openssl OnVerifyCertificate unusable (TOpenSSLSocketHandler.SSL.PeerCertificate = nil) on current Linux distributions (ssl version >= 3)
fpc main branch: 3.3.1-12117-gc1ec558d
Consider the following test program:
program project1;
uses
Sysutils, Classes, sockets, ssockets, sslsockets, openssl, opensslsockets;
type
  { TApp }
  { Minimal reproducer: owns one TLS client socket together with the SSL
    handler it was created with, and carries the certificate-verification
    callback that is hooked into that handler. }
  TApp = class
    Sock: TInetSocket;             // created and connected in Create, freed in Destroy
    SSLHandler: TSSLSocketHandler; // obtained from TSSLSocketHandler.GetDefaultHandler
    constructor Create;
    destructor Destroy; override;
    { Hooked to SSLHandler.OnVerifyCertificate; Allow is the handler's in/out
      verdict for the peer certificate. }
    procedure OnVerify(Sender: TObject; var Allow: Boolean);
  end;

var
  App: TApp;
{ TApp }
constructor TApp.Create;
begin
  { The handler must carry the callback before the socket is built, because
    the socket is constructed with the handler below. }
  SSLHandler := TSSLSocketHandler.GetDefaultHandler;
  SSLHandler.OnVerifyCertificate := @OnVerify;
  { Left disabled on purpose for this reproducer; presumably this switches the
    handler's own peer verification on, so the callback is the only check here. }
  //SSLHandler.VerifyPeerCert := True;
  Sock := TInetSocket.Create('test.mosquitto.org', 8883, 1000, SSLHandler);
  { Markers on either side of Connect so the callback's output can be located
    in the transcript. }
  WriteLn('begin connect');
  Sock.Connect;
  WriteLn('end connect');
end;
destructor TApp.Destroy;
begin
  { Sock is still nil when the constructor failed before assigning it;
    TObject.Free tolerates a nil reference, so no guard is needed. }
  Sock.Free;
  inherited Destroy;
end;
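{ Verification callback: prints whether the peer certificate is reachable and
  its textual dump, then decides Allow. The original never assigned Allow, so
  the handler's incoming default decided the handshake regardless of what was
  printed; a verifier that cannot see the certificate must refuse, not defer. }
procedure TApp.OnVerify(Sender: TObject; var Allow: Boolean);
var
  Handler: TOpenSSLSocketHandler;
  HaveCert: Boolean;
begin
  Writeln('OnVerify');
  { Raises EInvalidCast if the default handler is not the OpenSSL one; that is
    acceptable, the reproducer is about that backend only. }
  Handler := Sender as TOpenSSLSocketHandler;
  HaveCert := Assigned(Handler.SSL.PeerCertificate);
  writeln('cert assigned: ', HaveCert);
  writeln('cert info: ', Handler.SSL.CertInfo);
  { Fail closed: with no certificate object there is nothing to verify.
    Presumably the handler honours Allow as the accept/reject verdict. }
  Allow := HaveCert;
end;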
begin
  App := TApp.Create;  { connects and runs OnVerify as a side effect }
  App.Free;            { frees the socket again }
end.
If I compile and run this on Ubuntu 22.04 LTS it outputs the following, because the certificate cannot be accessed inside the OnVerifyCertificate callback:
$ ./project1
begin connect
OnVerify
cert assigned: FALSE
cert info:
end connect
Note that I can still connect and transfer data without problems; I just have no means to verify the certificate anymore!
I have seen a commit from half a year ago that only changed the version number; it is only in the main branch, which means the current fpc release (even the fixes branch) cannot use OpenSSL on Linux at all (quite a show stopper IMHO), but I suspect this simple patch was not enough.
If compiled for Windows with libcrypto-1_1-x64.dll and libssl-1_1-x64.dll in the same directory (I cannot test 1.1 on Linux, as I no longer have such an old distribution), it outputs the following, which is what I expected to happen: I can access the certificate data from within OnVerifyCertificate just fine:
$ wine project1.exe
begin connect
OnVerify
cert assigned: TRUE
cert info: Certificate:
Data:
Version: 1 (0x0)
Serial Number:
7d:d3:9b:4f:dc:5b:f7:2d:0f:0c:04:7e:b8:f3:23:9e:c1:9b:b7:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=CA, CN=mosquitto.org/emailAddress=roger@atchoo.org
Validity
Not Before: Jun 9 11:21:56 2020 GMT
Not After : Jun 6 11:21:56 2030 GMT
Subject: C=GB, ST=United Kingdom, L=Derby, O=Mosquitto, OU=Public server, CN=test.mosquitto.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e5:84:b2:2d:99:6d:68:7c:06:9c:a7:f2:15:c9:
cb:37:c7:85:23:ae:18:d6:24:f1:7f:dd:3a:80:d8:
a9:1c:b3:b4:4a:09:a9:5d:3a:6d:48:8f:5d:79:e1:
8d:1a:23:1a:c3:25:8f:fc:2e:0f:44:ba:90:da:11:
e4:b8:67:68:c1:ca:2c:9b:a8:99:e9:65:3e:2c:7e:
8d:8e:b2:5c:48:53:b2:60:e2:74:f8:ad:bd:c1:f8:
d8:82:66:30:b1:dd:ee:e4:97:22:77:cf:b2:ba:b2:
1e:6b:a4:b6:3f:87:30:b7:e0:9b:c4:71:18:01:3e:
f4:fd:22:ee:bc:37:38:9e:55:93:38:e1:6b:de:dd:
99:2b:f8:65:a8:28:fc:e9:46:32:1e:7e:07:79:a9:
e5:2e:50:08:a1:a6:59:31:ea:9b:b9:3a:46:6f:ed:
a6:80:8d:5c:c9:43:eb:43:24:54:18:fc:02:5f:53:
bd:78:ea:85:f9:5c:e7:9c:3a:12:15:0c:69:d3:37:
0b:ce:1d:db:67:b7:8a:c6:77:17:5f:97:a6:3b:df:
7d:b3:d3:74:44:4b:91:67:79:6f:56:7a:6b:78:1c:
1c:ca:7c:1e:5b:b2:88:0a:0c:80:ec:ae:4e:d7:81:
c6:60:aa:7b:c7:40:5a:f7:38:77:17:b6:7f:c0:69:
4a:21
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
ba:6f:99:ce:e1:29:21:6b:ba:e0:5c:4b:e2:96:fd:2c:1f:37:
27:8f:df:97:6a:f7:78:4d:35:04:f0:ff:ec:7d:55:e7:b1:ec:
df:5e:21:f7:1f:e4:d8:23:a9:16:7a:c1:db:bc:b4:6b:b8:0a:
57:8f:c0:0b:6a:bf:34:82:9d:58:9d:63:f5:e6:c2:22:f5:43:
8b:ae:60:d6:ed:11:84:a5:92:b4:95:b9:60:96:fd:c5:3a:21:
89:de:7e:77:e2:70:24:ea:00:bf:90:18:64:5c:a7:95:62:42:
a4:94:47:d4:0c:9b:e8:18:fa:85:a9:dd:9a:14:b9:ed:bd:d7:
f9:b1:4d:a9:d6:0a:cf:ee:1d:80:d0:2a:ef:f1:ae:f9:7b:4f:
d6:6b:96:a2:05:d4:7b:a1:95:92:88:64:3d:d6:6b:66:4a:f7:
fb:61:b1:a4:27:07:bd:78:60:1e:a5:8a:93:e3:56:79:05:d6:
3b:49:5f:e0:e3:f5:d7:15:21:13:30:6e:44:0a:99:70:71:b1:
7e:18:e4:38:f4:85:89:1f:8e:86:93:20:75:93:d7:3f:ff:07:
b9:42:75:66:4a:8f:b8:f1:35:7c:68:7c:d7:00:91:bf:f3:9b:
83:80:58:0a:e9:ad:33:f2:06:3c:8e:de:8b:fd:e8:8d:ea:96:
09:67:7d:a7
end connect