Thread: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!




Replies: 10 - Last Post: Sep 6, 2017 4:39 PM Last Post By: Remy Lebeau (Te...
Ahmed Sayed

Posts: 173
Registered: 8/9/07
What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Aug 24, 2017 2:08 AM
Hello,

I already know how to use Indy with certificates to make
an SSL connection between client and server. But what I
don't understand is how DHParams or CipherList works
and what they are used for. What are DHParams or cipher suites?
How can I use them properly with Indy? I searched a lot but
with no luck.

Any help will be appreciated.

--
The limits of my language mean the limits of my world
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Aug 24, 2017 10:51 AM   in response to: Ahmed Sayed
Ahmed Sayed

Posts: 173
Registered: 8/9/07
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Aug 24, 2017 10:57 AM   in response to: Remy Lebeau (Te...
Thanks, but after reading all this, what should I do to
make things work with Indy TIdHttpServer?

I don't want Chrome to complain about weak ciphers or
key exchange.
--
The limits of my language mean the limits of my world
bernard roussely

Posts: 106
Registered: 2/8/05
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 2, 2017 2:19 AM   in response to: Ahmed Sayed
Ahmed Sayed wrote:
Thanks, but after reading all this, what should I do to
make things work with Indy TIdHttpServer?

I don't want Chrome to complain about weak ciphers or
key exchange.

Hi,

For key sizes, you want to have a look at https://www.keylength.com/en/compare/

Regarding algorithms, you may have noticed that OpenSSL supports a hodgepodge of good and broken algorithms. TLS 1.2 is a serious improvement over previous versions and if you want to be conservative, stick to AES128 or 256 (GCM is better), SHA256 and RSA2048 or more. This may exclude a few browser versions of your users but is safe with proper implementation.

bernard

Ahmed Sayed

Posts: 173
Registered: 8/9/07
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 2, 2017 4:33 AM   in response to: bernard roussely
Thanks, but I still don't know how to do so using Indy.
I have this cipher list that is used in Apache; when I try to use it for Indy:
HIGH:MEDIUM:!MD5:!RC4:!3DES

it's like Indy is rejecting it.

What property values should I set in the Indy components
to make this work?

--
The limits of my language mean the limits of my world
bernard roussely

Posts: 106
Registered: 2/8/05
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 4, 2017 12:06 PM   in response to: Ahmed Sayed
HIGH:MEDIUM:!MD5:!RC4:!3DES

Looks like the server is rejecting the LOW option that you seem to have.
Try to put HIGH in the SSLOptions::CipherList field of the TIdServerIOHandlerSSLOpenSSL component.
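For readers who want to see the properties bernard names wired together, the following is an added example and not code from this thread, from Indy or from any poster. It configures TIdHTTPServer with TIdServerIOHandlerSSLOpenSSL so that only TLS 1.2 is offered, sets a cipher list that puts forward-secret (EECDH/EDH) AES-GCM suites first and excludes static RSA key exchange with !kRSA, and points DHParamsFile at a 2048-bit DH group. The DH parameters matter for the "obsolete key exchange (RSA)" symptom: an OpenSSL 1.0.2 server offers no DHE suites at all unless DH parameters are loaded, so a list like HIGH:MEDIUM:!MD5:!RC4:!3DES can silently negotiate down to RSA key exchange. Whether ECDHE suites are also offered depends on the Indy and OpenSSL build having an ECDH curve configured, so the DH group is the setting that guarantees at least DHE. The file names and the port are placeholders; the key file is assumed to be unencrypted.

```delphi
program IndyTls12Server;
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdGlobal, IdContext, IdCustomHTTPServer, IdHTTPServer,
  IdSSLOpenSSL;

type
  // Small host object so the server events have a method to bind to.
  TServerHost = class
  public
    procedure HandleCommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
    procedure HandleQuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
  end;

procedure TServerHost.HandleCommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentText := 'TLS 1.2 with forward-secret key exchange';
end;

procedure TServerHost.HandleQuerySSLPort(APort: TIdPort; var VUseSSL: Boolean);
begin
  // Only the HTTPS binding speaks TLS; placeholder port.
  VUseSSL := (APort = 8443);
end;

var
  Server: TIdHTTPServer;
  IOHandler: TIdServerIOHandlerSSLOpenSSL;
  Host: TServerHost;
begin
  Server := TIdHTTPServer.Create(nil);
  Host := TServerHost.Create;
  try
    IOHandler := TIdServerIOHandlerSSLOpenSSL.Create(Server);
    with IOHandler.SSLOptions do
    begin
      Mode := sslmServer;
      // Advertise TLS 1.2 only; setting SSLVersions also updates Method.
      SSLVersions := [sslvTLSv1_2];
      // Placeholder file names: server certificate, private key, CA chain.
      CertFile := 'server-cert.pem';
      KeyFile := 'server-key.pem';
      RootCertFile := 'ca-chain.pem';
      // 2048-bit DH group. Without it OpenSSL 1.0.2 offers no DHE suites,
      // and the handshake can end up on static RSA key exchange.
      DHParamsFile := 'dhparam-2048.pem';
      // Forward-secret AEAD suites first; !kRSA removes static RSA key
      // exchange entirely instead of merely de-prioritising it.
      // EECDH/EDH are the keyword spellings valid across OpenSSL 1.0.x.
      CipherList := 'EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:' +
                    '!aNULL:!eNULL:!kRSA:!MD5:!RC4:!3DES:!EXPORT';
    end;
    Server.IOHandler := IOHandler;
    Server.DefaultPort := 8443;
    Server.OnQuerySSLPort := Host.HandleQuerySSLPort;
    Server.OnCommandGet := Host.HandleCommandGet;
    Server.Active := True;
    WriteLn('Listening on https://localhost:8443/ (press Enter to stop)');
    ReadLn;
    Server.Active := False;
  finally
    Host.Free;
    Server.Free;
  end;
end.
```

The DH group file is generated once with `openssl dhparam -out dhparam-2048.pem 2048`. To check what the server actually negotiates, `openssl s_client -connect localhost:8443 -tls1_2` with an OpenSSL 1.0.2 client prints a "Server Temp Key" line when an ephemeral (DHE or ECDHE) exchange was used; if that line is absent, the connection fell back to static RSA key exchange, which is exactly what Chrome reports as obsolete.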
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 5, 2017 12:00 PM   in response to: Ahmed Sayed
Ahmed Sayed wrote:

It's like Indy is rejecting it.

Indy doesn't reject anything. Remember, SSL/TLS is not implemented by
Indy itself. It uses external SSL/TLS libraries instead, like OpenSSL.
Indy is just passing configuration values to the chosen library.

--
Remy Lebeau (TeamB)
Ahmed Sayed

Posts: 173
Registered: 8/9/07
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 6, 2017 8:22 AM   in response to: Remy Lebeau (Te...
What I meant was that the browser or server is refusing
to communicate with my web server when I set Method to
TLSv1.2 and cipher list to:

HIGH:MEDIUM:!MD5:!RC4:!3DES

Chrome gives me this:

Obsolete connection settings

The connection to this site uses a strong protocol (TLS 1.2),
an obsolete key exchange (RSA), and a strong cipher
(AES_128_GCM).

And when I remove it nothing changes, knowing that it's
the same cipher list used by Apache 2.4. When I connect to it,

Chrome gives me this:

Secure connection
The connection to this site is encrypted and authenticated
using a strong protocol (TLS 1.2), a strong key exchange
(ECDHE_RSA with X25519), and a strong cipher (AES_256_GCM).

So, now what is the difference between Indy and Apache, or
between the SSL libraries included with Apache and Indy's SSL libraries?

--
The limits of my language mean the limits of my world
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 6, 2017 10:41 AM   in response to: Ahmed Sayed
Ahmed Sayed wrote:

Secure connection
The connection to this site is encrypted and authenticated
using a strong protocol (TLS 1.2), a strong key exchange
(ECDHE_RSA with X25519), and a strong cipher (AES_256_GCM).

AFAIK, X25519 was added to OpenSSL in 1.1.0, which Indy does not
support yet. The latest OpenSSL that Indy does support is 1.0.2.

--
Remy Lebeau (TeamB)
Ahmed Sayed

Posts: 173
Registered: 8/9/07
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 6, 2017 12:43 PM   in response to: Remy Lebeau (Te...
Yes. But even in Apache with older versions of OpenSSL,
Chrome did show the same "Secure connection" result, but with
a different key exchange or cipher.

How can I reach the same with Indy? All I want is Chrome
to say "Secure connection" instead of "Obsolete connection settings".

--
The limits of my language mean the limits of my world
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: What is the most secured configuration for TIdHttpServer with TLSv 1.2 !!!  
  Posted: Sep 6, 2017 4:39 PM   in response to: Ahmed Sayed
Ahmed Sayed wrote:

Yes. But even in Apache with older versions of OpenSSL,
Chrome did show the same "Secure connection" result, but with
a different key exchange or cipher.

How can I reach the same with Indy? All I want is Chrome
to say "Secure connection" instead of "Obsolete connection settings".

I can't answer that. You will have to review Chrome's source code to
see how it configures OpenSSL.

Also note that Google plans to take OpenSSL out of Chrome (if it hasn't
already):

https://arstechnica.com/information-technology/2014/07/google-dumps-plans-for-openssl-in-chrome-takes-own-boring-road/

--
Remy Lebeau (TeamB)