Thread: Indy v10, TLS v1.2, and OpenSSL versions.


Replies: 6 - Last Post: Jan 27, 2017 12:48 PM by Remy Lebeau (TeamB)
Jako Grobler
Posts: 45 | Registered: 6/26/15
Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 26, 2017 10:29 AM
Hi!

Is there any news on Indy v10 and OpenSSL v1.1.0xxx? There was a post on Oct 16 last year that indicated it is forthcoming but no ETA since it requires quite a huge change in order to support it. The reason I am asking is because our SMTP provider has completely disabled SSLv3 now.

However, it seems that OpenSSL v1.0.1xxx is always testing for SSLv3, even with TLS v1.2! I found this by logging the SSL status events from Indy v10. At that point the SMTP connection aborts. I only set the Indy SMTP method to sslvTLSv1_2 since that method automatically sets the SSLOptions to match. I do not explicitly set the SSLOptions. I checked and the SSLOptions become [sslvTLSv1_2], so no SSL options in there. Still, something is trying to verify SSLv3 support on the server:

SSL status: "SSLv3 read server hello A"
SSL negotiation failed.

Using Delphi Berlin Update 2, Indy v10, and OpenSSL 1.0.1j.

As I understand it:

TLS v1 and v1.1 use SSLv3 for encryption.
TLS v1.2 does not require SSLv3.

Again, as I understand it OpenSSL v.1.1.0xxx allows for TLS v1.2 without attempting to check for SSLv3 support on the server. I cannot verify this because I cannot figure out how to tell Indy or OpenSSL 1.0.1j not to use SSLv3 during the TLS v1.2 connection and authentication process.

Then again, I may be completely confused! Lol! Any help to clarify is most welcome!

Kind regards,
Jako Grobler
Remy Lebeau (TeamB)
Posts: 9,447 | Registered: 12/23/01
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 26, 2017 11:43 AM in response to: Jako Grobler
Jako wrote:

Is there any news on Indy v10 and OpenSSL v1.1.0xxx?

No. OpenSSL 1.1.0 is still not supported, and likely will not be supported
anytime in the near future due to a lack of time and manpower needed to rewrite
Indy's code to account for the API changes made in OpenSSL 1.1.0. For now,
you can use OpenSSL 1.0.2, which will be supported by the OpenSSL team for
several more years (oddly, support for 1.1.0 will end before 1.0.2).

There was a post on Oct 16 last year that indicated it is forthcoming
but no ETA since it requires quite a huge change in order to support it.

Exactly, and AFAIK no work has started on it yet. I maintain Indy, but JP
Mugaas wrote most of Indy's modern OpenSSL code, and he has not been working
on Indy code for a while. If anyone wants to volunteer, I'm all for it.
I doubt I'll be able to get to it myself.

The reason I am asking is because our SMTP provider has completely
disabled SSLv3 now.

However, it seems that OpenSSL v1.0.1xxx is always testing for SSLv3,
even with TLS v1.2! I found this by logging the SSL status events from
Indy v10. At that point the SMTP connection aborts. I only set the
Indy SMTP method to sslvTLSv1_2 since that method automatically sets
the SSLOptions to match.

OpenSSL 1.0.1 and 1.0.2 both support TLS 1.2.

If you set Indy to use sslvTLSv1_2 only, it will attempt to use the TLS 1.2
functions in the OpenSSL DLLs. However, if Indy is not able to access those
functions (for instance, because they don't exist), Indy will silently fall
back to TLS 1.0 instead, which is essentially SSL 3.1.

I do not explicitly set the SSLOptions.

Indy defaults to sslvTLSv1 (TLS 1.0), not sslvTLSv1_2 (TLS 1.2).

Still, something is trying to verify SSLv3 support on the server:

TLS 1.x is basically SSL 3.x, and those status messages are coming from OpenSSL
itself, which refers to TLS1 as SSL3 in its source code. Don't let the status
messages fool you. If you really want to know the actual protocol being
used, use a packet sniffer like Wireshark and look at the version numbers
being transmitted in the SSL/TLS handshake.

Again, as I understand it OpenSSL v.1.1.0xxx allows for TLS v1.2
without attempting to check for SSLv3 support on the server. I cannot
verify this because I cannot figure out how to tell Indy or OpenSSL
1.0.1j not to use SSLv3 during the TLS v1.2 connection and
authentication process.

Yes, you do, because you are already doing it. If you set Indy to use a
specific SSL/TLS version, it disables earlier versions. For instance, using
TLS 1.2 (even with the fallback to TLS 1.0) will disable SSL v2 and SSL v3.

--
Remy Lebeau (TeamB)
Jako Grobler
Posts: 45 | Registered: 6/26/15
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 26, 2017 12:54 PM in response to: Remy Lebeau (TeamB)
Thanks, Remy!

Next, tested with OpenSSL 1.0.2j and:

ssloptions := TIdSSLIOHandlerSocketOpenSSL(smtp.IOHandler).SSLOptions;
ssloptions.Method := sslvTLSv1;
ssloptions.SSLVersions := [sslvTLSv1];

Log:

SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server hello A"
Error connecting with SSL.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I even tried setting the ciphers:

ssloptions := TIdSSLIOHandlerSocketOpenSSL(smtp.IOHandler).SSLOptions;
ssloptions.Method := sslvTLSv1;
ssloptions.SSLVersions := [sslvTLSv1];
ssloptions.CipherList := 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA';

At least it does not simply abort, like before, but I do not understand what is triggering the "SSL3_GET_RECORD:wrong version number".
Remy Lebeau (TeamB)
Posts: 9,447 | Registered: 12/23/01
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 26, 2017 1:19 PM in response to: Jako Grobler
Jako wrote:

Next, tested with OpenSSL 1.0.2j

FYI, 1.0.2k was released today.

ssloptions.Method := sslvTLSv1;
ssloptions.SSLVersions := [sslvTLSv1];

The Method and SSLVersions properties are mutually exclusive. Setting one
changes the other, so don't set them both, set one or the other.

Error connecting with SSL.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

As it should be, if the SMTP server does not allow TLS 1.0, which is what
you are telling Indy to use.

sslvTLSv1 is for TLS 1.0
sslvTLSv1_1 is for TLS 1.1
sslvTLSv1_2 is for TLS 1.2
etc...

I do not understand what is triggering the "SSL3_GET_RECORD:
wrong version number".

You are not using a TLS version that the server is expecting.

--
Remy Lebeau (TeamB)
Jako Grobler
Posts: 45 | Registered: 6/26/15
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 27, 2017 7:59 AM in response to: Remy Lebeau (TeamB)
Thank you, Remy! I have learned a lot from you.

I have tried sslvTLSv1, sslvTLSv1_1, and sslvTLSv1_2 each on their own, still no luck. Same error.

The server was specifically set up for us and I think it is broken on port 587. The "SSL3_GET_RECORD:wrong version number" message was leading us down the wrong path. We suspected the certificates, the ciphers, anything SSL related.

Now it seems that the port on that server is not sending the response that OpenSSL is expecting to find. I suspect there is something that OpenSSL is expecting to see in order to know which TLS is supported, and that is not happening. Using port 443 instead actually gets us further! It gives a status of "SSL initiated" then hangs because there is no SMTP connector on that port, but at least it connects properly.

Since this is no longer an Indy question I am marking this thread answered. The head scratching continues...
Remy Lebeau (TeamB)
Posts: 9,447 | Registered: 12/23/01
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 27, 2017 12:48 PM in response to: Jako Grobler
Jako wrote:

The server was specifically set up for us and I think it is broken on
port 587. The "SSL3_GET_RECORD:wrong version number" message
was leading us down the wrong path. We suspected the certificates,
the ciphers, anything SSL related.

This is why I suggest you use a packet sniffer, like Wireshark, to see the
actual SMTP and SSL/TLS traffic, then you can see exactly what is going on.

Do you have the TIdSMTP.UseTLS property set to utUseExplicitTLS when connecting
to port 587? That port is not initially encrypted with SSL/TLS when a client
connects, the client must send an unencrypted SMTP 'STARTTLS' command first
before sending an SSL/TLS handshake.

Using port 443 instead actually gets us further!

Port 443 is initially encrypted with SSL/TLS when the client connects, so
the TIdSMTP.UseTLS property must be set to utUseImplicitTLS on that port.

--
Remy Lebeau (TeamB)
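The mechanics behind two points in this thread, Remy's note that OpenSSL labels TLS 1.x as SSL 3.x in its status messages and his last reply about explicit (STARTTLS) versus implicit TLS on port 587, as an added Python example that is not from the thread and not Indy's or OpenSSL's code. The mail server is a constructed in-memory stand-in, and the hostnames, the dummy ClientHello bytes and the function names are assumptions. The code parses the 5-byte TLS record header a client expects back after its ClientHello, shows that a plaintext SMTP "220" greeting read in that position is exactly what OpenSSL surfaces as "SSL3_GET_RECORD:wrong version number", and walks the STARTTLS preamble that an explicit-TLS client must complete before the handshake starts.

```python
"""Why a TLS ClientHello sent straight to a STARTTLS port fails with
"SSL3_GET_RECORD:wrong version number", and what the explicit-TLS preamble
(Indy's utUseExplicitTLS) looks like on the wire. Added example; the server
side is a constructed stand-in, not a real mail server."""
import struct

# TLS record-layer versions. TLS 1.x is numbered as SSL 3.x on the wire, which
# is why OpenSSL's status strings and error codes say "SSLv3" / "SSL3".
RECORD_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0 (SSL 3.1)",
                   (3, 2): "TLS 1.1 (SSL 3.2)", (3, 3): "TLS 1.2 (SSL 3.3)"}
HANDSHAKE, ALERT = 0x16, 0x15


def classify_server_reply(data: bytes) -> dict:
    """Parse what a client reads back after sending ClientHello.

    A TLS record starts with content type (1 byte), version (2), length (2).
    If the server is still speaking plaintext SMTP, those bytes are the ASCII
    greeting "220 ..." and the version field is garbage: OpenSSL reports that
    as SSL3_GET_RECORD:wrong version number.
    """
    if len(data) < 5:
        return {"kind": "short"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    version = RECORD_VERSIONS.get((major, minor))
    if ctype in (HANDSHAKE, ALERT) and version is not None:
        return {"kind": "tls", "version": version, "length": length}
    # Not a TLS record: does it look like an SMTP reply line instead?
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return {"kind": "smtp_plaintext", "code": int(data[:3]),
                "line": data.split(b"\r\n", 1)[0].decode("ascii", "replace")}
    return {"kind": "unknown", "header": data[:5].hex()}


class FakeSubmissionServer:
    """Constructed stand-in for a port-587 listener: plaintext until STARTTLS."""
    GREETING = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed hostname

    def __init__(self):
        self.outbox = [self.GREETING]  # a real server sends this on connect
        self.tls_started = False

    def recv_from_client(self, data: bytes) -> None:
        if self.tls_started:
            return  # bytes would go to the TLS stack; not modelled here
        if data.upper().startswith(b"EHLO "):
            self.outbox.append(b"250-mail.example.invalid\r\n250 STARTTLS\r\n")
        elif data.upper() == b"STARTTLS\r\n":
            self.outbox.append(b"220 Go ahead\r\n")
            self.tls_started = True
        else:
            # A raw ClientHello is not an SMTP command.
            self.outbox.append(b"500 Syntax error\r\n")

    def send_to_client(self) -> bytes:
        return self.outbox.pop(0) if self.outbox else b""


def implicit_tls_attempt(server: FakeSubmissionServer) -> dict:
    """An implicit-TLS client (utUseImplicitTLS) on a STARTTLS port: it sends
    ClientHello at once and the first bytes it reads are the plaintext greeting."""
    client_hello = b"\x16\x03\x01\x00\x05hello"  # constructed header + dummy body
    server.recv_from_client(client_hello)
    return classify_server_reply(server.send_to_client())


def explicit_tls_preamble(server: FakeSubmissionServer) -> bool:
    """The STARTTLS exchange an explicit-TLS client (utUseExplicitTLS) runs
    before the handshake. Returns True when the socket is ready for TLS."""
    if not server.send_to_client().startswith(b"220"):
        return False
    server.recv_from_client(b"EHLO client.example.invalid\r\n")  # constructed
    if b"STARTTLS" not in server.send_to_client().upper():
        return False  # do not continue in plaintext if STARTTLS is missing
    server.recv_from_client(b"STARTTLS\r\n")
    if not server.send_to_client().startswith(b"220"):
        return False
    return True  # the TLS ClientHello is sent only now


if __name__ == "__main__":
    print(implicit_tls_attempt(FakeSubmissionServer()))
    print(explicit_tls_preamble(FakeSubmissionServer()))
```

The record version the parser reports (3.1, 3.2, 3.3) is the same field Remy suggests reading in a Wireshark capture, and it is the reason a TLS 1.0 session shows up in OpenSSL's status text as "SSLv3". The implicit attempt classifies the reply as a plaintext "220" line, which is the situation behind the "wrong version number" error on port 587 when UseTLS is not utUseExplicitTLS.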
Angus Robertson
Posts: 205 | Registered: 3/17/00
Re: Indy v10, TLS v1.2, and OpenSSL versions.
Posted: Jan 27, 2017 12:24 AM in response to: Remy Lebeau (TeamB)
For now, you can use OpenSSL
1.0.2, which will be supported by the OpenSSL team for several
more years (oddly, support for 1.1.0 will end before 1.0.2).

1.1.0 has a short life because it's due to be replaced by 1.1.1 in
April adding support for TLS 1.3.

OpenSSL ceased support for 1.0.1 last December.

Angus