marius gabi wrote:
> Arno, in this moment the client sends the entire certificates chain:
> 1. its client certificate issued by the intermediary CA (2 from
> below)
> 2. intermediary certificate issued by the root CA
> 3. root CA

OK.

> 
> The only certificate that is common between our server chain and
> client chain is (3) root CA. 

That's OK as well, provided it actually is the same root 
certificate, which still has to be proved. It might for
some reason use the same subject fields however that is
not enough of course. 

What happens if you do not add your root certificate to the
SslCAFile? It's possible that the client sends the complete
chain including its own root certificate. Then save the root
certificate to a PEM file and compare it with your root
certificate.

> 
> This should be enough, the communication should continue as both
> chains are issued by the same CA root. Please correct me if I'm
> wrong.

Correct.
 
> The issue that I encounter is that in onsslverifypeer event I receive
> error 7. 

Well, then something seems wrong with some certificate in
the chain, that's why I asked you to log them all and post
the result. Please write each certificate to a PEM file in 
event OnSslHandShakeDone like:

{code}
// Chain: the peer's certificate list available in OnSslHandshakeDone;
// I is an Integer loop variable. One PEM file is written per level.
for I := 0 to Chain.Count - 1 do
    Chain[I].SaveToPemFile('cert' + IntToStr(I) + '.pem');
{code}

(requires that you always set OK := 1 in OnSslVerifyPeer and
 SslVerifyDepth is set to >= 3, better 10 in order to get everything).

Open the resulting files in a text editor, copy and paste their 
content into your email editor and post them here.
Then I'll be able to check them when I have some minutes.
Also add the content of your root certificate to the email.  

> Furthermore, I managed to obtain a valid communication when I've
> always returned OK = 1 in that event but ONLY when
> sslcontext.sslverifydepth is 0. This has no logic for me.

In that case only the end-certificate (level 0, here the client
certificate) is verified; any further checks are skipped.
 
-- 
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
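The comparison Arno asks for above (is the root the client sends byte-for-byte the same certificate as the server's own root, not merely one with the same subject) can be done on the saved cert0.pem .. certN.pem files. The following is an added example, not code from the thread or from ICS; it parses PEM with the standard library only and compares DER bytes and SHA-256 fingerprints. The certificate payloads below are constructed placeholder bytes, not real certificates, so the script runs offline; point it at real files by reading them into the same variables.

```python
import base64
import hashlib
import re

# Matches every CERTIFICATE block in a PEM file (a file may hold several).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_blocks(pem_text):
    """Return the raw DER bytes of each CERTIFICATE block in a PEM string."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, colon separated like openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(pem_a, pem_b):
    """True only if the first certificate in each PEM is byte-identical.

    Matching subject/issuer text is NOT sufficient: two different CAs can
    carry the same subject fields, so the check is on the encoded bytes."""
    return pem_to_der_blocks(pem_a)[0] == pem_to_der_blocks(pem_b)[0]


def find_root_in_chain(chain_pems, server_root_pem):
    """Index of the chain element identical to the server's root CA, or None."""
    root_der = pem_to_der_blocks(server_root_pem)[0]
    for idx, pem in enumerate(chain_pems):
        if root_der in pem_to_der_blocks(pem):
            return idx
    return None


def make_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample data (placeholder bytes, not real X.509 structures):
# cert0.pem = client leaf, cert1.pem = intermediary, cert2.pem = root.
DER_CLIENT = b"\x30\x82" + b"constructed client leaf certificate bytes"
DER_INTERMEDIATE = b"\x30\x82" + b"constructed intermediary CA certificate bytes"
DER_ROOT = b"\x30\x82" + b"constructed root CA certificate bytes"
CHAIN_FILES = [make_pem(d) for d in (DER_CLIENT, DER_INTERMEDIATE, DER_ROOT)]
SERVER_ROOT_PEM = make_pem(DER_ROOT)
# A look-alike root that differs in a single byte; must NOT be accepted.
OTHER_ROOT_PEM = make_pem(DER_ROOT + b"\x01")


def report(chain_pems, server_root_pem):
    """Print each level's fingerprint and whether it matches the server root."""
    lines = []
    for idx, pem in enumerate(chain_pems):
        for der in pem_to_der_blocks(pem):
            match = "MATCH" if der == pem_to_der_blocks(server_root_pem)[0] else "-"
            lines.append(f"cert{idx}.pem  {fingerprint(der)}  {match}")
    return lines


if __name__ == "__main__":
    for line in report(CHAIN_FILES, SERVER_ROOT_PEM):
        print(line)
    print("root found at chain level:", find_root_in_chain(CHAIN_FILES, SERVER_ROOT_PEM))
    print("look-alike root accepted:", find_root_in_chain(CHAIN_FILES, OTHER_ROOT_PEM))
```

With real files, replace CHAIN_FILES with the contents of cert0.pem .. certN.pem (read in text mode) and SERVER_ROOT_PEM with the file configured in SslCAFile; a None result means the client's chain does not actually contain your root, whatever its subject line says.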
