Colin
2005-05-06 07:28:12 UTC
I'm trying to write a piece of code to validate a Server SSL certificate. I
can open a socket to the SSL site and read the certificate from the Client
SSL Hello packet OK and then validate the cert (using the certificate
verification functions) but this doesn't work if there is a proxy being used
on the machine because the socket connection doesn't go via the proxy.
Rather than add a whole lot of extra code to handle the proxy (and
authentication) I thought I'd use wininet to make the connection
(InternetOpenUrl) and then use the socket from the connection to send the
SSL Hello packet.
First problem was that the socket isn't that easy to get hold of. By using
an async wininet call and catching the INTERNET_STATUS_CONNECTED_TO_SERVER
callback event then using the INTERNET_OPTION_DIAGNOSTIC_SOCKET_INFO option
to InternetQueryOption I can retrieve the socket.
With the socket I then send the SSL hello packet and get back the server SSL
certificate.
The problem is that this seems to only work about 50% of the time. I can
retrieve the socket and write the Client SSL Hello each time but reading the
response often fails.
Questions:
- Is this the right way to approach this?
- Should I be able to write and read my own data on the socket? I have found
that only on this event will the remote server respond. (I assume after this
wininet has completed its own SSL handshake so everything needs to be
encrypted)
- Is there an easier way to get the complete server SSL certificate from
wininet?
There does seem to be a timing-related problem because usually if I step
through the process in the debugger it works fine but just letting it run
starts getting read errors.
Thanks for any assistance
Colin
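The "send the Client Hello, read back the server certificate" step described in the post, as an added Python example that is not part of the original post: it strips the TLS record framing from the server's handshake flight, pulls the DER chain out of the Certificate message, and returns None when the bytes read so far do not yet contain the whole message, which is exactly what a short or failed read on the socket looks like to the caller. FAKE_LEAF, FAKE_CA and sample_stream are constructed stand-ins (not real certificates); the proxy and WinInet socket handling is out of scope here.

```python
import struct

TLS_HANDSHAKE, HS_SERVER_HELLO, HS_CERTIFICATE = 0x16, 2, 11

def handshake_payload(data: bytes) -> bytes:
    # Join the payloads of consecutive handshake records: one handshake message
    # may span several records. Stops at the first record not fully present.
    out, pos = bytearray(), 0
    while pos + 5 <= len(data):
        rtype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype != TLS_HANDSHAKE or pos + 5 + rlen > len(data):
            break
        out += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    return bytes(out)

def server_certificates(data: bytes):
    # DER chain from the Certificate message (leaf first), or None when the
    # bytes read so far do not contain the complete message (short read).
    hs, pos = handshake_payload(data), 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + mlen]
        if len(body) < mlen:
            return None
        if mtype == HS_CERTIFICATE:
            certs, p, end = [], 3, 3 + int.from_bytes(body[0:3], "big")
            while p < end:
                clen = int.from_bytes(body[p:p + 3], "big")
                certs.append(body[p + 3:p + 3 + clen])
                p += 3 + clen
            return certs
        pos += 4 + mlen
    return None

def _hs_msg(mtype, body):  # handshake header: type(1) + length(3)
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload):  # record header: type(1) + version(2, TLS 1.0) + length(2)
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(payload).to_bytes(2, "big") + payload

# Constructed placeholders standing in for DER certificates (not real certs).
FAKE_LEAF = b"\x30\x82\x01\x00" + b"L" * 12
FAKE_CA = b"\x30\x82\x00\x80" + b"C" * 8

def sample_stream(split_at=None):
    # Constructed ServerHello + Certificate flight; split_at splits the
    # Certificate message across two records, as servers do for large chains.
    hello = _hs_msg(HS_SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")
    chain = b"".join(len(c).to_bytes(3, "big") + c for c in (FAKE_LEAF, FAKE_CA))
    cert = _hs_msg(HS_CERTIFICATE, len(chain).to_bytes(3, "big") + chain)
    if split_at is None:
        return _record(hello) + _record(cert)
    return _record(hello) + _record(cert[:split_at]) + _record(cert[split_at:])
```

Feed the function the accumulated bytes from each recv; keep reading while it returns None, and hand the returned DER blobs to the certificate verification functions once it returns a list.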