MikeMon
Posted February 5

Hi,

I'm using Delphi 12.2 Patch 2. I've set up a REST DataSnap server that uses HTTPS. Using Indy (installed during the Delphi installation), it works fine for RSA certificates. Is there any guide on how I can set it up to accept ECDH instead of (or in parallel to) RSA ciphers? Moreover, are there any alternatives to Indy that use TLS 1.3?

BTW, I updated Indy to the latest version following the update instructions, but it messed up my DataSnap server. I had to uninstall and reinstall Delphi. 😞
esegece
Posted February 6

Hello,

The sgcWebSockets library, of which I'm the developer, has a component to replace the Indy DataSnap server, add support for other protocols like WebSocket, and use the latest TLS 1.3 version. You can download the trial for Delphi 12 from:
https://www.esegece.com/download/sgcWebSockets_D12.zip

In the trial there is a demo in the folder "..sgcWebSockets\Demos\40.DataSnap\Server_Indy_HTTP" that shows how it works. The DataSnap server is replaced by TsgcWSHTTPWebBrokerBridgeServer, and all the methods and functions are the same.

If you prefer, you can download the compiled sample from:
https://www.esegece.com/download/samples/sgcDatasnap.zip

When running the sample, check the SSL option, then select OpenSSL 3.0 and TLS 1.3. It uses a self-signed certificate, so when clicking the "Open Datasnap" button the browser will show a warning that the certificate cannot be verified; just accept it.

More info: https://www.esegece.com/websockets

Kind Regards,
Sergio
Remy Lebeau
Posted February 6 (edited)

On 2/5/2025 at 2:12 AM, MikeMon said:
    Moreover, are there any alternatives to Indy that use TLS 1.3?

There are a few 3rd-party GitHub repos that add OpenSSL 3.x/TLS 1.3 to Indy, including:
https://github.com/MWASoftware/Indy.proposedUpdate
https://github.com/JPeterMugaas/TaurusTLS

Edited February 6 by Remy Lebeau
MikeMon
Posted February 6

7 hours ago, esegece said:
    Hello,

    The sgcWebSockets library, of which I'm the developer, has a component to replace the Indy DataSnap server, add support for other protocols like WebSocket, and use the latest TLS 1.3 version. You can download the trial for Delphi 12 from:
    https://www.esegece.com/download/sgcWebSockets_D12.zip

    In the trial there is a demo in the folder "..sgcWebSockets\Demos\40.DataSnap\Server_Indy_HTTP" that shows how it works. The DataSnap server is replaced by TsgcWSHTTPWebBrokerBridgeServer, and all the methods and functions are the same.

    If you prefer, you can download the compiled sample from:
    https://www.esegece.com/download/samples/sgcDatasnap.zip

    When running the sample, check the SSL option, then select OpenSSL 3.0 and TLS 1.3. It uses a self-signed certificate, so when clicking the "Open Datasnap" button the browser will show a warning that the certificate cannot be verified; just accept it.

    More info: https://www.esegece.com/websockets

    Kind Regards,
    Sergio

Tx. I'll check it out.

1 hour ago, Remy Lebeau said:
    There are a few 3rd-party GitHub repos that add OpenSSL 3.x/TLS 1.3 to Indy (sorry, I don't have the links on hand at the moment, I'll add them here in a bit).

Tx!!
MikeMon
Posted February 7 (edited)

@Remy Lebeau Any guide on how I can set up the DataSnap REST server to accept ECDH (instead of or in parallel to) RSA ciphers without updating the default OpenSSL and Indy versions installed with Delphi to newer versions?

FYI, I've already created the ECDH SSL certificate.

Edited February 7 by MikeMon
Remy Lebeau
Posted February 7

5 hours ago, MikeMon said:
    Any guide on how I can set up the DataSnap REST server to ...

Sorry, I have no idea. I've never worked with DataSnap before and don't know if/how it exposes access to configure Indy.
DelphiUdIT
Posted February 7

6 hours ago, MikeMon said:
    Any guide on how I can set up the DataSnap REST server to accept ECDH (instead of or in parallel to) RSA ciphers without updating the default OpenSSL and Indy versions installed with Delphi to newer versions?

In Indy, the cipher types accepted by a server connection are set through the TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList property, for example:

    // For the TLSv1.2 handshake
    CipherList := '!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA' +
                  ':ECDHE-RSA-AES128-GCM-SHA256' +
                  ':ECDHE-RSA-AES256-GCM-SHA384' +
                  ':ECDHE-RSA-CHACHA20-POLY1305' +
                  ':ECDHE-ARIA256-GCM-SHA384' +
                  ':ECDHE-ARIA128-GCM-SHA256' +
                  // Weak, but used in old products
                  ':ECDHE-RSA-AES256-SHA384';

Search the properties of the DataSnap components for IOSSLHandler and set this property. It is correlated with the "certificate file" and "certificate private key" (the CertFile and CertKey properties of the handler).
MikeMon
Posted February 7

1 hour ago, DelphiUdIT said:
    In Indy, the cipher types accepted by a server connection are set through the TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList property, for example:

        // For the TLSv1.2 handshake
        CipherList := '!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA' +
                      ':ECDHE-RSA-AES128-GCM-SHA256' +
                      ':ECDHE-RSA-AES256-GCM-SHA384' +
                      ':ECDHE-RSA-CHACHA20-POLY1305' +
                      ':ECDHE-ARIA256-GCM-SHA384' +
                      ':ECDHE-ARIA128-GCM-SHA256' +
                      // Weak, but used in old products
                      ':ECDHE-RSA-AES256-SHA384';

    Search the properties of the DataSnap components for IOSSLHandler and set this property. It is correlated with the "certificate file" and "certificate private key" (the CertFile and CertKey properties of the handler).

I'm using TIdServerIOHandlerSSLOpenSSL and have tried using the CipherList above. It doesn't work. I get the following message:

    Error: 1053760: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:..\..\..\..\src\third_party\boringssl\src\ssl\tls_record.cc:592:SSL alert number 40
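An added check for the cipher list above and the alert-40 failure that followed (example code of my own, not posted by anyone in this thread and not part of Indy). In TLS 1.2 the negotiated cipher suite fixes the certificate key type: a server holding an ECDSA certificate (the key type behind an "ECDH" certificate) can only complete the handshake with ECDHE-ECDSA-* suites, and every entry in the list above is an ECDHE-RSA suite, the ARIA ones included. When no suite offered by the client is usable with the server's key, OpenSSL answers with a fatal handshake_failure alert, which is alert number 40; the quoted error text, with tls_record.cc and OPENSSL_internal, is the format BoringSSL uses to report that a peer sent that alert, so the alert itself comes from the server side. The script below expands both cipher strings with the local OpenSSL through Python's ssl module and reports which key types each can authenticate. ECDSA_CAPABLE_LIST is an assumed example policy I wrote for the demonstration, not a recommendation from the thread; THREAD_LIST is a copy of the string posted above.

```python
"""
Expand OpenSSL cipher-list strings offline and check whether the
resulting TLS 1.2 suites can authenticate with a given server key type.
Added example, not code from the thread or from Indy. Uses only the
standard library; the ssl module links against the local OpenSSL
(1.1.1 or 3.x), which does the expansion exactly as a server would.
"""
import ssl

# Copy of the cipher list posted in the thread (constructed input).
THREAD_LIST = (
    "!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA"
    ":ECDHE-RSA-AES128-GCM-SHA256"
    ":ECDHE-RSA-AES256-GCM-SHA384"
    ":ECDHE-RSA-CHACHA20-POLY1305"
    ":ECDHE-ARIA256-GCM-SHA384"
    ":ECDHE-ARIA128-GCM-SHA256"
    ":ECDHE-RSA-AES256-SHA384"
)

# Assumed example policy (not from the thread): the same exclusions, plus
# ECDHE-ECDSA suites so a server holding an ECDSA key has something to
# negotiate, and ECDHE-RSA suites kept so an RSA key still works too.
ECDSA_CAPABLE_LIST = (
    "!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA"
    ":ECDHE-ECDSA-AES128-GCM-SHA256"
    ":ECDHE-ECDSA-AES256-GCM-SHA384"
    ":ECDHE-ECDSA-CHACHA20-POLY1305"
    ":ECDHE-RSA-AES128-GCM-SHA256"
    ":ECDHE-RSA-AES256-GCM-SHA384"
    ":ECDHE-RSA-CHACHA20-POLY1305"
)


def expand_tls12(cipher_list):
    """Return the pre-TLS-1.3 suites OpenSSL selects for cipher_list as
    (name, auth) pairs, e.g. ('ECDHE-RSA-AES128-GCM-SHA256', 'auth-rsa').
    TLS 1.3 suites are configured separately and are filtered out because
    they carry no key-type restriction ('auth-any')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["auth"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def auth_methods(cipher_list):
    """Set of authentication algorithms the list can use, e.g. {'auth-rsa'}."""
    return {auth for _, auth in expand_tls12(cipher_list)}


def can_serve_with(cipher_list, key_type):
    """True if at least one TLS 1.2 suite matches the server key type
    ('rsa' or 'ecdsa'). False means every TLS 1.2 ClientHello will be
    answered with a handshake_failure alert (alert number 40), whatever
    the client offers."""
    return f"auth-{key_type}" in auth_methods(cipher_list)


def report(label, cipher_list):
    """Human-readable summary of what a list can authenticate."""
    lines = [f"{label}: key types {sorted(auth_methods(cipher_list))}"]
    for key_type in ("rsa", "ecdsa"):
        verdict = "ok" if can_serve_with(cipher_list, key_type) else "alert 40"
        lines.append(f"  {key_type} certificate -> {verdict}")
    for name, auth in expand_tls12(cipher_list):
        lines.append(f"  {name} ({auth})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("list from the thread", THREAD_LIST))
    print(report("ECDSA-capable example", ECDSA_CAPABLE_LIST))
```

The same question can be put to the running server with `openssl s_client -connect host:port -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256`: a completed handshake means the server can use an ECDSA suite with its certificate, while the same alert-40 failure means the list or the key does not allow it. Whichever list is chosen, it is the string that goes into the CipherList property discussed above, and the key type of the certificate loaded into the handler has to be one the expanded list can authenticate.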
Angus Robertson
Posted February 7

The reference in the error to BoringSSL is interesting. This is a Google fork of OpenSSL that is now incompatible with OpenSSL due to the many changes Google has made, but OpenSSL is currently adding BoringSSL quantum ciphers to the next release of OpenSSL, so it goes around in circles.

No one can advise you on new ciphers without knowing which specific version of OpenSSL (or BoringSSL) you are using. For instance, the CHACHA20/POLY1305 ciphers were not in older versions of OpenSSL.

I did a quick search of my Embarcadero directories and cannot find any OpenSSL DLLs.

Angus
DelphiUdIT
Posted February 7

2 hours ago, Angus Robertson said:
    For instance, the CHACHA20/POLY1305 ciphers were not in older versions of OpenSSL.

    I did a quick search of my Embarcadero directories and cannot find any OpenSSL DLLs.

This is available in OpenSSL 1.0.2u, the last OpenSSL version that works with the Indy bundled with RAD Studio.

3 hours ago, MikeMon said:
    I'm using TIdServerIOHandlerSSLOpenSSL and have tried using the CipherList above. It doesn't work. I get the following message:

You are using SSLv3; this is deprecated and should not be used. YOU MUST USE TLSv1.2. Set the IOHandler to use TLSv1.2 (in the options):

    SSLVersions := [sslvTLSv1_2]
MikeMon
Posted February 7

25 minutes ago, DelphiUdIT said:
    This is available in OpenSSL 1.0.2u, the last OpenSSL version that works with the Indy bundled with RAD Studio.

    You are using SSLv3; this is deprecated and should not be used. YOU MUST USE TLSv1.2. Set the IOHandler to use TLSv1.2 (in the options):

        SSLVersions := [sslvTLSv1_2]

Actually, I AM using sslvTLSv1_2.
Angus Robertson
Posted February 8

I'm aware Indy officially only supports OpenSSL 1.0.2, but that version would never give the reported error message mentioning BoringSSL, so something unusual is happening here.

Angus
DelphiUdIT
Posted February 8

23 hours ago, MikeMon said:
    Actually, I AM using sslvTLSv1_2.

What is the target of your application?
MikeMon
Posted February 8

1 hour ago, DelphiUdIT said:
    What is the target of your application?

I've been using an RSA SSL certificate until now for my API server. However, a new client is asking to use ECDH ciphers to connect to it. So, I've created an ECDH SSL certificate to make it happen. Haven't had luck making it work yet!!

FYI, the new certificate is loading fine.
Remy Lebeau
Posted February 9

15 hours ago, Angus Robertson said:
    I'm aware Indy officially only supports OpenSSL 1.0.2, but that version would never give the reported error message mentioning BoringSSL, so something unusual is happening here.

It could happen if the app is running on Android 6+, where BoringSSL has replaced OpenSSL but might use the old OpenSSL .so filenames.
MikeMon
Posted February 9

5 hours ago, Remy Lebeau said:
    It could happen if the app is running on Android 6+, where BoringSSL has replaced OpenSSL but might use the old OpenSSL .so filenames.

No Android involved!!