Posts posted by Droesjba


  1. Most likely the exception indeed is caused by an error in my code. I'm trying to discover what I've done wrong. Have I forgotten something? 

    The reason I don't use the pfx file is that our customers have to be able to use their own certificates. This is accomplished by specifying the thumbprint of the certificate the customer wants to use.

    This is not something I have made up myself. Other programs from the company I work for act in the same way.

     

    So specifying a thumbprint and looking it up in the Windows Certificate Store is imposed on me.

    Perhaps you can answer if the following use of the SslCertX509 property should work or not:

     

    After finding the right (i) certificate I define:

      FSslCertX509 := TX509Base.Create(nil);
      FSslCertX509 := TX509Base(lMsX509List);   sad but true: I've added square bracket i square bracket here after lMsX509List but it disappears every time

       .....
      WSslSocketServer.SslContext.SslCertX509 := FSslCertX509;


  2. So you are attempting to use a certificate from the Windows store as a server certificate? 

    Yes

     

    How did you set the private key for this certificate? You can not extract private keys from the Windows store?  Server certificates are useless without a private key.

    From the pem file I've created a pfx file including a private key and a password. I've imported this pfx file in Windows certificate store using MMC (Microsoft Management Console).

     

    I use the LoadFromStore method to read from the Windows Certificate Store. This fills a TMsX509List in which I look up the thumbprint (and find it).

    That gives me the number of the certificate in the TMsX509List.

     

    So the question is: What do I have to do to make use of the SslCertX509 property of TSslContext (from OverbyteIcsWSocket)?

    Making use of the SslCertFile property seems to work OK, why can't I reach the same result when using the SslCertX509 property?

     


  3. I have a client (Windows service) using TSslWSocket and a server (also a Windows service) using TSslWSocketServer. I'm trying to add SSL to the communication between the two services.

     

    Step A:

    In the server I'm using a certificate:

    ...SslContext.SslCertFile := 'C:\Temp\SSL\cert.pem';

    So far, so good. In the OnSslVerifyPeer event of TSslWSocket I'm detecting that the certificate is self-signed, which is correct.

     

    Step B:

    Instead of using ...SslContext.SslCertFile I'm using ...SslContext.SslCertX509.

    This SslCertX509 is retrieved from the Windows certificate store (see topic 

    After finding the right certificate I define:

      FSslCertX509 := TX509Base.Create(nil);
      FSslCertX509 := TX509Base(lMsX509List);

      .....
      WSslSocketServer.SslContext.SslCertX509 := FSslCertX509;

     

    The server gives an exception (access violation) at line 15182 of OverbyteIcsWSocket.pas (see code snippet below):

    [Screenshot of the code snippet; image not preserved]

     

    When I'm using the debugger and enter FSslCertX509.IsCertLoaded then the result is False, so no certificate seems to be loaded.

    Nevertheless the statement at line 15812 seems to be executed. When I'm hovering over "IsCertLoaded" at line 15811 I see:

    "unknown exception 3402A6AC at 24748B14".

     

    Any suggestions?


  4. I'm using the LoadFromStore method. My program raises an exception (Access violation at address 00000000).

    This occurs in method MsCertToX509 of OverbyteIcsMsSslUtils.pas

    To be precise: at line 307 in the statement:  

    Result := d2i_X509(nil, @p, x.cbCertEncoded);

     

    So the function d2i_X509 of OverbyteIcsLIBEAY.pas seems to be the origin of the exception.

     

    The PemTool sample works fine, no problems. My program has administrator rights.

     

    Any suggestions?
