Question

A few years ago I wrote a Delphi app which opens an intranet site in TWebBrowser. The app works fine on Windows XP SP3, but on Windows 7, TWebBrowser shows the IE8-style red certificate error page. Moreover, clicking on "Continue to this website" doesn't open the page. Interestingly, when I open the page either in IE8 on Windows XP, or in IE9 on Windows 7, it opens successfully, and the browsers report no certificate error.

Is it possible to configure TWebBrowser or the application or Windows itself in a way which eliminates the certificate error page?

I've tried to run the app in admin mode, with and without Windows XP compatibility mode. I've installed the certificate of the page into every reasonable cert store. I played with the security settings of IE, and the Internet Explorer FeatureControl settings in the registry. None of these helped.

Solution

(I rewrote my answer after David Heffernan's comments.)

1. Workaround

Turning off "Check for server certificate revocation" in "Internet Options\Advanced\Security" eliminated the certificate error page in TWebBrowser. Note that turning off revocation checking opens a security hole (thanks to David Heffernan for emphasizing this in his comments).

[Image: Certificate Revocation Checkbox]

2. Difference between Windows XP and 7

The different behavior was due to the fact that this option is turned off on Windows XP by default, but turned on on Windows 7. It's strange that this security setting is handled differently on different OS versions. Windows XP should have been patched to turn this setting on by default.

3. The problem with the certificate

When revocation checking is turned on, IE reports that there is no problem with the site's certificate and every certificate in the certificate chain is OK. This is misleading, because if the Internet Explorer Feature Control FEATURE_WARN_ON_SEC_CERT_REV_FAILED is also turned on, IE displays a Certificate Warning which says "Internet Explorer was unable to contact the issuer to ensure the certificate has not been revoked".

[Image: Certificate Issuer Unreachable]

4. The effect of Silent Mode

When revocation checking is turned on, and the issuer cannot be contacted, TWebBrowser shows a Security Alert popup with the text "Revocation information for the security certificate for this site is not available. Do you want to proceed?" Unfortunately, when the TWebBrowser.Silent property is True, the prompt is suppressed and "No" is automatically chosen. In my case, Silent Mode was turned on because I wanted to hide the JavaScript errors of the page, so TWebBrowser jumped directly to the certificate error page, and didn't let me proceed.

[Image: Revocation Information Unavailable]

5. The solution

The security hole can be avoided by enabling the revocation check, but in this case TWebBrowser.Silent must be False, and the user will have to close every popup manually (on the above Security Alert popup "Yes" must be clicked). Since my app uses the site automatically (based on code written in PascalScript), it has to close every popup itself (this feature has already been implemented for Confirm popups).
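
A check for the two settings named in the answer, as an added example that is not part of the original post: it reads the current user's revocation-checking option and the FEATURE_WARN_ON_SEC_CERT_REV_FAILED entry for one host executable, and flags the configuration in which revocation checking has been switched off. The registry locations are the standard Internet Explorer ones and do not appear on the page; `MyApp.exe` is a placeholder for the program that hosts TWebBrowser.

```powershell
# Added example: audit the IE/WebBrowser settings discussed above (current user only).
# Assumption: 'MyApp.exe' is a placeholder for the executable hosting TWebBrowser.
param([string]$HostExe = 'MyApp.exe')

# Standard IE registry locations (not quoted on the page).
$inetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$featureKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\' +
              'FEATURE_WARN_ON_SEC_CERT_REV_FAILED'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-Assessment {
    param($Value, [string]$WhenOn, [string]$WhenOff)
    if ($null -eq $Value) { return 'Not set: OS default applies' }
    if ($Value -eq 1)     { return $WhenOn }
    return $WhenOff
}

# "Check for server certificate revocation" in Internet Options\Advanced\Security.
$revocation = Get-RegDword -Path $inetKey -Name 'CertificateRevocation'
# Per-process feature control: the value name is the host executable's file name.
$warnOnFail = Get-RegDword -Path $featureKey -Name $HostExe

[pscustomobject]@{
    Setting    = 'Check for server certificate revocation'
    Value      = $revocation
    Assessment = Get-Assessment $revocation `
                     'OK: revocation checking enabled' `
                     'WARNING: revocation checking disabled (the workaround state)'
}
[pscustomobject]@{
    Setting    = "FEATURE_WARN_ON_SEC_CERT_REV_FAILED for $HostExe"
    Value      = $warnOnFail
    Assessment = Get-Assessment $warnOnFail `
                     'Enabled: unreachable issuer produces a certificate warning' `
                     'Disabled: revocation failures are not surfaced as a warning'
}
```

Machine-wide or Group Policy values can override the per-user values read here, so a clean result for one user does not cover the whole machine.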

Licensed under: CC-BY-SA with attribution