Zvone wrote:
> Also, is there a mechanism (in ICS) to check for invalid root
> certificates (regarding the recent SSL issue with bad Comodo
> certificates)?
No, there isn't.
It's rather easy to fix TSslContext to include CRLs 
(Certificate Revocation Lists) in the certificate 
verification process. 
That's just adding a new property "SslVerifyFlags" and
a call to f_X509_STORE_set_flags().
However, that only makes sense if the revocation lists are
up to date. The download location is stored in the certificate
and can be either an HTTP link or something else, and the
format of the CRL may not be in PEM format. Another option
was OCSP, if I remember well.

-- 
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
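
The CRL check described in the reply above, as an added example that is not part of the original message and is not ICS code. It uses Python's `ssl` module, which exposes the same OpenSSL verification flags (X509_V_FLAG_CRL_CHECK), and assumes the CRL bytes have already been fetched; the names `crl_to_pem` and `crl_checking_context` are hypothetical.

```python
import base64
import os
import ssl
import tempfile
import textwrap

PEM_HEAD = "-----BEGIN X509 CRL-----"
PEM_TAIL = "-----END X509 CRL-----"


def crl_to_pem(data: bytes) -> str:
    """Return a CRL as PEM text whether it arrived as PEM or as DER."""
    stripped = data.lstrip()
    if stripped.startswith(PEM_HEAD.encode()):
        return stripped.decode("ascii")
    # A DER-encoded CRL is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if data[:1] != b"\x30":
        raise ValueError("input is neither a PEM nor a DER CRL")
    body = base64.b64encode(data).decode("ascii")
    return "\n".join([PEM_HEAD, *textwrap.wrap(body, 64), PEM_TAIL]) + "\n"


def crl_checking_context(crl_blobs=(), check_chain=False) -> ssl.SSLContext:
    """Client context that rejects revoked certificates.

    With the flag set, OpenSSL fails the handshake when it has no current
    CRL for the issuer, so the lists must be loaded and kept up to date.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= (ssl.VERIFY_CRL_CHECK_CHAIN if check_chain
                         else ssl.VERIFY_CRL_CHECK_LEAF)
    for blob in crl_blobs:
        # Normalise every CRL to PEM and load it through cafile=, the
        # file-based loader, so DER and PEM sources share one code path.
        with tempfile.NamedTemporaryFile("w", suffix=".pem",
                                         delete=False) as fh:
            fh.write(crl_to_pem(blob))
        try:
            ctx.load_verify_locations(cafile=fh.name)
        finally:
            os.unlink(fh.name)
    return ctx


if __name__ == "__main__":
    sample = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # constructed, not a real CRL
    print(crl_to_pem(sample))
    print(crl_checking_context().verify_flags)
```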