> What happens if this value is left blank as well -- does it skip > checking validity of CA? Is there any way to have the components > instead use the CA roots that Windows maintains in the > Certificate Store?
Yes, the sample OverbyteIcsMsVerify.dpr will Verify a certificate chain using the class TMsCertChainEngine which uses MS crypto API and the Microsoft root store. You need to add extra code to the onSslHandshakeDone event to ignore the OpenSSL result and call the engine instead. All my own client application and ICS components have options for both, look at TMagIpLog at: https://www.magsys.co.uk/delphi/magics.asp which also shows better ways of displaying certificate information from newer ICS versions. > My concern is that installing a > TrustedCABundle.pem file along with an application would lead to > problems with it going stale. Root certificates mostly have a very long life and major new ones are quite rare, although some do go out of favour, like Startcom currently which is closing down. But there are hundreds of root certificates, many small countries want to issue their own, and out bundle does not include many of those. Windows should automatically download missing roots from Windows Update during validation, but this may be slow. Angus -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
