marius gabi wrote:
> Arno, in this moment the client sends the entire certificates chain:
> 1. its client certificate issued by the intermediary CA (2 from
> below)
> 2. intermediary certificate issued by the root CA
> 3. root CA

OK.

> The only certificate that is common between our server chain and
> client chain is (3) root CA.

That's OK as well, provided it actually is the same root certificate,
which still has to be proved. It might for some reason use the same
subject fields, however that is not enough of course. What happens if
you do not add your root certificate to the SslCAFile? It's possible
that the client sends the complete chain including its own root
certificate. Then save the root certificate to a PEM file and compare
it with your root certificate.

> This should be enough, the communication should continue as both
> chains are issued by the same CA root. Please correct me if I'm
> wrong.

Correct.

> The issue that I encounter is that in onsslverifypeer event I receive
> error 7.

Well, then something seems wrong with some certificate in the chain,
that's why I asked you to log them all and post the result. Please
write each certificate to a PEM file in event OnSslHandShakeDone like:

{code}
// Save every certificate of the received chain, one PEM file each
for I := 0 to Chain.Count - 1 do
  Chain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');
{code}

(requires that you always set OK := 1 in OnSslVerifyPeer and
SslVerifyDepth is set to >= 3, better 10 in order to get everything).
Open the resulting files in a text editor, copy and paste their content
into your email editor and post them here. Then I'll be able to check
them when I have some minutes. Also add the content of your root
certificate to the email.

> Furthermore, I managed to obtain a valid communication when I've
> always returned OK = 1 in that event but ONLY when
> sslcontext.sslverifydepth is 0. This has no logic for me.

In that case only the end-certificate (level 0, here the client
certificate) is verified; any further checks are skipped.

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be