There are yet more SSL improvements in V8.39 in SVN and the nightly zip.

Hopefully these are the large major changes to the core SSL code, which
is now in only three units instead of five, with DLL export loading
much cleaner and easier to extend.  

The next planned SSL changes will be a certificate creation component
and finally ACME support to request free Let's Encrypt SSL certificates.

The main change in V8.39 is to support host name verification using
OpenSSL APIs added since the original ICS SSL implementation was done,
so it's no longer necessary to use PostConnectionCheck in the handshake
event.  The native verification has improved flexibility for checking
partial and wild card domain names, and may be controlled by a new
SslCheckHostFlags in the context. The new host name check is enabled by
default, but there is no harm in PostConnectionCheck doing a second
check so it's backward compatible, but may be disabled by setting
sslX509_NO_HOST_CHECK.  The host name checked is SslServerName which is
set by the main high level components.

There are also new functions to ease checking and listing SSL
certificates loaded into a context, or contained in a CA bundle file,
which are primarily for diagnostic and development purposes, since
working out precisely what is contained in base64 encoded certificate
files can be challenging.


Minimum OpenSSL support is now 1.0.2 (1.0.1 support ceases Dec 2016).

Added functions to check certificate params using X509_VERIFY_PARAM,
which means the peer certificate common name is now checked against the
host set as SslServerName during handshaking instead of needing to use
PostConnectionCheck in the handshake event.

Added more SslVerifyFlags for extra certificate verification options.

Added SslCheckHostFlags to context to control host name checking.

Added SslCertPeerName property set after successful SSL handshake and
peer certificate check that returns matched name from certificate.

Combined TX509Ex properties into TX509Base from
OverbyteIcsSslX509Utils to simplify applications.

TX509Base has new methods CheckHost, CheckEmail and CheckIPaddr as
alternatives to PostConnectionCheck using OpenSSL APIs.

Added SslGetAllCerts to context to get TX509list of certificates from
context store, may be used to check CA certificates have been correctly
loaded from files, 1.1.0 and later.

TX509List has new LoadFromFile method to load all certificates from a
bundle file.

Added IcsSslOpenFileBio and IcsSslLoadStackFromInfoFile which were
previously methods in TSslContext so thjey can be used elsewhere.

Added IcsUnwrapNames which changes multi-line string to comma string.

Added SslCertX509 to context which returns last certificate loaded for
reporting purposes (can not be set yet).


No longer need PostConnectionCheck or TX509Ex.

Added List Cert Store button to list common names of any certificates
loaded from CA File or CA Path, so you know exactly what was found .


Replaced TX509Ex with TX509Base.
View multiple PEM certificates in a bundle file.


Better way of listing certificates actually loaded into context rather
than opening files a second time.


To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to