[twsocket] SSL Certificates check
I have updated the SslHandshakeDone(Sender: TObject; ErrCode: Word; PeerCert: TX509Base; var Disconnect: Boolean); event as you mentioned and I used SslVerifyDepth = 15 and

for I := 0 to TCustomSslWSocket(Sender).SslCertChain.Count -1 do
  TCustomSslWSocket(Sender).SslCertChain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');

The first thing I noticed is that only one certificate is saved and this one is the one from the very top of the chain (the CA for all sub-CAs, the one that I posted earlier, you can find it attached). Please advise.

--
To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
[twsocket] SSL Certificates check
Attached cert file.
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> I have updated the SslHandshakeDone(Sender: TObject; ErrCode: Word; PeerCert: TX509Base; var Disconnect: Boolean); event as you mentioned and I used SslVerifyDepth = 15 and
>
> for I := 0 to TCustomSslWSocket(Sender).SslCertChain.Count -1 do
>   TCustomSslWSocket(Sender).SslCertChain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');
>
> The first thing I noticed is that only one certificate is saved and this one is the one from the very top of the chain (the CA for all sub-CAs, the one that I posted earlier, you can find it attached). Please advise.

One certificate is not enough, did you set OK := 1; in the OnSslVerifyPeer event?

--
Arno Garrels
[twsocket] SSL Certificates check
Here are the files with OK := 1;

cert0 = Greatest CA (same as the server's great CA)
cert1 = Intermediary CA (the client's intermediary, different from my server's)
cert2 = Client certificate
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Here are the files with OK := 1;
>
> cert0 = Greatest CA (same as the server's great CA)
> cert1 = Intermediary CA (the client's intermediary, different from my server's)
> cert2 = Client certificate

Use at least OpenSSL version 0.9.8k from: http://wiki.overbyte.be/wiki/index.php/ICS_Download
Newer versions don't have problems with these certificates.

--
Arno Garrels
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Thank you for your time! Indeed updating the OpenSSL version fixed my issue but the following strange thing happens: currently I am using ICS V7 but the highest version supported by my ICS is 0.9.8n and in this case the application still would not work OK.

What does that mean, not work? I tested verification of your certificate chain with 0.9.8n successfully as well as with v1.0.0d.

> The OpenSSL ver 0.9.8r (or higher) is not supported so I used libeay32.dll from the n version and ssleay32.dll from the r version and everything worked OK. Any thoughts on that?

The version checks are only against libeay32.dll so that no error is triggered, however do not do that! Instead upgrade to the latest ICS, downloadable here: http://wiki.overbyte.be/wiki/index.php/ICS_Download
It supports the newest 0.9.8r and 1.0.0d.

--
Arno Garrels
[twsocket] SSL Certificates check
Thank you for your feedback. In my current scenario the certificate structure is as follows:

Server (my application)            |  Client
Root certificate      -same as-       Root certificate
Intermediary CA       -not same as-   Intermediary CA
Server Cert           -not same as-   Client Cert

(With my client certificate issued for me the communication works perfectly but this is not an option as the project specification doesn't allow providing certificates to clients)

When I stated this I was referring to the following certificate structure:

Server (my application)                  |  Client
Root certificate = 0           -same as-     Root certificate = 0
Intermediary CA = 1 signed by 0  -same as-   Intermediary CA = 1
Server Cert = 2 signed by 1    -not same as- Client Cert = 2 signed by 1

Hope this is clear enough. I'm looking forward to your feedback.
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Thank you for your feedback. In my current scenario the certificate structure is as follows:
>
> Server (my application)            |  Client
> Root certificate      -same as-       Root certificate
> Intermediary CA       -not same as-   Intermediary CA
> Server Cert           -not same as-   Client Cert
>
> (With my client certificate issued for me the communication works perfectly but this is not an option as the project specification doesn't allow providing certificates to clients)
>
> When I stated this I was referring to the following certificate structure:
>
> Server (my application)                  |  Client
> Root certificate = 0           -same as-     Root certificate = 0
> Intermediary CA = 1 signed by 0  -same as-   Intermediary CA = 1
> Server Cert = 2 signed by 1    -not same as- Client Cert = 2 signed by 1
>
> Hope this is clear enough. I'm looking forward to your feedback.

Please read my previous message again, I already showed a resolution to this scenario. In short:

1) Use a certificate chain file as the SslCertFile containing both the server's certificate and the server's intermediate CA certificate.
2) Use a SslCAFile containing the root and the client's Intermediary CA certificate.

--
Arno Garrels
[twsocket] SSL Certificates check
Thank you for your prompt response. We already tried your solution and it seems to be working. The issue is as follows: I do not have (access to) the client's certificate (application not developed by me) in order to compose the chains you mentioned. Furthermore I expect that other clients that have the same ROOT as me (but possibly other intermediary CAs and client certs) will connect to my server. I was wondering if there is a possibility to test the certificates at ROOT level and complete a communication and transaction. Please advise!
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Thank you for your prompt response. We already tried your solution and it seems to be working. The issue is as follows: I do not have (access to) the client's certificate (application not developed by me) in order to compose the chains you mentioned.

You do not need the client's certificate since that will always be sent by the client. If the client does NOT send his intermediate CA certificate(s) there is no way for the server to complete the client's certificate chain unless the client's intermediate CA certificate(s) are available locally to the server, i.e. in SslCaFile.

> Furthermore I expect that other clients that have the same ROOT as me (but possibly other intermediary CAs and client certs) will connect to my server. I was wondering if there is a possibility to test the certificates at ROOT level and complete a communication and transaction.

That is only possible if the server is able to build a complete client certificate chain. Usually all CA certificates issued by a root CA are available for download as well. In your case the URL is http://sumo.irisa.fr/html/pki/ but their server currently fails with error "OpenCA Error: Server is not online or does not accept requests."

--
Arno Garrels
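The point Arno makes here and the two-file setup from his previous reply (SslCertFile = own chain, SslCAFile = root plus the client's intermediate) can be replayed offline; the following is an added example, not code from the thread, from ICS or from OpenSSL. It builds a constructed hierarchy shaped like the one in the thread (one shared root, a server-side intermediate, a different client-side intermediate, a client certificate) and uses Go's crypto/x509 chain builder in place of OpenSSL's; the names, the test PKI and the ServerVerify helper are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed test hierarchy: shared root, server-side and client-side intermediates, client leaf.
type PKI struct {
	Root, ServerCA, ClientCA, Client *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tpl for pub with parentKey (the issuer's key); for a self-signed root, parent is tpl itself.
func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey))))
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// BuildPKI generates the whole hierarchy in memory (constructed test data only).
func BuildPKI() PKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, serverCAKey, clientCAKey, clientKey := newKey(), newKey(), newKey(), newKey()
	rootTpl := caTemplate("Test Root CA", 1)
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed
	serverCA := issue(caTemplate("Server Intermediate CA", 2), root, &serverCAKey.PublicKey, rootKey)
	clientCA := issue(caTemplate("Client Intermediate CA", 3), root, &clientCAKey.PublicKey, rootKey)
	clientTpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "client"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return PKI{root, serverCA, clientCA, issue(clientTpl, clientCA, &clientKey.PublicKey, clientCAKey)}
}

// ServerVerify (hypothetical helper) models the server: caFile plays the role of SslCAFile,
// where a self-signed entry is a trust anchor and anything else a locally available
// intermediate; presented is what the client sent, leaf first. nil means a chain was built.
func ServerVerify(caFile, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caFile {
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	for _, c := range presented[1:] { // extra certificates sent by the client
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p := BuildPKI()
	certs := func(c ...*x509.Certificate) []*x509.Certificate { return c }
	cases := []struct {
		name              string
		caFile, presented []*x509.Certificate
	}{
		{"CAFile=root; client sends leaf only", certs(p.Root), certs(p.Client)},
		{"CAFile=root+server's intermediate; leaf only", certs(p.Root, p.ServerCA), certs(p.Client)},
		{"CAFile=root; client sends leaf+its intermediate", certs(p.Root), certs(p.Client, p.ClientCA)},
		{"CAFile=root+client's intermediate; leaf only", certs(p.Root, p.ClientCA), certs(p.Client)},
	}
	for _, c := range cases {
		fmt.Printf("%-50s -> %v\n", c.name, ServerVerify(c.caFile, c.presented))
	}
}
```

Only the last two configurations verify: the shared root alone never suffices when the client's intermediate is neither sent nor present in the CA file, and the server's own intermediate does not help. Go's builder has no equivalent of SslVerifyDepth, so the depth-0 behaviour discussed later in the thread is not reproduced here.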
Re: [twsocket] SSL Certificates check
Arno Garrels wrote:
> Usually all CA certificates issued by a root CA are available for download as well.

Correction: That is mostly true if they have been issued to their own organization.

> In your case the URL is http://sumo.irisa.fr/html/pki/ but their server currently fails with error "OpenCA Error: Server is not online or does not accept requests."

--
Arno Garrels
[twsocket] SSL Certificates check
Arno, at this moment the client sends the entire certificate chain:

1. its client certificate issued by the intermediary CA (2 from below)
2. intermediary certificate issued by the root CA
3. root CA

The only certificate that is common between our server chain and the client chain is (3), the root CA. This should be enough, the communication should continue as both chains are issued by the same CA root. Please correct me if I'm wrong.

The issue that I encounter is that in the OnSslVerifyPeer event I receive error 7. Furthermore, I managed to obtain a valid communication when I've always returned OK = 1 in that event but ONLY when SslContext.SslVerifyDepth is 0. This has no logic for me.

Thank you very much for your time. Your assistance is really appreciated.
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Arno, at this moment the client sends the entire certificate chain:
>
> 1. its client certificate issued by the intermediary CA (2 from below)
> 2. intermediary certificate issued by the root CA
> 3. root CA

OK.

> The only certificate that is common between our server chain and the client chain is (3), the root CA.

That's OK as well, provided it actually is the same root certificate, which still has to be proved. It might for some reason use the same subject fields, however that is not enough of course. What happens if you do not add your root certificate to the SslCAFile? It's possible that the client sends the complete chain including its own root certificate. Then save the root certificate to a PEM file and compare it with your root certificate.

> This should be enough, the communication should continue as both chains are issued by the same CA root. Please correct me if I'm wrong.

Correct.

> The issue that I encounter is that in the OnSslVerifyPeer event I receive error 7.

Well, then something seems wrong with some certificate in the chain, that's why I asked you to log them all and post the result. Please write each certificate to a PEM file in event OnSslHandShakeDone like:

{code}
for I := 0 to Chain.Count -1 do
  Chain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');
{code}

(requires that you always set OK := 1 in OnSslVerifyPeer and SslVerifyDepth is set to >= 3, better 10, in order to get everything). Open the resulting files in a text editor, copy and paste their content into your email editor and post them here. Then I'll be able to check them when I have some minutes. Also add the content of your root certificate to the email.

> Furthermore, I managed to obtain a valid communication when I've always returned OK = 1 in that event but ONLY when SslContext.SslVerifyDepth is 0. This has no logic for me.

In that case only the end-certificate (level 0, here the client certificate) is verified; any further checks are skipped.

--
Arno Garrels
Re: [twsocket] SSL Certificates check
marius gabi wrote:
> Hello! Here is what the log is showing:
>
> Received certificate
> Subject: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
> Issuer: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
> Verify result: certificate signature failure Verify depth: 2
>
> Currently I'm not setting a specific value for the SslVerifyDepth. Regarding the OpenSSL DLL version I tried with 0.9.8e and 0.9.8h.

You forgot to print out the certificate with: Cert.GetRawText;
That would show you / us the *Signature Algorithm*. Since there's a certificate signature failure it is my guess that an unsupported algorithm is used.

--
Arno Garrels

> --- On Mon, 5/2/11, Arno Garrels arno.garr...@gmx.de wrote:
>
> From: Arno Garrels arno.garr...@gmx.de
> Subject: Re: [twsocket] SSL Certificates check
> To: ICS support mailing twsocket@elists.org
> Date: Monday, May 2, 2011, 5:10 PM
>
> marius gabi wrote:
>> I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).
>
> In the OnSslVerifyPeer event please do the following logging and post the result:
>
> Log('Received certificate'#13#10 +
>     'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
>     'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
>     'Verify result: ' + Cert.VerifyErrMsg +
>     ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
> Log(Cert.GetRawText);
>
> --
> Arno Garrels
[twsocket] SSL Certificates check
Sorry! Please find attached the log content for Cert.GetRawText.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: cb:cf:5d:05:41:b2:33:36
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Validity
            Not Before: Jan 28 20:54:09 2010 GMT
            Not After : Jan 28 20:54:09 2012 GMT
        Subject: C=FR, L=Rennes, ST=Brittany, O=IHE, OU=IHE, CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (8192 bit)
Re: [twsocket] SSL Certificates check
The certificate you posted in your previous messages doesn't use unsupported signature algorithms as I was guessing previously. Since its verify depth is 2 and it seems to be the root certificate, I think the complete chain of the client certificate consists of three certificates.

marius gabi wrote:
> Currently I'm facing an issue in a Server application that uses TSSLWSocketServer. I'm setting to the SSLContext a server certificate identified in code as SSLContext.SslCertFile, with the correct private key file identified as SSLContext.SslPrivKeyFile and a password.

Correct.

> Also I'm adding a CAFile identified as SslContext.SslCAFile.

What is the content of that file? For instance, if the server certificate chain consists of three items:

[2] Root
[1] Intermediate_ServerCA signed by [2]
[0] SSL server certificate signed by [1]

You set [0] as the TSslContext.SslCertFile, as you did already. Next create a CAFile that contains both [1] and [2] (I think [1] has to be the first, however I always forget the order in which they must appear, just play). That way the entire chain is sent to the client, or at least [0] and [1]. You can check what's actually sent using Wireshark since the connection is still unencrypted.

> A client application sends a message and uses an X509 Certificate from the same CA as my own certificates.

Client certificate and server certificate are signed by the exact _same_ certificate? I'm asking because only in such a case their chains up to root are also the same, in which case my example should work. If client and server certificate have different chains the TSslContext.SslCertFile itself should contain the chain of certificates sent to the client, and CAFile the certificates required to verify client certificates.

> 1. The client doesn't have a client version of my certificates

In the sample above the client must explicitly trust [2]. The client might or might not have [1] locally in his trusted certificates. IF NOT, the server MUST send [1] during the handshake as well. That is achieved by adding intermediate certificates either to the CAFile or by using a certificate chain as the SslCertFile.

> (With my client certificate issued for me the communication works perfectly but this is not an option as the project specification doesn't allow providing certificates to clients)

Sorry, I do not understand. Please explain again since that might help to resolve your problem.

> 2. I have to use SslContext.SslVerifyPeer = True
> 3. I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).
> The requirement is: if the client sends its own client certificate but has the same CA as my server certificate then the communication (client sends a message to server) should be possible.

That should work.

> I already tried to implement the SSLVerifyPeer event so that this method always returns true but with no positive outcome:

For debugging set OK := 1; in order to continue verification and to log ALL events and certificates. Then post the log again.

--
Arno Garrels
Re: [twsocket] SSL Certificates check
Arno Garrels wrote:
> Next create a CAFile that contains both [1] and [2] (I think [1] has to be the first, however I always forget the order in which they must appear, just play).

The best way to determine what certificates are sent to the peer requesting certificate verification is to add them to the PEM file specified in TSslContext.SslCertFile. The order starts with the server or client certificate followed by the required intermediate certificates up to the root certificate, for example:

// Server or client certificate
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
// Intermediate CA, signed preceding certificate
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
// Here we do not add the root since we assume the verifying
// peer has at least the root in his trusted certificates.
// But it could be appended as well if you like to.
// If there are more intermediate CAs in the chain they have
// to be added all.

--
Arno Garrels
[twsocket] SSL Certificates check
Currently I'm facing an issue in a Server application that uses TSSLWSocketServer. I'm setting to the SSLContext a server certificate identified in code as SSLContext.SslCertFile, with the correct private key file identified as SSLContext.SslPrivKeyFile and a password. Also I'm adding a CAFile identified as SslContext.SslCAFile. All files are .pem format and stored locally in my application folder (not in Certificate Store). A client application sends a message and uses an X509 Certificate from the same CA as my own certificates. The current scenario is as follows:

1. The client doesn't have a client version of my certificates (with my client certificate issued for me the communication works perfectly, but this is not an option as the project specification doesn't allow providing certificates to clients).
2. I have to use SslContext.SslVerifyPeer = True.
3. I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

The requirement is: if the client sends its own client certificate but has the same CA as my server certificate, then the communication (client sends a message to server) should be possible. I already tried to implement the SSLVerifyPeer event so this method always returns true, but with no positive outcome: the mentioned error does not appear, it just connects the client, performs a handshake and disconnects the client, and the message never arrives. Please advise!
Re: [twsocket] SSL Certificates check
marius gabi wrote:
I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

In the OnSslVerifyPeer event please do the following logging and post the result:

Log('Received certificate'#13#10 +
    'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
    'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
    'Verify result: ' + Cert.VerifyErrMsg +
    ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
Log(Cert.GetRawText);

--
Arno Garrels
Re: [twsocket] SSL Certificates check
Arno Garrels wrote:
marius gabi wrote:
I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

In the OnSslVerifyPeer event please do the following logging and post the result:

Log('Received certificate'#13#10 +
    'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
    'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
    'Verify result: ' + Cert.VerifyErrMsg +
    ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
Log(Cert.GetRawText);

Since it might happen that some certificate in the chain uses an unsupported, deprecated hash algorithm. AFAIK, i.e. newer OpenSSL DLLs are all built without MD2-support by default.

--
Arno Garrels
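Two things in this thread can be checked before a handshake is ever attempted: the file order Arno describes for TSslContext.SslCertFile (the server or client certificate first, then each issuing intermediate, the root optionally last) and the possibility he raises here that a certificate in the chain is signed with a digest such as MD2 that the OpenSSL build no longer supports. The following is an added example, not ICS code and not from this thread's authors. It uses only the Python standard library (a minimal DER walker rather than a full X.509 parser), treats name chaining strictly as a byte-for-byte comparison of the issuer Name with the next certificate's subject Name (an assumption; RFC 5280 name matching is more lenient), and runs over constructed, skeletal "certificates" whose names are modelled on the chain in the earlier post (assumed sample values with no keys, validity dates or real signatures).

```python
"""Added, stdlib-only check for a PEM bundle laid out as TSslContext.SslCertFile expects:
each certificate followed by its issuer, a self-signed root only as the last entry, and
signature algorithms built on MD2/MD5/SHA-1 flagged, since an OpenSSL build lacking that
digest reports 'certificate signature failure' instead of verifying the chain."""
import base64
import re

# PKCS#1 signature OIDs whose digest is deprecated or commonly compiled out of OpenSSL.
DEPRECATED_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_read_tlv(buf, pos)
        yield tag, vs, ve

def decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def name_one_line(der, start, end):
    """Render a DER Name the way ICS's SubjectOneLine does: /C=BE/O=ICS/CN=..."""
    out = []
    for _, rs, re_ in der_children(der, start, end):              # each RDN SET
        for _, as_, ae in der_children(der, rs, re_):              # AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = list(der_children(der, as_, ae))
            oid = decode_oid(der[os_:oe])
            out.append(f"{NAME_OIDS.get(oid, oid)}={der[vs:ve].decode('utf-8', 'replace')}")
    return "/" + "/".join(out)

def cert_fields(der):
    """Issuer and subject (raw Name bytes plus text) and signature OID of one DER cert."""
    _, cs, ce, _ = der_read_tlv(der, 0)                            # Certificate SEQUENCE
    tbs, sig_alg, _ = list(der_children(der, cs, ce))
    elems = list(der_children(der, tbs[1], tbs[2]))
    if elems[0][0] == 0xA0:                                        # optional [0] version
        elems.pop(0)
    issuer, subject = elems[2], elems[4]      # serial, sigAlg, issuer, validity, subject, ...
    _, os_, oe = next(der_children(der, sig_alg[1], sig_alg[2]))
    return {"issuer": der[issuer[1]:issuer[2]], "subject": der[subject[1]:subject[2]],
            "issuer_str": name_one_line(der, issuer[1], issuer[2]),
            "subject_str": name_one_line(der, subject[1], subject[2]),
            "sig_oid": decode_oid(der[os_:oe])}

def check_bundle(bundle):
    """Return findings; an empty list means leaf -> intermediates -> (root) order holds."""
    certs = [cert_fields(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(bundle)]
    findings = []
    for i, c in enumerate(certs):
        if c["sig_oid"] in DEPRECATED_SIG_OIDS:
            findings.append(f"cert {i} {c['subject_str']}: {DEPRECATED_SIG_OIDS[c['sig_oid']]}")
        if c["issuer"] == c["subject"]:
            if i != len(certs) - 1:
                findings.append(f"cert {i} {c['subject_str']}: self-signed root is not last")
        elif i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            findings.append(f"cert {i} issuer {c['issuer_str']} != subject of cert {i + 1}")
    return findings                 # a chain ending without its root is fine: the peer holds it

# --- constructed sample data: skeletal certificates with no keys, dates or signatures ---
def tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = [40 * p[0] + p[1]]
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def fake_cert_pem(subject_cn, issuer_cn, sig_oid="1.2.840.113549.1.1.11"):
    """Only the fields the checker reads are filled in; validity and key are left empty."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Assumed names modelled on the chain in the earlier post (constructed, not the real certs).
GOOD_BUNDLE = fake_cert_pem("www.domain1.com", "ICS SSL CA") + fake_cert_pem("ICS SSL CA", "ICS Root CA")
WRONG_ORDER = fake_cert_pem("ICS SSL CA", "ICS Root CA") + fake_cert_pem("www.domain1.com", "ICS SSL CA")
MD2_ROOT = fake_cert_pem("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.2")
```

Calling check_bundle on the bundle text returns an empty list for GOOD_BUNDLE, one ordering finding for WRONG_ORDER (the intermediate's issuer is not the subject of the certificate that follows it) and one md2WithRSAEncryption finding for MD2_ROOT. Against real PEM files the same function applies unchanged; the skeletal certificates only exist so the example runs offline.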
[twsocket] SSL Certificates check
Hello! Here is what the log is showing:

Received certificate
Subject: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Issuer: /C=FR/L=Rennes/ST=Brittany/O=IHE/OU=IHE/CN=Poiseau Eric/emailAddress=eric.pois...@inria.fr
Verify result: certificate signature failure Verify depth: 2

Currently I'm not setting a specific value for the SslVerifyDepth. Regarding the OpenSSL DLL version I tried with 0.9.8e and 0.9.8h.

--- On Mon, 5/2/11, Arno Garrels arno.garr...@gmx.de wrote:
From: Arno Garrels arno.garr...@gmx.de
Subject: Re: [twsocket] SSL Certificates check
To: ICS support mailing twsocket@elists.org
Date: Monday, May 2, 2011, 5:10 PM

marius gabi wrote:
I'm receiving the following message in the SSLVerifyPeer event: Error = 7 (certificate signature failure).

In the OnSslVerifyPeer event please do the following logging and post the result:

Log('Received certificate'#13#10 +
    'Subject: ' + Cert.SubjectOneLine + ''#13#10 +
    'Issuer: ' + Cert.IssuerOneLine + ''#13#10 +
    'Verify result: ' + Cert.VerifyErrMsg +
    ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
Log(Cert.GetRawText);

--
Arno Garrels