Thread: Connecting to server with TLSv1.2




Replies: 9 - Last Post: Aug 7, 2017 2:37 PM - Last Post By: Remy Lebeau (Te...
nilesh shinde

Posts: 47
Registered: 10/5/13
Connecting to server with TLSv1.2
Posted: Aug 3, 2017 4:41 AM
Hi,

In my application I am currently using the following code to connect to the server with TLSv1.0. Now there is a requirement to connect to the server with TLSv1.2 with the ciphers TLS_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256. I am using the Indy10 library in my application with OpenSSL version '1.0.2l'. Could you please update the below code for connecting using TLSv1.2? How do I set the Method, SSLVersions and CipherList parameters?


TIdSSLIOHandlerSocketOpenSSL* sslIOHandler;
TIdTCPClient* IdTCPClient;

IdTCPClient = new TIdTCPClient();
IdTCPClient->Host = m_strAddr;
IdTCPClient->Port = m_nPort;

if(m_eWebSocketType == WSS)
{
    sslIOHandler = new TIdSSLIOHandlerSocketOpenSSL();
    sslIOHandler->OnVerifyPeer = OnVerifyPeer;
    sslIOHandler->SSLOptions->VerifyMode << sslvrfPeer;

    AnsiString strCertPath = AnsiString(".\\Certs\\") + m_strAddr;
    if ( DirectoryExists(strCertPath))
    {
        sslIOHandler->SSLOptions->Method = sslvSSLv23;
        sslIOHandler->SSLOptions->CertFile = strCertPath + AnsiString("\\cert.crt");
        sslIOHandler->SSLOptions->KeyFile = strCertPath + AnsiString("\\key.key");
    }
    IdTCPClient->IOHandler = sslIOHandler;
}

IdTCPClient->Connect();


Thanks,
Nilesh
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Connecting to server with TLSv1.2
Posted: Aug 3, 2017 10:10 AM   in response to: nilesh shinde
nilesh shinde wrote:

AnsiString strCertPath = AnsiString(".\\Certs\\") + m_strAddr;

You shouldn't be using a relative path like that. It is relative to
the calling process's current working directory, which can (and usually
does) change value during the process's lifetime. If the "Certs"
folder is relative to your EXE folder, you should be explicit about its
exact location. Always use absolute paths.

sslIOHandler->SSLOptions->Method = sslvSSLv23;

You should be using the SSLVersions property instead of the Method
property. Let Indy handle the Method property for you.

Try this instead:

TIdTCPClient* IdTCPClient = new TIdTCPClient();
IdTCPClient->Host = m_strAddr;
IdTCPClient->Port = m_nPort;

if (m_eWebSocketType == WSS)
{
    TIdSSLIOHandlerSocketOpenSSL *sslIOHandler = new TIdSSLIOHandlerSocketOpenSSL(IdTCPClient);

    sslIOHandler->OnVerifyPeer = OnVerifyPeer;
    sslIOHandler->SSLOptions->VerifyMode << sslvrfPeer;
    sslIOHandler->SSLOptions->SSLVersions = TIdSSLVersions() << sslvTLSv1 << sslvTLSv1_1 << sslvTLSv1_2;

    String strCertPath = ExtractFilePath(Application->ExeName) + _D("Certs") + String(PathDelim) + m_strAddr + String(PathDelim);
    if (DirectoryExists(strCertPath))
    {
        sslIOHandler->SSLOptions->CertFile = strCertPath + _D("cert.crt");
        sslIOHandler->SSLOptions->KeyFile = strCertPath + _D("key.key");
    }

    IdTCPClient->IOHandler = sslIOHandler;
}

IdTCPClient->Connect();


Also note that TIdSSLIOHandlerSocketOpenSSL has an
SSLOptions.CipherList subproperty that you can tweak if needed. See
OpenSSL's documentation for the syntax:

https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_cipher_list.html

https://www.openssl.org/docs/manmaster/man1/ciphers.html

--
Remy Lebeau (TeamB)
nilesh shinde

Posts: 47
Registered: 10/5/13
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 12:19 AM   in response to: Remy Lebeau (Te...
When I tried the given code, I got the following error.

Project Test.exe raised exception class EIdOSSLConnectError with message 'Error connecting with SSL. EOF was observed that violates the protocol'.

In the Wireshark traces, what I found is that in the 'Client Hello' packet the TLS version is still v1.0. I tried with OpenSSL 1.0.1g, 1.0.1u and 1.0.2l.

~Nilesh

Edited by: nilesh shinde on Aug 4, 2017 2:22 AM

Edited by: nilesh shinde on Aug 4, 2017 2:59 AM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 10:03 AM   in response to: nilesh shinde
nilesh shinde wrote:

When I tried the given code, I got the following error.

Project Test.exe raised exception class EIdOSSLConnectError with
message 'Error connecting with SSL. EOF was observed that violates
the protocol'.

That means the server is closing the socket connection on its end,
which likely means it doesn't like your SSL/TLS handshake so it is
rejecting the connection. And it sounds like it is not sending back a
TLS alert to describe the reason for the rejection (TLS version
mismatch, no matching ciphers, etc.) before closing the connection.

In the Wireshark traces, what I found is that in the 'Client Hello' packet
the TLS version is still v1.0.

Look again. The handshake itself is in a particular version (usually
in an SSLv2 compatible format), but it should indicate that a higher
version is supported. When enabling multiple TLS versions, Indy uses
an SSLv23 handshake, which allows for dynamic version negotiation.

--
Remy Lebeau (TeamB)
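The distinction Remy draws above is easier to see in the bytes themselves. The program below is an added example written for this thread, not code from Indy, OpenSSL or anyone posting here. It decodes a TLS ClientHello that is constructed inline (not a real capture) whose record-layer version is TLS 1.0 while its client_version is TLS 1.2 and whose cipher-suite list is exactly the two suites from the original question (IANA codes 0x002F and 0x006B). It goes one step beyond the OpenSSL 1.0.2 case in the thread by also reading the supported_versions extension (type 43), where TLS 1.3-capable clients carry their offered versions instead. Field layouts follow RFC 5246 section 7.4.1.2 and RFC 8446 section 4.2.1; the function and struct names are this example's own.

```cpp
// Added example (not Indy or OpenSSL code): decode a TLS ClientHello and report the record-layer version separately from the version(s) the client actually offers.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct ClientHelloInfo {
    bool ok = false;                           // mandatory fields parsed successfully
    uint16_t record_version = 0;               // TLSPlaintext.version (very often 0x0301)
    uint16_t client_version = 0;               // ClientHello.client_version
    std::vector<uint16_t> cipher_suites;       // offered suites, in the client's order
    std::vector<uint16_t> supported_versions;  // extension 43 (TLS 1.3-capable clients)
};

static uint16_t be16(const uint8_t* p) { return (uint16_t)((p[0] << 8) | p[1]); }

std::string versionName(uint16_t v) {
    static const char* names[] = {"SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"};
    if (v >= 0x0300 && v <= 0x0304) return names[v - 0x0300];
    char buf[16]; std::snprintf(buf, sizeof buf, "0x%04x", v); return buf;
}

// IANA names for the two suites asked about in the question; anything else prints as hex.
std::string suiteName(uint16_t s) {
    if (s == 0x002F) return "TLS_RSA_WITH_AES_128_CBC_SHA";
    if (s == 0x006B) return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
    char buf[16]; std::snprintf(buf, sizeof buf, "0x%04x", s); return buf;
}

ClientHelloInfo parseClientHello(const std::vector<uint8_t>& buf) {
    ClientHelloInfo info;
    if (buf.size() < 5 || buf[0] != 0x16) return info;     // record type must be handshake
    info.record_version = be16(&buf[1]);
    const size_t recLen = be16(&buf[3]);
    if (5 + recLen > buf.size()) return info;              // truncated record
    const uint8_t* p = &buf[5];
    const uint8_t* end = p + recLen;
    if (end - p < 4 || p[0] != 0x01) return info;          // handshake type must be client_hello
    const size_t hsLen = (p[1] << 16) | (p[2] << 8) | p[3]; p += 4;
    if ((size_t)(end - p) < hsLen) return info;
    end = p + hsLen;
    if (end - p < 35) return info;                         // version(2) random(32) sid_len(1)
    info.client_version = be16(p); p += 34;
    const size_t sidLen = *p++;
    if ((size_t)(end - p) < sidLen + 2) return info;
    p += sidLen;
    const size_t csLen = be16(p); p += 2;
    if ((size_t)(end - p) < csLen + 1 || (csLen & 1)) return info;
    for (size_t i = 0; i < csLen; i += 2) info.cipher_suites.push_back(be16(p + i));
    p += csLen; const size_t compLen = *p++;
    if ((size_t)(end - p) < compLen) return info;
    p += compLen;
    info.ok = true;                                        // extensions are optional from here on
    if (end - p < 2) return info;
    const size_t extLen = be16(p); p += 2;
    if ((size_t)(end - p) < extLen) return info;
    end = p + extLen;
    while (end - p >= 4) {                                 // walk the extension list
        const uint16_t type = be16(p);
        const size_t len = be16(p + 2); p += 4;
        if ((size_t)(end - p) < len) break;
        if (type == 0x002B && len >= 1) {                  // supported_versions: list_len(1) + u16 list
            const size_t listLen = p[0];
            for (size_t i = 1; i + 1 <= listLen && i + 1 < len; i += 2)
                info.supported_versions.push_back(be16(p + i));
        }
        p += len;
    }
    return info;
}

// What the client really offers: supported_versions takes precedence when present.
uint16_t highestOfferedVersion(const ClientHelloInfo& info) {
    uint16_t best = info.client_version;
    for (uint16_t v : info.supported_versions) if (v > best) best = v;
    return best;
}

// Constructed sample, not a real capture: the record layer says TLS 1.0 while the
// ClientHello says TLS 1.2 and offers the two suites from the question.
std::vector<uint8_t> sampleClientHello(bool withSupportedVersions) {
    std::vector<uint8_t> body = {0x03, 0x03};              // client_version = TLS 1.2
    body.resize(body.size() + 32, 0x2A);                   // 32-byte "random" (fixed, constructed)
    body.push_back(0);                                     // session_id length 0
    body.insert(body.end(), {0x00, 0x04, 0x00, 0x2F, 0x00, 0x6B, 0x01, 0x00}); // 2 suites, null compression
    if (withSupportedVersions)                             // ext 43 carrying one entry: TLS 1.2
        body.insert(body.end(), {0x00, 0x07, 0x00, 0x2B, 0x00, 0x03, 0x02, 0x03, 0x03});
    const size_t bl = body.size();
    std::vector<uint8_t> msg = {0x16, 0x03, 0x01, (uint8_t)((bl + 4) >> 8), (uint8_t)(bl + 4),
                                0x01, (uint8_t)(bl >> 16), (uint8_t)(bl >> 8), (uint8_t)bl};
    msg.insert(msg.end(), body.begin(), body.end());
    return msg;
}

int main() {
    const ClientHelloInfo h = parseClientHello(sampleClientHello(false));
    std::printf("record layer %s, client_version %s, highest offered %s\n", versionName(h.record_version).c_str(),
                versionName(h.client_version).c_str(), versionName(highestOfferedVersion(h)).c_str());
    for (uint16_t s : h.cipher_suites) std::printf("offered suite %s\n", suiteName(s).c_str());
    return h.ok ? 0 : 1;
}
```

When checking a trace against a TLS-1.2-only server, the value to compare with the server's policy is what this code reports as the highest offered version: the ClientHello's own version field, or the supported_versions list when present, not the record-layer version that a packet-list column tends to show. A server that rejects the handshake without sending an alert looks exactly like the 'EOF was observed' error earlier in the thread, so the capture is the only place to confirm what the client actually offered.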
nilesh shinde

Posts: 47
Registered: 10/5/13
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 10:56 AM   in response to: Remy Lebeau (Te...
My server is configured to accept TLS 1.2 only, whereas the client hello packet has TLS version 1.0. How can I make it 1.2, so that the server will accept the connection request?

Edited by: nilesh shinde on Aug 4, 2017 10:56 AM
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 11:31 AM   in response to: nilesh shinde
nilesh shinde wrote:

My server is configured to accept TLS 1.2 only.

Well, then you should be setting the SSLOptions.SSLVersions property to
sslvTLSv1_2 only.

--
Remy Lebeau (TeamB)
nilesh shinde

Posts: 47
Registered: 10/5/13
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 11:44 AM   in response to: Remy Lebeau (Te...
I tried that as well, but the client hello still has version 1.0.
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 12:38 PM   in response to: nilesh shinde
nilesh shinde wrote:

I tried that as well, but still client hello has version 1.0.

Are you using an up-to-date version of Indy? Do the
IsOpenSSL_TLSv1_1_Available() and IsOpenSSL_TLSv1_2_Available()
functions in IdSSLOpenSSLHeaders.hpp return true or false? If false,
Indy will silently fall back to TLS 1.0.

--
Remy Lebeau (TeamB)
nilesh shinde

Posts: 47
Registered: 10/5/13
Re: Connecting to server with TLSv1.2
Posted: Aug 4, 2017 7:19 PM   in response to: Remy Lebeau (Te...
Let me check whether IsOpenSSL_TLSv1_2_Available() returns true or false.
I am using the Indy 10 libraries shipped with RAD Studio XE5. These libraries are numbered with 190. Are these libraries updated, and how can I get the update for these libraries?
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Connecting to server with TLSv1.2
Posted: Aug 7, 2017 2:37 PM   in response to: nilesh shinde
nilesh shinde wrote:

I am using the Indy 10 libraries shipped with RAD Studio XE5.

Then you are using an outdated version of Indy and should upgrade to a
newer version.

These libraries are numbered with 190.

All XE5 packages are prefixed with 190. That is the package version
number for XE5.

Are these libraries updated?

No.

How can I get the update for these libraries?

Instructions are on Indy's website:

http://www.indyproject.org/Sockets/Docs/Indy10Installation.aspx

--
Remy Lebeau (TeamB)