> What happens if this value is left blank as well -- does it skip 
> checking validity of CA? Is there any way to have the components 
> instead use the CA roots that Windows maintains in the 
> Certificate Store?

Yes, the sample OverbyteIcsMsVerify.dpr will Verify a certificate chain
using the class TMsCertChainEngine which uses MS crypto API and the
Microsoft root store.   You need to add extra code to the
onSslHandshakeDone event to ignore the OpenSSL result and call the
engine instead.  

All my own client application and ICS components have options for both,
look at TMagIpLog at: 


which also shows better ways of displaying certificate information from
newer ICS versions. 

> My concern is that installing a 
> TrustedCABundle.pem file along with an application would lead to 
> problems with it going stale.

Root certificates mostly have a very long life and major new ones are
quite rare, although some do go out of favour, like Startcom currently
which is closing down.  

But there are hundreds of root certificates, many small countries want
to issue their own, and out bundle does not include many of those.
Windows should automatically download missing roots from Windows Update
during validation, but this may be slow.  


To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to