TLS v1.3

[Maxxed 2]

I need TLS v1.3 support in my Delphi 2007 application which uses Indy 10.6.2.5520. I found this solution:

 

https://github.com/IndySockets/Indy/pull/299

 

Everything compiled fine, but I get the following run-time error: "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed". I believe I need different DLLs. The version I was able to find is "openssl-1.1.1o-win32". Where can I get the DLLs that work with this above mentioned solution?

 

Or, maybe there is a built-in support of TLS v1.3 in Indy already?

[mezen 13]

Nop, that pull request is still pending, just read

 

"error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"

The last part is the interessint part, it contains the error message. By default is certificate verification active.

You have two possibilites:

1.) Just ignore the verification and accept every certificate, even if it is a malicious from an attacker...

MyIOHandler.Options.VerifyCertificate := False;

 

2.) Let OpenSSL handle certificate verification

LMyIOHandler.Options.VerifyCertDirectory := 'C:\Path\To\Certificates';
{ OR USE THIS ALTERNATIVE }
LMyIOHandler.Options.CertFile := 'C:\Path\To\MyCertificates.pem';

 

3.) Implement the certificate verification on your own

procedure HandleMyCertificateVerification(Sender: TObject;
    const x509: TIdOpenSSLX509;
    const VerifyResult: Integer;
    const Depth: Integer;
    var Accepted: Boolean);
begin
  Accepted := DoMyVerification(x509);
end;


LMyIOHandler.Options.OnVerify := HandleMyCertificateVerification;

 

[Maxxed 2]

Thank you very much Mezen! Turning off the certificate verification actually helped! It still needs testing but for now I can finally access websites via TLS v1.3 with Indy!

[Maxxed 2]

Hello Mezen. What do I do with this error message:

 

error:141E3152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled

 

I already tried setting AllowUnsafeLegacyRenegotiation to True. It doesn't help.

Edited May 25, 2022 by Maxxed

[BryTack 0]

As this is the only reference I can find to Indy and TLS v1.3, keen to see if I can get this working.  A few questions if I may...

 

I have  Indy 10.6.2.0 - is  Indy 10.6.2.5520 different? Or just a rebuild?  If different, where can I get?

 

#299 states "Only IdCTypes.pas and IdGlobal.pas are modified (the last files in the diff): I added some more types"  So do I just need into download and include these? Any other libraries need to be included?

 

Are there any examples showing how to setup/use  v1.3?

 

And ,,, If not this approach .. are there alternatives to upgrading a working (TLS v1.2) coder to use TLSv1.3

 

Thank you in advance

Bryan

[Remy Lebeau 1255]

1 hour ago, BryTack said:

I have  Indy 10.6.2.0 - is  Indy 10.6.2.5520 different? Or just a rebuild?  If different, where can I get?

Delphi releases ship with the latest Indy available at the time.  10.6.2.0 is actually newer than 10.6.2.5520, it is just that the build number got lost and reset back to 0 when Indy migrated from SVN to GitHub (see https://github.com/IndySockets/Indy/issues/292).

1 hour ago, BryTack said:

#299 states "Only IdCTypes.pas and IdGlobal.pas are modified (the last files in the diff): I added some more types"  So do I just need into download and include these?

I think so, yes.  Though, I have now merged just those two files into the main code, so the PR should now be able to contain only the new units (once the author updates his branch).  So, in theory, you can download the latest main code, and then download the new units on top of it.

1 hour ago, BryTack said:

Any other libraries need to be included?

You will need the updated OpenSSL 1.1x/3.x DLLs.  Indy doesn't provide downloads for those at this time, so you'll have to get them from elsewhere.

[BryTack 0]

Thank you. This is very useful.  Nice to know I'm heading in the correct direction. Likely to see how far I get get later today.

Many thanks

Bryan 

[Todd Grigsby 1]

I downloaded the latest Indy available on github two nights ago -- 10.6.2 -- and it does not work with TLS 1.3.  Any idea when the TLS 1.3 branch will get merged into main?

[Remy Lebeau 1255]

57 minutes ago, Todd Grigsby said:

I downloaded the latest Indy available on github two nights ago -- 10.6.2 -- and it does not work with TLS 1.3

Did you download only the main code, or did you also download the PR #299 code on top of it?

57 minutes ago, Todd Grigsby said:

Any idea when the TLS 1.3 branch will get merged into main?

No ETA at this time. My understanding is that the code works as-is, but still needs to be updated/finalized to include design-time support, added to all of the supported packages, etc.

