Pascal (Lazarus/Delphi)
Pascal (Lazarus/Delphi)
HTTPS Server Certificate Require Hostname Match
See more HTTP Examples
Demonstrates and explains the RequireHostnameMatch property.Chilkat Pascal (Lazarus/Delphi) Downloads
program ChilkatDemo;
// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.
{$IFDEF FPC}
{$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}
uses
{$IFDEF UNIX}
cthreads,
{$ENDIF}
SysUtils,
CkDllLoader,
Chilkat.Http;
// ---------------------------------------------------------------------------
procedure RunDemo;
var
http: THttp;
html: string;
begin
// The RequireHostnameMatch property was added in Chilkat v11.0.0
// to ensure the URL's hostname matches at least one of the server certificate SAN's (Subject Alternative Names)
//
// In actuality, it is the SNI hostname that must match. If the SNI hostname is not explicitly set,
// then Chilkat uses the hostname from the URL as the SNI hostname.
// Here's an example using chilkatsoft.com
// The SSL server certificate for chilkatsoft.com has 2 Subject Alternative Names:
//
// 1) DNS Name: *.chilkatsoft.com
// 2) DNS Name: chilkatsoft.com
//
// See Explaining the SNI Hostname in TLS
http := THttp.Create;
http.RequireHostnameMatch := True;
// This should succeed because "www.chilkatsoft.com" matches the SAN entry "*.chilkatsoft.com"
html := http.QuickGetStr('https://www.chilkatsoft.com/helloWorld.html');
WriteLn('1) Succeeded: ' + http.LastMethodSuccess);
// At the time of writing this example, the IP address for chilkatsoft.com is 3.101.18.47
// If we send the request using the IP address, it will fail because the IP address is does
// not match any of the SAN entries in the server certificate.
html := http.QuickGetStr('https://3.101.18.47/helloWorld.html');
WriteLn('2) Succeeded: ' + http.LastMethodSuccess);
// However, it will succeed if we explicitly set the SNI hostname.
http.SniHostname := 'www.chilkatsoft.com';
html := http.QuickGetStr('https://3.101.18.47/helloWorld.html');
WriteLn('3) Succeeded: ' + http.LastMethodSuccess);
// Remove our explicit SNI hostname.
http.SniHostname := '';
// Now let's try wrong.host.badssl.com
// The SSL server certificate for badssl.com has 2 Subject Alternative Names:
//
// 1) DNS Name: *.badssl.com
// 2) DNS Name: badssl.com
// The domain wrong.host.badssl.com will fail the RequireHostnameMatch because
// the wildcarded domain SAN entry only extends 1 level deep.
html := http.QuickGetStr('https://wrong.host.badssl.com/');
WriteLn('4) Succeeded: ' + http.LastMethodSuccess);
// The expected output is:
// 1) Succeeded: True
// 2) Succeeded: False
// 3) Succeeded: True
// 4) Succeeded: False
http.Free;
end;
// ---------------------------------------------------------------------------
begin
try
RunDemo;
except
on E: Exception do
WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
end;
WriteLn;
{$IFDEF MSWINDOWS}
WriteLn('Press Enter to exit...');
ReadLn;
{$ENDIF}
end.