Delphi Indy SSL parameters

Tags: ssl, delphi, indy

This is a continuation of the question "Indy server supports SSL 2, but it should not".

Using Delphi XE Berlin 10.1, I have found two CipherList strings that meet the basic requirements of level A encryption strength:

TLSv1:TLSv1.2:SSLv3:!RC4:!NULL-MD5:!NULL-SHA:!NULL-SHA256:!DES-CBC-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

Testing with Qualys SSLlabs shows the same results for them: they are strong, but:

  • forward secrecy is not supported.

  • some of the older browsers (in particular, IE8 on XP and Win7) will not connect (some of my users - government, hospitals - may still be using those. You may argue that those users have bigger problems than to worry about RC4 and DES, but that is not what this post is about).

When I check my bank's service with Qualys, I notice that they do support all of the old browsers. My question is: how to configure Indy's TIdServerIOHandlerSSLOpenSSL so that my server will do the same?

In the current configuration, I have:

Method := sslvTLSv1_2;
SSLVersions := [sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2];

I notice that the Qualys report says that my server supports TLS 1.2 only, while my bank seems to support TLS 1.1 and TLS 1.0 as well. They use an RSA2048 key with SHA256withRSA signature. But so do I. I use the latest OpenSSL DLLs. The CipherList is from Hynek Schlawack (hynek.me/articles), updated 10 days ago.

And yet: no older browsers, no forward secrecy. What have I missed?

user3212191, asked May 09 '26 07:05


1 Answer

A few months ago my tests on Qualys Labs got an A grade, including Forward Secrecy. This was the CipherList used (Cipher List is too long for a comment, so here it goes as an answer):

CipherList := 'ECDHE-RSA-AES256-GCM-SHA384:'+
  'ECDHE-RSA-AES128-GCM-SHA256:'+
  'ECDHE-RSA-AES256-SHA384:'+
  'ECDHE-RSA-AES128-SHA256:'+
  'ECDHE-RSA-AES256-SHA:'+
  'ECDHE-RSA-AES128-SHA:'+
  'DHE-RSA-AES256-GCM-SHA384:'+
  'DHE-RSA-AES256-SHA256:'+
  'DHE-RSA-AES256-SHA:'+
  'DHE-RSA-AES128-GCM-SHA256:'+
  'DHE-RSA-AES128-SHA256:'+
  'DHE-RSA-AES128-SHA:'+
  'DES-CBC3-SHA:'+
  '!ADH:!EXP:!RC4:!eNULL@STRENGTH';
Alexandre M, answered May 10 '26 19:05
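An added check, not part of the question or the answer above: before blaming a CipherList string for a scanner verdict, expand it with the OpenSSL build at hand and see which suites it actually selects. Python's ssl module does that through the locally installed OpenSSL (so results depend on that build, just as Indy's depend on the DLLs it loads); the three strings below are the two from the question and the one from the answer, and `summarize` counts how many selected suites use ephemeral (EC)DH key exchange, which is what forward secrecy requires. If a string already selects ECDHE/DHE suites and the scanner still reports no forward secrecy, the string itself is not the limiting factor.

```python
"""Expand OpenSSL cipher-list strings and count forward-secret suites."""
import ssl

# First and second CipherList strings from the question (verbatim).
QUESTION_LIST_1 = ("TLSv1:TLSv1.2:SSLv3:!RC4:!NULL-MD5:!NULL-SHA:!NULL-SHA256:"
                   "!DES-CBC-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA")
QUESTION_LIST_2 = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                   "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")
# CipherList string from the answer (verbatim).
ANSWER_LIST = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
               "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
               "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
               "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
               "DES-CBC3-SHA:!ADH:!EXP:!RC4:!eNULL@STRENGTH")


def expand(cipher_list):
    """Return the TLS 1.2-and-below suites the string selects, in priority order.

    TLS 1.3 suites are configured separately in OpenSSL and are not affected by
    a cipher list, so they are filtered out to keep the view comparable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches at all
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forward_secret(cipher):
    """Ephemeral ECDH or DH key exchange is what gives a suite forward secrecy."""
    return cipher["kea"] in ("kx-ecdhe", "kx-dhe")


def summarize(cipher_list):
    """Counts worth knowing before interpreting a scanner report for this list."""
    suites = expand(cipher_list)
    return {
        "total": len(suites),
        "forward_secret": sum(forward_secret(c) for c in suites),
        "anonymous": sum(c["auth"] == "auth-null" for c in suites),
        "first": suites[0]["name"] if suites else None,
    }


if __name__ == "__main__":
    for label, cl in (("question #1", QUESTION_LIST_1),
                      ("question #2", QUESTION_LIST_2),
                      ("answer", ANSWER_LIST)):
        print(label, summarize(cl))
```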


