Showing results for tags 'tsslwsocketserver'.
Found 2 results
How to limit ciphers and groups in tls connection?
Roger Tinembart posted a topic in ICS - Internet Component Suite
Dear ICS Team,

First of all, thank you very much for making this great package available. This is an immense effort!

I am experimenting with ICS 9.2. I am supposed to program a TLS 1.3 connection between a server and a client program. This basically works. But our security department has required me to only allow certain ciphers and groups. I tried to fulfill this using the SslCipherList and SslCryptoGroups properties (TSslContext) and to test it with the OverbyteIcsSslWebServ example. Unfortunately, it only works partially.

1. Ciphers: in the 'New Ciphers' field I enter 'ECDHE-ECDSA-AES256-GCM-SHA384'. When starting ('Start HTTPS' button), only this one value is actually passed to OpenSSL. I can see this clearly in OverbyteIcsSslBase.pas, line 6675 (SSL_CTX_set_cipher_list). Here only the string 'ECDHE-ECDSA-AES256-GCM-SHA384' is passed to OpenSSL. However, after starting, the program window shows that the following four ciphers are used: TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384. According to our security department, I am not allowed to use the ciphers with CHACHA20.

2. Groups: TSslContext has a property SslCryptoGroups. I assume that this property is intended to specify the groups to use. However, I don't see any effect, no matter what value I specify here. Interestingly, I don't see any use of this property in the code (in OverbyteIcsSslBase.pas).

I determined the ciphers and groups that are actually used using the test program sslscan-2.1.4. Please find attached the output of sslscan.

Question: How can I exclude the CHACHA cipher and the ffdhe2048 group? Is this possible via ICS, or do I have to control this somehow via an OpenSSL configuration file?

Thank you very much for the helpful information!

Attachment: sslscan-result.txt (6 replies)
Tags: tsslhttpserver, tsslwsocketserver (and 3 more)
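The four-cipher result the post describes can be reproduced without ICS, because it comes from OpenSSL itself: SSL_CTX_set_cipher_list only governs the TLS 1.2 and older cipher list, while TLS 1.3 suites (including TLS_CHACHA20_POLY1305_SHA256) live in a separate list that OpenSSL sets via SSL_CTX_set_ciphersuites, and named groups are set via SSL_CTX_set1_groups_list. The following added example (not from the thread or the ICS project) uses Python's ssl module, which wraps SSL_CTX_set_cipher_list as set_ciphers() and exposes neither the TLS 1.3 suite list nor the groups list, to show why the restriction only works partially and to audit the context against a constructed allowlist; the ALLOWED set and all function names are assumptions for this example.

```python
import ssl

# Constructed allowlist standing in for the security department's requirement:
# one TLS 1.2 cipher and one TLS 1.3 suite, no CHACHA20.
ALLOWED = {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384"}


def make_context(cipher_list: str) -> ssl.SSLContext:
    """Build a server context the way the post's test does: a single TLS 1.2-style
    cipher string handed to SSL_CTX_set_cipher_list (set_ciphers in Python)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return ctx


def effective_ciphers(ctx: ssl.SSLContext) -> dict:
    """Group the names OpenSSL will actually offer by protocol version.

    The TLS 1.3 entries survive set_ciphers() because OpenSSL keeps them in the
    separate ciphersuites list (SSL_CTX_set_ciphersuites), which this call never
    touches; that is the list the post's 'New Ciphers' field does not reach.
    """
    by_proto: dict = {}
    for cipher in ctx.get_ciphers():
        by_proto.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_proto


def audit(ctx: ssl.SSLContext, allowed=ALLOWED) -> list:
    """Return every cipher the context could still negotiate that is not on the
    allowlist, i.e. what an sslscan of this server would flag."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["name"] not in allowed)


if __name__ == "__main__":
    context = make_context("ECDHE-ECDSA-AES256-GCM-SHA384")
    for proto, names in sorted(effective_ciphers(context).items()):
        print(proto, names)
    print("not on allowlist:", audit(context))
```

On an OpenSSL build with TLS 1.3 enabled, the TLSv1.2 list contains only the requested cipher while the TLSv1.3 list still holds the default suites, which is exactly the four-entry result the post reports.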
Stable Communication between ICS TSslWSocket and TSslWSocketServer
idontknow posted a topic in ICS - Internet Component Suite
Hello Community,

Since last week I have been trying to let a TsslWSocket and a TsslWSocketServer communicate with each other. I want to get a long-term stable connection between a TCP client and a TCP server that is secured with TLS1.3. However, after a runtime of a few minutes, the data transfer breaks down.

There is a client thread and a server thread. In the respective Execute method I create the socket and initialize it, call Listen (server) or Connect (client) and run the MessageLoop. After a successful SSL handshake, my client sends 128KB data packets to the server. The data arrives at the server, TwSocketClient.onDataAvailable is triggered, and the bytes can be read there with TwSocketClient (Sender).Receive (pBuffer ...). When the server has received 128KB, it sends an "ACK" packet to the client (an AnsiString "ACK", 3 bytes). When the client receives the packet, it sends another 128KB of test data.

This works a few thousand, sometimes some tens of thousands of times, until TwSocketClient.onDataAvailable is suddenly no longer called. There is no OnSessionClosed, no onError, no onException and also no onBgException that would indicate a problem. Apparently the problem is on the client side: a running Wireshark shows an [ACK] packet from the server to the client as the last entry. Further clicks on the "Manual Send" button do not lead to any further lines in the Wireshark log. When this state has been reached, another client can connect to the server without any problems, so the server is not completely dead.

I have no idea what I could be doing wrong ... Maybe it's not ok to send in the context of another thread? But how is that supposed to work when the client thread is blocked by the MessageLoop? Simultaneous web browsing leads to the problem faster. When I look at any website, it usually takes less than half a minute to see the problem. My test project is attached.

I would be interested to know if you have observed the same problem and if anyone has a guess as to what might be the cause ... The project is complete, the Win32 folder also contains the certificate used for testing ... Usage: enter your own IP address, press the "btCreateStart" button, then the "btSendData Manual Send" button. The "logICStest.log" file in the program directory grows until the problem occurs ... Thanks in advance...

P.S.: I have already tried not to send after receiving the ACK packet, but cyclically via timer or thread. You can select both in the test project with checkboxes; the result is the same. The problem does not only occur with TLS1.3, but also with TLS1.2. I even think it shows up without encryption, it just takes longer ... I cross-posted this in the German Delphi-Praxis forum in German (https://www.delphipraxis.net/205223-stabile-tcp-verbindung-mit-ics-ich-kriegs-nicht-hin.html)...

Attachment: Test Overbyte ISC Client und Server.7z (12 replies)
Tags: ics, tsslwsocketserver (and 2 more)