baka0815 12 Posted April 18, 2024

Quote:
> I might consider doing that for a future version of the .cmd script. That would probably require making a separate .txt file of all the known Indy units and then have the .cmd script loop through that file for every platform.

Wouldn't that be something that could be automated in the CI of the Indy project (the creation of the cmd, without the txt file I mean)?

DelphiUdIT 200 Posted April 18, 2024 (edited)

5 hours ago, baka0815 said:
> Wouldn't that be something that could be automated in the CI of the Indy project (the creation of the cmd, without the txt file I mean)?

In the Embarcadero release, Indy packages, components and other stuff may differ from the GitHub-maintained release. For example IndyIPServer, IndyIPClient and others are not present in the GitHub version.

EDIT: also the runtime version may differ, like 12.0 and 12.1, where in the 12.1 release the new WIN64X "platform" exists.

Edited April 18, 2024 by DelphiUdIT

Remy Lebeau 1458 Posted April 18, 2024 (edited)

14 hours ago, baka0815 said:
> Wouldn't that be something that could be automated in the CI of the Indy project (the creation of the cmd, without the txt file I mean)?

Indy doesn't have a real CI system. But yes, generation of the cmd script could be automated in some way using information that Indy already has (there is already some automation in place to generate the Package projects themselves). To reduce duplication, I could auto-generate a separate cmd script that just deletes the known Indy files in the current directory, and then have Clean_IDE.cmd call that script where needed.

9 hours ago, DelphiUdIT said:
> In the Embarcadero release, Indy packages, components and other stuff may differ from the GitHub-maintained release. For example IndyIPServer, IndyIPClient and others are not present in the GitHub version.

Those files are not part of Indy itself, they are part of an internal wrapper on top of Indy which Embarcadero uses to separate its use of Indy from other Embarcadero code. But, there are other differences Embarcadero does make to Indy itself - most notably, the Packages are changed to use LIBSUFFIX, etc.

Edited April 18, 2024 by Remy Lebeau

Remy Lebeau 1458 Posted September 16, 2024 (edited)

Just FYI, PR 299 (https://github.com/IndySockets/Indy/pull/299) has been abandoned by the author. Going forward, there is a new effort now to update Indy to the latest OpenSSL using a completely new and separate package as an add-on to Indy:

https://github.com/IndySockets/IndyTLS-OpenSSL

The existing OpenSSL code in the main Indy library is being pulled out into this new package for a v1.0 release for existing users, and then it will be updated with the latest OpenSSL APIs in subsequent releases, independent of the main Indy library.

Edited September 16, 2024 by Remy Lebeau

DelphiUdIT 200 Posted September 16, 2024

The "sasl-oauth" branch will also be useful to enable the use of the OAUTH protocol, especially for email client functions.

Tommi Prami 134 Posted September 17, 2024

11 hours ago, Remy Lebeau said:
> The existing OpenSSL code in the main Indy library is being pulled out into this new package for a v1.0 release for existing users, and then it will be updated with the latest OpenSSL APIs in subsequent releases, independent of the main Indy library.

Will get merged to main someday? Right?

Quote:
> But, there are other differences Embarcadero does make to Indy itself - most notably, the Packages are changed to use LIBSUFFIX, etc.

Would it be better to get closer to the Embarcadero version, where possible, because every difference will cause some problems and confusion, I think. Also it would make things easier for Embarcadero to merge fixes to their version, etc... And finally the one with New OpenSSL-stuff...

Just my 0.02€

-tee-

DelphiUdIT 200 Posted September 17, 2024

1 hour ago, Tommi Prami said:
> Would it be better to get closer to the Embarcadero version, where possible, because every difference will cause some problems and confusion, I think.

The Indy "Crew" said that this change will be done in the next version (Indy 11). By now you can only change (may be MUST) that at your hand. This is necessary if you want to maintain compatibility with Embarcadero tools and also some third-party components that use Indy.

But Embarcadero is interested in Indy's progression, so things will be fine (https://www.indyproject.org/2024/08/05/ongoing-work-in-indy-for-openssl-updates/)

Remy Lebeau 1458 Posted September 17, 2024

9 hours ago, Tommi Prami said:
> Will get merged to main someday? Right?

The OpenSSL code that is currently in the main library is being pulled out completely into its own separate package that uses the main library. This way, future updates to OpenSSL are more isolated and can be worked on and committed independently outside of the main library.

9 hours ago, Tommi Prami said:
> Would it be better to get closer to the Embarcadero version, where possible, because every difference will cause some problems and confusion, I think. Also it would make things easier for Embarcadero to merge fixes to their version, etc... And finally the one with New OpenSSL-stuff...

Yes, that is the plan. I've already asked Embarcadero for details about the changes they make to their bundled release of Indy.

Remy Lebeau 1458 Posted September 17, 2024

7 hours ago, DelphiUdIT said:
> The Indy "Crew" said that this change will be done in the next version (Indy 11). By now you can only change (may be MUST) that at your hand.

The "crew" is me. Since Indy 11 has been pending for a very long time, I've been considering lately about updating Indy 10 just to bring it more in line with Embarcadero's releases (i.e., adding LIBSUFFIX, etc) sooner rather than later. Dropping older compilers, etc will still wait for Indy 11 for now.

ioan 45 Posted Monday at 07:15 PM

Any guide on how to install the Indy version that supports TLS 1.3, while keeping the default installation also?

Also, after installing it, how do I enable, for example a TIdTCPServer to accept both, TLS 1.2 and 1.3 connections?

DelphiUdIT 200 Posted Monday at 09:18 PM (edited)

2 hours ago, ioan said:
> Also, after installing it, how do I enable, for example a TIdTCPServer to accept both, TLS 1.2 and 1.3 connections?

You will have the options enabled (TIdOpenSSLIOHandlerServer.Options) with:

    TLSVersionMinimum := TIdOpenSSLVersion.TLSv1_2;
    TLSVersionMaximum := TIdOpenSSLVersion.TLSv1_3;

If you want you can test with SSL Labs https://www.ssllabs.com/ssltest/ the basic HTTPS server made with Indy 'cloud.dyn-o-saur.com' (it's down now, tomorrow in the morning (CET) will be online again). It works with OpenSSL 3.1.4

2 hours ago, ioan said:
> Any guide on how to install the Indy version that supports TLS 1.3, while keeping the default installation also?

No, I don't have any. I always deleted the bundle version and install the GitHub version. The bundle compiled files (Bpl, Dcu, etc ...) are in the same paths of Delphi system libraries, I think you must move them from there. So you must maintain them and the GitHub version switching the Windows registry.

I think that @shineworld has done those steps.

Edited Monday at 09:20 PM by DelphiUdIT

Remy Lebeau 1458 Posted Monday at 10:00 PM

2 hours ago, ioan said:
> Any guide on how to install the Indy version that supports TLS 1.3

Such a version has NOT been released yet. Still a work in progress. The next Indy version that is pending release (10.7) will be splitting off all OpenSSL support into a new package, IndyTLSOpenSSL, as an add-on to the main Indy packages. It has its own repo:

https://github.com/IndySockets/IndyTLS-OpenSSL

v1.0 will focus on backwards compatibility as users update their existing projects to include this new package without changing the rest of their code. Then v2.0 will be for adding OpenSSL 3.x.

In the meantime, there are a few 3rd party projects already available now that bring OpenSSL 3.x to the current Indy.

2 hours ago, ioan said:
> while keeping the default installation also?

You cannot have multiple versions installed together. The GitHub version is not compatible as-is with the default bundled version. You will have to use one or the other.

2 hours ago, ioan said:
> Also, after installing it, how do I enable, for example a TIdTCPServer to accept both, TLS 1.2 and 1.3 connections?

I can't answer that. Each 3rd party project that has been released so far has its own way of doing things. Use what is appropriate for whatever project you decide to use. What will end up in the new IndyTLSOpenSSL package is not finalized yet.

shineworld 79 Posted Tuesday at 09:23 AM

11 hours ago, DelphiUdIT said:
> The bundle compiled files (Bpl, Dcu, etc ...) are in the same paths of Delphi system libraries, I think you must move them from there. So you must maintain them and the GitHub version switching the Windows registry. I think that @shineworld has done those steps.

I've downloaded (cloned) Indy repository from GitHub (https://github.com/IndySockets/Indy.git). Manually copied needed file in a source folder of my project. Added that folder in the project search path. Created the class only with code (no IDE objects placement) so I use only custom sources for Indy.

This permitted me to add changes and work with latest git repository code, without removing native Indy tools from IDE.

ioan 45 Posted Tuesday at 01:13 PM

3 hours ago, shineworld said:
> I've downloaded (cloned) Indy repository from GitHub (https://github.com/IndySockets/Indy.git). Manually copied needed file in a source folder of my project.

What 3rd party projects did you use for TLS 1.3 with Indy?

shineworld 79 Posted Tuesday at 04:52 PM

Currently, working is only TLS 1.2, but there is a git to add TLS 1.3 ( https://github.com/JPeterMugaas/TaurusTLS.git ) I've downloaded and checked it but I haven't yet need time to try to extract sources use it... I try then from some weeks (I'm in releasing of current software version).

ioan 45 Posted Tuesday at 06:13 PM

1 hour ago, shineworld said:
> Currently, working is only TLS 1.2, but there is a git to add TLS 1.3 ( https://github.com/JPeterMugaas/TaurusTLS.git ) I've downloaded and checked it but I haven't yet need time to try to extract sources use it... I try then from some weeks (I'm in releasing of current software version).

I ended up using this guide:

The only changes required:

    uses
      IdOpenSSLVersion, IdOpenSSLIOHandlerServer;

    const
      DefaultCipher = 'ECDHE-ECDSA-AES128-GCM-SHA256:' +
        'ECDHE-PSK-CHACHA20-POLY1305:' +
        'ECDHE-ECDSA-AES256-GCM-SHA384: '+
        'ECDHE-ECDSA-CHACHA20-POLY1305:' +
        'ECDHE-RSA-AES256-GCM-SHA384:'+
        'ECDHE-RSA-AES128-GCM-SHA256:'+
        'DHE-RSA-AES256-GCM-SHA384:'+
        'DHE-RSA-AES128-GCM-SHA256:'+
        'DHE-PSK-AES256-GCM-SHA384:' +
        'DHE-PSK-AES128-GCM-SHA256:' +
        '!ADH:!EXP:!RC4:!eNULL@STRENGTH'; // block 3DES / DES / RC2 / IDEA

    // TLS IOHandler: accept TLS 1.2 through TLS 1.3
    IdOpenSSLIOHandlerServer := TIdOpenSSLIOHandlerServer.Create(nil);
    IdOpenSSLIOHandlerServer.Options.TLSVersionMinimum := TIdOpenSSLVersion.TLSv1_2;
    IdOpenSSLIOHandlerServer.Options.TLSVersionMaximum := TIdOpenSSLVersion.TLSv1_3;
    IdOpenSSLIOHandlerServer.Options.CipherList := DefaultCipher;
    IdOpenSSLIOHandlerServer.Options.CertFile := fCertPath + 'cert.pem';
    IdOpenSSLIOHandlerServer.Options.VerifyCertificate := fCertPath + 'root.pem';
    IdOpenSSLIOHandlerServer.Options.CertKey := fCertPath + 'key.pem';

    // TCP server that uses the TLS IOHandler above
    IdTCPServerTLS := TIdTCPServer.Create(nil);
    IdTCPServerTLS.IOHandler := IdOpenSSLIOHandlerServer;
    IdTCPServerTLS.ContextClass := TMyContext;
    IdTCPServerTLS.DefaultPort := fATAPort;
    IdTCPServerTLS.OnConnect := IdTCPServerNOTLSConnect;
    IdTCPServerTLS.OnDisconnect := IdTCPServerNOTLSDisconnect;
    IdTCPServerTLS.OnExecute := IdTCPServerNOTLSExecute;
    IdTCPServerTLS.Active := true;

DelphiUdIT 200 Posted Tuesday at 06:38 PM

12 minutes ago, ioan said:
> DefaultCipher = 'ECDHE-ECDSA-AES128-GCM-SHA256:' +
>   'ECDHE-PSK-CHACHA20-POLY1305:' +
>   'ECDHE-ECDSA-AES256-GCM-SHA384: '+
>   'ECDHE-ECDSA-CHACHA20-POLY1305:' +
>   'ECDHE-RSA-AES256-GCM-SHA384:'+
>   'ECDHE-RSA-AES128-GCM-SHA256:'+
>   'DHE-RSA-AES256-GCM-SHA384:'+
>   'DHE-RSA-AES128-GCM-SHA256:'+
>   'DHE-PSK-AES256-GCM-SHA384:' +
>   'DHE-PSK-AES128-GCM-SHA256:' +
>   '!ADH:!EXP:!RC4:!eNULL@STRENGTH'; // block 3DES / DES / RC2 / IDEA

If you use the OpenSSL 1.1.1 or 3.1.x, I suggest to use this:

    //CipherList are used in TLSv1_2
    CipherList := '!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA'+
      ':ECDHE-RSA-AES256-GCM-SHA384'+
      ':ECDHE-RSA-AES128-GCM-SHA256'+
      ':ECDHE-RSA-CHACHA20-POLY1305'+
      ':ECDHE-ARIA256-GCM-SHA384'+
      ':ECDHE-ARIA128-GCM-SHA256'+
      //Weak !! but necessary for old products
      ':ECDHE-RSA-AES256-SHA384'+
      '';

    //CipherSuites are used in TLSv1_3
    CipherSuites := ''+
      'TLS_AES_256_GCM_SHA384'+
      ':TLS_CHACHA20_POLY1305_SHA256'+
      ':TLS_AES_128_GCM_SHA256'+
      ':TLS_AES_128_CCM_8_SHA256'+
      ':TLS_AES_128_CCM_SHA256'+
      '';

If you use only old OpenSSL 1.0.2u (limited to TLS 1.2):

    CipherList := '!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA'+
      ':ECDHE-RSA-AES128-GCM-SHA256'+
      ':ECDHE-RSA-AES256-GCM-SHA384'+
      ':ECDHE-RSA-CHACHA20-POLY1305'+
      ':ECDHE-ARIA256-GCM-SHA384'+
      ':ECDHE-ARIA128-GCM-SHA256'+
      //Weak
      ':ECDHE-RSA-AES256-SHA384'+
      //To use these two you must generate the DHPARAMS file with OpenSSL utility
      //':DHE-RSA-AES128-GCM-SHA256'+
      //':DHE-RSA-AES256-GCM-SHA384'+
      '';

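The post above treats the TLS 1.2 cipher list and the TLS 1.3 ciphersuites as two separate settings. As an added example (Python, not code from this thread or from Indy), the script below expands that TLS 1.2 list with the local OpenSSL, picks out the non-AEAD suites, and shows that narrowing the cipher list leaves the TLS 1.3 suites as they were. `expand` and `audit` are names made up here, and the output depends on the OpenSSL build Python is linked against.

```python
import ssl

# TLS 1.2 cipher list copied from DelphiUdIT's post (OpenSSL 1.1.1 / 3.1.x variant).
CIPHER_LIST = (
    "!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA"
    ":ECDHE-RSA-AES256-GCM-SHA384"
    ":ECDHE-RSA-AES128-GCM-SHA256"
    ":ECDHE-RSA-CHACHA20-POLY1305"
    ":ECDHE-ARIA256-GCM-SHA384"
    ":ECDHE-ARIA128-GCM-SHA256"
    ":ECDHE-RSA-AES256-SHA384"  # marked "Weak" in the post (CBC mode)
)


def is_aead(name):
    """True for GCM, CCM and ChaCha20-Poly1305 suites; others in this list are CBC."""
    return any(tag in name for tag in ("GCM", "CCM", "CHACHA20"))


def expand(cipher_list):
    """Return (tls12_names, tls13_names) the local OpenSSL enables for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    tls12, tls13 = [], []
    for cipher in ctx.get_ciphers():
        bucket = tls13 if cipher["protocol"] == "TLSv1.3" else tls12
        bucket.append(cipher["name"])
    return tls12, tls13


def audit(cipher_list):
    """Expand the string and pick out the TLS 1.2 suites that are not AEAD."""
    tls12, tls13 = expand(cipher_list)
    non_aead = [name for name in tls12 if not is_aead(name)]
    return {"tls12": tls12, "tls12_non_aead": non_aead, "tls13": tls13}


if __name__ == "__main__":
    report = audit(CIPHER_LIST)
    print("TLS 1.2 suites enabled   :", report["tls12"])
    print("  of which non-AEAD      :", report["tls12_non_aead"])
    print("TLS 1.3 suites enabled   :", report["tls13"])
    # Narrowing the cipher list leaves the TLS 1.3 suites untouched: in OpenSSL
    # they are set through a separate call (SSL_CTX_set_ciphersuites).
    _, tls13_narrow = expand("ECDHE-RSA-AES128-GCM-SHA256")
    print("TLS 1.3 unchanged by list:", tls13_narrow == report["tls13"])
```

A server that sets only a cipher list while allowing TLS 1.3 therefore negotiates TLS 1.3 with the library's default suites unless the ciphersuites setting is also configured.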