Dimitris Botsis wrote:

> OK, let me explain what I want.
> I want my client that connects over https to a server, before it starts
> exchanging data with the server, first to check if the certificate
> provided by the server is the right one. I think there is a signature
> in the certificate which the client will know, and verify if the certificate's
> signature that is read from the server is the same.
I see, so this is the common procedure as shown in the demos mentioned in one of my previous mails. A certificate is always signed / issued by another certificate, and it can be quite a long chain from the top-level root certificate down to the server certificate. The top-level root certificate is always self-signed.

All you have to do is to provide the signing certificates you trust in either TSslContext.SslCAFile or TSslContext.SslCAPath, so OpenSSL finds them on certificate verification when it builds up the chain. All certificates issued by these certificates are trusted as well.

Event OnSslVerifyPeer is triggered for each certificate check; OnSslHandShakeDone triggers after the certificate chain has been verified. When this is OK, you use the method PostConnection of the peer certificate to check for a DNS name match.

If you are new to SSL and OpenSSL you should read a good book about that stuff first, e.g. "Network Security with OpenSSL" published by O'Reilly.

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
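The procedure Arno describes, put together as one Delphi client. This is an added illustration, not code from the ICS demos or from either poster. It assumes ICS unit and member names of the TSslContext / TSslHttpCli / TX509Base era (OverbyteIcsWSocket, OverbyteIcsHttpProt, SslVerifyPeerModes, PeerCert.VerifyResult, PeerCert.PostConnectionCheck); the exact event signatures differ between ICS versions, so match them against the OverbyteIcs sources you compile with. The hostname passed to Get and the CA bundle path are caller-supplied.

```pascal
unit SslVerifiedClient;
// Added example (not ICS demo code). Assumes ICS V6-era names; check the
// event signatures against the OverbyteIcsWSocket / OverbyteIcsHttpProt
// units of the version you actually use.

interface

uses
  SysUtils, Classes,
  OverbyteIcsWSocket,   { TSslContext, TX509Base, SslVerifyMode_PEER }
  OverbyteIcsHttpProt;  { TSslHttpCli }

type
  TVerifiedClient = class
  private
    FCtx  : TSslContext;
    FHttp : TSslHttpCli;
    FHost : String;   // name we expect to find in the server certificate
    FLog  : TStrings;
    procedure VerifyPeer(Sender: TObject; var Ok: Integer; Cert: TX509Base);
    procedure HandshakeDone(Sender: TObject; ErrCode: Word;
                            PeerCert: TX509Base; var Disconnect: Boolean);
  public
    constructor Create(const CAFile: String; Log: TStrings);
    destructor Destroy; override;
    // Fetches Url over HTTPS; raises if the chain or the host name is rejected.
    procedure Get(const Url, ExpectedHost: String);
  end;

implementation

constructor TVerifiedClient.Create(const CAFile: String; Log: TStrings);
begin
  inherited Create;
  FLog := Log;
  FCtx := TSslContext.Create(nil);
  // PEM bundle holding only the root/intermediate certificates you trust.
  // Everything issued (directly or via a chain) by these is accepted.
  FCtx.SslCAFile          := CAFile;
  // Without SslVerifyPeer = True OpenSSL never verifies and
  // OnSslVerifyPeer is never fired.
  FCtx.SslVerifyPeer      := True;
  FCtx.SslVerifyPeerModes := [SslVerifyMode_PEER];
  FCtx.SslVerifyDepth     := 9;          // max chain length we tolerate

  FHttp := TSslHttpCli.Create(nil);
  FHttp.SslContext         := FCtx;
  FHttp.OnSslVerifyPeer    := VerifyPeer;
  FHttp.OnSslHandshakeDone := HandshakeDone;
end;

destructor TVerifiedClient.Destroy;
begin
  FHttp.Free;
  FCtx.Free;
  inherited;
end;

// Fired once per certificate while OpenSSL walks the chain (root first).
// Ok <> 0 means OpenSSL accepted this link. Only log here: forcing Ok := 1
// on a failure is the classic mistake that silently disables verification.
procedure TVerifiedClient.VerifyPeer(Sender: TObject; var Ok: Integer;
  Cert: TX509Base);
begin
  if Ok = 0 then
    FLog.Add(Format('chain element rejected: %s (VerifyResult=%d)',
                    [Cert.SubjectOneLine, Cert.VerifyResult]));
end;

// Fired after the handshake, i.e. after the whole chain has been verified.
// A valid chain only proves some trusted CA issued the certificate; the
// post-connection check proves it was issued for the host we dialled.
procedure TVerifiedClient.HandshakeDone(Sender: TObject; ErrCode: Word;
  PeerCert: TX509Base; var Disconnect: Boolean);
begin
  Disconnect := True;                           // fail closed
  if ErrCode <> 0 then
    FLog.Add('handshake failed, ErrCode=' + IntToStr(ErrCode))
  else if PeerCert.VerifyResult <> 0 then       // 0 = X509_V_OK
    FLog.Add('chain not trusted, VerifyResult=' +
             IntToStr(PeerCert.VerifyResult))
  else if not PeerCert.PostConnectionCheck(FHost) then
    FLog.Add('certificate is not for host ' + FHost + ': ' +
             PeerCert.SubjectOneLine)
  else
    Disconnect := False;                        // everything checked out
end;

procedure TVerifiedClient.Get(const Url, ExpectedHost: String);
begin
  FHost := ExpectedHost;
  FHttp.URL := Url;
  FHttp.Get;     // synchronous; HandshakeDone aborts the session on failure
end;

end.
```

Two practitioner notes on this shape: the CA file should contain only the issuers you actually intend to trust (a full OS store is fine for a browser, a single private root is usually right for a client talking to your own servers), and the host name check in HandshakeDone is not optional, since chain verification alone would accept any certificate the same CA issued to anyone.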