> Setting the Clients SslContext obj property SslVerifyPeer = true
> yields an errCode = 1 in the Clients HandshakeDone event (not a
> winsock error) 
> I tried setting up the clients SslContext::SslPrivKeyFile to the "C:\
> ... \ClientKey.pem" file created by the IcsSslBuildCerts.bat file and
> retried, got ErrCode = 1 still.

At first, the private key has nothing to do with peer/certificate 

The purpose of SslVerifyPeer is to check for a complete, valid and 
trusted certificate chain.  

For example:
Root signed-> intermediate signed-> peer certificate.

Usually the peer (in your case the server) sends the peer 
In order to be able to build the chain you have to provide the 
root and intermediate certificate locally.
Either included in a single PEM file (property TSslContext.SslCAFile, 
example: Ics\Delphi\Sslinternet\TrustedCABundle.pem) or 
as separate files (property TSslContext.SslCAPath, example: 
Ics\Delphi\SslInternet\TrustedCaStore). At least the root cert 
must be available in one of these trusted locations locally. The
peer might send all or intermediate and peer certificates
or just a single self-signed (root) certificate.

Handle event OnSslVerifyPeer and see what happens:

procedure THttpsTstForm.SslHttpCli1SslVerifyPeer(
    Sender  : TObject;
    var Ok  : Integer;
    Cert    : TX509Base);
    Ok := 1; // Marks current check as passed 
             // just for testing or to skip any error.  
    Display('Checking certificate'#13#10 +
            'Subject: "' + Cert.SubjectOneLine + '"'#13#10 +
            'Issuer:  "' + Cert.IssuerOneLine + '"'#13#10  +
            'Verify result: ' + Cert.VerifyErrMsg +
            ' Verify depth: ' + IntToStr(Cert.VerifyDepth));

Arno Garrels
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to