Thread: How to setup Indy Server / Client to use SSL if Client wishes it?



Replies: 7 - Last Post: Jan 9, 2018 1:05 PM - Last Post By: Remy Lebeau (TeamB)
Daniel Liljeberg

Posts: 5
Registered: 6/6/08
How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 5:51 AM
I have read about SSL with Indy in C++ Builder 2010 in the reply to: https://stackoverflow.com/questions/21768381/cannot-connect-to-indy-ssl-tcp-server

Getting this to work doesn't seem very hard. But what I don't seem to be able to find an answer to is how I would go about it if I want the Client to decide if SSL should be used. My idea is to have a selection box in the client where they can choose to use SSL or not.
Then when they make their connection to the Server I would like them to initialize the SSL encryption if the client has checked this box. This means that there might be other clients that don't have this option selected and they should use an unencrypted connection (which is already in place today and works fine).
Remy Lebeau (TeamB)


Posts: 9,447
Registered: 12/23/01
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 6:49 AM in response to: Daniel Liljeberg
Daniel Liljeberg wrote:

Getting this to work doesn't seem very hard. But what I don't seem to
be able to find an answer to is how I would go about it if I want the
Client to decide if SSL should be used.

The client and server must establish an unencrypted connection first
(SSLIOHandler::PassThrough is set to true on both ends), and then the
client can send an explicit command to the server if and when it wants
to create an SSL/TLS session. If the server responds to the command
with a success reply, then both parties start the SSL/TLS handshake
(set SSLIOHandler::PassThrough to false).

This is commonly known as STARTTLS in many Internet protocols, like
POP3, SMTP, IMAP, etc.

--
Remy Lebeau (TeamB)
Daniel Liljeberg

Posts: 5
Registered: 6/6/08
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 7:02 AM in response to: Remy Lebeau (TeamB)
Remy Lebeau (TeamB) wrote:
Daniel Liljeberg wrote:

Getting this to work doesn't seem very hard. But what I don't seem to
be able to find an answer to is how I would go about it if I want the
Client to decide if SSL should be used.

The client and server must establish an unencrypted connection first
(SSLIOHandler::PassThrough is set to true on both ends), and then the
client can send an explicit command to the server if and when it wants
to create an SSL/TLS session. If the server responds to the command
with a success reply, then both parties start the SSL/TLS handshake
(set SSLIOHandler::PassThrough to false).

This is commonly known as STARTTLS in many Internet protocols, like
POP3, SMTP, IMAP, etc.

--
Remy Lebeau (TeamB)

Yeah, I was thinking about something like this. You don't know of any direct code example for this? Will the Client just fire off the STARTTLS request and then the Client and Server "sort it out", or do I have to handle the actual steps of handling that request, enabling SSL etc. on the Server?

p.s.
Noticed I jumped the gun a bit. I just assumed the code was using Indy.... Turns out it uses the old deprecated SckComp.hpp with TClientSocket and TServerSocket which I don't think have support for SSL. Wonder how much work it would be to swap it for Indy sockets... It's quite a large system :P. Otherwise, one could perhaps SSL encrypt the data manually and send it using the existing connections.
Remy Lebeau (TeamB)


Posts: 9,447
Registered: 12/23/01
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 7:14 AM in response to: Daniel Liljeberg
Daniel Liljeberg wrote:

You don't know of any direct code example for this?

Plenty of examples have been posted before.

Will the Client just fire off the STARTTLS request and then the Client
and Server "sort it out", or do I have to handle the actual steps of
handling that request, enabling SSL etc. on the Server?

Obviously, you have to write code to handle it on both ends. You have
to code the client to send the command, read the response, and set the
PassThrough to false. You have to code the server to read the command,
send the response, and set the PassThrough to false.

Noticed I jumped the gun a bit. I just assumed the code was using
Indy.... Turns out it uses the old deprecated SckComp.hpp with
TClientSocket and TServerSocket which I don't think have support for
SSL.

No, they do not.

Wonder how much work it would be to swap it for Indy sockets...

Not very hard. But, do note that Indy uses blocking sockets, so if you
are using the TClientSocket/TServerSocket in non-blocking mode, you
might have to change some other code to account for the different
paradigm.

It's quite a large system :P. Otherwise, one could perhaps SSL
encrypt the data manually and send it using the existing connections.

You could, yes. You can do that with OpenSSL if you use its BIO API so
you stay in control of the actual socket I/O and just push/pull data
through the encryption engine. Or, you can use Microsoft's
SChannel/Crypto API to do something similar.

--
Remy Lebeau (TeamB)
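The opt-in flow described in the two replies above (connect in the clear with PassThrough true on both ends, client sends a command, server answers with a success reply, then both sides set PassThrough to false) as an added worked example; this is not code from the thread. It is written in Delphi, Indy's native language, and the component names, events and properties are the same in C++ Builder. It assumes a form TForm1 holding the event handlers, a TIdTCPServer named Server whose IOHandler is a TIdServerIOHandlerSSLOpenSSL, a TIdTCPClient named Client whose IOHandler is a TIdSSLIOHandlerSocketOpenSSL named SSLHandler, and a made-up one-command-per-line protocol in which the command is literally STARTTLS.

```delphi
uses
  SysUtils, IdContext, IdTCPServer, IdTCPClient, IdSSL, IdSSLOpenSSL;
{ Server side. Assumed: a TIdTCPServer named Server whose IOHandler is a
  TIdServerIOHandlerSSLOpenSSL already loaded with the server certificate and key. }

procedure TForm1.ServerConnect(AContext: TIdContext);
begin
  // Every accepted connection starts in the clear; TLS is enabled only on request.
  (AContext.Connection.IOHandler as TIdSSLIOHandlerSocketBase).PassThrough := True;
end;

procedure TForm1.ServerExecute(AContext: TIdContext);
var
  IO: TIdSSLIOHandlerSocketBase;
  Cmd: string;
begin
  IO := AContext.Connection.IOHandler as TIdSSLIOHandlerSocketBase;
  Cmd := IO.ReadLn;                       // one text command per line (assumed protocol)
  if SameText(Cmd, 'STARTTLS') then
  begin
    if not IO.PassThrough then
      IO.WriteLn('ERR already encrypted') // refuse a second handshake on the same link
    else
    begin
      IO.WriteLn('OK');                   // success reply goes out in plaintext...
      IO.PassThrough := False;            // ...then the server side of the handshake runs
    end;
  end
  else
    IO.WriteLn('OK ' + Cmd);              // ordinary application traffic, encrypted or not
end;

{ Client side. Assumed: a TIdTCPClient named Client whose IOHandler is a
  TIdSSLIOHandlerSocketOpenSSL named SSLHandler with SSLOptions.Mode = sslmClient. }

procedure TForm1.ConnectClient(UseTLS: Boolean);
var
  Reply: string;
begin
  SSLHandler.PassThrough := True;         // plaintext connection first, on both ends
  Client.Connect;
  if UseTLS then
  begin
    Client.IOHandler.WriteLn('STARTTLS');
    Reply := Client.IOHandler.ReadLn;
    if Reply <> 'OK' then                 // user asked for TLS: do not silently stay in plaintext
      raise Exception.Create('Server refused TLS: ' + Reply);
    SSLHandler.PassThrough := False;      // client side of the handshake runs here
  end;
  Client.IOHandler.WriteLn('HELLO');      // encrypted from here on if UseTLS was checked
end;
```

A client that leaves the box unchecked simply never sends STARTTLS, so the server keeps that connection in PassThrough mode and the existing unencrypted clients work unchanged.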
Daniel Liljeberg

Posts: 5
Registered: 6/6/08
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 10:22 AM in response to: Remy Lebeau (TeamB)
Remy Lebeau (TeamB) wrote:
Daniel Liljeberg wrote:

You don't know of any direct code example for this?

Plenty of examples have been posted before.

Will the Client just fire off the STARTTLS request and then the Client
and Server "sort it out", or do I have to handle the actual steps of
handling that request, enabling SSL etc. on the Server?

Obviously, you have to write code to handle it on both ends. You have
to code the client to send the command, read the response, and set the
PassThrough to false. You have to code the server to read the command,
send the response, and set the PassThrough to false.

Noticed I jumped the gun a bit. I just assumed the code was using
Indy.... Turns out it uses the old deprecated SckComp.hpp with
TClientSocket and TServerSocket which I don't think have support for
SSL.

No, they do not.

Wonder how much work it would be to swap it for Indy sockets...

Not very hard. But, do note that Indy uses blocking sockets, so if you
are using the TClientSocket/TServerSocket in non-blocking mode, you
might have to change some other code to account for the different
paradigm.

It's quite a large system :P. Otherwise, one could perhaps SSL
encrypt the data manually and send it using the existing connections.

You could, yes. You can do that with OpenSSL if you use its BIO API so
you stay in control of the actual socket I/O and just push/pull data
through the encryption engine. Or, you can use Microsoft's
SChannel/Crypto API to do something similar.

--
Remy Lebeau (TeamB)

Of course, it's non-blocking :P
There were new components replacing these deprecated ones in later versions of C++ Builder, were there not? Don't remember their names right now. Do they support SSL natively?
Remy Lebeau (TeamB)


Posts: 9,447
Registered: 12/23/01
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 11:13 AM in response to: Daniel Liljeberg
Daniel Liljeberg wrote:

Of course, it's non-blocking :P
There were new components replacing these deprecated ones in later
versions of C++ Builder, were there not?

Yeah - Indy ;-)

In actuality, you are likely referring to the TTcpClient and TTcpServer
components in the Sockets unit. They were first introduced in D6/Kylix,
and have since been deprecated as well in favor of Indy.

Do they support SSL natively?

No.

--
Remy Lebeau (TeamB)
Daniel Liljeberg

Posts: 5
Registered: 6/6/08
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 12:21 PM in response to: Remy Lebeau (TeamB)
Remy Lebeau (TeamB) wrote:
Daniel Liljeberg wrote:

Of course, it's non-blocking :P
There were new components replacing these deprecated ones in later
versions of C++ Builder, were there not?

Yeah - Indy ;-)

In actuality, you are likely referring to the TTcpClient and TTcpServer
components in the Sockets unit. They were first introduced in D6/Kylix,
and have since been deprecated as well in favor of Indy.

Do they support SSL natively?

No.

--
Remy Lebeau (TeamB)

I guess it's Indy then :)... You don't know of any wrapper for C++ Builder that encapsulates Indy sockets and presents the "legacy" interface, so one could perhaps use it as a "drop-in replacement"? The best thing is of course to rewrite it, but the time just isn't there at the moment.
Remy Lebeau (TeamB)


Posts: 9,447
Registered: 12/23/01
Re: How to setup Indy Server / Client to use SSL if Client wishes it?
Posted: Jan 9, 2018 1:05 PM in response to: Daniel Liljeberg
Daniel Liljeberg wrote:

I guess it's Indy then :)...

Just because TClientSocket/TServerSocket are deprecated doesn't mean
you can't use them with SSL. I have projects that do.

You don't know of any wrapper for C++ Builder that encapsulates Indy
sockets and presents the "legacy" interface so one could perhaps use
it as a "drop-in replacement".

No.

--
Remy Lebeau (TeamB)