Lars Fosdal 1797 Posted February 28, 2019
Rio 10.3.1 Indy TIdSSLIOHandlerSocketOpenSSL seems to not support TLS 1.3. Is there an update anywhere?
Lars Fosdal 1797 Posted February 28, 2019
https://stackoverflow.com/questions/50481630/upgrade-indy-library-to-use-latest-openssl-library
The answer is still "no".
Remy Lebeau 1459 Posted March 1, 2019
The link that Lars provided is a year old, but the answer is still the same. Indy does not yet support OpenSSL 1.1+, and so does not yet support TLS 1.3. It is in the planning stage, no code has been written yet: https://github.com/IndySockets/Indy/issues/183
Allen@Grijjy 44 Posted March 1, 2019
Some thoughts on OpenSsl 1.1.1... We recently finished porting the OpenSsl 1.1.1a headers to Delphi for all platforms (Windows, macOS, Android, iOS and Linux, 32 and 64-bit where appropriate) and may write an article for our grijjy blog on that sometime soon. The challenge is building in a way that works for each Delphi platform, which we also did in the process. Deploying OpenSsl with your app in a way that is uniform for all platforms but does not interfere with legacy OpenSsl that is sometimes part of the OS is also a challenge. The libraries for LibSsl and LibCrypto often cause dynamic linking issues on POSIX platforms when they attempt to reference one another. We solved this with some creative linking that is platform specific. Also it isn't wired into Indy, because we don't use Indy internally, but it shouldn't be too hard (for someone else to do).
The other challenge is TLS 1.3 isn't really completely working in OpenSsl 1.1.1 and has a few outstanding issues. You probably don't want to use TLS 1.3 at this time.
Guest Posted March 2, 2019
https://github.com/winddriver/Delphi-Cross-Socket
Here you can find headers and units of the MBED_TLS Delphi binding, an embedded $L high quality library that can replace openssl
Angus Robertson 584 Posted March 3, 2019
ICS implemented OpenSSL 1.1.1 last year, initially for draft versions of TLSv1.3, then the final version. There are comments in the ICS SSL units about the major changes needed to support 1.1.0 and 1.1.1, and ICS applications support for three major OpenSSL versions, one of which is chosen during initialisation. Now looking at OpenSSL 3 (or maybe 4) due out later this year, they say before support ceases for OpenSSL 1.0.2 at the end of the year.
Angus
esegece 47 Posted January 31, 2020
Hi, I am the developer of sgcWebSockets and in prior versions I've updated Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone who wants can download full indy package without any limits from my website. At this moment, this indy version is beta, I didn't try all IDE versions and personalities. Source is not included, only compiled versions, but I can provide it if anyone is interested. Delphi and C++ Builder versions from 7 to 10.3.3 are provided. There is a small demo which shows how a TIdHTTP component can connect to an https server using openssl 1.1.1.
More Info: https://www.esegece.com/indy
Download: https://www.esegece.com/indy/download
Hope it helps.
Fr0sT.Brutal 901 Posted January 31, 2020
Why so complicated, why don't simply create pull request on Github?
esegece 47 Posted January 31, 2020
There are several modifications made in Indy code (not only openssl 1.1, I did more modifications for my library) so if I want to do a pull request first I must split all those changes and this requires more time. I will see if I can do it in my free time. Thanks for your comment, I really appreciate it.
mp3freak_en 0 Posted April 22, 2020
Missing support for openssl 1.1.1 will become an annoying problem for all of us, even if there is currently no big security issue in openssl. It would be cool if you could find some time to send the changes to GitHub, by pull request to the main Indy repository.
esegece 47 Posted April 22, 2020
Thanks for your suggestion, if I have some time I will do.
Sergio
Remy Lebeau 1459 Posted April 22, 2020
5 hours ago, mp3freak_en said:
> Missing support for openssl 1.1.1 will become an annoying problem for all of us, even if there is currently no big security issue in openssl. It would be cool if you could find some time to send the changes to GitHub, by pull request to the main Indy repository.
There is already work being done to add 1.1.x support. Not by me, codewise, but I'll review and merge it when it's ready.
Remy Lebeau 1459 Posted May 6, 2020
On 4/22/2020 at 10:19 AM, Remy Lebeau said:
> There is already work being done to add 1.1.x support. Not by me, codewise, but I'll review and merge it when it's ready.
https://en.delphipraxis.net/topic/2769-indy-openssl-111-tls-13/
At this time, it has not been merged yet, though. Still pending review...
nummer8 0 Posted July 30, 2020
On 1/31/2020 at 11:05 AM, esegece said:
> Hi, I am the developer of sgcWebSockets and in prior versions I've updated Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone who wants can download full indy package without any limits from my website. At this moment, this indy version is beta, I didn't try all IDE versions and personalities. Source is not included, only compiled versions, but I can provide it if anyone is interested. Delphi and C++ Builder versions from 7 to 10.3.3 are provided. There is a small demo which shows how a TIdHTTP component can connect to an https server using openssl 1.1.1.
> More Info: https://www.esegece.com/indy
> Download: https://www.esegece.com/indy/download
> Hope it helps.
Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?
Remy Lebeau 1459 Posted July 30, 2020
1 hour ago, nummer8 said:
> Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?
You can download it from the current pull request on GitHub: https://github.com/IndySockets/Indy/pull/299
It has not been merged into Indy's main codebase yet.
Cobalt747 0 Posted September 16, 2020
I try, but have an error
> Project Indy_openssl1_1.exe raised exception class EIdOpenSSLConnectError with message 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'.
I create a project in folder \Lib\Protocols\OpenSSL\
https://drive.google.com/file/d/1tT84oi9IBi1URrhtbTaD0cnBtv0hFRYQ/view?usp=sharing
use openssl libs version 1.1.1.7
Remy Lebeau 1459 Posted September 16, 2020
2 hours ago, Cobalt747 said:
> I try, but have an error
Sorry, I can't help with that. I know nothing about OpenSSL 1.1.x or the new APIs it introduced. I did not write the new SSLIOHandler for 1.1.x. Are you able to access the same server using other apps that use TLS 1.3? Maybe the server's certificate really is faulty.
mezen 13 Posted December 10, 2020
On 9/16/2020 at 2:44 PM, Cobalt747 said:
> I try, but have an error
> I create a project in folder \Lib\Protocols\OpenSSL\
> https://drive.google.com/file/d/1tT84oi9IBi1URrhtbTaD0cnBtv0hFRYQ/view?usp=sharing
> use openssl libs version 1.1.1.7
The error "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed" means your certificate verification failed. Use IoHandler.Options.VerifyServerCertificate and/or IoHandler.Options.OnVerify
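The error string quoted in the posts above follows OpenSSL's `error:<code>:<library>:<function>:<reason>` text layout. As an added example (not part of the thread and not Indy code), this Python sketch unpacks the 32-bit code the way the OpenSSL 1.1.1 `ERR_GET_LIB` / `ERR_GET_FUNC` / `ERR_GET_REASON` macros do, so a verification failure can be told apart from a protocol error in logs. The names `OpenSSLError` and `find_openssl_errors` are made up for illustration, and the bit layout is assumed to be that of 1.1.1 (OpenSSL 3.x packs codes differently).

```python
import re
from typing import List, NamedTuple

ERR_LIB_SSL = 20                       # libssl's library number in OpenSSL 1.1.1
SSL_R_CERTIFICATE_VERIFY_FAILED = 134  # reason code 0x086 in sslerr.h

# Text form produced by ERR_error_string(): error:<8 hex>:<lib>:<func>:<reason>
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]*):([^:\n]*):([^'\"\n]*)")


class OpenSSLError(NamedTuple):
    code: int
    lib: int
    func: int
    reason: int
    lib_text: str
    func_text: str
    reason_text: str

    @property
    def is_cert_verify_failure(self) -> bool:
        return (self.lib, self.reason) == (ERR_LIB_SSL, SSL_R_CERTIFICATE_VERIFY_FAILED)


def find_openssl_errors(text: str) -> List[OpenSSLError]:
    """Return every OpenSSL 1.1.1 error string found in a log or exception message."""
    found = []
    for m in _ERR_RE.finditer(text):
        code = int(m.group(1), 16)
        found.append(OpenSSLError(
            code=code,
            lib=(code >> 24) & 0xFF,     # ERR_GET_LIB
            func=(code >> 12) & 0xFFF,   # ERR_GET_FUNC
            reason=code & 0xFFF,         # ERR_GET_REASON
            lib_text=m.group(2).strip(),
            func_text=m.group(3).strip(),
            reason_text=m.group(4).strip(),
        ))
    return found


# First line is the message quoted in the thread; the second is a constructed sample.
SAMPLE = (
    "Project Indy_openssl1_1.exe raised exception class EIdOpenSSLConnectError with message "
    "'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'.\n"
    "error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version\n"
)

if __name__ == "__main__":
    for err in find_openssl_errors(SAMPLE):
        kind = "trust/verification failure" if err.is_cert_verify_failure else "other"
        print(f"{err.code:08X} lib={err.lib} func={err.func} reason={err.reason} -> {kind}")
```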
Guest Posted December 11, 2020
For mission-critical stuff, n/software. €1200 / annum. But don't you guys spend that anyhow? In lost working hours?