Thread: Indy SSLOptions



Replies: 3 - Last Post: May 15, 2017 4:11 PM - Last Post By: Remy Lebeau (Te...
Asger Joergensen

Posts: 370
Registered: 11/18/08
Indy SSLOptions
  Posted: May 14, 2017 4:29 AM
Hi

I'm trying to learn how to set up the Indy SSL IO handler and I can't seem to
find it explained anywhere, most of all I'm interested in supporting as many
mail servers as possible.

The default SSLVersions is set to sslvTLSv1 and Method is the same, but if I select
sslvTLSv1_1 and sslvTLSv1_2 as well, Method is autoselected to sslvSSLv23, which
is not selected as a version. I find that very confusing.

If I go the other way and set Method to sslvSSLv23, everything in SSLVersions
is selected except sslvSSLv23. I find that even more confusing.

Anyone that can explain this?

Or just tell me how to set it to cover most mail servers both IMAP and POP.

Does it make any sense to let the user select / set which version to use, e.g.:

IdSSLIOHandlerSocketOpenSSL->SSLOptions->Method = userchoice;


Or is that negotiated automatically by Indy?

Thanks in advance
Best regards
Asger

Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Indy SSLOptions
  Posted: May 15, 2017 12:03 PM   in response to: Asger Joergensen
Asger wrote:

I'm trying to learn how to set up the Indy SSL IO handler and I can't
seem to find it explained anywhere

That is because it is not really documented anywhere.

The default SSLVersions is set to sslvTLSv1 and Method is the same, but
if I select sslvTLSv1_1 and sslvTLSv1_2 as well, Method is autoselected
to sslvSSLv23, which is not selected as a version. I find that very
confusing.

If I go the other way and set Method to sslvSSLv23, everything in
SSLVersions is selected except sslvSSLv23. I find that even more
confusing.

It is not confusing once you understand that SSLv23 is not an actual protocol
version, it is OpenSSL's wildcard for enabling dynamic protocol version negotiation
during the SSL/TLS handshake.

If you try to enable SSLv23 in the SSLVersions property, Indy will just strip
it out, and if the result is blank then all supported protocol versions will
be selected instead.

If you set the Method property to SSLv23 directly, Indy will select all supported
protocol versions in the SSLVersions property.

This is by design.

The Method property represents the actual OpenSSL protocol API that the IOHandler
uses internally to communicate with the peer, whereas the SSLVersions property
represents the protocol version(s) that the API will use. That is why setting
the SSLVersions property to a single protocol version will set the Method
property to a matching API, but setting the SSLVersions property to multiple
protocol versions will set the Method property to the SSLv23 API.

SSLv23 can be used on the client-side, but it is better used on the server-side
instead, to allow clients of different protocol versions to connect (or at
least for it to accept their handshakes, and then reject any unsupported
versions). Clients should connect using specific protocol versions instead.

Does it make any sense to let the user select / set which version to
use, e.g.?

It can be, when users are in control of their own servers, or at least know
what version(s) the server actually supports. Which is why Indy allows the
properties to be customized. For instance, if you know a server supports
TLS 1.2, there is no point in enabling TLS 1.0, TLS 1.1, and TLS 1.2 and
letting OpenSSL negotiate TLS 1.2. On the other hand, if you don't know,
then you should negotiate when possible. But that is not always possible
(some servers don't enable negotiation), so you should be prepared to resort
to re-attempting the connection using individual versions one at a time if
connecting with negotiation fails.

Or is that negotiated automatically by Indy ?

Negotiation is only handled by SSLv23 inside of OpenSSL itself, not by Indy
at all.

--
Remy Lebeau (TeamB)
Asger Joergensen

Posts: 370
Registered: 11/18/08
Re: Indy SSLOptions
  Posted: May 15, 2017 2:59 PM   in response to: Remy Lebeau (Te...
Hi Remy

Remy Lebeau (TeamB) wrote:

This is by design.

OK, so far I think I get it. :-)

Clients should connect using specific protocol versions instead.

which is done by setting the Method, right?

Does it make any sense to let the user select / set which version to
use e.g. ?

It can be, when users are in control of their own servers, or at least know
what version(s) the server actually supports. Which is why Indy allows the
properties to be customized. For instance, if you know a server supports
TLS 1.2, there is no point in enabling TLS 1.0, TLS 1.1, and TLS 1.2 and
letting OpenSSL negotiate TLS 1.2. On the other hand, if you don't know,
then you should negotiate when possible.

My users are not in control, most of them are small business owners with no
computer knowledge, but I have a test button in the mail setup dialog, so they
can change settings until they find something that works.

My default for IMAP is port 993, UseImplicitTLS and Method = sslvTLSv1_2

I have a dropdown where they can choose one of these, for the UseTLS:
utUseImplicitTLS
utUseRequireTLS
utUseExplicitTLS

and another dropdown where they can choose between these, for the Method:
sslvTLSv1
sslvTLSv1_1
sslvTLSv1_2

The user can also write any port number

I hope this can cover most normal mail providers, but to be honest I don't
really know, except I do know that it can work on one.com and on gmail.com.

I sure will appreciate any input that can make this better.

Thanks for helping
Best regards
Asger
Remy Lebeau (Te...


Posts: 9,447
Registered: 12/23/01
Re: Indy SSLOptions
  Posted: May 15, 2017 4:11 PM   in response to: Asger Joergensen
Asger wrote:

Clients should connect using specific protocol versions instead.
which is done by setting the Method, right ?

Or the SSLVersions. Setting one updates the other, as you noticed. You
can set SSLVersions to a single version, or to multiple versions. You can
set Method to only a single version.

I have a dropdown where they can choose one of these, for the UseTLS:

utUseImplicitTLS
utUseRequireTLS
utUseExplicitTLS

Remove utUseRequireTLS from your list, it is generally not used client-side.

Better would be if you remove the dropdown completely, and just configure
the UseTLS property based on the selected port. You don't need to let the
user specify the implicit/explicit type unless the server is using non-standard
ports.

--
Remy Lebeau (TeamB)
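The rules Remy lays out across his two replies, worked through as an added example: how SSLVersions and Method update each other (SSLv23 stripped from SSLVersions, a blank set meaning every version, several versions switching Method to the SSLv23 negotiation API), choosing UseTLS from the port rather than a dropdown, and retrying with individual versions when SSLv23 negotiation fails. This is not code from the thread or from Indy: the enums, the SSLOptions struct, the port table and the simulated server are stand-ins constructed for this example so it compiles without Indy, and the connect callback is where a real client would wrap Connect() on a TIdIMAP4 or TIdPOP3 whose IOHandler is a TIdSSLIOHandlerSocketOpenSSL (an assumption about the surrounding code, not shown here).

```cpp
#include <set>
#include <functional>
#include <iostream>

// Stand-ins for the Indy enum values named in the thread (constructed for
// this example; not the real TIdSSLVersion / TIdUseTLS declarations).
enum SSLVersion { sslvSSLv23, sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2 };
enum UseTLS { utUseImplicitTLS, utUseExplicitTLS };

// Every concrete protocol version a client can pin. SSLv23 is not a version,
// it is OpenSSL's wildcard for negotiation, so it is deliberately absent.
static const std::set<SSLVersion> kAllVersions = { sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2 };

// Models the coupling Remy describes between SSLOptions.Method and
// SSLOptions.SSLVersions.
struct SSLOptions {
    SSLVersion method = sslvTLSv1;                 // Indy's default, per the thread
    std::set<SSLVersion> versions = { sslvTLSv1 };

    // Setting SSLVersions: SSLv23 is stripped; an empty result selects every
    // version; exactly one version pins Method to it; several versions switch
    // Method to the SSLv23 negotiation API.
    void setVersions(std::set<SSLVersion> v) {
        v.erase(sslvSSLv23);
        if (v.empty()) v = kAllVersions;
        versions = v;
        method = (v.size() == 1) ? *v.begin() : sslvSSLv23;
    }

    // Setting Method: SSLv23 selects every version, anything else selects
    // exactly that version.
    void setMethod(SSLVersion m) {
        method = m;
        versions = (m == sslvSSLv23) ? kAllVersions : std::set<SSLVersion>{ m };
    }
};

// Helpers exposing the derived state to callers.
SSLVersion methodForVersions(const std::set<SSLVersion>& v) { SSLOptions o; o.setVersions(v); return o.method; }
std::set<SSLVersion> versionsForMethod(SSLVersion m) { SSLOptions o; o.setMethod(m); return o.versions; }

// Remy's suggestion: derive UseTLS from the port instead of a dropdown.
// 993 (IMAP) and 995 (POP3) are the implicit-TLS ports; 143 and 110 are the
// plaintext ports on which explicit TLS (STARTTLS) is requested.
bool isStandardMailPort(int port) { return port == 993 || port == 995 || port == 143 || port == 110; }
UseTLS useTLSForPort(int port) {
    // A non-standard port falls through to explicit TLS here; the caller should
    // check isStandardMailPort() first and let the user choose in that case.
    return (port == 993 || port == 995) ? utUseImplicitTLS : utUseExplicitTLS;
}

// One connection attempt with a given Method; true means the handshake
// succeeded. In a real client this would wrap Connect() on a TIdIMAP4/TIdPOP3
// with a TIdSSLIOHandlerSocketOpenSSL attached (assumption, not shown).
typedef std::function<bool(SSLVersion)> ConnectFn;

struct Outcome { bool connected; SSLVersion method; };

// Remy's advice: negotiate with SSLv23 first, and if the server does not
// support negotiation, retry one version at a time. The retries go newest
// first so the strongest protocol the server offers is the one that wins.
Outcome connectWithFallback(const ConnectFn& tryConnect) {
    if (tryConnect(sslvSSLv23)) return { true, sslvSSLv23 };
    for (auto it = kAllVersions.rbegin(); it != kAllVersions.rend(); ++it)
        if (tryConnect(*it)) return { true, *it };
    return { false, sslvSSLv23 };
}

// Constructed stand-in for a mail server: 'negotiates' says whether it
// accepts an SSLv23 handshake at all; 'supported' lists its versions.
ConnectFn simulatedServer(std::set<SSLVersion> supported, bool negotiates) {
    return [supported, negotiates](SSLVersion method) -> bool {
        if (method == sslvSSLv23) return negotiates && !supported.empty();
        return supported.count(method) == 1;
    };
}

int main() {
    // A server that refuses negotiation and only speaks TLS 1.2.
    Outcome r = connectWithFallback(simulatedServer({ sslvTLSv1_2 }, false));
    std::cout << (r.connected ? "connected, method=" : "failed, method=") << r.method << "\n";
    if (isStandardMailPort(993) && useTLSForPort(993) == utUseImplicitTLS)
        std::cout << "port 993 -> implicit TLS\n";
    return 0;
}
```

The fallback loop is the part worth keeping in mind for Asger's test button: a single click can try negotiation and then each version in turn, so the user never has to pick a protocol version, and the dropdown only needs to remain for non-standard ports, as Remy suggests.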