Lars Fosdal

TIdSSLIOHandlerSocketOpenSSL and TLS 1.3 ?


Rio 10.3.1 Indy TIdSSLIOHandlerSocketOpenSSL seems to not support TLS 1.3.

Is there an update anywhere?


Some thoughts on OpenSsl 1.1.1... We recently finished porting the OpenSsl 1.1.1a headers to Delphi for all platforms (Windows, macOS, Android, iOS and Linux, 32 and 64-bit where appropriate) and may write an article for our grijjy blog on that sometime soon. The challenge is building in a way that works for each Delphi platform, which we also did in the process. Deploying OpenSsl with your app in a way that is uniform for all platforms but does not interfere with the legacy OpenSsl that is sometimes part of the OS is also a challenge. The libraries for LibSsl and LibCrypto often cause dynamic linking issues on POSIX platforms when they attempt to reference one another. We solved this with some creative linking that is platform specific. Also, it isn't wired into Indy, because we don't use Indy internally, but it shouldn't be too hard (for someone else to do). The other challenge is that TLS 1.3 isn't really completely working in OpenSsl 1.1.1 and has a few outstanding issues. You probably don't want to use TLS 1.3 at this time.

Edited by Allen@Grijjy
Guest

https://github.com/winddriver/Delphi-Cross-Socket here you can find headers and units of a Delphi binding of MBED_TLS, an embedded, high-quality library that can replace openssl.


ICS implemented OpenSSL 1.1.1 last year, initially for draft versions of TLSv1.3, then the final version. 

 

There are comments in the ICS SSL units about the major changes needed to support 1.1.0 and 1.1.1, and ICS applications support three major OpenSSL versions, one of which is chosen during initialisation.

 

Now looking at OpenSSL 3 (or maybe 4), due out later this year, they say, before support ceases for OpenSSL 1.0.2 at the end of the year.

 

Angus


Hi,

 

I am the developer of sgcWebSockets and in prior versions I've updated the Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone who wants can download the full Indy package without any limits from my website. At this moment, this Indy version is beta; I didn't try all IDE versions and personalities. Source is not included, only compiled versions, but I can provide it if anyone is interested.

Delphi and C++ Builder versions from 7 to 10.3.3 are provided.

There is a small demo which shows how a TIdHTTP component can connect to an https server using openssl 1.1.1.

 

More Info:

https://www.esegece.com/indy

 

Download:

https://www.esegece.com/indy/download

 

Hope it helps. 


There are several modifications made in the Indy code (not only openssl 1.1, I did more modifications for my library), so if I want to do a pull request I must first split all those changes, and this requires more time. I will see if I can do it in my free time.

Thanks for your comment, I really appreciate it.


Missing support for openssl 1.1.1 will become an annoying problem for all of us, even if there is currently no big security issue in openssl.

It would be cool if you found some time to send the changes to GitHub, by pull request to the main Indy repository.

 


Thanks for your suggestion, if I have some time I will do it.

 

Sergio

5 hours ago, mp3freak_en said:

Missing support for openssl 1.1.1 will become an annoying problem for all of us, even if there is currently no big security issue in openssl.

It would be cool if you found some time to send the changes to GitHub, by pull request to the main Indy repository.

 

There is already work being done to add 1.1.x support. Not by me, codewise, but I'll review and merge it when it's ready.

Edited by Remy Lebeau

On 1/31/2020 at 11:05 AM, esegece said:

Hi,

 

I am the developer of sgcWebSockets and in prior versions I've updated the Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone who wants can download the full Indy package without any limits from my website. At this moment, this Indy version is beta; I didn't try all IDE versions and personalities. Source is not included, only compiled versions, but I can provide it if anyone is interested.

Delphi and C++ Builder versions from 7 to 10.3.3 are provided.

There is a small demo which shows how a TIdHTTP component can connect to an https server using openssl 1.1.1.

 

More Info:

https://www.esegece.com/indy

 

Download:

https://www.esegece.com/indy/download

 

Hope it helps. 

Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?

 

1 hour ago, nummer8 said:

Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?

You can download it from the current pull request on GitHub:

 

https://github.com/IndySockets/Indy/pull/299

 

It has not been merged into Indy's main codebase yet.

Edited by Remy Lebeau

2 hours ago, Cobalt747 said:

I tried, but got an error.

Sorry, I can't help with that.  I know nothing about OpenSSL 1.1.x or the new APIs it introduced.  I did not write the new SSLIOHandler for 1.1.x.  Are you able to access the same server using other apps that use TLS 1.3?  Maybe the server's certificate really is faulty.

On 9/16/2020 at 2:44 PM, Cobalt747 said:

I tried, but got an error.

I created a project in the folder \Lib\Protocols\OpenSSL\

https://drive.google.com/file/d/1tT84oi9IBi1URrhtbTaD0cnBtv0hFRYQ/view?usp=sharing

using openssl libs version 1.1.1.7

The error "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed" means your certificate verification failed. Use IoHandler.Options.VerifyServerCertificate and/or IoHandler.Options.OnVerify.
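The check Remy points to, written out as an added example that is not code from this thread, the Indy project or the pull request: it uses the classic Indy 10 TIdSSLIOHandlerSocketOpenSSL API (SSLOptions.VerifyMode and OnVerifyPeer) rather than the Options.VerifyServerCertificate / OnVerify names of the 1.1.x handler, and the TChainVerifier class, the FetchVerified function and the CA bundle path are assumed names. Its point is defensive: keep verification on, log why OpenSSL rejected the chain, and do not paper over the failure by returning True from the callback.

```delphi
unit VerifyPeerExample;
interface
uses
  SysUtils, Classes, IdHTTP, IdSSLOpenSSL;
type
  // Hypothetical helper that owns the OnVerifyPeer handler and a log.
  TChainVerifier = class
  public
    Log: TStrings;
    function OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;
implementation
function TChainVerifier.OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // Record OpenSSL's verdict for each certificate in the chain so a failure
  // can be diagnosed (wrong CA bundle, expired cert, name mismatch).
  if not AOk then
    Log.Add(Format('depth %d, X509 error %d: %s',
      [ADepth, AError, Certificate.Subject.OneLine]));
  // Hand OpenSSL's own verdict back. "Result := True" here would turn every
  // failure, including an attacker's certificate, into a success.
  Result := AOk;
end;
function FetchVerified(const AUrl, ACaBundle: string; ALog: TStrings): string;
var
  Http: TIdHTTP;
  IO: TIdSSLIOHandlerSocketOpenSSL;
  Verifier: TChainVerifier;
begin
  Verifier := TChainVerifier.Create;
  Http := TIdHTTP.Create(nil);
  try
    Verifier.Log := ALog;
    IO := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
    IO.SSLOptions.Method := sslvTLSv1_2;          // no SSLv3 / TLS 1.0 / 1.1
    IO.SSLOptions.SSLVersions := [sslvTLSv1_2];
    IO.SSLOptions.RootCertFile := ACaBundle;       // PEM bundle of trusted CAs
    IO.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    IO.OnVerifyPeer := Verifier.OnVerifyPeer;
    Http.IOHandler := IO;
    Result := Http.Get(AUrl);  // raises on "certificate verify failed"
  finally
    Http.Free;
    Verifier.Free;
  end;
end;
end.
```

When the Get call raises, the entries in ALog tell you which certificate in the chain failed and with which X509 error code, which is the information needed to fix the CA bundle or the server rather than to disable verification.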

Guest

For mission-critical stuff, n/software. €1200 / annum. But don't you guys spend that anyhow? In lost working hours?

