I did some tests. It seems that the suggestion by pierceng actually works on the client level.
Tested against one of my own websites, which has a self-signed certificate: https://thaddy.org
A browser would initially refuse the connection with a 443 error, but a small fphttpclient will succeed when VerifySSLCertificate := false and fail when VerifySSLCertificate := true.
Code used is similar to my other post, but with exception handling.
{$mode objfpc}
uses
  classes, sysutils, fphttpclient, opensslsockets, fpJson, jsonparser;
var
  Client: TFpHttpClient;
  List: TStringList;
  URL: String = 'https://thaddy.org';
begin
  Randomize;
  Client := TfpHttpClient.Create(nil);
  try
    // this is important
    Client.AllowRedirect := true;
    // optional
    Client.RequestHeaders.Add('User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0');
    Client.VerifySSLCertificate := Boolean(random(2)); // fails or succeeds based on true/false
    List := TStringlist.Create;
    try
      try
        List.Text := Client.Get(URL);
        writeln(Client.ResponseStatusText, Client.ResponseStatusCode: 5);
      except
        On E: Exception do
          writeln(E.Message);
      end;
      writeln(List.Text);
    finally
      List.Free;
    end;
  finally
    Client.Free;
  end;
end.
Response can be (true):
Connect to thaddy.org:443 failed: SSL error code: 336134278: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Or (false):
OK 200
<html>Apache is functioning normally</html>
Don't worry about security here: Apache is configured to only serve static pages.
(unless I am testing CGI delivered pages, but those pages are usually not publicly known and short-lived. There is also no database running on this one.)
Also note - logically - that if the client has the certificate installed it will always succeed! Also tested on a different laptop. The other way around seems to fail every time, though (a small server, still testing)
This is all as expected. Does that help?
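
An added example, not part of the post above: it decodes the numeric OpenSSL code from the failure message quoted in the post, so an exception handler can tell a certificate verification failure apart from other connection errors. The record and function names are hypothetical, and the code assumes the OpenSSL 1.x packed layout (8 bits library, 12 bits function, 12 bits reason), which matches the quoted message.

```pascal
{$mode objfpc}{$H+}
uses
  sysutils;
const
  // Constructed sample: the failure message quoted in the post.
  SampleMsg = 'Connect to thaddy.org:443 failed: SSL error code: 336134278: ' +
    'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed';
  ERR_LIB_SSL = 20;                       // OpenSSL library number for libssl
  SSL_R_CERTIFICATE_VERIFY_FAILED = 134;  // OpenSSL reason code
type
  TSslErr = record                        // hypothetical helper type
    Code: Cardinal;
    Lib, Func, Reason: Integer;
  end;

// Find the decimal code after 'SSL error code: ' and split it into its fields.
// Assumption: OpenSSL 1.x packing (lib shl 24) or (func shl 12) or reason.
function ParseSslErr(const Msg: string; out Err: TSslErr): Boolean;
const
  Marker = 'SSL error code: ';
var
  P, Q: Integer;
  V: Int64;
begin
  Result := False;
  P := Pos(Marker, Msg);
  if P = 0 then Exit;
  Inc(P, Length(Marker));
  Q := P;
  while (Q <= Length(Msg)) and (Msg[Q] in ['0'..'9']) do Inc(Q);
  if not TryStrToInt64(Copy(Msg, P, Q - P), V) then Exit;
  if (V < 0) or (V > High(Cardinal)) then Exit;
  Err.Code := Cardinal(V);
  Err.Lib := (Err.Code shr 24) and $FF;
  Err.Func := (Err.Code shr 12) and $FFF;
  Err.Reason := Err.Code and $FFF;
  Result := True;
end;

// True only when libssl reports that the peer certificate failed verification.
function IsCertVerifyFailure(const Err: TSslErr): Boolean;
begin
  Result := (Err.Lib = ERR_LIB_SSL) and (Err.Reason = SSL_R_CERTIFICATE_VERIFY_FAILED);
end;

var
  E: TSslErr;
begin
  if ParseSslErr(SampleMsg, E) then
    writeln(Format('code=%.8x lib=%d func=%d reason=%d', [E.Code, E.Lib, E.Func, E.Reason]),
      ' cert verify failed: ', IsCertVerifyFailure(E))
  else
    writeln('no OpenSSL error code in message');
end.
```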