Posts posted by Sid D


  1. On 9/1/2023 at 7:10 AM, David Heffernan said:

    There are commercial tools to support this. I'm sure a web search will find them. As soon as you link to anything that isn't Delphi then the desire for a tool for Delphi is a bit pointless.

    Couldn't find one for Delphi.


  2. Hi Remy,

     

    I have one other question. 

     

    CertFile, KeyFile and RootCertFile (intermediate certificate) are assigned to the TIdServerIOHandlerSSLOpenSSL component. We are running a PCI scan on the server and getting the following errors:

     

     

    Informative Details: depth=0 CN = *.XXXXX.com

    verify error:num=20:unable to get local issuer certificate

    verify return:1

    depth=0 CN = *.XXXXX.com

    verify error:num=27:certificate not trusted

    verify return:1

    depth=0 CN = *.XXXXX.com

    verify error:num=21:unable to verify the first certificate

    verify return:1
    Serial: 3189977664522596489 (0x2c4513c8df4cb089)

     

    What could be the reason for these errors?

     

    Thanks

    Sid


  3. Hi,

     

    I am getting the following error for TIdServerIOHandlerSSLOpenSSL when starting the Windows Service. Running the app as stand-alone server does not throw the error. The error is thrown only when starting this Windows Service.

     Could not load root certificate. error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

     

    The Delphi version used is Delphi 10.1 update 1 and Indy version is 10.6.2.5341. The root file is in pem format.

     

    What can be the reason here?

     

    Thanks

    Sid


  4. Hi - I am getting the following error for TIdServerIOHandlerSSLOpenSSL when starting the Windows Service. Running the app as stand-alone server does not throw the error. The error is thrown only when starting this Windows Service.

     Could not load root certificate. error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

     

    The Delphi version used is Delphi 10.1 update 1 and Indy version is 10.6.2.5341. The root file is in pem format.

     

    What can be the reason here?

     

    Thanks

    Sid

     


  5. Hi Remy - I have one other question. In the 'OnConnect' event of TIdTCPServer, is it possible to figure out from the incoming data if the handshake requested is on TLS or plain text? I was wondering if it is possible, then PassThrough = True/False can be set based on that and there will be no need to use the second port.

     

    If possible, can you please provide an example?

     

    Thanks!  


  6. 1 hour ago, Remy Lebeau said:

    You should double-check that, since you clearly do have an SSL/TLS handshake being performed. TIdServerIOHandlerSSLOpenSSL.Accept() should be creating a new TIdSSLIOHandlerSocketOpenSSL whose PassThrough is True, so the server can then decide when it is best to set it to False (ie, when the client is connected to an implicit SSL port, or after receiving a STARTTLS-style command, etc).

     

    Note that there was a bug where PassThrough was initialized as False in TIdSSLIOHandlerSocketBase, that was fixed a few years ago, I think that might have been after 10.6.2.5366.  You might consider upgrading to the latest version from Indy's GitHub repo and see if the problem continues, just to make sure you have all of the latest fixes.

    Upon further testing with the following versions:

     

    The error is thrown in the following combination:

    Delphi 10.3 Update 3 and Indy version 10.6.2.5366

     

    It works fine with the following versions:

    Delphi 10.1 Berlin Update 1 and Indy Version 10.6.2.5341

     

    So, there is definitely something wrong, or a bug, in Delphi 10.3.3 or Indy version 10.6.2.5366.

     


  7. 1 hour ago, Remy Lebeau said:

    That is simply not possible the way you describe.  The ONLY way you can get that error is during an SSL/TLS handshake, which is NOT performed when PassThrough is set to True (ie, pass-through raw data as-is) thus disabling SSL/TLS.  So, you MUST be setting PassThrough to False (ie, intercept data for SSL/TLS processing) in order to get that error.

     

    Which version of Indy are you using?  IIRC, there was a bug in old versions where a server would set PassThrough to false for all clients, causing an SSL/TLS handshake for non-SSL/TLS clients.  But that was fixed a LONG time ago.

     

    Indy version is 10.6.2.5366. I checked on the Server side, PassThrough is True by default. 


  8. 7 hours ago, Remy Lebeau said:

    Yes. Define 2 separate ports in the server's Bindings collection, and then in the server's OnConnect event you can cast the AContext.Connection.IOHandler property to TIdSSLIOHandlerSocketBase and set its PassThrough property to True (SSL/TLS disabled) or False (SSL/TLS enabled) based on which port the client connected to, which you can get from the AContext.Binding.Port property.

     

    Hi Remy,

     

    If there is no TIdSSLIOHandlerSocketOpenSSL component assigned on the TIdTCPClient side, setting the PassThrough property to True on the server side (as you explained above) throws the following error:

    First chance exception at $76A6C3A2. Exception class EIdOSSLUnderlyingCryptoError with message
    'Error accepting connection with SSL.
    error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'.

     

    What can be the reason?

     

    Thanks!
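    The two-port approach Remy describes in the quoted reply, written out as an added example (this is not code from the thread or from Indy's own samples). The port numbers, the form and component names, and the certificate file names are assumptions; the unit needs IdContext, IdSocketHandle and IdSSLOpenSSL in its uses clause.

```delphi
// Added example: one TIdTCPServer with a plain-text binding and an implicit-TLS
// binding. Every name and port number below is an assumption for illustration.
const
  PLAIN_PORT = 6000;  // legacy clients without TIdSSLIOHandlerSocketOpenSSL
  TLS_PORT   = 6001;  // clients that start an SSL/TLS handshake on connect

procedure TMainForm.SetupServer;
var
  Binding: TIdSocketHandle;
begin
  IdTCPServer1.Bindings.Clear;
  Binding := IdTCPServer1.Bindings.Add;
  Binding.IP := '0.0.0.0';
  Binding.Port := PLAIN_PORT;
  Binding := IdTCPServer1.Bindings.Add;
  Binding.IP := '0.0.0.0';
  Binding.Port := TLS_PORT;

  // Server-side SSL IOHandler, configured the same way as in the thread.
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Mode := sslmServer;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := 'server.crt';      // assumed
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := 'server.key';       // assumed
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := 'chain.pem';   // assumed
  IdTCPServer1.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  IdTCPServer1.OnConnect := ServerConnect;
  IdTCPServer1.Active := True;
end;

procedure TMainForm.ServerConnect(AContext: TIdContext);
var
  Handler: TIdSSLIOHandlerSocketBase;
begin
  // Accept() gives each client an SSL IOHandler with PassThrough = True, so no
  // handshake has happened yet. Decide per connection from the listening port.
  if AContext.Connection.IOHandler is TIdSSLIOHandlerSocketBase then
  begin
    Handler := TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler);
    // False starts the SSL/TLS handshake; True keeps the raw plain-text stream.
    Handler.PassThrough := (AContext.Binding.Port <> TLS_PORT);
  end
  else if AContext.Binding.Port = TLS_PORT then
    // No SSL IOHandler was assigned at all: never serve the TLS port in clear.
    AContext.Connection.Disconnect;
end;
```

    A client without TIdSSLIOHandlerSocketOpenSSL must connect to PLAIN_PORT; sending raw bytes to TLS_PORT produces exactly the "wrong version number" handshake failure quoted above.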


  9. Hi Remy,

     

    If there is no TIdSSLIOHandlerSocketOpenSSL component assigned on the TIdTCPClient side, setting the PassThrough property to True on the server side (as you explained above) throws the following error:

    First chance exception at $76A6C3A2. Exception class EIdOSSLUnderlyingCryptoError with message
    'Error accepting connection with SSL.
    error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'.

     

    What can be the reason?

     

    Thanks!

     

     


  10. Hi,

     

    I’ve a question about TIdTCPServer and TIdTCPClient.

    Can the same TIdTCPServer with SSL/TLS (implemented using TIdServerIOHandlerSSLOpenSSL) support both SSL and non-SSL TIdTCPClients?

    By non-SSL TIdTCPClient, I mean clients that do not support SSL/TLS and do not use the TIdSSLIOHandlerSocketOpenSSL component. This is for backwards compatibility.

     

    I'm using Delphi 10.3 and 10.1.

     

    Thanks!
