Jump to content
Lars Fosdal

TIdSSLIOHandlerSocketOpenSSL and TLS 1.3 ?

By Lars Fosdal, in Network, Cloud and Web

Recommended Posts

Lars Fosdal    1792

Lars Fosdal
Posted

Rio 10.3.1 Indy TIdSSLIOHandlerSocketOpenSSL seems to not support TLS 1.3.

Is there an update anywhere?

  • Like 1

Share this post

Link to post

Allen@Grijjy    44

Allen@Grijjy
Posted (edited)

Some thoughts on OpenSsl 1.1.1....We recently finished porting the OpenSsl 1.1.1a headers to Delphi for all platforms (Windows, macOS, Android, iOS and Linux, 32 and 64-bit where appropriate) and may write an article for our grijjy blog on that sometime soon.  The challenge is building in a way that works for each Delphi platform, which we also did in the process.  Deploying OpenSsl with your app in a way that is uniform for all platforms but does not interfere with legacy OpenSsl that is sometimes part of the OS is also a challenge.  The libraries for LibSsl and LibCrypto often cause dynamic linking issues on POSIX platforms when they attempt to reference one another.  We solved this with some creative linking that is platform specific.  Also it isn't wired into Indy, because we don't use Indy internally, but it shouldn't be too hard (for someone else to do).  The other challenge is TLS 1.3 isn't really completely working in  OpenSsl 1.1.1 and has a few outstanding issues.  You probably don't want to use TLS 1.3 at this time.

Edited by Allen@Grijjy
  • Thanks 3

Share this post

Link to post

Guest   

Guest
Posted

https://github.com/winddriver/Delphi-Cross-Socket here you can found headers and units of MBED_TLS Delphi bound, an embedded $L high quality library that can replace openssl

Share this post

Link to post

Angus Robertson    574

Angus Robertson
Posted

ICS implemented OpenSSL 1.1.1 last year, initially for draft versions of TLSv1.3, then the final version. 

 

There are comments in the ICS SSL units about the major changes needed to support 1.1.0 and 1.1.1, and ICS applications support for three major OpenSSL versions, one of which is chosen during initiatisation.  

 

Now looking at OpenSSL 3 (or maybe 4) due out later this year, they say before support ceases for OpenSSL 1.0.2 at the end of the year. 

 

Angus

  • Like 1
  • Thanks 1

Share this post

Link to post

esegece    47

esegece
Posted

Hi,

 

I am the developer of sgcWebSockets and in prior versions I've updated Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone how wants can download full indy package without any limits from my website. At this moment, this indy version is beta, I didn't try all IDE versions and personalities. Source is not included only compiled versions, but I can provide if anyone is interested.

Delphi and C++ Builder versions from 7 to 10.3.3 are provided.

There is small demo which shows how a TIdHTTP component can connect to https server using openssl 1.1.1

 

More Info:

https://www.esegece.com/indy

 

Download:

https://www.esegece.com/indy/download

 

Hope it helps. 

Share this post

Link to post

esegece    47

esegece
Posted

There are several modifications made in Indy code (not only openssl 1.1, I did more modifications for my library) so if I want to do a pull request first I must split all those changes and this requires more time. I will see if I can do it in my free time.

Thanks for your comment, I really appreciate it.

Share this post

Link to post

mp3freak_en    0

mp3freak_en
Posted

Missing support for openssl 1.1.1 will get an annoying problem for all of us even there is currently no big security issue in openssl.

Would be cool if you find some time to send changes to github - by pull request to main indy repository  

 

Share this post

Link to post

esegece    47

esegece
Posted

Thanks for your suggestion, if I have some time I will do.

 

Sergio

Share this post

Link to post

Remy Lebeau    1394

Remy Lebeau
Posted (edited)
5 hours ago, mp3freak_en said:

Missing support for openssl 1.1.1 will get an annoying problem for all of us even there is currently no big security issue in openssl.

Would be cool if you find some time to send changes to github - by pull request to main indy repository  

 

There is already work being done to add 1.1.x support.  Not by me, codewise, but I'll review and merge it when its ready.

Edited by Remy Lebeau

Share this post

Link to post

nummer8    0

nummer8
Posted
On 1/31/2020 at 11:05 AM, esegece said:

Hi,

 

I am the developer of sgcWebSockets and in prior versions I've updated Indy library to support OpenSSL 1.1.1. Some customers have asked to release Indy with OpenSSL 1.1.1 publicly, so now everyone how wants can download full indy package without any limits from my website. At this moment, this indy version is beta, I didn't try all IDE versions and personalities. Source is not included only compiled versions, but I can provide if anyone is interested.

Delphi and C++ Builder versions from 7 to 10.3.3 are provided.

There is small demo which shows how a TIdHTTP component can connect to https server using openssl 1.1.1

 

More Info:

https://www.esegece.com/indy

 

Download:

https://www.esegece.com/indy/download

 

Hope it helps. 

Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?

 

Share this post

Link to post

Remy Lebeau    1394

Remy Lebeau
Posted (edited)
1 hour ago, nummer8 said:

Hi, What do I have to do to obtain the source code for the indy components that use openssl 1.1.1?

You can download it from the current pull request on GitHub:

 

https://github.com/IndySockets/Indy/pull/299

 

It has not been merged into Indy's main codebase yet.

Edited by Remy Lebeau

Share this post

Link to post

Remy Lebeau    1394

Remy Lebeau
Posted
2 hours ago, Cobalt747 said:

I try, but have an error

Sorry, I can't help with that.  I know nothing about OpenSSL 1.1.x or the new APIs it introduced.  I did not write the new SSLIOHandler for 1.1.x.  Are you able to access the same server using other apps that use TLS 1.3?  Maybe the server's certificate really is faulty.

Share this post

Link to post

mezen    13

mezen
Posted
On 9/16/2020 at 2:44 PM, Cobalt747 said:

I try, but have an error

i create a project in folder \Lib\Protocols\OpenSSL\

https://drive.google.com/file/d/1tT84oi9IBi1URrhtbTaD0cnBtv0hFRYQ/view?usp=sharing

use openssl libs version 1.1.1.7

The error "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed" means your certificate verification failed. Use IoHandler.Options.VerifyServerCertificate and/or IoHandler.Options.OnVerify

Share this post

Link to post

Guest   

Guest
Posted

For mission-critical stuff, n/software. €1200 / annum. But don't you guys spend that anyhow? In lost working hours?

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing Network, Cloud and Web
×