[Todd Grigsby 1]

I downloaded the main code only.  Based on your recommendation, though, I'll break with policy and try out the PR.  Thank you, Remy.

 

[Update] It worked.  I see what you mean about the design time properties.  It doesn't allow for explicitly configuring the IO handler for TLS 1.3, but if I make a connection to a server that implements 1.3, it works.  That's good enough for now.  Thank you, Remy and Mezen, for your hard work!

Edited October 13, 2023 by Todd Grigsby

[FearDC 1]

I'm sorry but I don't understand how to do this properly. I did clone https://github.com/IndySockets/Indy/pull/299 into local directory, added it to library path. I have Delphi 12 and up-to-date IdCTypes.pas and IdGlobal.pas. So what is next? 😛

[DelphiUdIT 132]

4 hours ago, FearDC said:

I'm sorry but I don't understand how to do this properly. I did clone https://github.com/IndySockets/Indy/pull/299 into local directory, added it to library path. I have Delphi 12 and up-to-date IdCTypes.pas and IdGlobal.pas. So what is next? 😛

Look at this: https://github.com/IndySockets/Indy/wiki

Read <Updating Indy> on the right side.

 

I do it more than one year ago and Indy is working also with OpenSSL 3.1.4 (for lot of functions, not for all).

I did it with Delphi 11.x and 'cause actually problems with Embarcadero I have not tried with Delphi 12.

 

Take care that this is not a good moment, is better to wait that Embarcadero restore all services.

 

Bye

[FearDC 1]

Thank you for your reply @DelphiUdIT.

 

I have been reading on Wiki, but I use D12. Currently Indy does not have 290 package it seems. There is a PR#517, but it mentions 280 too many times (btw I left a review comment for that PR author).

 

I was thinking rather some solution like pull/299#issuecomment-675003145 - atleast for now, until 290 is fully supported. I could be a test case for sure, to help finding issues, if there are any.

 

Anyway @DelphiUdIT, could you please tell more about problems that Indy upgrade caused to your D11?

 

Regards.

[DelphiUdIT 132]

2 hours ago, FearDC said:

Anyway @DelphiUdIT, could you please tell more about problems that Indy upgrade caused to your D11?

You can read this: https://en.delphipraxis.net/topic/8569-indy-with-openssl-111-support-is-fine/?do=findComment&comment=72163

 

EDIT:

The "299" repository was archived and it will not be upgraded anymore. This means that all updates from the official Indy repository will not be applied. Trying the route you indicated could be a good solution to temporarily implement compatibility between the official Indy distribution and OpenSSL 1.1.1.
Let us know what's next.

Further note: on the Indy github page if you go to the TAGS there is the official distribution supplied with Delphi 12 with all the packages too... the 290 package is still missing.... However, I think that it can easily be derived from the 280, not It seems to me that the components at design time have changed between Delphi 11 and Delphi 12.

Edited January 31 by DelphiUdIT

[DelphiUdIT 132]

Update on the use of the TLS1_3 protocol in Indy (NOT OFFICIAL FROM Indy Team).

This is an indication coming from the undersigned, who has carried out exactly what is described and verified that there are no problems either with the IDE or with the existing projects by recompiling and executing them.

Conditions:

- Rad Studio Athens 12.0 patch 1 (or Delphi);
- Dowloaded Last GitHub repository Indy source: https://github.com/IndySockets/Indy/archive/refs/tags/Indy-10.6.3.zip
- Donwloaded PR299 (aka NewOpenSSL_PR x OpenSSL 1.1.1): https://github.com/mezen/Indy/archive/refs/heads/NewOpenSSL_PR.zip

Now you need to uninstall Indy from Rad Studio IDE, components and binaries included. YOU DO NOT NEED TO DELETE THE ORIGINAL INDY SOURCES.

 

This is the official link explaining how update Indy:  https://github.com/IndySockets/Indy/wiki/Updating-Indy

ATTENTION:

Do not use THE AUTOMATIC PROCEDURE in the instructions indicated in the previous link. It deletes files that do not belong to the Indy environment.
You have to do what is indicated by hand, but when you get to the REMOVE THE FILES procedure, stop!!!!

