> I'm trying to send email via gmail.com. Which perfectly worked 
> since a while ago.
> but now it seems gmail (I think this is the reason) is rejecting 
> the 01cert.pem certificate Because the encryption is too weak.

Client SSL applications rarely need to send certificates, so just leave
SslCertFile and SslPrivKeyFile blank and everything should work.  

The confusion here is that the SslContext is used for both client and
server applications, and it's not obvious which properties relate only
to servers, clients, or both.  Worse, most of the samples just offer
all the options without explaining which are needed or why. 

Some background. 

SSL certificates have two purposes, identifying a host and encrypting
data.  

For SSL to work, a certificate and private key are needed to encrypt
the data; the certificate is sent to the client and includes the public
key so the client can negotiate encryption keys and can decode the data.


The only time a client needs a certificate is if it needs to identify
itself to a server, mostly when using VPN to access remote networks,
sometimes for servers with highly valuable information (like SWIFT
international money transfer).  It is the server that demands a client
certificate, before allowing data to be sent.  

In your case, newer versions of OpenSSL have higher minimum
requirements for certificates, and 01cert.pem is probably very old.
Note current ICS releases have one dated 2016 which should not give a
problem, but is still only required for server samples. 

Clients do still need Certificate Authority roots to be able to check
the server is sending a valid certificate, so leave: 

SslCAFile := GlobalUserSettings.fCertDir + '\TrustedCABundle.pem';


Angus


