Kurt,

> Setting the Client's SslContext obj property SslVerifyPeer = true
> yields an errCode = 1 in the Client's HandshakeDone event (not a
> winsock error)
>
> I tried setting up the client's SslContext::SslPrivKeyFile to the "C:\
> ... \ClientKey.pem" file created by the IcsSslBuildCerts.bat file and
> retried, got ErrCode = 1 still.

First of all, the private key has nothing to do with peer/certificate
verification.

The purpose of SslVerifyPeer is to check for a complete, valid and 
trusted certificate chain.  

For example:
Root signed-> intermediate signed-> peer certificate.

Usually the peer (in your case the server) sends the peer 
certificate. 
In order to be able to build the chain you have to provide the 
root and intermediate certificate locally.
Either included in a single PEM file (property TSslContext.SslCAFile, 
example: Ics\Delphi\Sslinternet\TrustedCABundle.pem) or 
as separate files (property TSslContext.SslCAPath, example: 
Ics\Delphi\SslInternet\TrustedCaStore). At least the root cert 
must be available in one of these trusted locations locally. The
peer might send all or intermediate and peer certificates
or just a single self-signed (root) certificate.

Handle event OnSslVerifyPeer and see what happens:

procedure THttpsTstForm.SslHttpCli1SslVerifyPeer(
    Sender  : TObject;
    var Ok  : Integer;
    Cert    : TX509Base);
begin     
    Ok := 1; // Marks current check as passed 
             // just for testing or to skip any error.  
    Display('Checking certificate'#13#10 +
            'Subject: "' + Cert.SubjectOneLine + '"'#13#10 +
            'Issuer:  "' + Cert.IssuerOneLine + '"'#13#10  +
            'Verify result: ' + Cert.VerifyErrMsg +
            ' Verify depth: ' + IntToStr(Cert.VerifyDepth));
end;

-- 
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

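The handler above deliberately forces Ok := 1, which makes every check pass and is only meant for inspecting the chain. Below is an added example (not from the original post and not ICS's own demo code) of what the two events look like once verification is actually enforced: OnSslVerifyPeer only logs and leaves OpenSSL's verdict in Ok untouched, and OnSslHandshakeDone disconnects whenever the handshake reports an error or the peer certificate did not verify. The unit names OverbyteIcsWSocket and OverbyteIcsLIBEAY, the TX509Base.VerifyResult property and the X509_V_OK constant are assumptions about the ICS version in use; check them against your own installation.

```delphi
{ Added example, not part of the original post.
  Assumes (check against your ICS version):
    - units OverbyteIcsWSocket and OverbyteIcsLIBEAY,
    - TX509Base.VerifyResult (Integer, OpenSSL verify result code),
    - X509_V_OK = 0 from OverbyteIcsLIBEAY.
  Display() is the form's own logging routine, as in the post. }

uses
    SysUtils, OverbyteIcsWSocket, OverbyteIcsLIBEAY;

{ Called once per certificate in the chain (root, intermediate, peer).
  Ok arrives with OpenSSL's verdict for that certificate: 1 = passed,
  0 = failed. We only log and never override it, so a chain that cannot
  be built from SslCAFile / SslCAPath makes the handshake fail. }
procedure THttpsTstForm.SslHttpCli1SslVerifyPeer(
    Sender  : TObject;
    var Ok  : Integer;
    Cert    : TX509Base);
begin
    if Cert.VerifyResult <> X509_V_OK then     { X509_V_OK = 0, assumption }
        Display('Certificate check FAILED at depth ' +
                IntToStr(Cert.VerifyDepth) + ': ' + Cert.VerifyErrMsg + #13#10 +
                'Subject: "' + Cert.SubjectOneLine + '"'#13#10 +
                'Issuer:  "' + Cert.IssuerOneLine + '"')
    else
        Display('Certificate check passed at depth ' +
                IntToStr(Cert.VerifyDepth) + ': ' + Cert.SubjectOneLine);
    { Ok is left as OpenSSL set it. }
end;

{ Called when the TLS handshake has finished, successfully or not.
  ErrCode <> 0 is the case the original question describes (ErrCode = 1,
  not a winsock error): the chain could not be verified. Drop the
  connection instead of sending any application data. }
procedure THttpsTstForm.SslHttpCli1SslHandshakeDone(
    Sender         : TObject;
    ErrCode        : Word;
    PeerCert       : TX509Base;
    var Disconnect : Boolean);
begin
    if ErrCode <> 0 then begin
        Display('Handshake failed, ErrCode = ' + IntToStr(ErrCode) +
                ' (peer certificate verification error)');
        Disconnect := True;
        Exit;
    end;
    { Belt and braces: even with ErrCode = 0, refuse a peer certificate
      whose own verify result is not OK (e.g. if some other handler
      forced Ok := 1 above). }
    if Assigned(PeerCert) and (PeerCert.VerifyResult <> X509_V_OK) then begin
        Display('Peer certificate not trusted: ' + PeerCert.VerifyErrMsg);
        Disconnect := True;
        Exit;
    end;
    Display('Handshake OK, peer: ' + PeerCert.SubjectOneLine);
end;
```

With this in place, the failure Kurt sees is the expected outcome until the server's root (and any intermediate) certificate is made available through SslCAFile or SslCAPath; the log lines from OnSslVerifyPeer show at which depth the chain breaks and why.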