Http client - verify certificate chain (ICS, Indy, ...)

[jaenicke 13]

Hello,

 

I tried to verify a certificate chain when accessing a simple https page (for example https://www.google.de). I tried ICS and Indy, but as both use OpenSSL I got the same error 20:

Quote

unable to get local issuer certificate

I know what this means. OpenSSL does not access the local certificate store under Windows and thus cannot find the root certificate locally. I know, that I can provide a certificate manually, so it can be checked.

 

But why is this neccessary? ICS has code to access the Windows certificate store and verifying the peer is an absolute routine task. I searched for hours to find such functionality, because I cannot believe, that this basic task needs so much manual work. I found OCSP functionality and other cool stuff (code to verify a cert chain in ICS, ...), but not what I needed (verification of the root cert in the chain as well using the system store).

 

So my question is:

Did I not find this functionality or is it really missing? I would have expected this to work just by activating peer verification in both frameworks (so the AOk parameter should be set to true, when the OnVerifyPeer events are called).

 

Thank you in advance

Kind regards

Sebastian

[Angus Robertson 526]

ICS ships with four different root certificate stores to allow chain verification, three as files, one as linked unit. 

 

How they are used depends on the component you are using, older and low level components need extra code to check the certificate chain, if you use the TSslHttpRest component it is all built in, you decide whether to use a root store or the Windows store, look at the OverbyteIcsHttpRestTst.dpr sample to see it all working.

 

Angus

 

[jaenicke 13]

Thank you! 

I had found out, that the rest component has more functionality than the HttpCli, but had overlooked the property CertVerMethod.

Edited January 16, 2023 by jaenicke