For years, Delphi developers deploying TLS-enabled servers on Windows have faced the same challenge: bundling the correct OpenSSL libraries with their application. Version mismatches, missing DLLs at runtime, and manual updates after security advisories have been a constant source of friction in production environments.
Starting with sgcWebSockets 2026.3.0, Indy-based server components — TsgcWebSocketServer and TsgcWebSocketHTTPServer — can use Windows SChannel (Secure Channel) as the TLS provider. SChannel is the native Windows TLS implementation built into every version of Windows. It requires no external DLLs, integrates directly with the Windows Certificate Store, and receives security patches automatically through Windows Update.
This article walks through how to configure and deploy SChannel-based servers in your Delphi applications.
Why SChannel on the Server Side?
SChannel eliminates the most common deployment headaches associated with TLS on Windows servers.
- Zero External Dependencies. SChannel is built into Windows. No libeay32.dll, no ssleay32.dll, no libcrypto, no libssl. Your installer gets smaller and your deployment gets simpler.
- Windows Certificate Store. Use certificates already installed and managed by the operating system. No need to copy PEM files around — just reference the certificate by its thumbprint.
- Automatic Security Updates. TLS improvements and security patches are applied through Windows Update. No manual library upgrades, no redeployments for OpenSSL CVEs.
Quick Start — 5 Steps
Enabling SChannel on your server requires just a few property changes:
1. Enable SSL — Set the SSL property to True.
2. Select SChannel as the IOHandler — Set SSLOptions.IOHandler to iohSChannel.
3. Choose a TLS version — Set SSLOptions.Version to the desired version. tls1_2 is recommended for most deployments.
4. Set the port — Set SSLOptions.Port and Port to the listening port (typically 443).
5. Configure the certificate — Provide a certificate via the Windows Certificate Store (thumbprint) or a PFX file.
Method 1: Certificate from the Windows Store
If your certificate is already installed in the Windows Certificate Store, you only need to provide its thumbprint. This is the recommended approach for production servers and Windows services.
Find the Certificate Thumbprint
Open PowerShell and list the certificates in the Local Machine personal store:
```powershell
PS C:\> dir cert:\localmachine\my

   Directory: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
C12A8FC8AE668F866B48F23E753C93D357E9BE10  CN=*.mydomain.com
A7F3D2E1B9C84A6D5E0F123456789ABCDEF01234  CN=api.mydomain.com
```
Copy the 40-character hexadecimal thumbprint of the certificate you want to use.
Configure the Server
```pascal
var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);

  // Enable TLS with SChannel
  oServer.SSL := True;
  oServer.SSLOptions.IOHandler := iohSChannel;
  oServer.SSLOptions.Version := tls1_2;
  oServer.SSLOptions.Port := 443;
  oServer.Port := 443;

  // Point to the certificate in the Windows Store
  oServer.SSLOptions.SChannel_Options.CertHash :=
    'C12A8FC8AE668F866B48F23E753C93D357E9BE10';
  oServer.SSLOptions.SChannel_Options.CertStoreName := scsnMY;
  oServer.SSLOptions.SChannel_Options.CertStorePath := scspStoreLocalMachine;

  // Start listening
  oServer.Active := True;
end;
```
Production tip. Always use scspStoreLocalMachine for servers deployed as Windows services. The Local Machine store is accessible regardless of which user account runs the service, whereas scspStoreCurrentUser is tied to the logged-in user's profile.
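A helper that wraps the Method 1 configuration, added here as an example; it is not part of sgcWebSockets or of this article's own code. It normalizes the thumbprint before assigning it (a value pasted from the Windows certificate dialog usually carries spaces between byte pairs and often an invisible leading character, and the store lookup then fails at startup), and applies the settings from the five steps above in one place. NormalizeThumbprint and ConfigureSChannelServer are names chosen for this example; the component properties are the ones documented on this page.

```pascal
program SChannelServerDemo;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, sgcWebSocket_Server, sgcWebSocket_Classes;

// Added example (not part of sgcWebSockets). Returns the thumbprint as the
// 40 upper-case hex digits CertHash expects. Anything that is not a hex
// digit (spaces between byte pairs, the invisible mark the certificate
// dialog prepends on copy) is dropped; a wrong length is rejected here,
// before the server starts, rather than surfacing later as a failed
// certificate lookup.
function NormalizeThumbprint(const AValue: string): string;
var
  C: Char;
begin
  Result := '';
  for C in AValue do
    if CharInSet(C, ['0'..'9', 'A'..'F', 'a'..'f']) then
      Result := Result + UpCase(C);
  if Length(Result) <> 40 then
    raise Exception.CreateFmt(
      'Invalid certificate thumbprint "%s": expected 40 hex digits, got %d',
      [AValue, Length(Result)]);
end;

// Applies the Method 1 settings in one place so every server in the
// application is configured the same way.
procedure ConfigureSChannelServer(AServer: TsgcWebSocketHTTPServer;
  const AThumbprint: string; APort: Integer = 443);
begin
  AServer.SSL := True;
  AServer.SSLOptions.IOHandler := iohSChannel;
  AServer.SSLOptions.Version := tls1_2;   // the version recommended above
  AServer.SSLOptions.Port := APort;
  AServer.Port := APort;

  // Local Machine store: readable by a Windows service regardless of the
  // account it runs under (see the production tip).
  AServer.SSLOptions.SChannel_Options.CertHash := NormalizeThumbprint(AThumbprint);
  AServer.SSLOptions.SChannel_Options.CertStoreName := scsnMY;
  AServer.SSLOptions.SChannel_Options.CertStorePath := scspStoreLocalMachine;

  // Empty list = Windows default cipher configuration, kept current by
  // Windows Update.
  AServer.SSLOptions.SChannel_Options.CipherList := '';
end;

var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);
  try
    // The thumbprint is the sample value from this article, pasted with the
    // spaces and lower case the certificate dialog produces.
    ConfigureSChannelServer(oServer,
      'c1 2a 8f c8 ae 66 8f 86 6b 48 f2 3e 75 3c 93 d3 57 e9 be 10');
    oServer.Active := True;
    WriteLn('Listening on port 443 with certificate ',
      oServer.SSLOptions.SChannel_Options.CertHash);
    ReadLn;
  finally
    oServer.Active := False;
    oServer.Free;
  end;
end.
```

Because the helper raises before Active is set, a mis-pasted thumbprint shows up as a clear exception at configuration time instead of a TLS handshake failure reported by the first client.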
Certificate Store Options
| Store Name | Constant | Contains |
|---|---|---|
| Personal (MY) | scsnMY | Server certificates with private keys |
| Root | scsnRoot | Trusted root certification authorities |
| Trust | scsnTrust | Trusted certificates |
| CA | scsnCA | Intermediate certification authorities |
Method 2: Certificate from a PFX File
If you have a PFX (.pfx or .p12) certificate file, you can load it directly without installing it in the Windows Certificate Store. SChannel will import the certificate at server startup.
```pascal
var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);

  // Enable TLS with SChannel
  oServer.SSL := True;
  oServer.SSLOptions.IOHandler := iohSChannel;
  oServer.SSLOptions.Version := tls1_2;
  oServer.SSLOptions.Port := 443;
  oServer.Port := 443;

  // Load certificate from a PFX file
  oServer.SSLOptions.CertFile := 'c:\certificates\server.pfx';
  oServer.SSLOptions.Password := 'mypassword';

  // Start listening
  oServer.Active := True;
end;
```
Have PEM files? SChannel only accepts PFX format. Convert your PEM certificate and private key with a single command:
```shell
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx
```
SChannel_Options Reference
The SSLOptions.SChannel_Options sub-property exposes all SChannel-specific server settings.
| Property | Type | Description |
|---|---|---|
| CertHash | String | The 40-character hexadecimal thumbprint of a certificate installed in the Windows Certificate Store. |
| CertStoreName | Enum | Which store to search: scsnMY (Personal), scsnRoot, scsnTrust, scsnCA. |
| CertStorePath | Enum | Store location: scspStoreLocalMachine (recommended) or scspStoreCurrentUser. |
| CipherList | String | Colon-separated list of allowed cipher algorithms (e.g. CALG_AES_256:CALG_AES_128). Leave empty for Windows defaults. |
| UseLegacyCredentials | Boolean | When True, uses the legacy SCHANNEL_CRED structure. Enable for Windows Server 2019 and earlier. |
TLS Version Configuration
Control which TLS protocol version the server accepts through the SSLOptions.Version property.
| Value | Protocol | Recommendation |
|---|---|---|
| tls1_3 | TLS 1.3 | Best security. Use when all clients support it. |
| tls1_2 | TLS 1.2 | Recommended for most production deployments. |
| tls1_1 | TLS 1.1 | Legacy. Avoid unless required by old clients. |
| tls1_0 | TLS 1.0 | Deprecated. Not recommended. |
| tlsUndefined | TLS 1.0 – 1.2 | Accepts any of TLS 1.0, 1.1, or 1.2. |
```pascal
// Enforce TLS 1.2 minimum for modern security
oServer.SSLOptions.Version := tls1_2;

// Or use TLS 1.3 for the strongest encryption
oServer.SSLOptions.Version := tls1_3;
```
Cipher Suite Configuration
By default, SChannel uses the system-wide cipher configuration managed by Windows. For environments that require tighter control, you can restrict the allowed algorithms.
```pascal
// Restrict to AES-256 and AES-128 only
oServer.SSLOptions.SChannel_Options.CipherList :=
  'CALG_AES_256:CALG_AES_128';
```
Leave the CipherList property empty to accept the Windows default cipher configuration. This is suitable for most deployments, as Windows maintains a secure default set that is updated through Windows Update.
Caution. Restricting ciphers too aggressively may prevent some clients from connecting. Test thoroughly against your expected client base before deploying custom cipher lists in production.
Legacy Windows Compatibility
The component uses the modern SCH_CREDENTIALS API by default. On older Windows versions (Server 2019 and earlier) that do not support this API, you can fall back to the legacy credential structure.
```pascal
// Enable legacy mode for Windows Server 2019 and earlier
oServer.SSLOptions.SChannel_Options.UseLegacyCredentials := True;
```
In most cases, the component detects the Windows version automatically and selects the appropriate API. Use the UseLegacyCredentials property only if the server fails to start on an older Windows version.
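An added example (not part of sgcWebSockets or of this article's code) of the manual fallback the paragraph above describes: start with the default SCH_CREDENTIALS path and, only if that attempt fails, retry once with UseLegacyCredentials. StartWithLegacyFallback and the ALog callback are names chosen for this example; it assumes the server has already been configured as in Method 1 or Method 2.

```pascal
uses
  System.SysUtils, sgcWebSocket_Server, sgcWebSocket_Classes;

// Added example (not part of sgcWebSockets). Tries the modern credential API
// first and switches to the legacy SCHANNEL_CRED structure only when the
// first start attempt raises. If the legacy attempt fails too, the exception
// reaches the caller, so unrelated problems (port in use, certificate
// imported without its private key) are not hidden by the retry.
procedure StartWithLegacyFallback(AServer: TsgcWebSocketHTTPServer;
  const ALog: TProc<string>);
begin
  AServer.SSLOptions.SChannel_Options.UseLegacyCredentials := False;
  try
    AServer.Active := True;
    ALog('TLS started with SCH_CREDENTIALS');
    Exit;
  except
    on E: Exception do
      ALog(Format('Start failed with SCH_CREDENTIALS (%s: %s); ' +
        'retrying with legacy SCHANNEL_CRED', [E.ClassName, E.Message]));
  end;

  AServer.Active := False;   // leave nothing half-started before the retry
  AServer.SSLOptions.SChannel_Options.UseLegacyCredentials := True;
  AServer.Active := True;    // a second failure propagates to the caller
  ALog('TLS started with legacy SCHANNEL_CRED; ' +
    'record this host as needing UseLegacyCredentials=True');
end;

// Usage from a console host, after oServer has been configured:
//   StartWithLegacyFallback(oServer,
//     procedure(S: string) begin WriteLn(S); end);
```

Logging which path succeeded matters operationally: a host that needed the legacy structure is one you will want to identify when it is eventually upgraded, at which point the property can be left at its default again.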
SChannel vs. OpenSSL — When to Use Each
Both TLS providers are fully supported. The right choice depends on your deployment platform and operational requirements.
| Feature | SChannel | OpenSSL |
|---|---|---|
| External DLLs required | No | Yes |
| Windows Certificate Store | Native | Not supported |
| Automatic security updates | Yes (Windows Update) | Manual library update |
| Cross-platform | Windows only | Windows, Linux, macOS |
| Certificate formats | PFX + Windows Store | PEM, PFX |
| TLS 1.0 – 1.3 | Yes | Yes |
Bottom line. If your server runs exclusively on Windows, SChannel is the simpler, more maintainable choice. If you need cross-platform support, use iohOpenSSL. Switching between the two requires changing only the IOHandler property — no other code changes are needed.
Complete Example: Secure WebSocket Server
A fully configured WebSocket server using SChannel with a certificate from the Windows Certificate Store.
```pascal
uses
  sgcWebSocket_Server, sgcWebSocket_Classes;

var
  oServer: TsgcWebSocketHTTPServer;
begin
  oServer := TsgcWebSocketHTTPServer.Create(nil);
  try
    // Server configuration
    oServer.Port := 443;

    // TLS configuration with SChannel
    oServer.SSL := True;
    oServer.SSLOptions.IOHandler := iohSChannel;
    oServer.SSLOptions.Version := tls1_2;
    oServer.SSLOptions.Port := 443;

    // Certificate from Windows Certificate Store
    oServer.SSLOptions.SChannel_Options.CertHash :=
      'C12A8FC8AE668F866B48F23E753C93D357E9BE10';
    oServer.SSLOptions.SChannel_Options.CertStoreName := scsnMY;
    oServer.SSLOptions.SChannel_Options.CertStorePath := scspStoreLocalMachine;

    // Assign WebSocket event handlers (OnClientConnect, OnClientDisconnect
    // and OnClientMessage are your own handlers, declared elsewhere)
    oServer.OnConnect := OnClientConnect;
    oServer.OnDisconnect := OnClientDisconnect;
    oServer.OnMessage := OnClientMessage;

    // Start the server
    oServer.Active := True;
    WriteLn('Secure WebSocket server listening on port 443 (SChannel TLS 1.2)');
    WriteLn('Press Enter to stop...');
    ReadLn;
  finally
    oServer.Active := False;
    oServer.Free;
  end;
end;
```
Works with Both Server Components
SChannel is available on both Indy-based server components. The configuration is identical.
| Component | Description |
|---|---|
| TsgcWebSocketHTTPServer | WebSocket server with built-in HTTP server. Ideal for combined WebSocket + REST APIs. |
| TsgcWebSocketServer | Pure WebSocket server based on Indy TCP. Best for dedicated WebSocket endpoints. |
Important Notes
- Windows only. SChannel is a Windows API. For cross-platform servers (Linux, macOS), use OpenSSL (iohOpenSSL).
- Private key required. The server certificate must include its private key. When using the Windows Certificate Store method, the certificate must have been imported with its private key.
- PFX format only. SChannel accepts PFX (.pfx / .p12) certificate files. If you have PEM files, convert them to PFX first using the openssl pkcs12 command.
- Local Machine store for services. Use scspStoreLocalMachine for production servers so the certificate is available regardless of the user account.
- Edition availability. Server-side SChannel is available in the Professional, Enterprise, and All-Access editions of sgcWebSockets.