Kurt,

> Setting the client's SslContext object property SslVerifyPeer = true
> yields an ErrCode = 1 in the client's HandshakeDone event (not a
> winsock error).
>
> I tried setting the client's SslContext::SslPrivKeyFile to the "C:\
> ... \ClientKey.pem" file created by the IcsSslBuildCerts.bat file and
> retried, but still got ErrCode = 1.
First of all, the private key has nothing to do with peer/certificate verification. The purpose of SslVerifyPeer is to check for a complete, valid and trusted certificate chain. For example: Root signs -> intermediate signs -> peer certificate. Usually the peer (in your case the server) sends the peer certificate. In order to be able to build the chain you have to provide the root and intermediate certificates locally, either included in a single PEM file (property TSslContext.SslCAFile, example: Ics\Delphi\Sslinternet\TrustedCABundle.pem) or as separate files (property TSslContext.SslCAPath, example: Ics\Delphi\SslInternet\TrustedCaStore). At least the root cert must be available in one of these trusted locations locally. The peer might send all certificates, or the intermediate and peer certificates, or just a single self-signed (root) certificate.

Handle event OnSslVerifyPeer and see what happens:

    procedure THttpsTstForm.SslHttpCli1SslVerifyPeer(Sender: TObject;
      var Ok: Integer; Cert: TX509Base);
    begin
        Ok := 1; // Marks the current check as passed; just for testing or to skip any error.
        Display('Checking certificate'#13#10 +
                'Subject: "' + Cert.SubjectOneLine + '"'#13#10 +
                'Issuer: "' + Cert.IssuerOneLine + '"'#13#10 +
                'Verify result: ' + Cert.VerifyErrMsg +
                ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
    end;

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
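The chain-building behaviour Arno describes (root and intermediate must be reachable locally, the peer may or may not send the intermediate) can be reproduced outside ICS with the openssl CLI. The script below is an added example and not ICS code or part of the original post: it issues a made-up root -> intermediate -> server chain into a temporary directory, then runs the verifier against a single PEM bundle (the SslCAFile style), against a hashed directory (the SslCAPath style), and against deliberately incomplete trust stores so the reported depth and error can be compared with what Cert.VerifyErrMsg and Cert.VerifyDepth show in the OnSslVerifyPeer handler. The only assumption is that "openssl" 1.1.1 or later is on PATH; the certificate names and the helper function names are invented for the demo.

```shell
#!/bin/sh
# Added example, not ICS code: builds a root -> intermediate -> server chain with the
# openssl CLI and shows which trusted locations let the verifier complete the chain.
# Assumes only that "openssl" (1.1.1 or later) is on PATH. All files go to a temp dir;
# the names root/inter/server and the functions below are made up for this demo.

WORK="$(mktemp -d)"

# Minimal request config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# issue NAME SIGNER EXTSECTION: create an EC key and a certificate for NAME, signed by
# SIGNER's key (self-signed when SIGNER is "self"), using the given extension section.
issue() {
    name="$1"; signer="$2"; ext="$3"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key" 2>/dev/null
    if [ "$signer" = self ]; then
        openssl req -x509 -new -key "$WORK/$name.key" -sha256 -days 30 \
            -config "$WORK/req.cnf" -extensions "$ext" -subj "/CN=$name" \
            -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl req -new -key "$WORK/$name.key" -sha256 -config "$WORK/req.cnf" \
            -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" \
            -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" -CAcreateserial \
            -extfile "$WORK/req.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

build_chain() {
    issue root self ca_ext          # trust anchor (self-signed root)
    issue inter root ca_ext         # intermediate CA, signed by root
    issue server inter server_ext   # peer certificate, signed by intermediate
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"   # SslCAFile style
    mkdir -p "$WORK/store" && cp "$WORK/root.pem" "$WORK/store/" \
        && openssl rehash "$WORK/store" 2>/dev/null                 # SslCAPath style
}

# describe_cert FILE: subject and issuer, like Cert.SubjectOneLine / Cert.IssuerOneLine.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# verify_peer TRUST_OPTS...: verify server.pem as a client with SslVerifyPeer = true
# would. Trust options (-CAfile/-CApath/-untrusted) go straight to "openssl verify";
# the system default stores are switched off so only the given locations count.
# Returns openssl's exit status; VERIFY_MSG holds "ok" or the first error with its depth.
verify_peer() {
    out="$(openssl verify -no-CAfile -no-CApath "$@" "$WORK/server.pem" 2>&1)"
    status=$?
    VERIFY_MSG="$(printf '%s\n' "$out" | sed -n \
        's/^error \([0-9]*\) at \([0-9]*\) depth lookup: *\(.*\)$/depth \2: \3 (error \1)/p' \
        | head -n 1)"
    [ -n "$VERIFY_MSG" ] || VERIFY_MSG="ok"
    return $status
}

demo() {
    build_chain
    describe_cert "$WORK/server.pem"
    # 1. Root trusted locally, peer sends server + intermediate: chain completes.
    verify_peer -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem"
    echo "root trusted, intermediate sent by peer: $VERIFY_MSG"
    # 2. Root trusted locally, peer sends only its own certificate: no path to the root.
    verify_peer -CAfile "$WORK/root.pem"
    echo "root trusted, intermediate missing:      $VERIFY_MSG"
    # 3. Root and intermediate in one PEM bundle: completes without help from the peer.
    verify_peer -CAfile "$WORK/bundle.pem"
    echo "bundle (root + intermediate):            $VERIFY_MSG"
    # 4. Hashed directory holding the root, intermediate sent by the peer.
    verify_peer -CApath "$WORK/store" -untrusted "$WORK/inter.pem"
    echo "hashed directory with root:              $VERIFY_MSG"
    # 5. Only the intermediate trusted: the chain never reaches a self-signed root.
    verify_peer -CAfile "$WORK/inter.pem" -untrusted "$WORK/inter.pem"
    echo "intermediate only, no root:              $VERIFY_MSG"
}

demo
```

Cases 2 and 5 are the two ways a client ends up with a failed verification even though every certificate involved is genuine: in case 2 the local store has the root but nothing links the server certificate to it, and in case 5 the store has a CA that is not self-signed, so the verifier cannot finish the chain. The depth in VERIFY_MSG is the same depth the ICS handler reports in Cert.VerifyDepth (0 is the peer certificate, 1 its issuer, and so on), which is what makes the handler's output useful for telling these two situations apart.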