(10-08-2018, 09:09 AM)Madammar Wrote: I am trying to understand the usage of TLS/SSL with idtcpserver and client.
That is kind of a broad topic.
(10-08-2018, 09:09 AM)Madammar Wrote: I am trying to make the client communicate only through my client application, and prevent bad guys from communicating with my tcpserver from a client they make.
To do that, you would have to issue a certificate to each of your authorized clients, and then make the server validate a client's certificate when it connects to your server. If you don't do this, then any SSL/TLS-enabled client will be able to communicate with your server, and the only validation the server will be able to do is either checking for known/allowed client IP addresses, or require clients to submit user credentials for the server to authenticate (which you should probably do anyway even with validated certificates).
(10-08-2018, 09:09 AM)Madammar Wrote: I read and searched about this matter and all results refer to using TLS/SSL.
Yes.
(10-08-2018, 09:09 AM)Madammar Wrote: How could I do that using idtcpserver properly?
Before activating the server at runtime, assign a TIdServerIOHandlerSSLOpenSSL to the TIdTCPServer.IOHandler property, and configure it as needed. Among its available options are the sslvrfPeer, sslvrfFailIfNoPeerCert, and sslvrfClientOnce flags. On the server side, you will likely want to use all of them. There is also an OnVerifyPeer event available, if you want to perform custom validation of any particular details of a client's certificate data.

Once a client has connected, in the TIdTCPServer.OnConnect or TIdTCPServer.OnExecute event, you can type-cast the AContext.Connection.IOHandler to TIdSSLIOHandlerSocketOpenSSL (or at least to TIdSSLIOHandlerSocketBase) and set its PassThrough property to False when you are ready to initiate an SSL/TLS handshake with the client (PassThrough is True by default to allow initially unencrypted communications, for protocols that support STARTTLS-like functionality). If the handshake fails, an exception will be raised, and if you let TIdTCPServer handle it then the client will be disconnected.
(10-08-2018, 09:09 AM)Madammar Wrote: Do I need an SSL certificate?
If you want to validate identities, yes. The server should have a certificate, so clients can validate they are connected to the correct/legitimate server and not to a man-in-the-middle attacker. Clients may have certificates too, so the server can validate they are who they claim to be.
(10-08-2018, 09:09 AM)Madammar Wrote: What are the correct DLLs to use?
ssleay32.dll and libeay32.dll, which are available for Indy at https://indy.fulgan.com/SSL/.
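The server-side setup described in the reply above (SSL IOHandler assigned before activation, all three verify flags, an OnVerifyPeer check on the client certificate, and the PassThrough flip in OnConnect), as an added worked example that is not code from the original post or from the Indy project. It assumes Indy 10 with the four-argument OnVerifyPeer signature, that server.crt/server.key and client-ca.crt (the private CA that issued the client certificates) exist in the working directory, and that the issued client certificates carry an O=Example Client subject component; those file names and the subject string are illustrative assumptions.

```delphi
unit MtlsServerExample;

interface

uses
  SysUtils, Classes,
  IdGlobal, IdContext, IdTCPServer, IdIOHandler,
  IdSSL, IdSSLOpenSSL;

type
  TMtlsServer = class
  private
    FServer: TIdTCPServer;
    FIOHandler: TIdServerIOHandlerSSLOpenSSL;
    procedure ServerConnect(AContext: TIdContext);
    procedure ServerExecute(AContext: TIdContext);
    function VerifyClient(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    constructor Create(APort: TIdPort);
    destructor Destroy; override;
  end;

implementation

constructor TMtlsServer.Create(APort: TIdPort);
begin
  inherited Create;
  FServer := TIdTCPServer.Create(nil);
  FIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(FServer);

  // Server identity plus the private CA used to validate client certificates.
  // File names are assumptions for this example.
  FIOHandler.SSLOptions.Mode := sslmServer;
  FIOHandler.SSLOptions.Method := sslvTLSv1_2;
  FIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  FIOHandler.SSLOptions.CertFile := 'server.crt';
  FIOHandler.SSLOptions.KeyFile := 'server.key';
  FIOHandler.SSLOptions.RootCertFile := 'client-ca.crt';

  // Ask for a client certificate, reject the handshake if none is offered,
  // and verify it once rather than on every renegotiation.
  FIOHandler.SSLOptions.VerifyMode :=
    [sslvrfPeer, sslvrfFailIfNoPeerCert, sslvrfClientOnce];
  FIOHandler.SSLOptions.VerifyDepth := 2;
  FIOHandler.OnVerifyPeer := VerifyClient;

  // IOHandler must be assigned before the server is activated.
  FServer.IOHandler := FIOHandler;
  FServer.DefaultPort := APort;
  FServer.OnConnect := ServerConnect;
  FServer.OnExecute := ServerExecute;
  FServer.Active := True;
end;

destructor TMtlsServer.Destroy;
begin
  FServer.Active := False;
  FServer.Free; // owns FIOHandler
  inherited;
end;

function TMtlsServer.VerifyClient(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's chain verdict against RootCertFile. Never upgrade a
  // False to True here; that would silently accept untrusted clients.
  Result := AOk;
  if not Result then
    Exit;
  // Depth 0 is the leaf (client) certificate. Apply the extra policy only
  // there: the subject must come from our own issuing template (assumption).
  if ADepth = 0 then
    Result := Pos('/O=Example Client/', Certificate.Subject.OneLine) > 0;
end;

procedure TMtlsServer.ServerConnect(AContext: TIdContext);
begin
  // PassThrough is True by default. Setting it to False starts the TLS
  // handshake now; if it fails (no cert, bad chain, VerifyClient returned
  // False) an exception is raised and TIdTCPServer drops the connection.
  (AContext.Connection.IOHandler as TIdSSLIOHandlerSocketBase).PassThrough := False;
end;

procedure TMtlsServer.ServerExecute(AContext: TIdContext);
var
  Line: string;
begin
  // Only authenticated, encrypted clients reach this point. Application-level
  // user credentials would still be checked here, as the reply recommends.
  Line := AContext.Connection.IOHandler.ReadLn;
  AContext.Connection.IOHandler.WriteLn('ACK ' + Line);
end;

end.
```

A client built by someone else can still open a TCP connection, but without a certificate signed by client-ca.crt the handshake in ServerConnect fails before ServerExecute ever runs, which is the behaviour the original question asks for. The client side must load the same CA (or the server certificate itself) into its own TIdSSLIOHandlerSocketOpenSSL and enable sslvrfPeer so it can detect a man-in-the-middle, as the answer about certificates notes.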