Thank you very much for all help and information.
On 27/8/2011 7:29 PM, Arno Garrels wrote:
Dimitris Botsis wrote:
OK, let me explain what I want.
I want my client that connects over https to a server, before it starts
exchanging data with the server, first to check whether the certificate
provided by the server is the right one. I think there is a signature
in the certificate which the client will know, and it would verify whether the
certificate's signature read from the server is the same.
I see, so this is the common procedure as shown in the demos
mentioned in one of my previous mails.
A certificate is always signed / issued by another certificate, and it
can be quite a long chain from the top-level root certificate down to
the server certificate. The top-level root certificate is always self-signed.
All you have to do is to provide the signing certificates you trust in
either TSslContext.SslCAFile or TSslContext.SslCAPath, so that
OpenSSL finds them on certificate verification when it builds up
the chain. All certificates issued by these certificates are trusted
as well. Event OnSslVerifyPeer is triggered for each certificate
check; OnSslHandShakeDone triggers after the certificate
chain has been verified. Once that is OK, you use the method
PostConnection of the peer certificate to check for a DNS name
match. If you are new to SSL and OpenSSL you should first read a
good book about that stuff, e.g.
"Network Security with OpenSSL" published by O'Reilly.
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
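The procedure Arno describes (trusted CAs in SslCAFile, let OpenSSL verify the chain, then check the host name against the peer certificate) as an added Delphi example; this is not code from the thread or from the ICS project. Only SslCAFile, OnSslHandshakeDone and the post-connection check are named on the page; the other ICS types, properties and the method name PostConnectionCheck are assumed from the OverbyteIcs units, and the wrapper class is hypothetical.

```delphi
uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsHttpProt;

type
  // Hypothetical wrapper; the ICS types, properties and events it uses are assumed
  // from the OverbyteIcs units (only SslCAFile and the two events are named on the page).
  TVerifiedClient = class
  private
    FHttp: TSslHttpCli;
    FCtx: TSslContext;
    FHost: String;            // name we dialled; must match the server certificate
    procedure HandshakeDone(Sender: TObject; ErrCode: Word;
      PeerCert: TX509Base; var Disconnect: Boolean);
  public
    constructor Create(const AHost, ACAFile: String);
    function Fetch(const AUrl: String): Integer;   // returns the HTTP status code
  end;

constructor TVerifiedClient.Create(const AHost, ACAFile: String);
begin
  inherited Create;
  FHost := AHost;
  FCtx := TSslContext.Create(nil);
  FCtx.SslCAFile := ACAFile;                    // PEM bundle holding only the CA(s) we trust
  FCtx.SslVerifyPeer := True;                   // make OpenSSL build and verify the chain
  FCtx.SslVerifyPeerModes := [SslVerifyMode_PEER];
  FHttp := TSslHttpCli.Create(nil);
  FHttp.SslContext := FCtx;
  FHttp.OnSslHandshakeDone := HandshakeDone;
end;

// Fires after OpenSSL has checked the whole chain against SslCAFile. A valid chain
// is not enough: the leaf must also carry the DNS name we connected to.
// Delphi's "or" short-circuits, so PeerCert is not touched when ErrCode <> 0.
procedure TVerifiedClient.HandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
begin
  Disconnect := (ErrCode <> 0) or
                (PeerCert.VerifyResult <> 0) or            // 0 = X509_V_OK
                (not PeerCert.PostConnectionCheck(FHost));  // host name match
end;

function TVerifiedClient.Fetch(const AUrl: String): Integer;
begin
  FHttp.URL := AUrl;
  FHttp.Get;          // blocking request; the connection is dropped if verification failed
  Result := FHttp.StatusCode;
end;
```

Keep the CA file limited to the issuer(s) you actually expect; a system-wide bundle would accept any certificate those CAs issued for the same host name.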