From: ckd <ckd...@gm...> - 2013-09-14 16:21:51
I'm trying to send a POST request using HTTPS and can't figure out how to
get two way authentication working. I have some clues and bits of
information but I can't put it all together.
I'm starting off with a PFX cert and a cert password (given to me). This
code runs without error:
uses
  Classes, blcksock, httpsend, ssl_openssl; // blcksock: TTCPBlockSocket, httpsend: HttpPostURL

var
  Socket: TTCPBlockSocket;
  url, urldata: string;
  data: TMemoryStream;

  Socket := TTCPBlockSocket.Create;
  Socket.SSL.PFXfile := 'c:\certs\mycert.pfx';
  Socket.SSL.KeyPassword := 'mycertpw';
  Socket.Connect('www.aidap.naimes.faa.gov', '443'); // LastError is 0
  Socket.SSLDoConnect;                               // LastError is 0
  if Socket.LastError = 0 then
  begin
    HttpPostURL(url, urldata, data);
    data.SaveToFile('C:\foo.txt');
  end;
At this point, foo.txt contains html with the message 'Your client is not
allowed to access the requested object.'.
If I put the socket.connect url into Firefox I get an identical message.
If I drag the pfx file into Internet Explorer, follow the wizard (entering
the pfx pw), then enter the url into IE, I actually connect and get a log
in screen and no errors.
It is possible to do this programmatically, there is some discussion here:
http://rap.ucar.edu/staff/paddy/cacerts/
That mentions installing the cert using javac InstallCert. I know that's
not a requirement - if the cert has been imported with IE then Java can
access the cert store somehow.
I've looked through the plugin code and think the solution involves PKCS,
SunX509, stores, and maybe the CertCAFile. The cryptlib doc says:
If you need to use a server that verifies client certificates, then use
TCustomSSL <http://synapse.ararat.cz/doc/help/blcksock.TCustomSSL.html>.
CertCAFile <http://synapse.ararat.cz/doc/help/blcksock.TCustomSSL.html#CertCAFile> as
PKCS#15 file with public keys of allowed clients. Clients with
non-matching certificates will be rejected by cryptLib.
I'm not sure if that applies to the openssl lib as well, or if it does how
to apply that. Any hints or ideas would be greatly appreciated!
-ckd
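Added example, not the poster's code and not part of the Synapse project: a POST over HTTPS that presents the PFX client certificate on the socket THTTPSend itself uses. HttpPostURL creates its own THTTPSend (and therefore its own socket) internally, so a TLS session negotiated on a separately created TTCPBlockSocket does not carry the POST; setting the certificate on Http.Sock.SSL before HTTPMethod is what makes the handshake use it. The URL, file names and password are caller-supplied placeholders, and the LT_TLSv1 setting assumes a Synapse revision that defines it.

```pascal
uses
  SysUtils, Classes, blcksock, httpsend, ssl_openssl;

{ POST FormData to Url while presenting the client certificate in PfxFile
  during the TLS handshake. Returns the HTTP status code, or 0 when the
  connection or handshake failed (details are written to Response).
  Url, PfxFile, PfxPassword and CaBundleFile are caller-supplied placeholders. }
function PostWithClientCert(const Url: string; const FormData: AnsiString;
  const PfxFile, PfxPassword, CaBundleFile: string;
  Response: TStrings): Integer;
var
  Http: THTTPSend;
begin
  Result := 0;
  Http := THTTPSend.Create;
  try
    // Configure TLS on the socket THTTPSend will use for this request.
    Http.Sock.SSL.PFXfile := PfxFile;
    Http.Sock.SSL.KeyPassword := PfxPassword;
    // Also verify the server's chain against a PEM bundle of trusted CAs;
    // without VerifyCert the client accepts any server certificate.
    Http.Sock.SSL.CertCAFile := CaBundleFile;
    Http.Sock.SSL.VerifyCert := True;
    // Assumption: this Synapse revision defines LT_TLSv1 (avoids SSLv2/v3).
    Http.Sock.SSL.SSLType := LT_TLSv1;

    if FormData <> '' then
      Http.Document.Write(FormData[1], Length(FormData));
    Http.MimeType := 'application/x-www-form-urlencoded';

    if not Http.HTTPMethod('POST', Url) then
    begin
      // Sock.LastError covers socket errors; SSL.LastErrorDesc explains a
      // failed handshake, e.g. a client certificate the server rejected.
      Response.Text := Format('request failed: socket %d (%s); ssl: %s',
        [Http.Sock.LastError, Http.Sock.LastErrorDesc,
         Http.Sock.SSL.LastErrorDesc]);
      Exit;
    end;

    // e.g. 200 on success, or 403 when the certificate is not authorised
    Result := Http.ResultCode;
    Http.Document.Position := 0;
    Response.LoadFromStream(Http.Document);
  finally
    Http.Free;
  end;
end;
```

A non-zero socket error or an SSL error description after HTTPMethod returns False is where a rejected client certificate shows up, as distinct from the HTML "not allowed" body that a completed but unauthenticated request returns.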