jaenicke

Http client - verify certificate chain (ICS, Indy, ...)

Hello,

I tried to verify a certificate chain when accessing a simple https page (for example https://www.google.de). I tried ICS and Indy, but as both use OpenSSL I got the same error 20:

Quote

unable to get local issuer certificate

I know what this means. OpenSSL does not access the local certificate store under Windows and thus cannot find the root certificate locally. I know that I can provide a certificate manually, so it can be checked.

But why is this necessary? ICS has code to access the Windows certificate store, and verifying the peer is an absolutely routine task. I searched for hours to find such functionality, because I cannot believe that this basic task needs so much manual work. I found OCSP functionality and other cool stuff (code to verify a cert chain in ICS, ...), but not what I needed (verification of the root cert in the chain as well, using the system store).

So my question is:

Did I not find this functionality or is it really missing? I would have expected this to work just by activating peer verification in both frameworks (so the AOk parameter should be set to true, when the OnVerifyPeer events are called).

Thank you in advance

Kind regards

Sebastian

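As an added example (not code from this thread, from ICS or from Indy), the following Python script illustrates the point made in the post above: an OpenSSL-backed client only trusts the roots it is explicitly given, so on Windows the roots have to be read out of the system store and fed to the verifying context, and a verify failure such as error 20 should be surfaced with its meaning rather than swallowed. Python's ssl module wraps OpenSSL, so the verify codes are the same ones ICS and Indy report. The function names and the demo host are assumptions; the verify code table is taken from OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl

# Extended key usage OID for "server authentication"; the Windows store tags
# each root with the purposes it is trusted for.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# OpenSSL X509_V_ERR_* codes that show up most often in OnVerifyPeer handlers.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed certificate (depth 0): the server sent its own root",
    19: "self-signed certificate in chain: the root is not in the trust store",
    20: "unable to get local issuer certificate: the issuer of some chain "
        "element is not in the trust store handed to OpenSSL",
    62: "hostname mismatch",
}


def describe_verify_code(code):
    """Human-readable meaning of an OpenSSL verify result code (assumed helper)."""
    return VERIFY_CODES.get(code, "verify error %d (see X509_V_ERR_* in x509_vfy.h)" % code)


def windows_store_roots(store_names=("CA", "ROOT")):
    """DER-encoded roots from the Windows stores that are trusted for server
    authentication, concatenated. Returns b"" where ssl.enum_certificates is
    missing (every non-Windows platform)."""
    if not hasattr(ssl, "enum_certificates"):
        return b""
    blobs = []
    for store in store_names:
        for cert, encoding, trust in ssl.enum_certificates(store):
            if encoding != "x509_asn":
                continue
            # trust is True (trusted for everything) or a set of EKU OIDs
            if trust is True or SERVER_AUTH_OID in trust:
                blobs.append(cert)
    return b"".join(blobs)


def build_verifying_context(extra_root_pem=None):
    """Client context that actually verifies the peer: full chain check plus
    hostname check, with roots taken from the Windows store when available,
    otherwise from the platform's default bundle. extra_root_pem is an optional
    PEM string for a private root that is not in any system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    roots = windows_store_roots()
    if roots:
        # cadata accepts a bytes object holding one or more DER certificates
        ctx.load_verify_locations(cadata=roots)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if extra_root_pem:
        ctx.load_verify_locations(cadata=extra_root_pem)
    return ctx


def context_summary(ctx):
    """Settings a reviewer would want to see before trusting a client context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ca_count": len(ctx.get_ca_certs()),
    }


def verify_host(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS connection and report (ok, detail). A chain or hostname
    failure is returned with its OpenSSL verify code explained, never ignored."""
    ctx = ctx or build_verifying_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        if code is None:
            return False, exc.reason
        return False, "error %d: %s" % (code, describe_verify_code(code))


if __name__ == "__main__":
    ctx = build_verifying_context()
    print(context_summary(ctx))
    # Requires network access; www.google.de is the host from the post above.
    print(verify_host("www.google.de", ctx=ctx))
```

If the script prints `error 20: unable to get local issuer certificate` for a host that browsers accept, the trust store handed to OpenSSL is empty or incomplete, which is exactly the situation described in the post; the fix is to load the roots (system store or a bundle file), not to set AOk to true in the verify callback.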
ICS ships with four different root certificate stores to allow chain verification, three as files, one as linked unit. 

How they are used depends on the component you are using; older and low-level components need extra code to check the certificate chain. If you use the TSslHttpRest component it is all built in: you decide whether to use a root store or the Windows store. Look at the OverbyteIcsHttpRestTst.dpr sample to see it all working.

 

Angus


Thank you! 

I had found out that the REST component has more functionality than the HttpCli, but had overlooked the property CertVerMethod.
