There are yet more SSL improvements in V8.39 in SVN and the nightly zip.

Hopefully these are the last major changes to the core SSL code, which
is now in only three units instead of five, with DLL export loading
much cleaner and easier to extend.

The next planned SSL changes will be a certificate creation component
and finally ACME support to request free Let's Encrypt SSL certificates.


The main change in V8.39 is to support host name verification using
OpenSSL APIs added since the original ICS SSL implementation was done,
so it is no longer necessary to use PostConnectionCheck in the handshake
event.  The native verification has improved flexibility for checking
partial and wildcard domain names, and may be controlled by a new
SslCheckHostFlags in the context.  The new host name check is enabled by
default and may be disabled by setting sslX509_NO_HOST_CHECK; there is
no harm in PostConnectionCheck doing a second check, so existing code
remains backward compatible.  The host name checked is SslServerName,
which is set by the main high level components.

There are also new functions to ease checking and listing SSL
certificates loaded into a context, or contained in a CA bundle file,
which are primarily for diagnostic and development purposes, since
working out precisely what is contained in base64 encoded certificate
files can be challenging.

OverbyteIcsWSocket.pas
OverbyteIcsLIBEAY.pas
OverbyteIcsSSLEAY.pas
OverbyteIcsSslX509Utils.pas

Minimum OpenSSL support is now 1.0.2 (1.0.1 support ceases Dec 2016).

Added functions to check certificate params using X509_VERIFY_PARAM,
which means the peer certificate common name is now checked against the
host set as SslServerName during handshaking instead of needing to use
PostConnectionCheck in the handshake event.

Added more SslVerifyFlags for extra certificate verification options.

Added SslCheckHostFlags to context to control host name checking.

Added SslCertPeerName property, set after a successful SSL handshake and
peer certificate check, which returns the matched name from the certificate.

Combined TX509Ex properties into TX509Base from
OverbyteIcsSslX509Utils to simplify applications.

TX509Base has new methods CheckHost, CheckEmail and CheckIPaddr as
alternatives to PostConnectionCheck using OpenSSL APIs.

Added SslGetAllCerts to the context to get a TX509List of certificates
from the context store; it may be used to check that CA certificates have
been correctly loaded from files (1.1.0 and later).

TX509List has new LoadFromFile method to load all certificates from a
bundle file.

Added IcsSslOpenFileBio and IcsSslLoadStackFromInfoFile, which were
previously methods in TSslContext, so they can be used elsewhere.

Added IcsUnwrapNames, which changes a multi-line string to a comma-separated string.

Added SslCertX509 to the context, which returns the last certificate loaded,
for reporting purposes (cannot be set yet).


Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.dfm
Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.pas

No longer need PostConnectionCheck or TX509Ex.

Added a List Cert Store button to list the common names of any certificates
loaded from CA File or CA Path, so you know exactly what was found.

Samples/Delphi/SslInternet/OverbyteIcsPemTool1.dfm
Samples/Delphi/SslInternet/OverbyteIcsPemTool1.pas
Samples/Delphi/SslInternet/OverbyteIcsPemTool2.dfm

Replaced TX509Ex with TX509Base.
View multiple PEM certificates in a bundle file.

Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.dfm
Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.pas

Better way of listing certificates actually loaded into context rather
than opening files a second time.

Angus

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
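Added example (not part of Angus's post, and not ICS or OpenSSL code): a small Python model of the host name matching rules that OpenSSL's X509_check_host / X509_VERIFY_PARAM_set1_host apply, which is the mechanism the new SslCheckHostFlags controls and the reason PostConnectionCheck is no longer needed. It shows concretely what "partial" and "wildcard" domain matching mean, how the individual flags change the outcome, and why a certificate's subject CN is only a fallback when no dNSName SANs are present. The Cert class, check_host and the numeric flag values are assumptions made for this example; the rules follow the X509_check_host documentation in simplified form (IDNA label handling and host name character validation are omitted).

```python
"""Model of the host name matching rules behind OpenSSL's X509_check_host and
X509_VERIFY_PARAM_set1_host.  Illustrative code written for this page, not ICS
or OpenSSL source; Cert, check_host and the flag values are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Names follow OpenSSL's X509_CHECK_FLAG_* constants; the numeric values are arbitrary.
ALWAYS_CHECK_SUBJECT = 0x01     # consult the subject CN even when dNSName SANs exist
NO_WILDCARDS = 0x02             # treat '*' literally, disabling wildcard expansion
NO_PARTIAL_WILDCARDS = 0x04     # allow '*.example.com' but not 'www*.example.com'
MULTI_LABEL_WILDCARDS = 0x08    # let '*.example.com' match 'a.b.example.com'
SINGLE_LABEL_SUBDOMAINS = 0x10  # a '.example.com' host matches direct children only


@dataclass
class Cert:
    """Constructed stand-in for an X509 certificate: subject CN plus dNSName SANs."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def _valid_wildcard(p: List[str], flags: int) -> bool:
    """Syntax rules for a wildcard certificate name (labels already split)."""
    first = p[0]
    if first.count("*") != 1 or any("*" in label for label in p[1:]):
        return False                  # one '*', and only in the leftmost label
    if len(p) < 3:
        return False                  # at least two labels must follow the '*' ('*.com' fails)
    at_start, at_end = first.startswith("*"), first.endswith("*")
    if not (at_start or at_end):
        return False                  # 'f*o.example.com' is never accepted
    if flags & NO_PARTIAL_WILDCARDS and not (at_start and at_end):
        return False                  # 'www*' / '*www' refused when partial wildcards are off
    return True


def _match_name(cert_name: str, host: str, flags: int) -> bool:
    """Match one certificate name against a fully qualified host name."""
    p, h = _labels(cert_name), _labels(host)
    if "*" not in p[0] or flags & NO_WILDCARDS:
        return p == h                 # plain case-insensitive comparison
    if not _valid_wildcard(p, flags):
        return False
    if len(h) < len(p) or h[-(len(p) - 1):] != p[1:]:
        return False                  # everything after the '*' must match exactly
    head = h[:len(h) - len(p) + 1]    # the labels the '*' has to cover
    if len(head) > 1 and not (p[0] == "*" and flags & MULTI_LABEL_WILDCARDS):
        return False                  # '*' covers a single label unless the flag says otherwise
    prefix, suffix = p[0].split("*")
    covered = ".".join(head)
    if p[0] == "*" and not covered:
        return False                  # a whole-label '*' must match at least one character
    return (len(covered) >= len(prefix) + len(suffix)
            and covered.startswith(prefix) and covered.endswith(suffix))


def _match_suffix(cert_name: str, host: str, flags: int) -> bool:
    """A host given as '.example.com' is matched by any sub-domain of it."""
    p, suffix = _labels(cert_name), _labels(host)[1:]
    if len(p) <= len(suffix) or p[-len(suffix):] != suffix:
        return False
    return not (flags & SINGLE_LABEL_SUBDOMAINS) or len(p) - len(suffix) == 1


def check_host(cert: Cert, host: str, flags: int = 0) -> Optional[str]:
    """Return the certificate name that matched host, or None; this is the kind
    of value the post's SslCertPeerName property reports after the handshake."""
    match = _match_suffix if host.startswith(".") else _match_name
    for name in cert.san_dns:
        if match(name, host, flags):
            return name
    # The CN is a legacy fallback: OpenSSL only consults it when the certificate
    # has no dNSName SANs at all, unless ALWAYS_CHECK_SUBJECT is set.
    if cert.subject_cn and (not cert.san_dns or flags & ALWAYS_CHECK_SUBJECT):
        if match(cert.subject_cn, host, flags):
            return cert.subject_cn
    return None


if __name__ == "__main__":
    # Constructed sample certificate, not a real one.
    cert = Cert(subject_cn="legacy.example.com",
                san_dns=["api.example.com", "www*.example.com", "*.example.net"])
    for host, flags in [("www2.example.com", 0),
                        ("www2.example.com", NO_PARTIAL_WILDCARDS),
                        ("a.b.example.net", 0),
                        ("a.b.example.net", MULTI_LABEL_WILDCARDS),
                        ("legacy.example.com", 0),
                        ("legacy.example.com", ALWAYS_CHECK_SUBJECT),
                        (".example.com", 0)]:
        print(f"{host:20s} flags={flags:#04x} -> {check_host(cert, host, flags)}")
```

The sample run makes the practical points visible: a partial wildcard such as www*.example.com is accepted by default but refused once NO_PARTIAL_WILDCARDS is set, a whole-label wildcard never spans more than one label unless MULTI_LABEL_WILDCARDS is set, and a matching subject CN is ignored as soon as the certificate carries any dNSName SAN. When tightening a client, start from the default flags and add NO_PARTIAL_WILDCARDS; the other flags loosen matching and should only be enabled deliberately.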
