Delphi 7 Indy 10 HTTPS

I have an old program I inherited that I'm required to maintain and Delphi is not a language I regularly use. From what I can see, the program uses an http proxy server to monitor pages as they are loaded into a browser control. Depending on the name and/or the content of the pages, the http proxy server does various tasks. All has been good up until now. The client wishes to now use https for their pages and I was wondering how can I get the http proxy server to be able to deal with https pages and keep the client happy.

I did try to add an IdSSLIOHandlerSocketOpenSSL to the program and set it as the default handler for the http proxy server but it either didn't work or I didn't set it up correctly.

Edited by: Micheal Holman on Dec 15, 2013 4:17 AM
0
Micheal
12/15/2013 12:18:11 PM
embarcadero.delphi.winsock

Micheal wrote:

> The client wishes to now use https for their pages and I was wondering
> how can I get the http proxy server to be able to deal with https pages
> and keep the client happy.

The problem with doing that is HTTPS is encrypted, and as such works differently 
over proxies than unencrypted HTTP does.

Depending on the type of proxy used, there are two possible configurations:

1) if the proxy is an HTTP proxy, an HTTP client can send unencrypted HTTP 
requests directly to the proxy, specifying the host/port of the target HTTP 
server, and the proxy will forward the requests/responses accordingly.  This 
allows the proxy to have full access to the unencrypted URLs/content.  However, 
for HTTPS, the only way for the proxy to gain access to the decrypted URLs/content 
is if the proxy acts as its own HTTPS server, negotiating an HTTPS session 
directly with the client, and then establishes a separate HTTPS session with 
the target HTTPS server, and then passes data between the two sessions as 
needed.

2) if the proxy is not an HTTP proxy (i.e., SOCKS, etc), an HTTP(S) client 
must first instruct the proxy to establish a base TCP connection to the target 
HTTP(S) server, then any HTTP(S) requests/responses are exchanged directly 
with the target HTTP(S) server, not with the proxy.  The proxy is just an 
intermediate pass-through of raw data.  In order to determine the URLs/content, 
the proxy would have to manually parse the data that is flowing through it. 
 However, in this scenario, an HTTPS session is negotiated between the client 
and the target server directly, and as such the proxy will not be able to 
decrypt the HTTPS requests/responses unless it parses out the security keys 
from the SSL/TLS handshake.

So, to do what you are asking for, you first need to identify what kind of 
proxy you are working with, and how the webbrowser interacts with it.  Only 
then can you determine whether or not you will be able to monitor HTTPS traffic 
through it.

--
Remy Lebeau (TeamB)
0
Remy
12/15/2013 7:52:30 PM
From what I can see it is an HTTP Proxy Server control with default settings so my guess would be an HTTP proxy. The original programmer then added custom code to the TransferData procedure to check for filenames in the HTTPProxyServerContext as they passed through.

This poses another question, if I were to update the program to a later version of Delphi, how would I go about adding the custom code to the TransferData procedure? I have had a look with a trial version of XE5 and I guess all the Indy controls are precompiled?

Edited by: Micheal Holman on Dec 15, 2013 8:36 PM
0
Micheal
12/16/2013 4:38:17 AM
Micheal wrote:

> From what I can see it is an HTTP Proxy Server control with default
> settings so my guess would be an HTTP proxy. The original programmer
> then added custom code to the TransferData procedure to check for
> filenames in the HTTPProxyServerContext as they passed through.

You did not say that you were using Indy's TIdHTTPProxyServer component. 
 It can only grab HTTP details for #1 in my earlier list of possible proxy 
configurations.  However, HTTPS proxying typically uses #2 instead, via an 
HTTP "CONNECT" request to tell an HTTP proxy where to connect to before the 
HTTPS session can then be negotiated, thus preventing TIdHTTPProxyServer 
from being able to decrypt the HTTPS traffic since it does not have the encryption 
keys to do so.

> This poses another question, if I were to update the program to a
> later version of Delphi, how would I go about adding the custom code
> to the TransferData procedure? I have had a look with a trial version
> of XE5 and I guess all the Indy controls are precompiled?

Yes, they are.  You would have to remove the pre-installed version and then 
recompile Indy's source code.

--
Remy Lebeau (TeamB)
0
Remy
12/16/2013 7:44:58 PM
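Added example, not part of the thread and not Indy code: a small Python classifier for the request line a browser sends to an HTTP proxy, showing what a monitoring proxy can still read in each of the two cases described above. The function name `proxy_visibility` and the sample host `intranet.example` are constructed for illustration; the port 443 fallback for a bare host is an assumption of this sketch.

```python
from urllib.parse import urlsplit


def proxy_visibility(request_line: str) -> dict:
    """Report what a forwarding HTTP proxy can read from one request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target, _version = parts

    if method.upper() == "CONNECT":
        # authority-form target: only "host:port" is sent in the clear.
        # After the proxy answers 200, the bytes are a TLS session between
        # browser and server, so URL paths and page content stay hidden.
        host, sep, port = target.rpartition(":")
        if not sep or target.endswith("]"):
            # No port given (bare host or bare IPv6 literal): assume 443.
            host, port = target, "443"
        if not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError("bad CONNECT authority: %r" % target)
        return {"mode": "tunnel", "host": host.strip("[]"),
                "port": int(port), "path": None}

    # absolute-form target: plain HTTP through a proxy carries the full URL,
    # which is what filename checks in a proxy's transfer hook rely on.
    url = urlsplit(target)
    if url.scheme.lower() != "http" or not url.hostname:
        raise ValueError("not an absolute http:// target: %r" % target)
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return {"mode": "plain", "host": url.hostname,
            "port": url.port or 80, "path": path}


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    for line in ("GET http://intranet.example/reports/q3.pdf HTTP/1.1",
                 "CONNECT intranet.example:443 HTTP/1.1"):
        print(line, "->", proxy_visibility(line))
```

For the `CONNECT` line the result has `path` set to `None`: the file name the original program matched on never reaches the proxy unless it terminates TLS itself.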
Sorry, I should have been more explicit.

Is there any sample code and/or a control that can do what I need or is it a lost cause?

Edited by: Micheal Holman on Dec 17, 2013 1:01 AM

Edited by: Micheal Holman on Dec 17, 2013 1:02 AM
1
Micheal
12/17/2013 9:02:23 AM
Hello Micheal,

> Sorry, I should have been more explicit.
> 
> Is there any sample code and/or a control that can do what I need or
> is it a lost cause?

What you are looking for requires implementing a man-in-the-middle proxy, 
where the proxy establishes its own HTTPS session with the webbrowser, and 
connects to the target server to establish a separate HTTPS session, and 
then passes data between them.  TIdHTTPProxyServer is not designed to support 
that.  It might be doable with some tweaking, but you are likely better off 
using TIdHTTPServer instead of TIdHTTPProxyServer, and then handle the 'CONNECT' 
request manually in the TIdHTTPServer.OnCommandOther event, for example (untested):

{code}
// requires units: SysUtils, IdGlobal, IdContext, IdCustomHTTPServer,
// IdHTTPServer, IdTCPClient, IdSSLOpenSSL

// don't let TIdHTTPServer automatically activate SSL with connected
// clients so that can be handled manually in the OnCommandOther event...
procedure TMyForm.IdHTTPServer1QuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
begin
  VUseSSL := False;
end;

// make sure a TIdServerIOHandlerSSLOpenSSL component is assigned to
// the TIdHTTPServer.IOHandler property before activating the server...
procedure TMyForm.IdHTTPServer1CommandOther(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
var
  S: string;
  LClient: TIdTCPClient;
  LBuf: TIdBytes;
  Len: Integer;
begin
  if not TextIsSame(ARequestInfo.Command, 'CONNECT') then Exit;

  LClient := TIdTCPClient.Create(nil);
  try
    // the CONNECT target is "host:port"; default to 443 if no port is given
    S := ARequestInfo.URI;
    LClient.Host := Fetch(S, ':', True);
    LClient.Port := StrToIntDef(S, 443);
    LClient.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LClient);
    // PassThrough defaults to True (no SSL); set it to False so that
    // Connect performs the SSL handshake with the target server
    TIdSSLIOHandlerSocketOpenSSL(LClient.IOHandler).PassThrough := False;

    LClient.ConnectTimeout := 5000;

    // connect and activate SSL between this proxy and the target server
    LClient.Connect;
    try
      AResponseInfo.ResponseNo := 200;
      AResponseInfo.ResponseText := 'Connection established';
      AResponseInfo.WriteHeader;

      // activate SSL between this proxy and the client
      TIdSSLIOHandlerSocketOpenSSL(AContext.Connection.Socket).PassThrough := False;

      // pass data between AContext.Connection.IOHandler and
      // LClient.IOHandler as needed.
      // received data will be decrypted, and sent data will be encrypted...
      while AContext.Connection.Connected and LClient.Connected do
      begin
        // ...
      end;
    finally
      LClient.Disconnect;
    end;
  finally
    LClient.Free;
  end;
end;
{code}

--
Remy Lebeau (TeamB)
0
Remy
12/17/2013 11:05:58 AM
Hi Remy,

I tried adding the code but I'm getting an error on the line where you have ARequestInfo.URI assigned to S. It says that URI is an undeclared identifier?

Mike
0
Micheal
12/21/2013 9:57:17 AM
Micheal wrote:

> I tried adding the code but I'm getting an error on the line where you
> have ARequestInfo.URI assigned to S. It says that URI is an undeclared
> identifier?

Which version of Indy 10 are you actually using?  In the current version, 
URI is a public property of TIdHTTPRequestInfo:

{code}
  TIdHTTPRequestInfo = class(TIdRequestHeaderInfo)
  ...
  public
    ...
    property URI: string read FURI;
    ...
  end;
{code}

And is populated by TIdHTTPServer before triggering any event for a new request.

--
Remy Lebeau (TeamB)
0
Remy
12/22/2013 8:50:57 PM
I'm led to believe it's version 10.5 but I can't confirm it. I'll grab the latest build and get back to you.

Edit: Not 10.5 but 10 build 5064

Edited by: Micheal Holman on Dec 26, 2013 8:04 PM
0
Micheal
12/27/2013 4:05:14 AM
Micheal wrote:

> I'm led to believe it's version 10.5 but I can't confirm it. I'll
> grab the latest build and get back to you.
> 
> Edit: Not 10.5 but 10 build 5064

That would be 10.6.0.5064, in which case you should have the TIdHTTPRequestInfo.URI 
property available.  Make sure you cleaned out any older versions that might 
be interfering with the compiler.

--
Remy Lebeau (TeamB)
0
Remy
12/29/2013 1:29:38 AM
Thanks for your help so far. I think the project has been abandoned, at least in its current form. I might try again with a trial of the latest Delphi at some point.
0
Micheal
2/26/2014 2:39:09 AM