SChannel Indy Server Delphi

For years, Delphi developers deploying TLS-enabled servers on Windows have faced the same challenge: bundling the correct OpenSSL libraries with their application. Version mismatches, missing DLLs at runtime, and manual updates after security advisories have been a constant source of friction in production environments.

Starting with sgcWebSockets 2026.3.0, Indy-based server components — TsgcWebSocketServer and TsgcWebSocketHTTPServer — can use Windows SChannel (Secure Channel) as the TLS provider. SChannel is the native Windows TLS implementation built into every version of Windows. It requires no external DLLs, integrates directly with the Windows Certificate Store, and receives security patches automatically through Windows Update.

This article walks through how to configure and deploy SChannel-based servers in your Delphi applications.

Why SChannel on the Server Side?

SChannel eliminates the most common deployment headaches associated with TLS on Windows servers.

Zero External Dependencies
SChannel is built into Windows. No libeay32.dll, no ssleay32.dll, no libcrypto, no libssl. Your installer gets smaller and your deployment gets simpler.
Windows Certificate Store
Use certificates already installed and managed by the operating system. No need to copy PEM files around — just reference the certificate by its thumbprint.
Automatic Security Updates
TLS improvements and security patches are applied through Windows Update. No manual library upgrades, no redeployments for OpenSSL CVEs.

Quick Start — 5 Steps

Enabling SChannel on your server requires just a few property changes:

  1. Enable SSL — Set the SSL property to True.
  2. Select SChannel as the IOHandler — Set SSLOptions.IOHandler to iohSChannel.
  3. Choose a TLS version — Set SSLOptions.Version to the desired version. tls1_2 is recommended for most deployments.
  4. Set the port — Set SSLOptions.Port and Port to the listening port (typically 443).
  5. Configure the certificate — Provide a certificate via the Windows Certificate Store (thumbprint) or a PFX file.

Method 1: Certificate from the Windows Store

If your certificate is already installed in the Windows Certificate Store, you only need to provide its thumbprint. This is the recommended approach for production servers and Windows services.

Find the Certificate Thumbprint

Open PowerShell and list the certificates in the Local Machine personal store:

PS C:\> dir cert:\localmachine\my

Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
C12A8FC8AE668F866B48F23E753C93D357E9BE10  CN=*.mydomain.com
A7F3D2E1B9C84A6D5E0F123456789ABCDEF01234  CN=api.mydomain.com

Copy the 40-character hexadecimal thumbprint of the certificate you want to use.
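Before pasting a thumbprint into CertHash it is worth checking that the certificate can actually serve: it must carry its private key, must not be expired, and should match the host name clients will use. The following PowerShell function is an added example written for this article, not part of sgcWebSockets or its documentation; the function name and the sample host name api.mydomain.com are assumptions for illustration.

```powershell
# Added example (not from the sgcWebSockets article): locate the server certificate
# in the Local Machine Personal store and verify it is usable by an SChannel server
# before copying its thumbprint into CertHash. The function name and the sample
# host name 'api.mydomain.com' are assumptions for illustration.
function Find-SChannelServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $DnsName,          # host name clients will connect to
        [string] $StorePath = 'Cert:\LocalMachine\My'      # scspStoreLocalMachine + scsnMY
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Extended Key Usage: Server Authentication

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # If an EKU extension is present it must allow server authentication
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = if ($null -eq $eku) { $true } else {
            [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }

        # Subject CN or a SAN entry must cover the DNS name (wildcards handled by -like)
        $cn = ($cert.Subject -split ',')[0] -replace '^CN=', ''
        $nameMatches = ($DnsName -like $cn) -or ($cert.DnsNameList.Unicode -contains $DnsName)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint      # 40 hex chars, no spaces: the CertHash value
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey   # required; SChannel cannot serve without it
            NotAfter      = $cert.NotAfter
            ServerAuth    = $serverAuth
            NameMatches   = $nameMatches
            Usable        = $cert.HasPrivateKey -and $serverAuth -and $nameMatches -and
                            ($cert.NotAfter -gt (Get-Date))
        }
    } | Where-Object { $_.NameMatches } | Sort-Object NotAfter -Descending
}

# Usage: list the candidates and print the assignment for the best one
$candidates = Find-SChannelServerCertificate -DnsName 'api.mydomain.com'
$candidates | Format-Table Thumbprint, Subject, HasPrivateKey, NotAfter, ServerAuth, Usable -AutoSize

$best = $candidates | Where-Object Usable | Select-Object -First 1
if ($null -eq $best) {
    Write-Error 'No usable server certificate found (check private key, EKU and expiry).'
} else {
    "oServer.SSLOptions.SChannel_Options.CertHash := '$($best.Thumbprint)';"
}
```

Reading the thumbprint from the Cert: drive, as above, also avoids the classic mistake of copying it from the certmgr.msc dialog, where the value is displayed with spaces between bytes and is not accepted as a 40-character hash.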

Configure the Server

var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);

  // Enable TLS with SChannel
  oServer.SSL := True;
  oServer.SSLOptions.IOHandler := iohSChannel;
  oServer.SSLOptions.Version := tls1_2;
  oServer.SSLOptions.Port := 443;
  oServer.Port := 443;

  // Point to the certificate in the Windows Store
  oServer.SSLOptions.SChannel_Options.CertHash :=
    'C12A8FC8AE668F866B48F23E753C93D357E9BE10';
  oServer.SSLOptions.SChannel_Options.CertStoreName := scsnMY;
  oServer.SSLOptions.SChannel_Options.CertStorePath := scspStoreLocalMachine;

  // Start listening
  oServer.Active := True;
end;

Production tip. Always use scspStoreLocalMachine for servers deployed as Windows services. The Local Machine store is accessible regardless of which user account runs the service, whereas scspStoreCurrentUser is tied to the logged-in user's profile.

Certificate Store Options

Store          Name Constant  Contains
-----          -------------  --------
Personal (MY)  scsnMY         Server certificates with private keys
Root           scsnRoot       Trusted root certification authorities
Trust          scsnTrust      Trusted certificates
CA             scsnCA         Intermediate certification authorities

Method 2: Certificate from a PFX File

If you have a PFX (.pfx or .p12) certificate file, you can load it directly without installing it in the Windows Certificate Store. SChannel will import the certificate at server startup.

var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);

  // Enable TLS with SChannel
  oServer.SSL := True;
  oServer.SSLOptions.IOHandler := iohSChannel;
  oServer.SSLOptions.Version := tls1_2;
  oServer.SSLOptions.Port := 443;
  oServer.Port := 443;

  // Load certificate from a PFX file (the file must contain the private key)
  oServer.SSLOptions.CertFile := 'c:\certificates\server.pfx';
  // Do not ship the PFX password as a string literal in production builds;
  // read it from a protected configuration source at startup instead
  oServer.SSLOptions.Password := 'mypassword';

  // Start listening
  oServer.Active := True;
end;

Have PEM files? SChannel only accepts PFX format. Convert your PEM certificate and private key with a single command:

openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx
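If you prefer Method 1 for production, the converted PFX can be imported straight into the Local Machine Personal store so that only the thumbprint has to live in the application. The following PowerShell function is an added example for this article, not code shipped with sgcWebSockets; the function name and the file names server.key, server.crt and server.pfx are placeholders.

```powershell
# Added example (not from the sgcWebSockets article): convert a PEM key/cert pair
# to PFX with openssl, import it into the Local Machine Personal store, and return
# the certificate whose Thumbprint goes into CertHash. File names are placeholders.
function Import-PemAsSChannelServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,    # PEM private key, e.g. server.key
        [Parameter(Mandatory)] [string] $CertFile,   # PEM leaf certificate, e.g. server.crt
        [string] $ChainFile,                         # optional PEM bundle of intermediates
        [string] $PfxFile = 'server.pfx'
    )

    # Prompt for the PFX password instead of embedding it in the script
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

    # openssl reads the passphrase from an environment variable (env:NAME) so it does
    # not appear on the command line or in process listings
    $env:SGC_PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
    try {
        $opensslArgs = @('pkcs12', '-export',
                         '-inkey', $KeyFile, '-in', $CertFile,
                         '-out', $PfxFile, '-passout', 'env:SGC_PFX_PASS')
        # -certfile bundles the intermediates so the server sends the full chain
        if ($ChainFile) { $opensslArgs += @('-certfile', $ChainFile) }
        & openssl @opensslArgs
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
    } finally {
        Remove-Item Env:\SGC_PFX_PASS -ErrorAction SilentlyContinue
    }

    # Import into LocalMachine\My, the store Method 1 selects with scsnMY + scspStoreLocalMachine.
    # Requires an elevated prompt; the key stays non-exportable unless -Exportable is added.
    $cert = Import-PfxCertificate -FilePath $PfxFile `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $pfxPassword

    if (-not $cert.HasPrivateKey) {
        throw 'Imported certificate has no private key; SChannel cannot serve with it.'
    }
    $cert   # Thumbprint property is the value for SChannel_Options.CertHash
}

# Usage (placeholder paths; add -ChainFile 'chain.crt' if you have intermediates)
$cert = Import-PemAsSChannelServerCertificate -KeyFile 'server.key' -CertFile 'server.crt'
"oServer.SSLOptions.SChannel_Options.CertHash := '$($cert.Thumbprint)';"
```

One practical caveat: the store itself is readable by every account, but the imported private key has its own ACL. If the service does not run as LocalSystem or an administrator, grant the service account read access to the key (certlm.msc, All Tasks, Manage Private Keys) or the handshake will fail even though CertHash is correct.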

SChannel_Options Reference

The SSLOptions.SChannel_Options sub-property exposes all SChannel-specific server settings.

Property              Type     Description
--------              ----     -----------
CertHash              String   The 40-character hexadecimal thumbprint of a certificate installed in the Windows Certificate Store.
CertStoreName         Enum     Which store to search: scsnMY (Personal), scsnRoot, scsnTrust, scsnCA.
CertStorePath         Enum     Store location: scspStoreLocalMachine (recommended) or scspStoreCurrentUser.
CipherList            String   Colon-separated list of allowed cipher algorithms (e.g. CALG_AES_256:CALG_AES_128). Leave empty for Windows defaults.
UseLegacyCredentials  Boolean  When True, uses the legacy SCHANNEL_CRED structure. Enable for Windows Server 2019 and earlier.

TLS Version Configuration

Control which TLS protocol version the server accepts through the SSLOptions.Version property.

Value         Protocol       Recommendation
-----         --------       --------------
tls1_3        TLS 1.3        Best security. Use when all clients support it.
tls1_2        TLS 1.2        Recommended for most production deployments.
tls1_1        TLS 1.1        Legacy. Avoid unless required by old clients.
tls1_0        TLS 1.0        Deprecated. Not recommended.
tlsUndefined  TLS 1.0 – 1.2  Accepts any of TLS 1.0, 1.1, or 1.2.

// Enforce TLS 1.2 minimum for modern security
oServer.SSLOptions.Version := tls1_2;

// Or use TLS 1.3 for the strongest encryption
oServer.SSLOptions.Version := tls1_3;

Cipher Suite Configuration

By default, SChannel uses the system-wide cipher configuration managed by Windows. For environments that require tighter control, you can restrict the allowed algorithms.

// Restrict to AES-256 and AES-128 only
oServer.SSLOptions.SChannel_Options.CipherList :=
  'CALG_AES_256:CALG_AES_128';

Leave the CipherList property empty to accept the Windows default cipher configuration. This is suitable for most deployments, as Windows maintains a secure default set that is updated through Windows Update.

Caution. Restricting ciphers too aggressively may prevent some clients from connecting. Test thoroughly against your expected client base before deploying custom cipher lists in production.
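The only reliable way to know what a TLS version or cipher setting does to your client base is to probe the running server. The following PowerShell function is an added example for this article (not part of sgcWebSockets): it offers each protocol version in turn through .NET's SslStream and reports whether the server accepted it and which cipher was negotiated, so both the SSLOptions.Version choice above and a custom CipherList can be verified before the change reaches clients. The host name and port are assumptions.

```powershell
# Added example (not from the sgcWebSockets article): offer each TLS version to a
# running server and report what it accepts and which cipher it negotiates.
# Host name and port are assumptions; run it against your own test server.
function Test-TlsVersionPolicy {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Tls13 requires .NET Framework 4.8 (Windows PowerShell 5.1) or PowerShell 7
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12', 'Tls13')
    )

    foreach ($proto in $Protocols) {
        $client = $null
        $ssl = $null
        try {
            $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
            # Default certificate validation is kept on purpose: an untrusted test
            # certificate shows up in the Error column instead of being accepted silently
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $true)
            [pscustomobject]@{
                Offered    = $proto
                Result     = 'accepted'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
                Error      = $null
            }
        } catch {
            [pscustomobject]@{
                Offered    = $proto
                Result     = 'rejected'
                Negotiated = $null
                Cipher     = $null
                Error      = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl)    { $ssl.Dispose() }
            if ($client) { $client.Dispose() }
        }
    }
}

# Usage: with Version := tls1_2 expect Tls and Tls11 rejected and Tls12 accepted
$report = Test-TlsVersionPolicy -HostName 'api.mydomain.com' -Port 443
$report | Format-Table -AutoSize

$legacy = $report | Where-Object { $_.Result -eq 'accepted' -and $_.Offered -in 'Tls', 'Tls11' }
if ($legacy) {
    Write-Warning "Server still accepts legacy protocol(s): $($legacy.Offered -join ', ')"
}
```

Read the Error column before drawing conclusions: a rejection can also come from the probing machine's own SChannel policy (recent Windows builds disable TLS 1.0 and 1.1 client-side), so run the probe from a machine representative of your oldest supported clients.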

Legacy Windows Compatibility

The component uses the modern SCH_CREDENTIALS API by default. On older Windows versions (Server 2019 and earlier) that do not support this API, you can fall back to the legacy credential structure.

// Enable legacy mode for Windows Server 2019 and earlier
oServer.SSLOptions.SChannel_Options.UseLegacyCredentials := True;

In most cases, the component detects the Windows version automatically and selects the appropriate API. Use the UseLegacyCredentials property only if the server fails to start on an older Windows version.

SChannel vs. OpenSSL — When to Use Each

Both TLS providers are fully supported. The right choice depends on your deployment platform and operational requirements.

Feature                     SChannel              OpenSSL
-------                     --------              -------
External DLLs required      No                    Yes
Windows Certificate Store   Native                Not supported
Automatic security updates  Yes (Windows Update)  Manual library update
Cross-platform              Windows only          Windows, Linux, macOS
Certificate formats         PFX + Windows Store   PEM, PFX
TLS 1.0 – 1.3               Yes                   Yes

Bottom line. If your server runs exclusively on Windows, SChannel is the simpler, more maintainable choice. If you need cross-platform support, use iohOpenSSL. Switching between the two requires changing only the IOHandler property — no other code changes are needed.

Complete Example: Secure WebSocket Server

A fully configured WebSocket server using SChannel with a certificate from the Windows Certificate Store.

uses
  sgcWebSocket_Server, sgcWebSocket_Classes;

var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);
  try
    // Server configuration
    oServer.Port := 443;

    // TLS configuration with SChannel
    oServer.SSL := True;
    oServer.SSLOptions.IOHandler := iohSChannel;
    oServer.SSLOptions.Version := tls1_2;
    oServer.SSLOptions.Port := 443;

    // Certificate from Windows Certificate Store
    oServer.SSLOptions.SChannel_Options.CertHash :=
      'C12A8FC8AE668F866B48F23E753C93D357E9BE10';
    oServer.SSLOptions.SChannel_Options.CertStoreName := scsnMY;
    oServer.SSLOptions.SChannel_Options.CertStorePath := scspStoreLocalMachine;

    // Assign WebSocket event handlers. Delphi event handlers are methods of an
    // object, so OnClientConnect, OnClientDisconnect and OnClientMessage must be
    // declared on a class elsewhere in your application
    oServer.OnConnect := OnClientConnect;
    oServer.OnDisconnect := OnClientDisconnect;
    oServer.OnMessage := OnClientMessage;

    // Start the server
    oServer.Active := True;

    WriteLn('Secure WebSocket server listening on port 443 (SChannel TLS 1.2)');
    WriteLn('Press Enter to stop...');
    ReadLn;
  finally
    oServer.Active := False;
    oServer.Free;
  end;
end;

Works with Both Server Components

SChannel is available on both Indy-based server components. The configuration is identical.

Component                Description
---------                -----------
TsgcWebSocketHTTPServer  WebSocket server with built-in HTTP server. Ideal for combined WebSocket + REST APIs.
TsgcWebSocketServer      Pure WebSocket server based on Indy TCP. Best for dedicated WebSocket endpoints.

Important Notes

  • Windows only. SChannel is a Windows API. For cross-platform servers (Linux, macOS), use OpenSSL (iohOpenSSL).
  • Private key required. The server certificate must include its private key. When using the Windows Certificate Store method, the certificate must have been imported with its private key.
  • PFX format only. SChannel accepts PFX (.pfx / .p12) certificate files. If you have PEM files, convert them to PFX first using the openssl pkcs12 command.
  • Local Machine store for services. Use scspStoreLocalMachine for production servers so the certificate is available regardless of the user account.
  • Edition availability. Server-side SChannel is available in the Professional, Enterprise, and All-Access editions of sgcWebSockets.