
I use a third party tool by the name of DwinsHs for Inno Setup.

This third party tool provides me the capability for downloading files as part of the installation.

I want to send an HTTPS request using the function DwinsHs_ReadRemoteURL.
I want the request to ignore all TLS (SSL) certificate errors but I can't find a way.

This third party tool is Open Source and this function is defined in dwinshs.iss, which you get by downloading the third party tool.

How can I ignore all SSL certificate errors in an HTTPS request using DwinsHs_ReadRemoteURL in the third party tool DwinsHs?

Martin Prikryl
yuval

1 Answer

1

The dwinshs.iss uses the WinInet API. With this API, to ignore the unknown CA error, you have to call the InternetSetOption function.

That's somewhat complicated as it takes a pointer to an integer with the security flags as its argument. Inno Setup does not support pointers to integers. But it supports pointers to structures (as you have commented). So you can wrap the integer in a structure.

You need to declare an alternative name for `InternetSetOption` that takes the structure instead of the string (again, as Inno Setup does not support generic pointers; otherwise a single declaration would suffice).

```pascal
const
  INTERNET_OPTION_SECURITY_FLAGS = 31;
  SECURITY_FLAG_IGNORE_UNKNOWN_CA = $00000100;

type
  TInteger = record
    Value: Integer;
  end;

function InternetSetOptionInt(
  hInet: HINTERNET; dwOption: DWORD; var lpBuffer: TInteger; dwBufferLength: DWORD): BOOL;
  external 'InternetSetOptionA@wininet.dll stdcall delayload setuponly';
```

And use it like:

```pascal
{ SecurityFlags is a local variable declared as: var SecurityFlags: TInteger; }
SecurityFlags.Value := SECURITY_FLAG_IGNORE_UNKNOWN_CA;
InternetSetOptionInt(
  hRequest, INTERNET_OPTION_SECURITY_FLAGS, SecurityFlags, SizeOf(SecurityFlags));
```

(after the hRequest is assigned in dwinshs.iss).


Or use plain HTTP instead. HTTPS set to ignore certificate errors is not secure anyway.


Or use a different library to download the files.

The Inno Download Plugin can ignore all certificate errors with:

```pascal
idpSetOption('InvalidCert', 'ignore');
```
Martin Prikryl
  • Invalid number of parameters in the function `InternetSetOption` – yuval Mar 22 '16 at 12:51
  • I also tried just using a plain HTTP request but it fails with error code 6, but when I use a website with a valid certificate it executes successfully. Could it be that HTTP requests check a certificate somehow? – yuval Mar 22 '16 at 13:02
  • And I have clients that block HTTP but not HTTPS to make my situation worse. – yuval Mar 22 '16 at 13:03
  • I'm having problems using the Inno Download Plugin in my code. I use the `DwinsHs_ReadRemoteURL` `OnRead` callback to update my progress bar. I don't see any options in this plugin to update my own progress bar. – yuval Mar 22 '16 at 14:57
  • I will open a new question for this – yuval Mar 22 '16 at 15:01
  • I see the use of `InternetSetOption` in `dwinshs.iss`. If they use `InternetSetOption` then why can't I? – yuval Mar 23 '16 at 11:20
  • http://stackoverflow.com/a/12601867/1538099, this post shows how to use pointers for external dlls – yuval Mar 23 '16 at 11:52
  • Still doesn't work, what did you mean by `SizeOf(SecurityFlagsSize)`? I just used `SizeOf(SecurityFlags)`. Maybe that's why it still doesn't work? – yuval Mar 23 '16 at 13:02
  • I still can't download with an invalid certificate – yuval Mar 23 '16 at 13:04
  • It's a self signed certificate on my localhost – yuval Mar 23 '16 at 13:07
  • `InternetSetOptionInt` returns false – yuval Mar 23 '16 at 13:08
  • `DLLGetLastError` returns 0, I do `InternetSetOptionInt` after `Result := CONNECT_ERROR_OPENSESSION;` just like you recommended. – yuval Mar 23 '16 at 13:12
  • Now `InternetSetOptionInt` returns true but the download still doesn't work when I do an HTTPS request – yuval Mar 23 '16 at 13:20
  • It works once I changed `SECURITY_FLAG_IGNORE_UNKNOWN_CA = $00000100;` to `SECURITY_FLAG_IGNORE_UNKNOWN_CA = $00003300;` – yuval Mar 23 '16 at 13:29
  • Good! + You better define `SECURITY_FLAG_IGNORE_CERT_CN_INVALID = $00001000` `SECURITY_FLAG_IGNORE_CERT_DATE_INVALID = $00002000` etc – Martin Prikryl Mar 23 '16 at 13:46
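
An added example for code review, not part of the original answer, the comments, or DwinsHs: a Python check that scans an Inno Setup script for the two switches discussed above and reports which certificate checks each one turns off. It shows that `$00003300` stored under the name `SECURITY_FLAG_IGNORE_UNKNOWN_CA` disables four checks, not one. The function names and the sample script are constructed for illustration; the bit values are the `SECURITY_FLAG_IGNORE_*` definitions from `wininet.h`.

```python
import re

# WinInet SECURITY_FLAG_IGNORE_* bits; values as defined in wininet.h.
IGNORE_BITS = {
    0x0080: "REVOCATION",
    0x0100: "UNKNOWN_CA",
    0x0200: "WRONG_USAGE",
    0x1000: "CERT_CN_INVALID",
    0x2000: "CERT_DATE_INVALID",
}
CONST_RE = re.compile(
    r"^[ \t]*(SECURITY_FLAG_\w+)\s*=\s*(\$[0-9A-F]+|\d+)\s*;", re.I | re.M)
IDP_RE = re.compile(r"idpSetOption\(\s*'InvalidCert'\s*,\s*'ignore'\s*\)", re.I)


def decode_mask(mask):
    """Names of the certificate checks that a flags value switches off."""
    return [name for bit, name in sorted(IGNORE_BITS.items()) if mask & bit]


def audit_iss(text):
    """Return sorted (line, identifier, disabled checks) findings."""
    text = re.sub(r"//[^\n]*", "", text)  # drop line comments, keep newlines
    findings = []
    for m in CONST_RE.finditer(text):
        raw = m.group(2)
        value = int(raw[1:], 16) if raw.startswith("$") else int(raw)
        disabled = decode_mask(value)
        if disabled:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1), disabled))
    for m in IDP_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, "idpSetOption", ["ALL"]))
    return sorted(findings)


# Constructed sample script: the constant as finally used in the comments
# above, plus the Inno Download Plugin call from the answer.
SAMPLE = """\
const
  INTERNET_OPTION_SECURITY_FLAGS = 31;
  SECURITY_FLAG_IGNORE_UNKNOWN_CA = $00003300;
// idpSetOption('InvalidCert', 'ignore');
begin
  idpSetOption('InvalidCert', 'ignore');
end;
"""

if __name__ == "__main__":
    for line, ident, disabled in audit_iss(SAMPLE):
        print(f"line {line}: {ident} disables {', '.join(disabled)}")
```

A finding means the constant or call exists in the script, not that it is reached at run time, so each hit still needs a look at where the value is passed.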