Let's Encrypt DST Root CA X3 Expiration

[Andsup]

Hi,
Issue: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

My windows 10 application is developped with delphi and indy 10.6.2 and so Openssl 1.0.x.
The server is a php application under Apache running on windows 10.

Will that EOL impact the TLS flow ?

Do I need to upgrade to an indy version with the support for openssl 1.1.x ?

Thanks for your advice,
André.

[rlebeau]

You will not need to update Indy itself, just the SSLIOHandler that you use with your TCP connections. OpenSSL 1.1.x is being supported by this SSLIOHandler, which is still in development, but will eventually be merged into the main codebase when ready.

[Andsup]

Thanks Remy.

I'm a step futher with compiled/running version on OpenSSL 1.1.1.

But until now I have to set Options.VerifyServerCertificate to false.
With this flag set to yes, the following error is always raised:
1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.

How to validate the server certificate ?

Thanks for your help,
André.

[rlebeau]

Did you install the server's root certificate(s) into OpenSSL? TIdSSLIOHandlerSocketOpenSSL has RootCertFile, CertFile, and VerifyDirs properties for that task. And an OnVerifyPeer event for custom validations.

I don't know the equivalents in the new 1.1.x SSLIOHandler, I haven't looked at that code yet (I'm not the one writing it).

[Andsup]

You are right : solved.

Something wrong with my files in the Verify Certificate directory so I switched to a bundle of the “pem” in one file.
(bundle file copied from a linux machine)

Application is stable with the new code (dynamic mode) with openssl111k dlls and TLSv1.3.

A latest comment:
Function and variable names are not constant with the previous version.
Examples:

• options vs SSLOptions
• OnVerifyPeer vs options.OnVerify

Not a big deal, but maybe to realign before the merge.

Thanks for your support,
André