[fpc-pascal] client certificate mandatory and verification

Tony Whyman tony.whyman at mccallumwhyman.com
Wed Apr 10 11:21:11 CEST 2024


If you want to use OpenSSL then you might be interested in trying out 
my proposed update to the Indy components. This is to support the latest 
versions of OpenSSL and can be downloaded from:

https://github.com/MWASoftware/Indy.proposedUpdate

There is a test case in Test/OpenSSL/openssl-server which is based on 
the use of the Indy http server and OpenSSL which includes a test case 
where a client certificate must be validated by the server. This appears 
to work on both Linux and Windows and hopefully other platforms.

On 10/04/2024 01:34, Flávio Etrusco via fpc-pascal wrote:
> Hello,
>
> This doesn't seem to have an easy solution right now. Many of the 
> functions needed to set up openssl for this don't even seem to have 
> imports in the FPC package.
> You'd then have to import the functions and implement a custom 
> TSSLSocketHandler, and then hook it using either
> (fphttpapp.)Application.HTTPHandler.HTTPServer.OnGetSocketHandler or 
> TSSLSocketHandler.SetDefaultHandlerClass();
>
> Some pointers:
> https://stackoverflow.com/questions/4261369/openssl-verify-peer-client-certificate-in-c
> https://stackoverflow.com/questions/21050366/testing-ssl-tls-client-authentication-with-openssl
> https://stackoverflow.com/questions/16291809/programmatically-verify-certificate-chain-using-openssl-api
> https://stackoverflow.com/questions/3412032/how-do-you-verify-a-public-key-was-issued-by-your-private-ca
>
> Best regards,
> Flávio
>
>
> Em sáb., 23 de mar. de 2024 às 08:47, Jos Wegman via fpc-pascal 
> <fpc-pascal at lists.freepascal.org> escreveu:
>
>     Hi,
>
>     From the info on the wiki I created a simple webserver with a
>     server certificate.
>     To get this code working you need to create the necessary certificate.
>     For this I used xca from https://hohnstaedt.de but you can use
>     OpenSSL to do the same.
>
>
>     [code=pascal]
>     program webserver;
>
>     {$mode objfpc}{$H+}
>
>     uses
>       {$ifdef UNIX}
>       cthreads, cmem,
>       {$endif}
>       fphttpapp,
>       httpdefs,
>       httproute,
>       opensslsockets;   // OpenSSL-backed socket handler used when UseSSL is set
>
>     var
>       fUseSSL: boolean;
>     const
>       fCertificatePassword: string = 'hello';       // passphrase of Server.key
>       fCertificateHostName: string = 'localhost';
>       fCertificateFileName: string = 'Server.crt';
>       fCertificatePrivateKey: string = 'Server.key';
>
>       procedure route1(aReq: TRequest; aResp: TResponse);
>       begin
>         aResp.Content := '<html><body><h1>Route 1 The Default</h1></body></html>';
>       end;
>
>       procedure route2(aReq: TRequest; aResp: TResponse);
>       begin
>         aResp.Content := '<html><body><h1>Route 2</h1></body></html>';
>       end;
>
>     begin
>       HTTPRouter.RegisterRoute('/', @route1);
>       HTTPRouter.RegisterRoute('/2', @route2);
>       Application.Port := 1999;
>       fUseSSL := true;
>       Application.UseSSL := fUseSSL;
>       if fUseSSL then
>       begin
>         // Server-side certificate only: nothing here asks the client for one.
>         Application.CertificateData.KeyPassword := fCertificatePassword;
>         Application.CertificateData.HostName := fCertificateHostName;
>         Application.CertificateData.Certificate.FileName := fCertificateFileName;
>         Application.CertificateData.PrivateKey.FileName := fCertificatePrivateKey;
>       end;
>       Application.Threaded := True;
>       Application.Initialize;
>       Application.Run;
>     end.
>     [/code]
>
>     My questions are:
>     - How can I modify this example to enforce the use of a client
>     certificate?
>     - How can I verify a client certificate in the server?
>
>     In the TLS handshake a client certificate is optional but the
>     server can ensure that it is mandatory.
>
>     Any help, pointers, sample code is appreciated.
>
>     Sincerely,
>
>     Jos
>     _______________________________________________
>     fpc-pascal maillist  - fpc-pascal at lists.freepascal.org
>     https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
>
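The server-side behaviour Jos asks about, reproduced with the openssl command line so the policy can be checked before it is wired into a socket handler. This is an added example and not code from the thread, from FPC or from the Indy update above. It assumes an openssl binary (1.1.1 or 3.x) on PATH and a free local TCP port (MTLS_PORT, default 18443), and it generates its own throwaway certificates at run time (constructed test material, not the poster's Server.crt). Two points it makes that carry over to the FPC side: a server makes the client certificate mandatory by setting SSL_VERIFY_PEER together with SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the context (what s_server -Verify does) and by giving the context a trust store holding the client CA (SSL_CTX_load_verify_locations, here -CAfile); and the stock s_server callback only logs a failed chain and lets the handshake continue unless -verify_return_error is also given, the same trap a hand-written verify callback falls into if it returns 1 regardless of preverify_ok.

```sh
#!/bin/sh
# Added example, not from the thread or from FPC: mandatory client
# certificates demonstrated with the openssl CLI.  Assumes an openssl binary
# (1.1.1 or 3.x) on PATH and a free TCP port.  All key material is throwaway,
# generated here at run time (constructed test data, 1-day validity).

MTLS_PORT="${MTLS_PORT:-18443}"
MTLS_DIR="$(mktemp -d)"
MTLS_SERVER_PID=""

# Self-signed CA: $1 = file stem, $2 = CN.  (P-256 keys: fast to generate.)
mtls_make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$MTLS_DIR/$1.key" -out "$MTLS_DIR/$1.crt" -days 1 \
    -subj "/CN=$2" >/dev/null 2>&1
}

# End-entity key + certificate: $1 = CA stem, $2 = CN, $3 = file stem.
mtls_issue() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$MTLS_DIR/$3.key" -out "$MTLS_DIR/$3.csr" \
    -subj "/CN=$2" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$MTLS_DIR/$3.csr" -days 1 \
    -CA "$MTLS_DIR/$1.crt" -CAkey "$MTLS_DIR/$1.key" -CAcreateserial \
    -out "$MTLS_DIR/$3.crt" >/dev/null 2>&1
}

# One trusted CA (server + good client) and one unrelated CA (rogue client).
mtls_make_pki() {
  mtls_make_ca ca "Test CA" &&
  mtls_issue ca localhost server &&
  mtls_issue ca "good client" client &&
  mtls_make_ca rogue "Rogue CA" &&
  mtls_issue rogue "rogue client" rogue-client
}

# Connect as client $1 ("none" = offer no certificate), send one HTTP request
# and report whether the server answered it.  -www makes s_server reply
# "HTTP/1.0 200 ok" to any request that survives the handshake.
mtls_probe() {
  mtls_certargs=""
  [ "$1" != none ] && mtls_certargs="-cert $MTLS_DIR/$1.crt -key $MTLS_DIR/$1.key"
  # shellcheck disable=SC2086
  if printf 'GET / HTTP/1.0\r\n\r\n' |
     openssl s_client -quiet -connect "127.0.0.1:$MTLS_PORT" \
       -CAfile "$MTLS_DIR/ca.crt" $mtls_certargs 2>/dev/null |
     grep -q 'HTTP/1.0 200'; then
    echo accepted
  else
    echo rejected
  fi
}

# Start a server that REQUIRES a client certificate chaining to ca.crt.
#   -Verify 1            -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
#   -CAfile ca.crt       -> trust store (SSL_CTX_load_verify_locations) and
#                           the CA names advertised in CertificateRequest
#   -verify_return_error -> without it s_server only LOGS a failed chain and
#                           lets the handshake continue (a common trap)
mtls_start_server() {
  openssl s_server -accept "$MTLS_PORT" -www \
    -cert "$MTLS_DIR/server.crt" -key "$MTLS_DIR/server.key" \
    -CAfile "$MTLS_DIR/ca.crt" -Verify 1 -verify_return_error \
    >/dev/null 2>&1 &
  MTLS_SERVER_PID=$!
  mtls_i=0                          # wait until the listener answers (<= 5 s)
  while [ "$mtls_i" -lt 25 ]; do
    [ "$(mtls_probe client)" = accepted ] && return 0
    sleep 0.2; mtls_i=$((mtls_i + 1))
  done
  return 1
}

mtls_stop_server() {
  if [ -n "$MTLS_SERVER_PID" ]; then
    kill "$MTLS_SERVER_PID" 2>/dev/null
    wait "$MTLS_SERVER_PID" 2>/dev/null
    MTLS_SERVER_PID=""
  fi
}

mtls_demo() {
  mtls_make_pki || { echo "certificate generation failed" >&2; return 1; }
  mtls_start_server || echo "warning: server did not come up" >&2
  MTLS_NO_CERT=$(mtls_probe none)             # rejected: no certificate offered
  MTLS_GOOD_CERT=$(mtls_probe client)         # accepted: chains to Test CA
  MTLS_ROGUE_CERT=$(mtls_probe rogue-client)  # rejected: chains to Rogue CA
  mtls_stop_server
  rm -rf "$MTLS_DIR"
  printf 'no client cert:        %s\n' "$MTLS_NO_CERT"
  printf 'cert from trusted CA:  %s\n' "$MTLS_GOOD_CERT"
  printf 'cert from rogue CA:    %s\n' "$MTLS_ROGUE_CERT"
}

# Three outcomes in one line, for scripting: "<none> <good> <rogue>".
mtls_verdicts() { echo "$MTLS_NO_CERT $MTLS_GOOD_CERT $MTLS_ROGUE_CERT"; }

mtls_demo
```

In a socket handler the same three settings are the calls that have to reach the OpenSSL context before the accept: SSL_CTX_set_verify with SSL_VERIFY_PEER or'ed with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, and SSL_CTX_load_verify_locations (or SSL_CTX_set_client_CA_list) with the CA the clients are issued from. If the verify callback is permissive, check SSL_get_verify_result for X509_V_OK and that SSL_get_peer_certificate (SSL_get1_peer_certificate in OpenSSL 3) is non-NULL after the handshake before serving the request; a callback that returns 1 unconditionally reproduces the s_server behaviour without -verify_return_error.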