Checking for valid SSL certificate on remote server

  • Checking for valid SSL certificate on remote server

    A customer has requested a way to validate whether the web server from which the TrueUpdate data files and/or updaters, installers or patches are to be downloaded has a valid SSL certificate, to make the update process more secure (i.e. "man in the middle" attack). Assuming that somehow a server could be impersonated, using a self-signed or invalid SSL certificate, an attempt like this could be detected before any file is downloaded from this location. If desired, an error message could be displayed, reporting an issue found with the SSL certificate, such as these examples, or the whole process could just terminate silently without alerting the end user about a problem, giving you some time to work on the issue.

    [Screenshot: SCRN-2020-10-13-01.png]

    The plugin can test if a common name on the certificate matches the server name, or if it is on the list of "subject alternative names", or SANs. It should work with wildcard certificates, such as "*".

    How to use:

    After installing, add the plugin to the project.

    [Screenshot: SCRN-2020-10-13-05.png]

    You could add a test of the SSL certificate at the start of the Client Script, log the error, and abort.

    [Screenshot: SCRN-2020-10-13-01.png]

    Possible error codes provided by this plugin include:

    12182 - Invalid certificate.
    12183 - Certificate chain broken.
    12184 - Expired certificate found.
    12185 - Self-signed certificate detected.
    12186 - Attempt to use an untrusted root certificate.
    12187 - Revoked certificate found.
    12188 - Server name does not match certificate.
    12189 - Could not load certificate.
    12190 - OCSP check failed.

    I have implemented the action HTTP.IsValidCertificate() in my existing HTTP plugin, which also allows submitting multipart forms (submitting files to a remote web server) via HTTP or HTTPS, as well as resuming aborted or incomplete downloads from web servers via HTTP and HTTPS.

    The installer of this plugin will deploy the required files for AutoPlay Media Studio 7 and 8, Setup Factory 8 and 9, TrueUpdate and Visual Patch, and can be downloaded from here.


    Download and further info
    Last edited by Ted Sullivan; 06-24-2021, 10:54 AM.
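
The name and expiry checks described in the post above, as an added Python example that is not the plugin's code and not part of the original post. The function names are hypothetical, the rule that a wildcard covers only the whole leftmost label is an assumption about matching rather than the plugin's documented behaviour, and the sample certificate is constructed; only the two error codes come from the post.

```python
import ssl

# Error codes as listed in the post; the function names below are hypothetical.
ERR_EXPIRED = 12184        # Expired certificate found.
ERR_NAME_MISMATCH = 12188  # Server name does not match certificate.


def name_matches(pattern, host):
    """Match one certificate name against the server name.

    Assumption: a wildcard is accepted only as the entire leftmost label and
    stands for exactly one label, so "*.example.com" covers "dl.example.com"
    but neither "example.com" nor "a.dl.example.com".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def cert_names(cert):
    """Collect common name(s) and DNS SANs from a getpeercert()-style dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def check_certificate(cert, server_name, now):
    """Return one of the post's error codes, or None when both checks pass."""
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return ERR_EXPIRED
    if not any(name_matches(n, server_name) for n in cert_names(cert)):
        return ERR_NAME_MISMATCH
    return None


# Constructed sample certificate in the dict layout of ssl.SSLSocket.getpeercert().
SAMPLE = {
    "subject": ((("commonName", "updates.example.com"),),),
    "subjectAltName": (("DNS", "updates.example.com"), ("DNS", "*.cdn.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

The `now` argument is a Unix timestamp, so the expiry check can be exercised against fixed times instead of the system clock.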