synopse / mORMot

Synopse mORMot 1 ORM/SOA/MVC framework - Please upgrade to mORMot 2 !
https://synopse.info

Lack of explanation in case of WinHttp security error in SynCrtSock #412

Closed FeelAirSlow closed 2 years ago

FeelAirSlow commented 2 years ago

Hello,

If I use SynCrtSock's THttpRequest.Request to make an https request to a URL with a machine name only, without the domain information, there is obviously a security error because the CN is invalid. But the error message contains only the error code and is thus hard to understand: "WinHTTP security error. Status 65536, statusInfo: 16". Could the procedure WinHTTPSecurityErrorCallback be enhanced to give more explanation, for example:

procedure WinHTTPSecurityErrorCallback(hInternet: HINTERNET; dwContext: PDWORD;
  dwInternetStatus: DWORD; lpvStatusInformation: pointer; dwStatusInformationLength: DWORD); stdcall;
var
  err: string;
  code: DWORD;
begin
  // for WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, lpvStatusInformation points to a DWORD
  // holding a bitmask of WINHTTP_CALLBACK_STATUS_FLAG_* values (winhttp.h)
  code := PDWORD(lpvStatusInformation)^;
  err := '';
  if code and $00000001 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED | ';
  if code and $00000002 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT | ';
  if code and $00000004 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED | ';
  if code and $00000008 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA | ';
  if code and $00000010 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID | ';
  if code and $00000020 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID | ';
  if code and $00000040 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE | ';
  if code and $80000000 <> 0 then err := err + 'WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR | ';
  // drop the trailing ' | ' separator
  if err <> '' then err := ': ' + Copy(err, 1, Length(err) - 3);
  // when only $80000000 is set (printed as -2147483648 by a signed %d), this is usually an
  // attempt to connect to a non-HTTPS socket, i.e. a wrong port - perhaps it must be 443?
  raise EWinHTTP.CreateFmt('WinHTTP security error. Status %d, statusInfo: %d (%s)',
    [dwInternetStatus, code, '$' + IntToHex(code, 8) + err]);
end;

Thank you!
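The same decoding, as an added Python example that is not code from the mORMot project or from the issue above: it turns the DWORD bitmask WinHTTP delivers to a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE callback into flag names the way the Pascal snippet does, and goes one step further by reporting any set bits that are not in the table, so a flag added in a newer winhttp.h is never silently dropped. The flag names and values are the documented WINHTTP_CALLBACK_STATUS_FLAG_* constants; the one-line hints attached to each flag are this example's own wording, and the sample inputs are constructed (the first is the exact pair of values quoted in the issue).

```python
# Added example (Python), not mORMot project code and not from the original issue.
# Decodes the 32-bit security-failure bitmask WinHTTP hands to a
# WINHTTP_CALLBACK_STATUS_SECURE_FAILURE callback via lpvStatusInformation.

WINHTTP_CALLBACK_STATUS_SECURE_FAILURE = 0x00010000  # the "Status 65536" in the issue

# (bit, documented constant name, short operator-facing hint written for this example)
SECURE_FAILURE_FLAGS = (
    (0x00000001, "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",
     "revocation could not be checked (CRL/OCSP unreachable)"),
    (0x00000002, "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
     "certificate is malformed or otherwise unusable"),
    (0x00000004, "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",
     "certificate has been revoked"),
    (0x00000008, "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
     "issuer is not a trusted CA (self-signed or unknown root)"),
    (0x00000010, "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
     "certificate name does not match the host name in the URL"),
    (0x00000020, "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
     "certificate is expired or not yet valid"),
    (0x00000040, "WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE",
     "certificate is not valid for server authentication"),
    (0x80000000, "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
     "TLS handshake failed; on its own this usually means the port is not speaking TLS"),
)


def decode_secure_failure(code):
    """Split a security-failure code into (flag names, hints, unknown bits).

    The API delivers the value as a DWORD, so anything above bit 31 is masked off;
    bits that are set but absent from the table are returned separately rather
    than dropped, which is where this goes beyond the Pascal version.
    """
    code &= 0xFFFFFFFF
    names, hints, known = [], [], 0
    for bit, name, hint in SECURE_FAILURE_FLAGS:
        if code & bit:
            names.append(name)
            hints.append(hint)
            known |= bit
    return names, hints, code & ~known & 0xFFFFFFFF


def format_secure_failure(status, code):
    """Build the message the issue asks for: numeric values plus symbolic flag names."""
    names, hints, unknown = decode_secure_failure(code)
    detail = f"${code & 0xFFFFFFFF:08X}"
    if names:
        detail += ": " + " | ".join(names)
    if unknown:
        detail += f" | unknown bits ${unknown:08X}"
    msg = f"WinHTTP security error. Status {status}, statusInfo: {code} ({detail})"
    if hints:
        msg += "\n  " + "\n  ".join(hints)
    return msg


if __name__ == "__main__":
    # Constructed inputs: the exact values from the issue, a combined case,
    # the high-bit-only case from the Pascal comment, and an unknown bit.
    for code in (16, 0x10 | 0x08, 0x80000000, 0x00000100):
        print(format_secure_failure(WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, code))
        print()
```

For the case in the issue (statusInfo 16, CERT_CN_INVALID) the right fix is to request the host name the certificate was issued for, or to reissue the certificate with the short name in its subject alternative names; suppressing the check would let any certificate pass, which is exactly what the flag is there to prevent.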

synopse commented 2 years ago

Good idea. Also backported to mORMot 2.

FeelAirSlow commented 2 years ago

I tested your modifications of SynCrtSock.pas: that's perfect, thank you!