Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

HTTPS Server Certificate Require Hostname Match

See more HTTP Examples

Demonstrates and explains the RequireHostnameMatch property.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Http;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  http: THttp;
  html: string;

begin
  //  The RequireHostnameMatch property was added in Chilkat v11.0.0
  //  to ensure the URL's hostname matches at least one of the server certificate SAN's (Subject Alternative Names)
  //  
  //  In actuality, it is the SNI hostname that must match.  If the SNI hostname is not explicitly set,
  //  then Chilkat uses the hostname from the URL as the SNI hostname.

  //  Here's an example using chilkatsoft.com
  //  The SSL server certificate for chilkatsoft.com has 2 Subject Alternative Names:
  //  
  //  1) DNS Name: *.chilkatsoft.com
  //  2) DNS Name: chilkatsoft.com
  //  
  //  See Explaining the SNI Hostname in TLS

  http := THttp.Create;

  http.RequireHostnameMatch := True;

  //  This should succeed because "www.chilkatsoft.com" matches the SAN entry "*.chilkatsoft.com"
  html := http.QuickGetStr('https://www.chilkatsoft.com/helloWorld.html');
  WriteLn('1) Succeeded: ' + http.LastMethodSuccess);

  //  At the time of writing this example, the IP address for chilkatsoft.com is 3.101.18.47
  //  If we send the request using the IP address, it will fail because the IP address is does 
  //  not match any of the SAN entries in the server certificate.
  html := http.QuickGetStr('https://3.101.18.47/helloWorld.html');
  WriteLn('2) Succeeded: ' + http.LastMethodSuccess);

  //  However, it will succeed if we explicitly set the SNI hostname.
  http.SniHostname := 'www.chilkatsoft.com';
  html := http.QuickGetStr('https://3.101.18.47/helloWorld.html');
  WriteLn('3) Succeeded: ' + http.LastMethodSuccess);

  //  Remove our explicit SNI hostname.
  http.SniHostname := '';

  //  Now let's try wrong.host.badssl.com
  //  The SSL server certificate for badssl.com has 2 Subject Alternative Names:
  //  
  //  1) DNS Name: *.badssl.com
  //  2) DNS Name: badssl.com

  //  The domain wrong.host.badssl.com will fail the RequireHostnameMatch because
  //  the wildcarded domain SAN entry only extends 1 level deep.  
  html := http.QuickGetStr('https://wrong.host.badssl.com/');
  WriteLn('4) Succeeded: ' + http.LastMethodSuccess);

  //  The expected output is:
  //  1) Succeeded: True
  //  2) Succeeded: False
  //  3) Succeeded: True
  //  4) Succeeded: False


  http.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.