SSLOptions CipherList and TLS
#1
Hi there,


To start off, I know nothing about SSL or TLS.  We have a couple of clients that have requested to add SSL to our Webserver app. The clients are providing access to documents for their customers and will have no control over browser usage.

I am using XE7, IW 14.2.12 and I am trying to run the StandAloneSSL demo.
Downloaded the OpenSSL dll's 1.02q and placed them in the folder with the freshly compiled StandAloneSSL.exe.

With all browsers I am getting the error; this test was with Firefox:

Error code: SSL_ERROR_UNSUPPORTED_VERSION
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox. Enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed.

TLS 1.0 and TLS 1.1 will be permanently disabled in a future release.


The question is what should I assign to the CipherList and or SSLVersions?

TIA,
Craig
Reply
#2
(02-05-2020, 04:45 PM)Craig Burke Wrote: Downloaded the OpenSSL dll's 1.02q

Why not the latest - 1.0.2.u?

(02-05-2020, 04:45 PM)Craig Burke Wrote: The question is what should I assign to the CipherList and or SSLVersions?

Leave the CipherList blank to use the DLL's default ciphers.

Set the SSLVersions to [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] (or whatever the IntraWeb equivalent is).  IntraWeb uses Indy, and by default Indy enables only sslvTLSv1 (TLS 1.0).

Reply
#3
Hi Craig,

The demo is quite old and configured for using SSLv3.
Open ServerController and change the property IWServerController.SSLOptions.SSLVersion to TLSv12. This is also the default for newly created projects.

The event handler IWServerControllerBaseAfterCreateIOHandler can also be removed. Not needed. I am not even sure if it gets called.

After that the browser will still give you an error on validating the self-signed certificate. Create your own with one of many instructions on the internet.
Indy and IntraWeb are not a problem to create a secure TLS 1.2 connection between your application and the browser.
Reply
#4
(02-06-2020, 10:35 AM)jeroen.rottink Wrote: Hi Craig,

The demo is quite old and configured for using SSLv3.
Open ServerController and change the property IWServerController.SSLOptions.SSLVersion to TLSv12. This is also the default for newly created projects.

The event handler IWServerControllerBaseAfterCreateIOHandler can also be removed. Not needed. I am not even sure if it gets called.

After that the browser will still give you an error on validating the self-signed certificate. Create your own with one of many instructions on the internet.
Indy and IntraWeb are not a problem to create a secure TLS 1.2 connection between your application and the browser.

Thanks Jeroen, I will check it out!

- Craig

(02-06-2020, 01:01 AM)rlebeau Wrote:
(02-05-2020, 04:45 PM)Craig Burke Wrote: Downloaded the OpenSSL dll's 1.02q

Why not the latest - 1.0.2.u?

(02-05-2020, 04:45 PM)Craig Burke Wrote: The question is what should I assign to the CipherList and or SSLVersions?

Leave the CipherList blank to use the DLL's default ciphers.

Set the SSLVersions to [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] (or whatever the IntraWeb equivalent is).  IntraWeb uses Indy, and by default Indy enables only sslvTLSv1 (TLS 1.0).

Hi Remy,

Ok, downloaded and using 1.0.2.u.

Any issues with allowing the client to define the CipherList via an .ini file?

Thanks,
-Craig
Reply
#5
(02-06-2020, 06:44 PM)Craig Burke Wrote: Any issues with allowing the client to define the CipherList via an .ini file?

No, not if the user knows how to define ciphers properly and securely.

Reply
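
An added example (not code from this thread, and not IntraWeb's or Indy's own) of one way to constrain a cipher list read from an .ini file: accept only suite names from a fixed allow-list, and otherwise return an empty string so that the DLL's default ciphers apply. The unit and function names, the `[SSL]` section, the `CipherList` key and the allow-list itself are assumptions made for the example.

```delphi
unit CipherListPolicy; // hypothetical unit name (added example)

interface

// Returns the value to assign to SSLOptions.CipherList. An empty result
// means "leave it blank" and use the OpenSSL DLL's default ciphers.
function LoadCipherList(const IniPath: string): string;

implementation

uses
  System.SysUtils, System.Classes, System.IniFiles;

const
  // Allow-list chosen for this example: forward-secret AES-GCM suites for
  // TLS 1.2, by their OpenSSL names. Replace with your own policy.
  AllowedSuites: array[0..5] of string = (
    'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES128-GCM-SHA256',   'ECDHE-RSA-AES256-GCM-SHA384',
    'DHE-RSA-AES128-GCM-SHA256',     'DHE-RSA-AES256-GCM-SHA384');

function IsAllowed(const Suite: string): Boolean;
var
  I: Integer;
begin
  Result := False;
  for I := Low(AllowedSuites) to High(AllowedSuites) do
    if Suite = AllowedSuites[I] then // exact, case-sensitive match
      Exit(True);
end;

function LoadCipherList(const IniPath: string): string;
var
  Ini: TIniFile;
  Items: TStringList;
  I: Integer;
begin
  Result := '';
  Items := TStringList.Create;
  Ini := TIniFile.Create(IniPath); // pass a full path to the .ini file
  try
    Items.Delimiter := ':';
    Items.StrictDelimiter := True;
    Items.DelimitedText := Trim(Ini.ReadString('SSL', 'CipherList', ''));
    for I := 0 to Items.Count - 1 do
    begin
      // Keywords and operators (ALL, aNULL, !x, +x, @STRENGTH) never match
      // the allow-list, so a single bad entry rejects the whole value.
      if not IsAllowed(Trim(Items[I])) then
        Exit('');
      if Result <> '' then Result := Result + ':';
      Result := Result + Trim(Items[I]);
    end;
  finally
    Ini.Free;
    Items.Free;
  end;
end;

end.
```

Assign the result to the server controller's SSLOptions.CipherList at startup; logging when a non-empty .ini value was rejected makes a misconfigured deployment visible.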
#6
(02-07-2020, 01:16 AM)rlebeau Wrote:
(02-06-2020, 06:44 PM)Craig Burke Wrote: Any issues with allowing the client to define the CipherList via an .ini file?

No, not if the user knows how to define ciphers properly and securely.

Thanks Remy!
Reply