Hello, This doesn't seem to have an easy solution right now. Many of the functions needed to set up openssl for this doesn't even seem to have imports in the FPC package. You'd then have to import the functions and implement a custom TSSLSocketHandler, and then hook it using either (fphttpapp.)Application.HTTPHandler.HTTPServer.OnGetSocketHandler or TSSLSocketHandler.SetDefaultHandlerClass();
Some pointers: https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca Best regards, Flávio Em sáb., 23 de mar. de 2024 às 08:47, Jos Wegman via fpc-pascal < fpc-pascal@lists.freepascal.org> escreveu: > Hi, > > Out of the info on the wiki I created a simple Webserver with a > server-certificate. > To get this code working you need to create the necessary certificate. > For this I used xca from https://hohnstaedt.de but you can use OpenSSL to > do the same. > > > [code=pascal] > program webserver; > > {$mode objfpc}{$H+} > > uses > {$ifdef UNIX} > cthreads, cmem, > {$endif} > fphttpapp, > httpdefs, > httproute, > opensslsockets; > > var > fUseSSL: boolean; > const > fCertificatePassword: string = 'hello'; > fCertificateHostName: string = 'localhost'; > fCertificateFileName: string = 'Server.crt'; > fCertificatePrivateKey: string = 'Server.key'; > > procedure route1(aReq: TRequest; aResp: TResponse); > begin > aResp.Content := '<html><body><h1>Route 1 The > Default</h1></body></html>'; > end; > > procedure route2(aReq: TRequest; aResp: TResponse); > begin > aResp.Content := '<html><body><h1>Route 2</h1></body></html>'; > end; > > begin > HTTPRouter.RegisterRoute('/', @route1); > HTTPRouter.RegisterRoute('/2', @route2); > Application.Port := 1999; > fUseSSL :=true; > Application.UseSSL := fUseSSL; > if fUseSSL then > begin > Application.CertificateData.KeyPassword := fCertificatePassword; > Application.CertificateData.HostName := fCertificateHostName; > Application.CertificateData.Certificate.FileName := > fCertificateFileName; > Application.CertificateData.PrivateKey.FileName := > fCertificatePrivateKey; > end; > Application.Threaded := True; > Application.Initialize; > Application.Run; > end. > [/code] > > My questions are: > > *- How can I modify this example to enforce the use of a client > certificate? - How can I verify a client certificate in the server?* > > In the TLS handshake a client certificate is optional but the server can > ensure that it is mandatory. > > Any help, pointers, sample code is appreciated. > > Sincerely, > > Jos > _______________________________________________ > fpc-pascal maillist - fpc-pascal@lists.freepascal.org > https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal >
_______________________________________________ fpc-pascal maillist - fpc-pascal@lists.freepascal.org https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal