<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>If you want to use OpenSSL then you might be interested in
      trying out my proposed update to the Indy components. This is to
      support the latest versions of OpenSSL and can be downloaded from:</p>
    <p><a class="moz-txt-link-freetext" href="https://github.com/MWASoftware/Indy.proposedUpdate">https://github.com/MWASoftware/Indy.proposedUpdate</a></p>
    <p>There is a test case in Test/OpenSSL/openssl-server, based on the
      Indy HTTP server and OpenSSL, which includes a case where a client
      certificate must be validated by the server. This appears to work on
      both Linux and Windows and hopefully on other platforms.<br>
    </p>
    <div class="moz-cite-prefix">On 10/04/2024 01:34, Flávio Etrusco via
      fpc-pascal wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAJvBmObA5XUsJ57a2-kWynhV5EcyAhc2MF14tvdrKitWD9ahdg@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">
        <div>Hello,<br>
        </div>
        <div><br>
        </div>
        <div>This doesn't seem to have an easy solution right now. Many
          of the functions needed to set up OpenSSL for this don't
          even seem to have imports in the FPC package.</div>
        <div>You'd then have to import the functions and implement a
          custom TSSLSocketHandler, and then hook it using either<br>
        </div>
        <div>(fphttpapp.)Application.HTTPHandler.HTTPServer.OnGetSocketHandler
          or TSSLSocketHandler.SetDefaultHandlerClass();</div>
        <div><br>
        </div>
        <div>Some pointers:<br>
          <a
href="https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c</a></div>
        <div><a
href="https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl</a></div>
        <div><a
href="https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api</a></div>
        <div><a
href="https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca</a></div>
        <div><br>
        </div>
        <div>Best regards,</div>
        <div>Flávio<br>
        </div>
        <div><br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Sat, 23 Mar 2024 at
          08:47, Jos Wegman via fpc-pascal &lt;<a
            href="mailto:fpc-pascal@lists.freepascal.org"
            target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">fpc-pascal@lists.freepascal.org</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div> Hi,<br>
            <br>
            From the info on the wiki I created a simple web server
            with a server certificate.<br>
            To get this code working you need to create the necessary
            certificate.<br>
            For this I used xca from <a href="https://hohnstaedt.de"
              target="_blank" moz-do-not-send="true"
              class="moz-txt-link-freetext">https://hohnstaedt.de</a>,
            but you can use OpenSSL to do the same.<br>
             <br>
            <br>
<pre>
program webserver;

{$mode objfpc}{$H+}

uses
  {$ifdef UNIX}
  cthreads, cmem,
  {$endif}
  fphttpapp,
  httpdefs,
  httproute,
  opensslsockets; { registers the OpenSSL socket handler used when UseSSL is True }

var
  fUseSSL: boolean;
const
  fCertificatePassword: string = 'hello';        { passphrase of the private key file }
  fCertificateHostName: string = 'localhost';
  fCertificateFileName: string = 'Server.crt';   { server certificate file }
  fCertificatePrivateKey: string = 'Server.key'; { matching private key file }

  procedure route1(aReq: TRequest; aResp: TResponse);
  begin
    aResp.Content := '&lt;html&gt;&lt;body&gt;&lt;h1&gt;Route 1 The Default&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;';
  end;

  procedure route2(aReq: TRequest; aResp: TResponse);
  begin
    aResp.Content := '&lt;html&gt;&lt;body&gt;&lt;h1&gt;Route 2&lt;/h1&gt;&lt;/body&gt;&lt;/html&gt;';
  end;

begin
  HTTPRouter.RegisterRoute('/', @route1);
  HTTPRouter.RegisterRoute('/2', @route2);
  Application.Port := 1999;
  fUseSSL := true;
  Application.UseSSL := fUseSSL;
  if fUseSSL then
  begin
    { server-side certificate only; nothing here asks the client for one }
    Application.CertificateData.KeyPassword := fCertificatePassword;
    Application.CertificateData.HostName := fCertificateHostName;
    Application.CertificateData.Certificate.FileName := fCertificateFileName;
    Application.CertificateData.PrivateKey.FileName := fCertificatePrivateKey;
  end;
  Application.Threaded := True;
  Application.Initialize;
  Application.Run;
end.
</pre>
            <br>
            My questions are: <br>
            <b>- How can I modify this example to enforce the use of a
              client certificate?<br>
              - How can I verify a client certificate in the server?</b><br>
            <br>
            In the TLS handshake a client certificate is optional but
            the server can ensure that it is mandatory.<br>
            <br>
            Any help, pointers, sample code is appreciated.<br>
            <br>
            Sincerely,<br>
            <br>
            Jos<br>
          </div>
          _______________________________________________<br>
          fpc-pascal maillist  -  <a
            href="mailto:fpc-pascal@lists.freepascal.org"
            target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">fpc-pascal@lists.freepascal.org</a><br>
          <a
href="https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal"
            rel="noreferrer" target="_blank" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal</a><br>
        </blockquote>
      </div>
    </blockquote>
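    <p>Both the certificate setup Jos mentions (xca, or OpenSSL doing the same)
      and the pointers Flávio gives on testing client authentication and on
      checking a certificate against a private CA can be exercised with the
      openssl command line alone. The script below is an added example, not
      code from this thread or from the FPC or Indy projects: it builds a
      private CA, issues a server certificate for localhost and a client
      certificate, then applies the check a server performs on a presented
      client certificate (chain to a trusted CA plus the TLS-client purpose)
      and shows why a certificate from an untrusted CA, or the server's own
      certificate, is refused. File names, subjects, the working directory
      and the port are assumptions chosen for the demo.</p>

```shell
#!/bin/sh
# Added example, not code from this thread or from the FPC/Indy projects.
# Builds a private CA with the openssl CLI, issues a server certificate for
# localhost and a client certificate, and applies the check a TLS server
# performs on a presented client certificate: chain to a trusted CA plus
# "valid for TLS client use". File names, subjects and the port are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # keys and certificates are written here

# Self-signed CA. basicConstraints and keyUsage are set explicitly so both
# 'openssl verify' and a TLS server accept it as an issuer.
make_ca() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
                "keyUsage=critical,keyCertSign,cRLSign" > "$WORK/$name.ext"
  openssl x509 -req -days 365 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Leaf certificate signed by CA $1, named $2, with extendedKeyUsage $3
# (serverAuth or clientAuth) and an optional subjectAltName $4.
issue_cert() {
  ca="$1"; name="$2"; eku="$3"; san="${4:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$WORK/$name.ext"
  openssl x509 -req -days 90 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# What the server side of the handshake does with a client certificate:
# build the chain to the CA it trusts and require the TLS-client purpose.
# Returns 0 if the certificate would be accepted.
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# Optional live check (LIVE=1): s_server with -Verify refuses handshakes
# that carry no client certificate, unlike -verify, which only requests one.
# -tls1_2 keeps the rejection inside the handshake so s_client's exit
# status reflects it directly.
handshake_check() {
  port=14433
  openssl s_server -accept "$port" -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.crt" -Verify 1 -www >/dev/null 2>&1 &
  srv=$!
  sleep 1
  if openssl s_client -connect "localhost:$port" -CAfile "$WORK/ca.crt" -tls1_2 \
       </dev/null >/dev/null 2>&1; then
    echo "FAIL: handshake without a client certificate was accepted"
  else
    echo "ok: handshake without a client certificate was rejected"
  fi
  if openssl s_client -connect "localhost:$port" -CAfile "$WORK/ca.crt" -tls1_2 \
       -cert "$WORK/client.crt" -key "$WORK/client.key" </dev/null >/dev/null 2>&1; then
    echo "ok: handshake with the issued client certificate was accepted"
  else
    echo "FAIL: handshake with the issued client certificate was rejected"
  fi
  kill "$srv" 2>/dev/null || true
}

main() {
  make_ca ca
  issue_cert ca server serverAuth "DNS:localhost"
  issue_cert ca client clientAuth
  make_ca rogue-ca                            # a CA the server does not trust
  issue_cert rogue-ca rogue-client clientAuth
  for c in client server rogue-client; do
    if verify_client "$WORK/$c.crt"; then
      echo "$c.crt: accepted as a client certificate"
    else
      echo "$c.crt: rejected:"
      openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$c.crt" 2>&1 \
        | sed 's/^/    /' || true
    fi
  done
  if [ "${LIVE:-0}" = 1 ]; then handshake_check; fi
}

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }
main
```

    <p>Run it as <code>WORK=./certs sh mkcerts.sh</code> to keep the output
      next to the program, then point fCertificateFileName and
      fCertificatePrivateKey at server.crt and server.key (the key is written
      unencrypted). With <code>LIVE=1</code> the script also starts
      <code>openssl s_server -Verify 1</code>, the CLI equivalent of a server
      that insists on a client certificate, and connects once without and
      once with client.crt. The -purpose sslclient check is what rejects the
      server's own certificate even though it chains to the trusted CA: its
      extendedKeyUsage is serverAuth only.</p>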
  </body>
</html>