openssl socket accepts invalid certificates

Original Reporter info from Mantis: BeniBela @benibela
  • Reporter name: Benito van der Zander

Description:

With the default settings TFPHttpClient opens these pages, which it must not do:

https://expired.badssl.com/
https://wrong.host.badssl.com/
https://self-signed.badssl.com/
https://untrusted-root.badssl.com/

Even after enabling VerifyPeerCert, it still accepts wrong.host.badssl.com.

Steps to reproduce:

Enabling VerifyPeerCert (which seems to be a rather convoluted way):

type TSecureOpenSSLSocketHandler = class(TOpenSSLSocketHandler)
  constructor create; override;
end;

constructor TSecureOpenSSLSocketHandler.create;
begin
  inherited create;
  VerifyPeerCert := true;                                  { reject peers whose chain does not verify }
  CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt'; { system CA bundle used for verification }
end;

{ make every TFPHttpClient use the verifying handler }
TSSLSocketHandler.SetDefaultHandlerClass(TSecureOpenSSLSocketHandler);

Additional information:

Only OpenSSL 1.0.2+ can check whether the host name is correct, for older versions the certificate needs to be parsed manually: https://wiki.openssl.org/index.php/Hostname_validation

Mantis conversion info:

  • Mantis ID: 37980
  • OS: linux
  • OS Build: opensuse
  • Build: r47006
  • Platform: amd64
  • Version: 3.3.1
  • Fixed in revision: 47340 (#5ec7ffa8)
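As an added regression check (not code from the report, from Free Pascal or from badssl.com), this program applies the handler setup shown in the report and then confirms that each of the four listed hosts is refused while a host with a valid chain is still fetched; under the behaviour described above, wrong.host.badssl.com shows up as a FAIL. The CA bundle path and the control URL https://badssl.com/ are assumptions.

```pascal
program CheckTlsVerification;
{$mode objfpc}{$H+}
uses
  SysUtils, ssockets, opensslsockets, fphttpclient;
type
  { Same enabling pattern as the report: verify peers against the system CA bundle }
  TSecureOpenSSLSocketHandler = class(TOpenSSLSocketHandler)
    constructor create; override;
  end;
constructor TSecureOpenSSLSocketHandler.create;
begin
  inherited create;
  VerifyPeerCert := true;
  CertCA.FileName := '/etc/ssl/certs/ca-certificates.crt'; { assumed bundle path }
end;
{ Fetches URL; returns True if the outcome (refused or fetched) is the expected one }
function Behaves(const URL: string; WantRefused: Boolean): Boolean;
var
  Refused: Boolean;
begin
  Refused := False;
  try
    TFPHTTPClient.SimpleGet(URL);
  except
    on E: Exception do
    begin
      Refused := True;
      Writeln('  refused (', E.ClassName, '): ', E.Message);
    end;
  end;
  Result := Refused = WantRefused;
  if not Result then
    Writeln('FAIL: ', URL, ' was ', BoolToStr(Refused, 'refused', 'fetched'));
end;
const
  { The four hosts from the report; a verifying client must reject each one }
  MustReject: array[0..3] of string = (
    'https://expired.badssl.com/', 'https://wrong.host.badssl.com/',
    'https://self-signed.badssl.com/', 'https://untrusted-root.badssl.com/');
var
  URL: string;
  Failures: Integer = 0;
begin
  TSSLSocketHandler.SetDefaultHandlerClass(TSecureOpenSSLSocketHandler);
  for URL in MustReject do
    if not Behaves(URL, True) then Inc(Failures);
  { control (assumed URL): a valid chain must still be accepted, else the CA bundle path is wrong }
  if not Behaves('https://badssl.com/', False) then Inc(Failures);
  Halt(Failures); { non-zero exit code means the client is not verifying properly }
end.
```

Run it before and after changing the handler configuration; the exit code makes it usable as a CI gate for the client configuration.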