Changing SSL certificates on the fly in IdHTTPServer

Question

I'm developing a MITM proxy with SSL support in delphi 10.3, using indy. I use IdHttpServer component, which does work in CommandOther event. I managed to make it to decrypt and dump data on the fly, and reencrypt and send it to browser, but I need to change idhttpserver certificate for each domain. I can generate them and install my own CA, but i cant find a way to change them while my proxy is working . I will greatly appreciate if someone will show me how!

 procedure TForm3.IdHTTPServer1CommandOther(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
 var
S: string;
LClient: TIdtcpClient;
 newsize:int64;
LBuf: TIdBytes;
Len: Integer;

var response:integer;
s3: TStringDynArray;
var cmd:string;
bytes:tidbytes;

oldstr,newstr:string;
ResponseCode, ResponseText: string;
  Size: Int64;
ssl:tIdServerIOHandlerSSLopenssl;


begin
 if not TextIsSame(ARequestInfo.Command, 'CONNECT') then Exit;


 LClient := TIdtcpClient.Create(nil);
  try

S := ARequestInfo.URI;
LClient.Host := Fetch(S, ':', True);
LClient.Port := StrToIntDef(S, 443);


LClient.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LClient);


LClient.ConnectTimeout := 5000;



// connect and activate SSL between this proxy and the target server

LClient.Connect;
try
  AResponseInfo.ResponseNo := 200;
  AResponseInfo.ResponseText := 'Connection established';
  AResponseInfo.WriteHeader;


  // activate SSL between this proxy and the client
  TIdSSLIOHandlerSocketOpenSSL(AContext.Connection.Socket).PassThrough:=false;

  // pass data between AContext.Connection.IOHandler and LClient.IOHandler
//as needed.


  // received data will be decrypted, and sent data will be encryted...
  while AContext.Connection.Connected and lclient.Connected do
  begin

    //mitm traffic modification routine      


  end;

finally

 LClient.Disconnect;

end;
 finally
 LClient.Free;

end;
 end;

This is cert switching code:

procedure TForm3.IdHTTPServer1Connect(AContext: TIdContext);
var

SSL: TIdSSLIOHandlerSocketOpenSSL;
begin

if AContext.Connection.Socket.Binding.Port = 443 then
        begin



sslh:=tIdSSLIOHandlerSocketOpenSSL(AContext.Connection.IOHandler);



          sslh.SSLOptions.CertFile:='Certificate.pem';
     sslh.SSLOptions.keyfile:='PrivateKey.pem';
    sslh.SSLOptions.RootCertFile:='certificateAuthorityCertificate.pem';
     sslh.SSLOptions.SSLVersions:=[sslvSSLv23];
     sslh.ssloptions.mode:=sslmBoth;
   sslh.OnGetPassword:= IdServerIOHandlerSSLOpenSSL1GetPassword;

     sslh.PassThrough:=false;

      TIdSSLIOHandlerSocketOpenSSL(AContext.Connection).PassThrough:=false;
       //memo2.Text:=AContext.Connection.IOHandler.ReadLn();

        end;

  end;

On a form I have a tidhttpserver and TIdServerIOHandlerSSLOpenSSL as iohandler for it.

Answer 1

Assign on OnQuerySSLPort event handler that unconditionally sets the VUseSSL parameter to False regardless of the APort requested. Then, in the OnConnect event, if the AContext.Connection.Socket.Binding.Port property is 443 (or whatever port you want to use HTTPS on), you can typecast the AContext.Connection.IOHandler property to TIdSSLIOHandlerSocketBase (or descendant, like TIdSSLIOHandlerSocketOpenSSL if using OpenSSL), configure its certificates as needed, and then set its PassThrough property to False to complete the SSL/TLS handshake.