Arno Garrels wrote:
> Zvone wrote:
>> Also, is there a mechanism (in ICS) to check for invalid root
>> certificates (regarding the recent SSL issue with bad Comodo
>> certificates)?
>
> No there isn't.

Currently not. After some investigation it looks like the easiest way is
to use the Windows Crypto-API for verification. No more trouble with trusted
CAs etc., and Windows also checks for revoked certs; it even uses OCSP
since, AFAIK, Vista+.

In order to verify a certificate with Windows, CertGetCertificateChain
seems to be the right API.

In order to convert from the OpenSSL X509 internal format to the Windows
format you can use:

    // The returned context must be released with CertFreeCertificateContext.
    function OpenSslToMsCertContext(x: PX509): PCCERT_CONTEXT;
    var
      Buf, P: PByte;
      Len: Integer;
    begin
      Result := nil;
      Len := f_i2d_X509(x, nil);   // first call returns the DER length
      if Len > 0 then
      begin
        GetMem(Buf, Len);
        try
          P := Buf; // This is important since f_i2d_X509 increments P by Len
          Len := f_i2d_X509(x, @P);
          if Len > 0 then
            // CryptoAPI copies the encoded bytes, so Buf can be freed below
            Result := CertCreateCertificateContext(X509_ASN_ENCODING, Buf, Len);
        finally
          FreeMem(Buf);
        end;
      end;
    end;

--
Arno Garrels
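
The CertGetCertificateChain check mentioned above, with revocation checking switched on, as an added example that is not part of the original post and not ICS code. The unit name MsChainCheck, the function MsVerifyCert and the local record names are hypothetical; the CryptoAPI items are declared locally from their wincrypt.h definitions, and the input is the context returned by OpenSslToMsCertContext.

```pascal
unit MsChainCheck; // hypothetical unit name; added example, not ICS code
interface
uses Windows;
const // values from wincrypt.h
  CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = $40000000;
  CERT_TRUST_IS_REVOKED                = $00000004;
  CERT_TRUST_IS_UNTRUSTED_ROOT         = $00000020;
  CERT_TRUST_REVOCATION_STATUS_UNKNOWN = $00000040;

// Returns True only when Windows reports no chain error at all. ErrorStatus
// receives the CERT_TRUST_* bits, or all bits set if no chain could be built.
function MsVerifyCert(Cert: Pointer {PCCERT_CONTEXT}; out ErrorStatus: DWORD): Boolean;

implementation

type // local declarations, limited to the fields this example touches
  TCtlUsage = record cUsageIdentifier: DWORD; rgpszUsageIdentifier: Pointer; end;
  TCertUsageMatch = record dwType: DWORD; Usage: TCtlUsage; end;
  TCertChainPara = record cbSize: DWORD; RequestedUsage: TCertUsageMatch; end;
  PChainHead = ^TChainHead; // leading fields of CERT_CHAIN_CONTEXT
  TChainHead = record cbSize, dwErrorStatus, dwInfoStatus: DWORD; end;

function CertGetCertificateChain(hEngine, pCert: Pointer; pTime: PFileTime;
  hAdditionalStore: Pointer; var Para: TCertChainPara; dwFlags: DWORD;
  pvReserved: Pointer; out Chain: PChainHead): BOOL; stdcall; external 'crypt32.dll';
procedure CertFreeCertificateChain(Chain: PChainHead); stdcall; external 'crypt32.dll';

function MsVerifyCert(Cert: Pointer; out ErrorStatus: DWORD): Boolean;
var
  Para: TCertChainPara;
  Chain: PChainHead;
begin
  ErrorStatus := High(DWORD);
  FillChar(Para, SizeOf(Para), 0); // no usage restriction requested
  Para.cbSize := SizeOf(Para);
  // nil engine = current-user default engine; nil time = now; nil additional
  // store = intermediates are taken from the Windows stores only.
  Result := CertGetCertificateChain(nil, Cert, nil, nil, Para,
    CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, nil, Chain);
  if not Result then Exit;
  try
    ErrorStatus := Chain^.dwErrorStatus; // 0 = CERT_TRUST_NO_ERROR
    Result := ErrorStatus = 0;
  finally
    CertFreeCertificateChain(Chain);
  end;
end;
end.
```

A result with CERT_TRUST_REVOCATION_STATUS_UNKNOWN set means Windows could not obtain revocation information, and whether to treat that as a failure is a policy decision for the caller. Host name matching is not covered by this check.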