POST request with SSL certificate

Added by Marcelo Antunes over 3 years ago

I need to send data to a webservice that needs an SSL cert.

The ssl cert has a password.

    auto client = form->addChild(std::make_unique<Wt::Http::Client>());
    client->setTimeout(std::chrono::seconds{15});
    client->setMaximumResponseSize(10 * 1024);
    client->setSslCertificateVerificationEnabled(true);
    client->setSslVerifyPath("folder path"); // the cert is inside that folder with pfx extension

    Wt::Http::Message message; // plain stack object, nothing to leak
    message.addHeader("Content-Type", "text/xml; charset=utf-8");
    message.setHeader("Accept", "text/xml, multipart/related");

    message.addBodyText(xmlData.toStdString());

    client->done().connect(std::bind(&WebService::handleHttpResponse, this, std::placeholders::_1, std::placeholders::_2));
    if (client->post(_urlDocument.toString().toStdString(), message))
        Wt::WApplication::instance()->deferRendering();
    else {
        // in case of an error in the URL
    }

How do I use that certificate with a password?

Regards

Marcelo


Replies (7)

RE: POST request with SSL certificate - Added by Wim Dumon over 3 years ago

Hello Marcelo,

From your question, I deduce that you want to use client certificates to identify the client with the server. The Http client currently does not support client certificates.

The methods you call are related to server authentication: you can either enable or disable this verification, and provide a list of root certificates that should be used for that verification.

Wim.

RE: POST request with SSL certificate - Added by Marcelo Antunes over 3 years ago

The webservice isn't mine; it is an external webservice.

RE: POST request with SSL certificate - Added by Wim Dumon over 3 years ago

Hey Marcelo,

It doesn't look like this functionality can be added to the http client without modifying Wt/Http/Client.C. On the other hand, boost.asio documentation is a bit thin on details wrt how client certificates should be bound to a connection.

I believe that in Client::request, in the if-branch covering the case parsedUrl.protocol == "https", you can add client certificate support by adding calls to the boost::asio::context object:

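    if (!clientCertFile_.empty() && !clientKeyFile_.empty()) {
      // Register the callback first: the password is requested while the key is loaded
      context.set_password_callback(...); // std::bind, function, lambda, ..., possibly to a virtual function of Http::Client
      context.use_certificate_file(clientCertFile_, boost::asio::ssl::context::pem);
      // The private key comes from the key file, not the certificate file
      context.use_private_key_file(clientKeyFile_, boost::asio::ssl::context::pem);
    }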

See also https://www.boost.org/doc/libs/1_74_0/doc/html/boost_asio/reference/ssl__context.html

BR,

Wim.

RE: POST request with SSL certificate - Added by Marcelo Antunes over 3 years ago

So what is the function of these functions on http::client?

  void setSslCertificateVerificationEnabled(bool enabled);
  bool isSslCertificateVerificationEnabled() const { return verifyEnabled_; }
  void setSslVerifyFile(const std::string& verifyFile);

regards

Marcelo

RE: POST request with SSL certificate - Added by Wim Dumon over 3 years ago

Turning on/off the verification of the certificate presented by the server.

RE: POST request with SSL certificate - Added by Marcelo Antunes over 3 years ago

Wim Dumon wrote:

Turning on/off the verification of the certificate presented by the server.

This means using the same cert that the server uses to auth on the webservice?

If the client class allows choosing a cert, why is it not used to auth on the remote webservice?

RE: POST request with SSL certificate - Added by Wim Dumon over 3 years ago

Hey,

When using Http::Client, I refer to the computer running the Http::Client as the client, and the computer targeted by the URL as the server. These methods refer to the certificate that is presented by that server, by which it proves that you're actually talking to the correct server, and not to a man in the middle or a hijacked computer.

It is called 'setSslVerifyFile', because it allows you to set the root certificate against which the server certificate is verified for validity.

Client certificates, by which a client proves its identity to a server, are not that often used. Most cases I know of are when the client is authenticated by means of a smart card. More often clients are identified by pre-shared keys, tokens, OAuth, ...

BR,

Wim.
