yhirose/cpp-httplib

Allow invalid/self signed cert on windows (in Client)

ohainz opened this issue · 6 comments

Hello,

I am trying to do an HTTPS GET to a server which has an invalid cert (it is self-signed and the Name/CN does not match). This certificate is not added to the trusted root certificate store in Windows on the host of the client.

I tried to allow all certs by using the function SSL_CTX_set_cert_verify_callback, but I still get the result httplib::Error::SSLServerVerification. Here is a code example:

static int always_true_callback(X509_STORE_CTX* ctx, void* arg)
{
	return 1; // always report the certificate chain as verified
}
void test_invalid_cert() {
	auto http_client = httplib::Client::Client("https://server:20443");
	SSL_CTX_set_cert_verify_callback(http_client.ssl_context(), always_true_callback, nullptr);
	auto result = http_client.Get("healthz");
	auto error = result.error();
	if (error == httplib::Error::SSLServerVerification) {
		// I end here
	}
}

I also tried this, with the same result:

static int always_valid_callback(int preverify_ok, X509_STORE_CTX* x509_ctx)
{
	return 1;
}
void test_invalid_cert() {
	auto http_client = httplib::Client::Client("https://server:20443");
	SSL_CTX_set_verify(http_client.ssl_context(), SSL_VERIFY_PEER, always_valid_callback);
	auto result = http_client.Get("healthz");
	auto error = result.error();
	if (error == httplib::Error::SSLServerVerification) {
		// I end here
	}
}

I also checked the following sites, but I did not find a solution for my problem:

Hopefully someone already solved this issue and can tell me what I am doing wrong. Thanks in advance.

Does http_client.enable_server_certificate_verification(false); work?

Hello @yhirose,
thank you for the quick response. I changed the code like you suggested. Now I get the HTTP status code 405 (the member reason in the result object contains the message "Method Not Allowed"). If I do an HTTP GET of https://server:20443/healthz in the Chrome browser and I ignore the certificate warning, then I get the body and it is shown in the browser.

What else can I try? Thanks in advance again.

void test_invalid_cert() {
	auto http_client = httplib::Client::Client("https://server:20443");
	http_client.enable_server_certificate_verification(false);
	auto result = http_client.Get("healthz");
	auto error = result.error();
	if (error == httplib::Error::Success && result->status == 405) {
		// Now I end here
		assert(false);
	}
}

@ohainz unless we understand why the server returned 405, we cannot do anything for it. Could it be missing HTTP header information that the server requires, or does the server require particular user agents? Anyway, I am sorry that I can't give you a meaningful answer...

Hello @yhirose,
thanks again for your answer and your time.
I searched for an alternative. I switched to libcurl now. There is also a package available in VCPKG which is already in use in the project of our company (for all with similar issues).
After one and a half days everything works fine with libcurl.
libcurl is not as easy to use as your cpp-httplib, but it solves my problem.
I wish you all the best for the future...

@ohainz glad to hear that you fixed the issue with libcurl. I think it's too late though, but I found the following information.

The server must generate an Allow header field in a 405 status code response. The field must contain a list of methods that the target resource currently supports.

So you may find a list of available methods on the target server in the 405 response.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/405
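
To act on the Allow field mentioned above, the following added example (not code from this thread or from cpp-httplib) reads the allowed methods out of a raw 405 response head, covering repeated Allow lines, case-insensitive header names and an empty list. The function names and the sample response are constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Lower-case copy, used for case-insensitive header-name comparison.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Strip optional whitespace (space, tab, CR) around a header token.
static std::string trim(const std::string& s) {
    const char* ws = " \t\r";
    auto b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    return s.substr(b, s.find_last_not_of(ws) - b + 1);
}

// Collect the methods from every Allow header in a raw response head.
// Allow may be repeated and is a comma-separated list; an empty list is valid.
std::vector<std::string> allowed_methods(const std::string& raw_head) {
    std::vector<std::string> methods;
    std::istringstream lines(raw_head);
    std::string line;
    std::getline(lines, line);  // skip the status line
    while (std::getline(lines, line) && !trim(line).empty()) {
        auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        if (lower(trim(line.substr(0, colon))) != "allow") continue;
        std::istringstream list(line.substr(colon + 1));
        std::string item;
        while (std::getline(list, item, ',')) {
            item = trim(item);
            if (!item.empty()) methods.push_back(item);
        }
    }
    return methods;
}

// True when the method is listed (HTTP method tokens are case-sensitive).
bool is_allowed(const std::vector<std::string>& methods, const std::string& m) {
    return std::find(methods.begin(), methods.end(), m) != methods.end();
}

// Constructed sample: a 405 response head with two Allow lines.
const std::string kSample405 =
    "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n"
    "allow: POST, PUT\r\nAllow: OPTIONS\r\n\r\n";
```

With cpp-httplib the header value itself is available from the response object via `result->get_header_value("Allow")`.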

Thank you again.