mezen

Indy & OpenSSL 1.1.1 & TLS 1.3


Hi,

when you read the title, you probably already had the standard answer in your head: "Does not work with Indy, supports only OpenSSL 1.0.2 at most and thus no TLS 1.3".
I can reassure you, that is not my point. Or actually even more precisely: That is exactly my point 😉

I've spent "a little" time writing the Indy support for OpenSSL 1.1.1 and TLS 1.3, and added a push request to Indy: #299. At the same time I have fixed a few issues that have been posted to GitHub (see PR).

I wrote two new IO handlers (one for the server and one for the client); the old ones are unchanged to avoid conflicts.


Everything was written and tested in Delphi Berlin 10.1.2 on Win32 and Win64. I have neither macOS nor iOS nor Linux nor Android, nor FreePascal, nor older (or newer) Delphi versions. I have tried to keep older Delphi versions in mind so that it will run on them, but I have not tested that myself.

I have tested it extensively in small test applications against other servers/clients. In addition, I built it into a large real-world program with a TCP server/client, SMTP/IMAP/POP clients, an FTP client and an HTTP client, and it ran there without problems too.

Unfortunately the nice man who provided new OpenSSL binaries at indy.fulgan.com has said that he will not offer versions > 1.0.2 anymore. So I used the slWebPro builds in the beginning (they even still work on WinXP), and later the Overbyte builds, because they have no external dependencies (and are digitally signed, but no XP anymore^^). Both worked without problems.

All files are located in the subfolder "Lib/Protocols/OpenSSL". There are also subfolders "static" and "dynamic" which offer quite extensive imports of the OpenSSL API, once for static linking and once for dynamic loading/unloading. For dynamic loading there are also functions in "IdOpenSSLLoader.pas" to trigger the loading/unloading yourself, if you need the API outside of the IO handler (e.g. for your own X.509 generation).
To save myself writing the imports twice, I wrote a kind of intermediate code in the folder "Intermediate", from which the tool "GenerateCode" generates the two variants. "GenerateCode" is only simple string substitution and was designed only for Berlin, so I didn't bother with backward compatibility. As a normal user of the IO handlers you don't need it, only if you change the API implementation.


And now it's your turn. It would be nice if one or the other of you would test this, so that it is not only WOMM certified but can withstand more real situations.
For me it also works with the Indy that comes with Delphi Berlin, when I create another unit that provides some new Indy types and functions. Of course some units have to be adapted locally to use the new unit.

Edited by mezen
9 hours ago, mezen said:

I've spent "a little" time writing the Indy support for OpenSSL 1.1.1 and TLS 1.3, and added a push request to Indy: #299. At the same time I have fixed a few issues that have been posted to GitHub (see PR).

And I do appreciate that work, and I will review it when I have time to do so (I wasn't able to get to it this past weekend, like I had hoped to).


Any news on TLS 1.3 support?

We will be needing it this autumn as the APIs we access will make it a mandatory requirement.

15 hours ago, Lars Fosdal said:

Any news on TLS 1.3 support?

Still a work in progress. Mezen's pull request for a new SSLIOHandler for OpenSSL 1.1.x is still pending review, I just have not had time lately to review it yet, but you can download and try it for yourself.

Edited by Remy Lebeau


Guys, you do a really good job, seriously, who works for free in this world? I see fewer people doing it every day :( I have a program downloaded 100,000+ times without one donation.

I can't donate but I can say THANK YOU!!!

On 6/4/2020 at 9:15 PM, Remy Lebeau said:

Still a work in progress. Mezen's pull request for a new SSLIOHandler for OpenSSL 1.1.x is still pending review, I just have not had time lately to review it yet, but you can download and try it for yourself.

How can I help? I need to get higher than TLS 1.2. My websites are being flagged as having too weak of encryption.

Quote

I need to get higher than TLS 1.2. My websites are being flagged as having too weak of encryption.

Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes.

Most IIS sites are still only TLS 1.2; Microsoft does not support TLS 1.3 until Windows Server 2022.

Angus

On 7/27/2021 at 1:50 AM, Angus Robertson said:

Flagged by whom? TLS 1.2 is perfectly good provided you disable a lot of weak ciphers and hashes.

Most IIS sites are still only TLS 1.2; Microsoft does not support TLS 1.3 until Windows Server 2022.

Angus

Sorry, I mistyped. I need to get to TLS 1.2.

On 7/30/2021 at 4:45 PM, Jason Wharton said:

Sorry, I mistyped. I need to get to TLS 1.2.

Then you should be fine using the latest Indy with OpenSSL 1.0.2, as it supports TLS 1.2.

On 8/2/2021 at 11:25 AM, Remy Lebeau said:

Then you should be fine using the latest Indy with OpenSSL 1.0.2, as it supports TLS 1.2.

Yes, correct. I was mistaken.

I finally discovered that my path to the OpenSSL binaries was not configured correctly, and so Indy was resorting to TLS 1.0.

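Two practical points come out of the last few posts: Angus's, that TLS 1.2 is fine once weak ciphers and hashes are disabled, and Jason's, that a wrong OpenSSL library path silently left Indy negotiating TLS 1.0. The following is an added example, not code from the Indy project, from Mezen's pull request or from any post in this thread. It assumes Indy 10 with the classic TIdSSLIOHandlerSocketOpenSSL (the 1.0.2 handler Remy refers to) and an OpenSSL 1.0.2 libeay32.dll/ssleay32.dll pair; the folder names, the CA bundle file and the URL are placeholders. It loads OpenSSL from a fixed folder and aborts if that fails instead of falling back, pins the handler to TLS 1.2 with a restricted cipher list, and assigns an OnVerifyPeer handler, because without one Indy's default DoVerifyPeer returns True and a failed chain verification would still be accepted.

```delphi
program Tls12OnlyClient;

{$APPTYPE CONSOLE}

// Added example, not from the Indy project or from this thread.
// Assumes Indy 10 (classic IdSSLOpenSSL handler) and an OpenSSL 1.0.2
// libeay32.dll / ssleay32.dll pair. Paths and URL below are placeholders.

uses
  System.SysUtils,
  IdHTTP,
  IdSSLOpenSSL,
  IdSSLOpenSSLHeaders;

const
  OPENSSL_DIR = 'C:\OpenSSL-1.0.2\';            // placeholder: holds libeay32.dll + ssleay32.dll
  CA_BUNDLE   = 'C:\OpenSSL-1.0.2\cacert.pem';  // placeholder: PEM bundle of trusted roots
  TEST_URL    = 'https://example.invalid/';      // placeholder

type
  // Carries the OnVerifyPeer handler. Without a handler Indy accepts the
  // connection even when OpenSSL reports the chain as invalid.
  TStrictVerifier = class
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

function TStrictVerifier.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  if not AOk then
    Writeln('Certificate rejected at depth ', ADepth, ' (error ', AError, '): ',
      Certificate.Subject.OneLine);
  Result := AOk;  // pass OpenSSL's verdict through, never override a failure
end;

// Load OpenSSL from a known folder and fail loudly if that does not work,
// instead of letting Indy pick up whatever DLL happens to be on the PATH.
procedure LoadOpenSSLStrict;
begin
  IdOpenSSLSetLibPath(OPENSSL_DIR);
  if not IdSSLOpenSSLHeaders.Load then
    raise Exception.Create('OpenSSL did not load: ' + WhichFailedToLoad);
  Writeln('Using ', OpenSSLVersion);
end;

// Build a handler pinned to TLS 1.2 with forward-secret AEAD suites only.
// The same SSLOptions apply unchanged to a server-side handler (Mode := sslmServer).
function NewTls12Handler(AOwner: TComponent;
  AVerifier: TStrictVerifier): TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdSSLIOHandlerSocketOpenSSL.Create(AOwner);
  Result.SSLOptions.Mode := sslmClient;
  Result.SSLOptions.SSLVersions := [sslvTLSv1_2];  // no SSLv3 / TLS 1.0 / TLS 1.1 fallback
  // No RC4, 3DES, MD5, NULL, export or anonymous suites.
  Result.SSLOptions.CipherList :=
    'ECDHE+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK';
  Result.SSLOptions.VerifyMode := [sslvrfPeer];
  Result.SSLOptions.VerifyDepth := 4;
  Result.SSLOptions.RootCertFile := CA_BUNDLE;
  Result.OnVerifyPeer := AVerifier.VerifyPeer;
end;

var
  Http: TIdHTTP;
  Verifier: TStrictVerifier;
begin
  try
    LoadOpenSSLStrict;
    Verifier := TStrictVerifier.Create;
    try
      Http := TIdHTTP.Create(nil);
      try
        Http.IOHandler := NewTls12Handler(Http, Verifier);  // owned by Http
        Writeln(Http.Get(TEST_URL));
      finally
        Http.Free;
      end;
    finally
      Verifier.Free;
    end;
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

With SSLVersions pinned this way a server that only offers TLS 1.0 fails the handshake with an EIdOSSLConnectError instead of connecting quietly, which is the failure mode Jason describes; and because Load is checked explicitly, a missing or wrong DLL shows up as a startup error naming the library that failed, not as a weaker protocol on the wire.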
