Dimitris Botsis wrote:
> OK, let me explain what I want.
> I want my client that connects over https to a server, before start
> exchanging data with server, first to check if the certificate
> provided by the server is the right one. I think there is a signature
> in certificate which client will know, and verify if the certificate's
> signature that is read from the server are the same.

I see, so this is the common procedure as shown in the demos
mentioned in one of my previous mails.

A certificate is always signed / issued by another certificate and it
can be quite a long chain from top level root certificate down to
the server certificate. The top level root certificate is always self-signed.
All you have to do is to provide the signing certificates you trust in
either the TSslContext.SslCAFile or TSslContext.SslCAPath so 
OpenSSL finds them on certificate verification when it builds up
the chain. All certificates issued by these certificates are trusted
as well. Event OnSslVerifyPeer is triggered for each certificate
check, OnSslHandShakeDone triggers after the certificate
chain has been verified. When this was OK you use method 
PostConnection of the peer certificate to check for DNS name
match. If you are new to SSL and OpenSSL you should read a
good book about that stuff first i.e. 
"Network Security with OpenSSL" published by O'REILY.  

Arno Garrels 

To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to