When setting the server certificate validation to true for HTTPS requests using the CkHttp object, the client validates the expiration of the server certificate as well as the signature. However, if we want to validate fields of the DN, like the CN of the server, it seems the only option we have is to use GetServerSslCert and CkCert::get_IssuerCN. This method makes another connection, which is not good for us.
Is there a way to do that validation on the same connection as the request?
I didn't see any override of the CkHttp class that allows that, and it doesn't seem possible to do it with the socket API and then pass the socket to the CkHttp object if the validation succeeds.
Thank you, it's exactly what I need. So if I understand correctly, I can load trusted certificates into the CkTrustedRoots object from a PKCS#12 store using CkCertStore::LoadPfxFile, CkCertStore::GetCertificate and CkTrustedRoots::AddCert. Then the certificates will be loaded in some global state and will be used by the CkHttp client.
My question is: do you need to tear down that object? Does the object need to exist for the whole transaction, or can it be destroyed once the certificates are loaded?
Thanks, I'm in the process of building some examples for example-code.com. I'll post here once completed.
PS> Yes, load trusted certs into CkTrustedRoots, then call CkTrustedRoots::Activate to activate those trusted roots globally. My concern for now is if the cert chain contains intermediate certificates, and the HTTP server response does not contain these intermediate certs, then the automatic ability to establish the chain to the root won't work. Usually the HTTP server will include the intermediate certs in the SSL/TLS handshake. In case they don't, there is also the "CkXmlCertVault" object to help. Again, I'm working on examples.
Thank you very much.
The servers I have worked with in my setup always have and send the intermediary CA certificates, so it should work. If they don't, I guess the intermediary certificates will need to be put in the store.
For any Chilkat method that returns an object, make sure your code deletes that object. (For example, your app is responsible for deleting the CkCert object for any method returning a "CkCert *" ).
If you still see the leak, post the simplest possible snippet of code that demonstrates the leak.
Here's an example using TrustedRoots: