Thread: SSL support clarifications with Delphi 10.1 Berlin (Windows platform)


This question is answered. Helpful answers available: 2. Correct answers available: 1.


Replies: 4 - Last Post: Oct 12, 2016 10:08 AM Last Post By: Jean-Fabien Con...
Jean-Fabien Con...

Posts: 14
Registered: 9/8/01
SSL support clarifications with Delphi 10.1 Berlin (Windows platform)  
  Posted: Oct 3, 2016 12:14 AM
I'm looking for some clarifications regarding SSL support in Delphi 10.1 Berlin, including OpenSSL deployment requirements (Windows platform).

Indy:

1) According to http://docwiki.embarcadero.com/RADStudio/Berlin/en/Openssl, if built-in Indy is used then OpenSSL is needed, and thus must be deployed along with the Delphi app - correct?
2) According to http://docwiki.embarcadero.com/RADStudio/Berlin/en/Securing_the_Network_Connections_of_Your_Multi-Device_Apps, the built-in REST Client Library relies on Indy, so OpenSSL still needed - correct?
3) Indy consumes OpenSSL DLLs available at http://indy.fulgan.com/SSL/ - it goes up to OpenSSL version 1.0.2 there so does that mean that Indy does not support OpenSSL version 1.1.0?

TNetHTTPClient:

4) Apparently, TNetHTTPClient doesn't rely on OpenSSL, so no deployment needed - correct?

Overbyte ICS:

5) According to http://wiki.overbyte.be/wiki/index.php/ICS_Download, ICS relies on OpenSSL (and thus must be deployed along the Delphi app) and OpenSSL version up to 1.1.0 is supported - correct?

Misc.:

6) Regarding OpenSSL deployment, best practice is to ship the OpenSSL DLLs in the folder where the Delphi app is installed so it's well contained - correct?

Thanks.
Angus Robertson

Posts: 205
Registered: 3/17/00
Re: SSL support clarifications with Delphi 10.1 Berlin (Windows platform)  
  Posted: Oct 3, 2016 6:29 AM   in response to: Jean-Fabien Con...
> 1) According to
> http://docwiki.embarcadero.com/RADStudio/Berlin/en/Openssl, if
> built-in Indy is used then OpenSSL is needed, and thus must be
> deployed along with the Delphi app - correct?

Yes, Indy needs OpenSSL DLLs. And you need to deploy new versions every
few months to keep security fixes up to date.

> it goes up to OpenSSL version 1.0.2 there so does that mean that
> Indy does not support OpenSSL version 1.1.0?

I don't believe Indy supports 1.1.0 yet, it's a lot of development
effort.

> 4) Apparently, TNetHTTPClient doesn't rely on OpenSSL, so no
> deployment needed - correct?

This uses Windows SChannel so does not need extra DLLs, but you then
have to use the Windows tools, APIs and scripts to install SSL
certificates. But security fixes are by Windows Update.

> Overbyte ICS:
> ICS relies on OpenSSL (and thus must be deployed along the Delphi app)
> and OpenSSL version up to 1.1.0 is supported - correct?

Yes, again you need to deploy OpenSSL DLLs and keep them updated, and
ICS supports OpenSSL 1.1.0 and later (I did the work necessary).

GetIt for Seattle and Berlin have just been updated with ICS V8.34
which includes OpenSSL 1.1.0b DLLs, or it can be downloaded from:

http://wiki.overbyte.be/wiki/index.php/ICS_Download

> 6) Regarding OpenSSL deployment, best practice is to ship the
> OpenSSL DLLs in the folder where the Delphi app is installed so
> it's well contained - correct?

Since there may be several different applications running various
versions of OpenSSL on the PC, it is sensible to install it in the
application directory, and ensure your application only opens that
version, which the latest ICS can do. Otherwise there may be a random
version in the system path, that may not be compatible with your
application. OpenSSL has been removing exports with each new version,
meaning old applications cannot open new versions.

Angus
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: SSL support clarifications with Delphi 10.1 Berlin (Windows platform)  
  Posted: Oct 3, 2016 10:04 AM   in response to: Angus Robertson
Angus wrote:

> Yes, Indy needs OpenSSL DLLs.

To be accurate, Indy defaults to OpenSSL, but does not require it if
you plug in another SSL/TLS engine via a custom IOHandler class.

--
Remy Lebeau (TeamB)
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: SSL support clarifications with Delphi 10.1 Berlin (Windows platform)  
  Posted: Oct 3, 2016 10:02 AM   in response to: Jean-Fabien Con...
Jean-Fabien wrote:

> Indy:
>
> 1) According to
> http://docwiki.embarcadero.com/RADStudio/Berlin/en/Openssl, if
> built-in Indy is used then OpenSSL is needed, and thus must be
> deployed along with the Delphi app - correct?

Only if you use Indy's TIdSSLIOHandlerSocketOpenSSL component, which is Indy's
default cross-platform SSL/TLS component. However, Indy uses a plugin architecture
for SSL/TLS, so it is not locked in to OpenSSL specifically. There are other
3rd party SSL/TLS engines available besides OpenSSL. Eldos SecureBlackbox,
for instance (https://www.eldos.com/sbb/), which happens to also provide
its own IOHandler component for Indy. Or, you could write a custom IOHandler
component that wraps any SSL/TLS engine you want, for example Microsoft's
SChannel API (which is actually a TODO item for a future Indy release as
an alternative to OpenSSL on Windows).

> 2) According to
> http://docwiki.embarcadero.com/RADStudio/Berlin/en/Securing_the_Network_Connections_of_Your_Multi-Device_Apps,
> the built-in REST Client Library relies on Indy, so OpenSSL still
> needed - correct?

Yes and no, depending on your version of RADStudio. Embarcadero has started
moving some of its technologies away from Indy in favor of its own implementations.
In those cases, it does not rely on Indy or OpenSSL. However, there are
some things that still use Indy and thus OpenSSL, yes.

> 3) Indy consumes OpenSSL DLLs available at http://indy.fulgan.com/SSL/

It can consume any standard OpenSSL DLLs, regardless of where they are downloaded
from. The DLLs provided at Fulgan have simply been compiled without a dependency
on Microsoft's Visual Studio libraries, for instance. Other OpenSSL distributions
may have been compiled with different configurations.

> - it goes up to OpenSSL version 1.0.2 there so does that mean that
> Indy does not support OpenSSL version 1.1.0?

Correct. Indy does not support 1.1.0 at this time. The OpenSSL team has
made major API changes/breakages in 1.1.0, and Indy has not been updated
to account for that yet. And there is no ETA on if/when Indy will be updated
to support 1.1.0.

> 4) Apparently, TNetHTTPClient doesn't rely on OpenSSL, so no
> deployment needed - correct?

If it does not depend on OpenSSL, then no.

> 5) According to http://wiki.overbyte.be/wiki/index.php/ICS_Download,
> ICS relies on OpenSSL (and thus must be deployed along the Delphi app)
> and OpenSSL version up to 1.1.0 is supported - correct?

Yes, as specifically stated on that page: "OpenSSL 1.0.1 and later are only
supported by ICS v8... OpenSSL 1.1.0 is a major new version with new DLL
file names and many different exports, and requires ICS V8.33 or later."

> 6) Regarding OpenSSL deployment, best practice is to ship the OpenSSL
> DLLs in the folder where the Delphi app is installed so it's well
> contained - correct?

Yes, that is the best option.

--
Remy Lebeau (TeamB)
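
The point made in the replies above about shipping the OpenSSL DLLs in the application folder and opening only that copy, as an added example that is not code from any poster or from the Indy project. It assumes Indy 10 with the OpenSSL 1.0.2 DLL names (libeay32.dll, ssleay32.dll); the program name and the two helper functions are hypothetical.

```delphi
program PinOpenSSL;
{$APPTYPE CONSOLE}

uses
  Winapi.Windows, System.SysUtils,
  IdSSLOpenSSL,          // LoadOpenSSLLibrary, OpenSSLVersion
  IdSSLOpenSSLHeaders;   // IdOpenSSLSetLibPath, WhichFailedToLoad

// Full path of an already-loaded module, or '' if it is not loaded.
function LoadedModulePath(const DllName: string): string;
var
  H: HMODULE;
  Buf: array[0..MAX_PATH] of Char;
begin
  Result := '';
  H := GetModuleHandle(PChar(DllName));
  if H <> 0 then
    SetString(Result, Buf, GetModuleFileName(H, Buf, Length(Buf)));
end;

// True only when DllName was loaded from AppDir (case-insensitive compare).
function LoadedFromAppDir(const DllName, AppDir: string): Boolean;
begin
  Result := SameText(ExtractFilePath(LoadedModulePath(DllName)), AppDir);
end;

var
  AppDir: string;
begin
  AppDir := ExtractFilePath(ParamStr(0));   // folder containing the EXE

  // Tell Indy where to look before anything triggers the OpenSSL load.
  IdOpenSSLSetLibPath(AppDir);

  if not LoadOpenSSLLibrary then
  begin
    Writeln('OpenSSL failed to load: ', WhichFailedToLoad);
    Halt(1);
  end;

  // Fail closed if either DLL was resolved from anywhere else,
  // e.g. an older copy found through the system path.
  if not (LoadedFromAppDir('libeay32.dll', AppDir) and
          LoadedFromAppDir('ssleay32.dll', AppDir)) then
  begin
    Writeln('OpenSSL DLLs were not loaded from ', AppDir);
    Halt(2);
  end;

  Writeln('Using ', OpenSSLVersion, ' from ', AppDir);
end.
```

Logging the reported version string at startup also gives a record of which installations still carry an outdated OpenSSL build.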
Jean-Fabien Con...

Posts: 14
Registered: 9/8/01
Re: SSL support clarifications with Delphi 10.1 Berlin (Windows platform)  
  Posted: Oct 12, 2016 10:08 AM   in response to: Jean-Fabien Con...
Angus and Remy, thanks for the detailed and clear information.