Instead, perform these steps:

1) Using Windows Explorer, go to the RAD STUDIO installation BIN directory (normally "C:\Program Files (x86)\Embarcadero\Studio\23.0\bin") and delete the following files:

 

 

Then go to the BIN64 directory and delete the following files:

 

 

Now you need to go to the LIB directory and list all the ID* files of the subdirectories (use the pane at the top right of the explorer to search). I recommend listing the files by NAME.
The list includes a series of files (more than 10000) that will need to be deleted, BUT FROM THIS LIST YOU MUST UNSELECT (i.e. THE FILES SHOULD NOT BE DELETED) the following files:

- all files starting with "FMX", should be 16;
- all files starting with "Vcl", should be 8;
- all files starting with "play", should be 4;
- the "idoc.dcu" files should be 4;
- the "idispids.dcu" files should be 4;

The procedure indicated in the link (Update Indy) would have deleted these last 8 files.

Now that you have deleted the files you will need to open the IDE.

Errors will be generated:

- package "dclemsedge290.bpl" could not be loaded, ignore and select not to reload again.

- the "livepreview290.bpl" package, ignore and select not to reload again.

Other packages may give errors, this depends on the fact that you have components registered in the IDE and that use Indy. You can ignore them and allow them to be reloaded the next time you restart the IDE.

If you want to do a clean job, you should go to TOOL/OPTIONS/LANGUAGE/DELPHI/LIBRARY and from the "Browsing Path" item you will have to eliminate the Indy references (Core, System and Protocol) IN ALL PRESENT PLATFORMS.

Now Indy is no longer present in Delphi.

If you followed my initial instructions you should have downloaded the two zip files indicated.

Unzip the first one (Indy-10.6.3.zip) into a directory. This directory will be the one containing Indy and will be used for all your applications.

Now from the second ZIP file (NewOpenSSL_PR.zip) EXTRACT ONLY the OPENSSL directory found in "Indy/Lib/Protocols" and add it to the directory you created in the previous step, always under Lib/Protocols (so at the end there will be a directory plus, Lib/Protocols/OpenSSL).

You will now have Indy with TLS1_3 enabled and with usable OpenSSL 1.1.1 (and also partially OpenSSL 3.1.x).

Continue with the "Build and Install" paragraph of the link indicated initially.

After finishing, you need to add two paths to Delphi's LIBRARY PATH to follow the ones you entered as in the instructions:

"Lib\Protocols\OpenSSL"
"Lib\Protocols\OpenSSL\Dynamic"

You will now need to recompile (and reinstall) all of your IDE components that use Indy and your projects.

For now the TLS1_3 can only be configured in code (therefore in RUNTIME), not in DesignTime as the IDE components have not been updated.

All your projects however will remain perfectly functional and will use the old TLS1_2 standard and the old OPENSSL 1.0.2 DLLs until you modify the source to include the new standard.

It's late and I'm going to eat now...

 

 

 

UPDATE

 

A note for those who use Indy to develop 64 bit or mixed 32 bit and 64 bit (even if you already know this):

• after having compiled and installed the Indy components (therefore 32 bit), delete the dcu files from the directories (where you unzipped Indy). You can safely delete ALL *.dcu files.

If you leave them, when you go to compile your 64 bit project it will give you an error because the "dcu" are 32 bit.
By deleting the dcu, you will force the recompilation (in your project) of the Indy libraries.

Also remember that in the options of your project a valid path is indicated in the "Unit output directory", this will allow the compiler to generate all the dcu of the project within that directory.

 

 

Edited March 5 by DelphiUdIT

[Remy Lebeau 1255]

11 hours ago, DelphiUdIT said:

Do not use THE AUTOMATIC PROCEDURE in the instructions indicated in the previous link. It deletes files that do not belong to the Indy environment.

Which files does it delete that it shouldn't?

11 hours ago, DelphiUdIT said:

The procedure indicated in the link (Update Indy) would have deleted these last 8 files.

Oh. Nevermind.

Edited March 5 by Remy Lebeau

[FaFaFooey 5]

A software developer that sells websocket components for Delphi has a modified Indy library with TLS 1.3 support for download: https://www.esegece.com/products/sgcindy

 

When you install it, it backs up the current Indy library and then replaces it with the modified Indy library. It has TLS 1.3 support at design time but no source is included if you need that.

Edited March 5 by FaFaFooey

[Rollo62 498]

Why why why is installation and using SSL and TLS still such a big mess in D12?

I have never understood why this important field of development looks so deserted, with only a view of a wide-open junkyard of the many newly invented wheels.

I thought Embarcadero was working on a better integration of OpenSSL/TLS in D12? 

 

[DelphiUdIT 132]

1 hour ago, FaFaFooey said:

A software developer that sells websocket components for Delphi has a modified Indy library with TLS 1.3 support for download: https://www.esegece.com/products/sgcindy

 

When you install it, it backs up the current Indy library and then replaces it with the modified Indy library. It has TLS 1.3 support at design time but no source is included if you need that. 

