<div dir="ltr"><div>Hello,<br></div><div><br></div><div>This doesn't seem to have an easy solution right now. Many of the functions needed to set up openssl for this don't even seem to have imports in the FPC package.</div><div>You'd then have to import the functions and implement a custom TSSLSocketHandler, and then hook it using either<br></div><div>(fphttpapp.)Application.HTTPHandler.HTTPServer.OnGetSocketHandler or TSSLSocketHandler.SetDefaultHandlerClass();</div><div><br></div><div>Some pointers:<br><a href="https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c">https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c</a></div><div><a href="https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl">https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl</a></div><div><a href="https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api">https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api</a></div><div><a href="https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca">https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca</a></div><div><br></div><div>Best regards,</div><div>Flávio<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 23 Mar 2024 at 08:47, Jos Wegman via fpc-pascal <<a href="mailto:fpc-pascal@lists.freepascal.org" target="_blank">fpc-pascal@lists.freepascal.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
  <div>
    Hi,<br>
    <br>
    Out of the info on the wiki I created a simple Webserver with a
    server-certificate.<br>
    To get this code working you need to create the necessary
    certificate.<br>
    For this I used xca from <a href="https://hohnstaedt.de" target="_blank">https://hohnstaedt.de</a> but you can use
    OpenSSL to do the same.<br>
     <br>
    <br>
    [code=pascal]<br>
    program webserver;<br>
    <br>
    {$mode objfpc}{$H+}<br>
    <br>
    uses<br>
      {$ifdef UNIX}<br>
      cthreads, cmem,<br>
      {$endif}<br>
      fphttpapp,<br>
      httpdefs,<br>
      httproute,<br>
      opensslsockets;<br>
    <br>
    var<br>
      fUseSSL: boolean;<br>
    const<br>
      fCertificatePassword: string = 'hello';<br>
      fCertificateHostName: string = 'localhost';<br>
      fCertificateFileName: string = 'Server.crt';<br>
      fCertificatePrivateKey: string = 'Server.key';<br>
    <br>
      procedure route1(aReq: TRequest; aResp: TResponse);<br>
      begin<br>
        aResp.Content := '<html><body><h1>Route 1 The Default</h1></body></html>';<br>
      end;<br>
    <br>
      procedure route2(aReq: TRequest; aResp: TResponse);<br>
      begin<br>
        aResp.Content := '<html><body><h1>Route 2</h1></body></html>';<br>
      end;<br>
    <br>
    begin<br>
      HTTPRouter.RegisterRoute('/', @route1);<br>
      HTTPRouter.RegisterRoute('/2', @route2);<br>
      Application.Port := 1999;<br>
      fUseSSL := true;<br>
      Application.UseSSL := fUseSSL;<br>
      if fUseSSL then<br>
      begin<br>
        Application.CertificateData.KeyPassword := fCertificatePassword;<br>
        Application.CertificateData.HostName := fCertificateHostName;<br>
        Application.CertificateData.Certificate.FileName := fCertificateFileName;<br>
        Application.CertificateData.PrivateKey.FileName := fCertificatePrivateKey;<br>
      end;<br>
      Application.Threaded := True;<br>
      Application.Initialize;<br>
      Application.Run;<br>
    end.<br>
    [/code]<br>
    <br>
    My questions are: <br>
    <b>- How can I modify this example to enforce the use of a client
      certificate?<br>
      - How can I verify a client certificate in the server?</b><br>
    <br>
    In the TLS handshake a client certificate is optional but the server
    can ensure that it is mandatory.<br>
    <br>
    Any help, pointers, sample code is appreciated.<br>
    <br>
    Sincerely,<br>
    <br>
    Jos<br>
  </div>

_______________________________________________<br>
fpc-pascal maillist  -  <a href="mailto:fpc-pascal@lists.freepascal.org" target="_blank">fpc-pascal@lists.freepascal.org</a><br>
<a href="https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal" rel="noreferrer" target="_blank">https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal</a><br>
</blockquote></div>
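One way to do what Flávio outlines (a custom TSSLSocketHandler subclass hooked in with SetDefaultHandlerClass), as an added example that is not code from this thread or from the FPC project. It assumes TOpenSSLSocketHandler has a virtual InitContext and a CTX property (the fpopenssl TSSLContext wrapper) exposing LoadVerifyLocations and SetVerify, and uses a placeholder CA file name ca.crt:

```pascal
program mtlswebserver;
{$mode objfpc}{$H+}

uses
  {$ifdef UNIX}cthreads, cmem,{$endif}
  sysutils, fphttpapp, httpdefs, httproute, sslsockets, openssl, opensslsockets;

type
  // Assumption: TOpenSSLSocketHandler has a virtual InitContext and a CTX
  // property (fpopenssl TSSLContext) offering LoadVerifyLocations/SetVerify.
  TClientCertSSLHandler = class(TOpenSSLSocketHandler)
  protected
    function InitContext(NeedCertificate: Boolean): Boolean; override;
  end;

const
  CAFileName = 'ca.crt'; // placeholder: PEM bundle of the CA(s) issuing client certs

function TClientCertSSLHandler.InitContext(NeedCertificate: Boolean): Boolean;
begin
  Result := inherited InitContext(NeedCertificate);
  if not Result then
    Exit;
  // Trust store against which the client's chain is built and checked.
  if CTX.LoadVerifyLocations(CAFileName, '') <> 1 then
    raise Exception.CreateFmt('Cannot load CA file %s', [CAFileName]);
  // SSL_VERIFY_PEER requests a certificate, SSL_VERIFY_FAIL_IF_NO_PEER_CERT aborts
  // the handshake if none arrives; nil callback keeps OpenSSL's own verdict.
  CTX.SetVerify(SSL_VERIFY_PEER or SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nil);
end;

procedure route1(aReq: TRequest; aResp: TResponse);
begin
  aResp.Content := 'Hello, client-authenticated request';
end;

begin
  // The HTTP server now creates our handler (and still copies CertificateData into it).
  TSSLSocketHandler.SetDefaultHandlerClass(TClientCertSSLHandler);
  HTTPRouter.RegisterRoute('/', @route1);
  Application.Port := 1999;
  Application.UseSSL := True;
  Application.CertificateData.KeyPassword := 'hello';
  Application.CertificateData.HostName := 'localhost';
  Application.CertificateData.Certificate.FileName := 'Server.crt';
  Application.CertificateData.PrivateKey.FileName := 'Server.key';
  Application.Threaded := True;
  Application.Initialize;
  Application.Run;
end.
```

Because verification is enforced at the handshake, a client without a certificate chaining to ca.crt is rejected before any route code runs, which is the "mandatory client certificate" behaviour the question asks about.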