Search the Community

Dear ICS Team First of all, thank you very much for making this great package available. This is an immense effort! I am experimenting with ICS 9.2. I am supposed to program a TLS 1.3 connection between a server and a client program. This basically works. But our security department has required me to only allow certain ciphers and groups. I tried to fulfill this using the SslCipherList and SslCryptoGroups properties (TSslContext) and to test it with the OverbyteIcsSslWebServ example. Unfortunately, it only works partially. 1. Ciphers: in the 'New Ciphers' field I enter 'ECDHE-ECDSA-AES256-GCM-SHA384'. When starting ('Start HTTPS' button), only this one value is actually passed to OpenSSL. I can see this clearly in OverbyteIcsSslBase.pas, line 6675 (SSL_CTX_set_cipher_list). Here only the string 'ECDHE-ECDSA-AES256-GCM-SHA384' is passed to OpenSSL. However, after starting, the program window shows that the following four ciphers are used: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384. According to our security department, I am not allowed to use the ciphers with CHACHA20. 2. Groups: TSslContext has a property SslCryptoGroups. I assume that this property is intended to specify the groups to use. However, I don't see any effect, no matter what value I specify here. Interestingly, I don't see any use of this property in the code (in OverbyteIcsSslBase.pas). I determined the ciphers and groups that are actually used using the test program sslscan-2.1.4. Please find attached the output of sslscan. Question: How can I exclude the CHACHA cipher and the ffdhe2048 group? Is this possible via ICS or do I have to control this somehow via an openssl configuration file? Thank you very much for the helpful information! sslscan-result.txt