
I have code that was tested (and approved) using HTTP requests. Release was scheduled for tomorrow... but the first test of our client against the (third party) release server reveals that it demands HTTPS. At least superficially, the one (and only?) part of our code that will need to change is:

```cpp
HTTPClientSession session( myUri.GetHost(), myUri.GetPort() );
```

And the change required seems to be:

```cpp
HTTPSClientSession session( myUri.GetHost(), myUri.GetPort(), context );
```

What is a simple, direct way to establish that context? My closest guess is to follow the lead of this question, but...

I am blissfully ignorant of the SSL layer that supports HTTPS - do I need to obtain a certificate? This question seems to suggest that client connections like mine generally don't need a certificate (the access to the server requires a login)... but if that's the case... what do you do instead? Am I even right to use an HTTPSClientSession?

omatai
  • I'm not familiar with POCO - but is your code running inside a parent web-server (like as an ISAPI module or Apache `mod_`?) or running behind a reverse-proxy (like `nginx` or IIS ARR)? Or is your C++ binary's HTTP listener socket directly exposed to the Internet? – Dai Dec 18 '19 at 08:14
  • ...because if it's a module inside a parent web-server or behind a reverse-proxy, then you don't configure TLS/HTTPS inside your application code but only in the webserver or reverse-proxy. – Dai Dec 18 '19 at 08:14
  • You're asking questions above my pay grade :-) Definitely not either of the first two cases. Might be the last case... but if there are listener sockets, that's a big surprise - this is a client connection; surely it is the server that is listening? Maybe my question was unclear - I'll edit. – omatai Dec 18 '19 at 20:28
  • Update: I am hoping that the answers to this question (https://stackoverflow.com/questions/10875938/how-to-use-openssl-in-poco-c-library-correctly) contain what I need, but so far 2 hours' investment has not yielded success – omatai Dec 18 '19 at 22:15

1 Answer


First, you'll need to add a layer of SSL functionality to Poco by installing OpenSSL. Build OpenSSL and the corresponding Poco modules (taking care to produce the correct 32- or 64-bit versions for your deployment). On Windows, this will add libssl.dll, libcrypto.dll, PocoNetSSL.dll and PocoCrypto.dll to the DLLs you are already using.

When it comes to the code, this question has two answers that both give informative examples of how to use HTTPSClientSession. The first answer adds only a single line of code to what you already have, but it uses VERIFY_NONE, and so bypasses certificate verification. The second answer uses VERIFY_STRICT and goes to the other extreme. Whether you choose either, or something in between, will depend on your application. In my application, HTTPS had essentially no benefit at all, and the first (simpler) answer worked immediately out of the box. The second answer did not immediately work, so I can't comment further on it.

omatai