?


Answer

Thanks, I'm in the process of building some examples for example-code.com. I'll post here once completed.

PS> Yes, load trusted certs into CkTrustedRoots, then call CkTrustedRoots::Activate to activate those trusted roots globally. My concern for now is if the cert chain contains intermediate certificates, and the HTTP server response does not contain these intermediate certs, then the automatic ability to establish the chain to the root won't work. Usually the HTTP server will include the intermediate certs in the SSL/TLS handshake. In case they don't, there is also the "CkXmlCertVault" object to help. Again, I'm working on examples.


Answer

Thank you very much.

The servers I have worked with in my setup always have and send the intermediary CA certificates, so it should work. If they don't, I guess the intermediary certificates will need to be put in the store.


Answer

For any Chilkat method that returns an object, make sure your code deletes that object. (For example, your app is responsible for deleting the CkCert object for any method returning a "CkCert *".)

If you still see the leak, post the simplest possible snippet of code that demonstrates the leak.

Here's an example using TrustedRoots:

Android: HTTP - Verify Server is a Trusted Root CA

C: HTTP - Verify Server is a Trusted Root CA

C#: HTTP - Verify Server is a Trusted Root CA

C# WinRT: HTTP - Verify Server is a Trusted Root CA

C++: HTTP - Verify Server is a Trusted Root CA

Classic ASP: HTTP - Verify Server is a Trusted Root CA

DataFlex: HTTP - Verify Server is a Trusted Root CA

Delphi ActiveX: HTTP - Verify Server is a Trusted Root CA

Delphi DLL: HTTP - Verify Server is a Trusted Root CA

Java: HTTP - Verify Server is a Trusted Root CA

Lianja: HTTP - Verify Server is a Trusted Root CA

MFC: HTTP - Verify Server is a Trusted Root CA

Objective-C: HTTP - Verify Server is a Trusted Root CA

Perl: HTTP - Verify Server is a Trusted Root CA

PHP ActiveX: HTTP - Verify Server is a Trusted Root CA

PHP Extension: HTTP - Verify Server is a Trusted Root CA

PowerBuilder: HTTP - Verify Server is a Trusted Root CA

PowerShell: HTTP - Verify Server is a Trusted Root CA

PureBasic: HTTP - Verify Server is a Trusted Root CA

Python: HTTP - Verify Server is a Trusted Root CA

Ruby: HTTP - Verify Server is a Trusted Root CA

SQL Server: HTTP - Verify Server is a Trusted Root CA

Swift: HTTP - Verify Server is a Trusted Root CA

Unicode C: HTTP - Verify Server is a Trusted Root CA

Unicode C++: HTTP - Verify Server is a Trusted Root CA

VB.NET: HTTP - Verify Server is a Trusted Root CA

VB.NET WinRT: HTTP - Verify Server is a Trusted Root CA

VBScript: HTTP - Verify Server is a Trusted Root CA

Visual Basic 6.0: HTTP - Verify Server is a Trusted Root CA

Visual FoxPro: HTTP - Verify Server is a Trusted Root CA