Their sources are available too (you must pay of course).
I don't know the product, but I don't think they replace the Indy library (I'm almost sure, 'cause if was like you said some functions of IDE should be lost).

 

I think they use the source of Indy to construct their components, so they can insert what they needs, maintain the near compatibility with Indy ...for example they can modified the name of the units leaving the name of classes the same of Indy (I would do it like this).

[DelphiUdIT 132]

8 minutes ago, Rollo62 said:

Why why why is installation and using SSL and TLS still such a big mess in D12?

I have never understood why this important field of development looks so deserted, with only a view of a wide-open junkyard of the many newly invented wheels.

I thought Embarcadero was working on a better integration of OpenSSL/TLS in D12? 

 

I agree with you.
But there are others product like Esegece or ICS for example that do that without Indy.
 

Indy are a "historical value" and it is really simple to create whatever you want for communication over IP (IPv4 or IPv6). And it works in all the platforms.

 

I don't think that Embarcadero will do something about that (I don't remember anything about TLS/SSL on the ROADMAP), but it is may thought.

[Lajos Juhász 238]

2 minutes ago, DelphiUdIT said:

I don't think that Embarcadero will do something about that (I don't remember anything about TLS/SSL on the ROADMAP), but it is may thought.

 

Indy is a 3rd party free library. It is not owned or sponsored by Embarcadero. Embarcadero used it in the past, in recent versions it is replaced by Embarcadero implementation in the IDE and RTL. 

[DelphiUdIT 132]

8 minutes ago, Lajos Juhász said:

Indy is a 3rd party free library. It is not owned or sponsored by Embarcadero. Embarcadero used it in the past, in recent versions it is replaced by Embarcadero implementation in the IDE and RTL. 

Some parts of RadStudio still depends from Indy (and if you replaced the original version you lost them), like the others released in the past.

 

And may be not sponsored, but Indy is referenced in the Embarcadero Wiki, and is released in full with the IDE.

Edited March 5 by DelphiUdIT

[Remy Lebeau 1255]

On 3/4/2024 at 11:12 AM, DelphiUdIT said:

Now you need to go to the LIB directory and list all the ID* files of the subdirectories (use the pane at the top right of the explorer to search). I recommend listing the files by NAME.

The list includes a series of files (more than 10000) that will need to be deleted, BUT FROM THIS LIST YOU MUST UNSELECT (i.e. THE FILES SHOULD NOT BE DELETED) the following files:

- all files starting with "FMX", should be 16;
- all files starting with "Vcl", should be 8;
- all files starting with "play", should be 4;
- the "idoc.dcu" files should be 4;
- the "idispids.dcu" files should be 4;

The procedure indicated in the link (Update Indy) would have deleted these last 8 files.

When I try this step in Delphi 12, there are only 16 files TOTAL listed:

- 8 starting with FMX

- 8 starting with VCL

All 8 are Indy files (and all of them are related to IdAntiFreeze), there are no "play" files, no "idoc.dcu" or "idispids.dcu" files, etc.

 

I'm guessing the missing files are platform-specific files, in which case this step is dependent on the configuration chosen when you install the IDE.  I don't have any non-Windows platforms installed.

 

I'll have to figure out a way to filter out the non-Indy files so they don't get auto-deleted by accident.

[DelphiUdIT 132]

The source of those files (idoc and idispids) are under "source/internet" (from Rad Studio base dir). The date of the files of course are like the others, but internally they are generated on 1998 from typelib. I think they are related to Internet Explorer. I don't know why I have them and you don't. I have all the platforms installed (Rad Studio Enterprise edition).

 

Play* are from android environment.

 

If make a "del Id*" from batch file, only the "idoc and idispids" are interesting, from explorer all the others are presented.

 

You can copy those files (idoc and idispids) to a backup place and restore after delete.

 

Others way is to delete only a list of know files.  Both methods, however, require monitoring of patches and environment updates.

 

Edited March 7 by DelphiUdIT

[Remy Lebeau 1255]

On 3/7/2024 at 12:26 PM, DelphiUdIT said:

If make a "del Id*" from batch file, only the "idoc and idispids" are interesting, from explorer all the others are presented.

 

You can copy those files (idoc and idispids) to a backup place and restore after delete.

I have now updated Clean_IDE.cmd to do exactly that.

On 3/7/2024 at 12:26 PM, DelphiUdIT said:

Others way is to delete only a list of know files.

I might consider doing that for a future version of the .cmd script.  That would probably require making a separate .txt file of all the known Indy units and then have the .cmd script loop through that file for every platform.