Is there some clear documentation for SSL/TLS encryption?


(tobygroves) #1

I’m looking to add encryption to our server and am thoroughly confused.

I know this was supposedly revamped/rewritten in v9 but this appears to be only .NET, is that the case?

I’ve found the sdk_ssl.zip example which works but this uses the IndyServer object contained within the TROIndyHTTPServer component and which doesn’t appear to be available in most of the servers. We’re using both HTTP and TCP server channels and I need to be able to add encryption to both.

All of the servers appear to have an Encryption property with several properties but I’ve no idea how these work or whether they’re related to SSL/TLS encryption.

Any help appreciated here as I’m totally lost.


(EvgenyK) #2

Hi,

Synapse-based servers have no proper SSL/TLS support.
Indy-based servers, TROWebBrokerServer & TROWinHttpServer - have.

All Indy-based servers have Server property where you can specify TIdServerIOHandlerSSLOpenSSL with certificate details.

TROWebBrokerServer - SSL/TLS can be specified in IIS server
TROWinHttpServer - SSL/TLS can be specified via netsh utility

also you can add message envelope like TROAESEncryptionEnvelope to your messages


(tobygroves) #3

Ok I’ll have a look. I’m using the TROSynapseSuperTCPServer at present for TCP but I’m prepared to change if necessary.

I thought the TROSuperTCPServer was the Indy-based equivalent but there doesn’t appear to be a Server property here. The TROIndyTCPServer has an IOServer property but I’m not sure what the other differences are between the “Super” and “non-Super” channels.

As an experiment, I tried switching to the basic TROIndyTCPServer/Channel, without any SSL stuff, just to see if everything still worked and hit some problems. The TROIndyTCPChannel seems to be missing the Active and ClientID properties of the Synapse component, why is this and where can I get hold of the client id?


(EvgenyK) #4

it has public Server property so it wasn’t shown in Object Inspector:

  TROSuperTCPServer = class(TROBaseSuperTCPServer)
...
  public
    property Server: TIdTCPServer read GetServer;
  end;

IndyServer here is also TIdTCPServer object.

You can set ClientID in Message component.
TROIndyTCPChannel hasn’t Active property because this property have no sense: this channel allows only to send something to server and receive response. it is way how to TCP works.


(tobygroves) #5

Ok I’ve switched out the synapse components for the TROSuperTCPServer which works fine.

When I then try to add the SSL logic, I’m getting a “Could not load SSL library” error.

I’ve basically copied across all the code from the sdk_ssl.zip example, and the two DLLs are in the EXE folder. I’ve also tried updating the two DLLs to more recent versions but to no avail.


(tobygroves) #6

It looks like this might be an Indy/SSL incompatibility. From what I can tell, early versions of Indy10 needed custom DLLs but later versions reverted to using the standard ones.

I’m on Delphi Tokyo 10.2.3 which seems to contain Indy 10.6.2 so shouldn’t this work with the standard SSL DLLs? I’ve tried downloading ones for OpenSSL 1.0.2p but get the same error?

I also can’t explain why the sdk_ssl.zip example works fine.


(EvgenyK) #7

have you implemented client/server-side events?


(tobygroves) #8

Not sure what you mean exactly. Yes I’m using events on the server to notify clients of changes etc.


(EvgenyK) #9

try to add

function TServerForm.IdServerIOHandlerSSLOpenSSL1VerifyPeer(
  Certificate: TIdX509; AOk: Boolean; ADepth: Integer): Boolean;
begin
   Result := True;
end;

will it change something or not?


(tobygroves) #10

No, still the same error unfortunately


(EvgenyK) #11

can you create a simple testcase that reproduces this issue?
I’ll review it


(tobygroves) #12

Well I’m trying to convert the sdk_ssl example to use the SuperTCPServer/Channel to see if that works or not


(tobygroves) #13

Ok I’ve converted the example to the TROSuperTCPServer/Channel and it works fine with the same SSL DLLs.

I now have no idea why my server can’t load the DLLs - I’m obviously doing something different but I can’t see what.


(tobygroves) #14

Found it - some other code of mine which I’d forgotten about was calling IdOpenSSLSetLibPath and screwing everything up. If I remove this then the server loads without an error (haven’t tested further functionality yet) but I do get a small memory leak on shutdown (TIdSSLContext and three UnicodeStrings)


(tobygroves) #15

All seems to work now, although I need to track down those memory leaks.

How can I verify that the comms are actually using SSL encryption?


(EvgenyK) #16

try to use wireshark or similar tool for capturing traffic
by other hand, you can try to communicate from unsecured client to secured server