GitHub has stopped supporting TLS v1.0 and v1.1 (https://githubengineering.com/crypto-deprecation-notice/), so my code no longer wants to download from it. I have checked and it seems I need to make Indy use TLS v1.2, as stated here: Using Indy 10 IdHTTP with TLS 1.2.
I have already updated the OpenSSL DLLs to the latest from http://indy.fulgan.com/SSL/, and Indy seems to load them fine, but I still get an error.
The error I get:
How can I make Indy use TLS v1.2 if I dynamically create Indy objects in a worker thread?
Current Code:
constructor TDownload.Create(CreateSuspended: Boolean; aurl, afilename: string);
begin
  inherited Create(CreateSuspended);
  httpclient := TIdHTTP.Create(nil);
  httpclient.Request.UserAgent := 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36';
  httpclient.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(httpclient);
  httpclient.HandleRedirects := True;
  httpclient.OnWorkBegin := idhttp1WorkBegin;
  httpclient.OnWork := idhttp1Work;
  url := aurl;
  filename := afilename;
end;
You need to enable the sslvTLSv1_2 flag in the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property (only sslvTLSv1 (TLS v1.0) is enabled by default), eg:
TIdSSLIOHandlerSocketOpenSSL(httpclient.IOHandler).SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
Also note that you might have to update the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property to enable TLS v1.2 ciphers. Refer to the OpenSSL documentation for the actual syntax. By default, Indy uses 'AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH' if you don't specify your own CipherList value.
Edit: Indy no longer specifies a default cipher list. If the SSLOptions.CipherList property is empty, OpenSSL is now allowed to use whatever default cipher list it wants instead.
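The question's constructor with the answer applied, as an added example that is not part of the original question or answer. It assumes the TDownload fields and event handlers shown in the question (httpclient, url, filename, idhttp1WorkBegin, idhttp1Work), a project that uses the IdHTTP and IdSSLOpenSSL units, and an Indy build recent enough to define sslvTLSv1_2 (Indy 10.6 or later).

```pascal
constructor TDownload.Create(CreateSuspended: Boolean; aurl, afilename: string);
var
  SSLHandler: TIdSSLIOHandlerSocketOpenSSL;
begin
  inherited Create(CreateSuspended);

  // Each worker thread owns its own TIdHTTP; the IOHandler is owned by it
  // and freed together with it.
  httpclient := TIdHTTP.Create(nil);
  httpclient.Request.UserAgent :=
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36';
  httpclient.HandleRedirects := True;
  httpclient.OnWorkBegin := idhttp1WorkBegin;
  httpclient.OnWork := idhttp1Work;

  // Keep a typed reference so the options can be set without a cast later.
  SSLHandler := TIdSSLIOHandlerSocketOpenSSL.Create(httpclient);
  SSLHandler.SSLOptions.Mode := sslmClient;

  // Offer only TLS 1.2. Indy enables just sslvTLSv1 (TLS 1.0) by default,
  // and GitHub rejects TLS 1.0/1.1 handshakes, so the default set fails.
  // Not listing sslvTLSv1 and sslvTLSv1_1 also stops a downgrade to them.
  SSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];

  // With current Indy an empty CipherList lets OpenSSL use its own default
  // suites, which include the TLS 1.2 ones. Older Indy hard-coded
  // 'AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH'; on such a build set the list
  // explicitly, e.g. SSLHandler.SSLOptions.CipherList := 'HIGH:!aNULL:!eNULL';
  SSLHandler.SSLOptions.CipherList := '';

  httpclient.IOHandler := SSLHandler;

  url := aurl;
  filename := afilename;
end;
```

The OpenSSL DLLs (libeay32.dll and ssleay32.dll) must also be a 1.0.1 or later build, since earlier versions have no TLS 1.2 implementation for the flag to enable.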