Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10

Question

I\'m completely new to SSL and these ciphering stuff but I need to make communicate client and server Delphi XE6 apps running on mobile devices. The TCP communication has to

Answer 1

As I told you in my answer to your same question on the Embarcadero forums, certificates are optional. They are used to allow peers to validate each other's identities, not for encryption. Certificates help avoid man-in-the-middle attacks, by allowing a client to verify it is connected to the correct server it is expecting to be connected to, and vice versa. It is not common for a client to have a certificate, except maybe when making a proprietary system where only authorized clients are allowed to connect. But it is pretty common for servers to have certificates, at least. Certificates can be password-protected, so if you do use them, you have to provide the correct password for the certificate(s) that you are actually using. A certificate's password can't be retrieved from the certificate itself, but if an attacker gains access to your certificate files then you have bigger issues to deal with.

As for SSLv23, it is a wildcard that allows dynamic version negotiation in cases where client and server support different SSL/TLS versions. SSLv23 allows them to figure out and use the highest version common to both parties. If a server needs to support a wide range of clients, it makes sense to use SSLv23 on the server side. Not so much on the client side. Since you control both client and server, you should use use a specific version instead, preferrably TLSv1 or higher.