tobygroves
(tobygroves)
November 5, 2020, 10:46am
1
I need some straightforward advice on secure comms between a RO client and server.
We use Delphi and our server and client currently use an un-encrypted connection as they’re only ever deployed on local networks where it’s not really a concern.
We now have a requirement where the server would be hosted in a VM in the cloud and local clients would need to connect to it across the Internet. This obviously requires a secure connection.
Whilst I played around with SSL stuff a while back, I’m still not very au fait with it all and am not sure what’s possible.
What’s the simplest way I could implement security on the client-server connection? This needs to “just work” with no intervention or configuration from the user as much as possible. Can someone please tell me, as simply as possible, how I could achieve this as I’m getting asked and just don’t have the answer.
Thanks.
EvgenyK
(Evgeny Karpov)
November 5, 2020, 10:54am
2
Hi,
Please read the SSL/TLS (Delphi) page.
Note:
For Indy and WinHTTP you should provide a valid certificate.
For socket servers, they can be generated on the fly.
tobygroves
(tobygroves)
November 5, 2020, 11:00am
3
Yes I’ve read that before but it glosses over some details.
It says the certificate can be auto-generated but how do I do this?
EvgenyK
(Evgeny Karpov)
November 5, 2020, 11:41am
4
Just set OpenSSL.SSLEnabled. If no certificate is provided, it will be generated on the fly.
You can specify some details for this certificate via the OnCertificateGenerating event.
tobygroves
(tobygroves)
November 5, 2020, 2:03pm
5
Ok, I’m using an IndySuperTCPServer component. I’ve dropped the SSL component on the server data module and connected it via the Server.IOHandler property.
I can’t see an OpenSSL or OpenSSL.Enable property anywhere - where is this?
The server starts up ok and is at least opening the OpenSSL DLLs as it throws an exception if they’re not present.
Do I need to do anything on the clients, as they won’t connect at all and behave as if the server isn’t there?
EvgenyK
(Evgeny Karpov)
November 5, 2020, 2:07pm
6
tobygroves:
Ok, I’m using an IndySuperTCPServer component. I’ve dropped the SSL component on the server data module and connected it via the Server.IOHandler property.
I can’t see an OpenSSL or OpenSSL.Enable property anywhere - where is this?
This works only for native (socket) servers.
From the SSL/TLS (Delphi) article:
Native (socket) servers
You should set OpenSSL.SSLEnabled to True. A certificate can be either loaded from a storage file on startup, or auto-generated the first time the server is run. If provided via file, it should be a PEM certificate. The password for the certificate can be specified via the corresponding OnPassword event.
Note: SSL support requires OpenSSL 1.1.x.
Check the Binaries (wiki.openssl) article for sites where you can download OpenSSL binaries.
tobygroves
(tobygroves)
November 5, 2020, 2:09pm
7
You mean SSL connectivity only works at all for those native (socket) servers and not the Indy ones?
If so what’s all the Indy stuff at the top of the article for?
EvgenyK
(Evgeny Karpov)
November 5, 2020, 2:19pm
8
Hi,
I meant that auto-generating the certificate and key works only for socket channels.
For Indy-based channels you should set up the TIdServerIOHandlerSSLOpenSSL class (i.e. specify certificate, key, etc.) manually.
You can find how to set up TIdServerIOHandlerSSLOpenSSL on Google.
tobygroves
(tobygroves)
November 5, 2020, 2:43pm
9
Ok I’ve switched over to TROSuperTcpServer but there doesn’t appear to be an OpenSSL property.
EvgenyK
(Evgeny Karpov)
November 5, 2020, 2:50pm
10
Hi,
What version of the SDK are you using?
Check ROVersion.inc:
TROSuperTcpServer = class(TROBaseSuperTCPServer)
...
published
..
{$IFDEF DELPHI10UP}{$REGION 'OpenSSL'}{$ENDIF}
property OpenSSL: TROOpenSSL read GetOpenSSL write SetOpenSSL;
/// <summary>
/// Allow to specify fields for self-signed certificate
/// </summary>
property OnCertificateGenerating:TROOpenSSLCertificateGenerating read GetCertificateGenerating write SetCertificateGenerating;
/// <summary>
/// allow to specify default password for encrypted PEM file
/// </summary>
property OnPassword: TROOpenSSLPassword read GetPassword write SetPassword;
/// <summary>
/// allow to use custom validation
/// </summary>
property OnVerifyCeft: TROOpenSSLVerifyCeft read GetVerifyCeft write SetVerifyCeft;
{$IFDEF DELPHI10UP}{$ENDREGION}{$ENDIF}
end;
EvgenyK
(Evgeny Karpov)
November 5, 2020, 2:59pm
12
As far as I can see, OpenSSL support was added in .1467:
New in .1467, December 5, 2019 (Preview)
Support for OpenSSL 1.1.1 in Delphi
tobygroves
(tobygroves)
November 5, 2020, 2:59pm
13
Ah ok, fair enough, I’ll upgrade a bit later and give it a try.
tobygroves
(tobygroves)
November 5, 2020, 4:30pm
14
Now I’m getting this when I try to start my server:
Application Error
Exception EROOpenSSLApi in module ClarityServer.exe at 008A9B44.
Cannot load libcrypto-1_1.dll.
Where do I get this file? I’ve only ever come across the regular libeay32 and ssleay32 DLLs before.
UPDATE: Never mind, found it.
tobygroves
(tobygroves)
November 5, 2020, 4:36pm
15
Ok well the server is running but the client just won’t connect.
Do I need to do anything on the client other than set SSLEnabled to True on the TROSuperTcpChannel component?
EvgenyK
(Evgeny Karpov)
November 6, 2020, 8:17am
16
Hi,
Have you specified the supertcps:// protocol instead of supertcp://, like supertcps://localhost:8095/bin?
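Two checks covering the two failures this thread runs into (the missing libcrypto-1_1.dll on the server, and a client URL left on the plaintext supertcp:// scheme). This is an added example written for this thread, not code from the RemObjects SDK or from either poster; it assumes Delphi XE3 or later for the string helper, and assumes libssl-1_1.dll is loaded alongside libcrypto-1_1.dll.

```delphi
unit RoTlsChecks;
// Added example for this thread, not code from the RemObjects SDK or from either poster.
// Only OpenSSL.SSLEnabled, the supertcps:// scheme and the libcrypto-1_1.dll name come from
// the thread; libssl-1_1.dll (its OpenSSL 1.1.x companion) is assumed to be needed as well.
interface
uses
  System.SysUtils, Winapi.Windows;

// Preflight for the EROOpenSSLApi "Cannot load libcrypto-1_1.dll" failure seen in the thread:
// returns False and lists the names that could not be loaded.
function OpenSslRuntimePresent(out AMissing: string): Boolean;
// Builds the client target URL with the TLS scheme; the default supertcp:// stays plaintext.
function TlsTargetUrl(const AHost: string; APort: Word): string;
// Guard to run before a client connects to the Internet-hosted server.
function UrlUsesTls(const AUrl: string): Boolean;

implementation

function OpenSslRuntimePresent(out AMissing: string): Boolean;
const
  Dlls: array[0..1] of string = ('libcrypto-1_1.dll', 'libssl-1_1.dll');
var
  Name: string;
  Handle: HMODULE;
begin
  AMissing := '';
  for Name in Dlls do
  begin
    Handle := LoadLibrary(PChar(Name));   // standard DLL search order, exe folder first
    if Handle = 0 then
      AMissing := AMissing + Name + ' '
    else
      FreeLibrary(Handle);
  end;
  Result := AMissing = '';
end;

function TlsTargetUrl(const AHost: string; APort: Word): string;
begin
  Result := Format('supertcps://%s:%d/bin', [AHost, APort]);  // e.g. supertcps://localhost:40000/bin
end;

function UrlUsesTls(const AUrl: string): Boolean;
begin
  Result := AUrl.StartsWith('supertcps://', True);   // case-insensitive scheme check
end;

end.
```

On the server, call OpenSslRuntimePresent before setting OpenSSL.SSLEnabled to True so a missing DLL is reported by name instead of as an address in an exception; on the client, refuse to connect when UrlUsesTls returns False, since the default supertcp:// value sends everything unencrypted.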
tobygroves
(tobygroves)
November 6, 2020, 9:18am
17
No I hadn’t, it was just at the default value of supertcp://localhost:40000 (I’m using port 40000).
I’ve now changed it to supertcps://localhost:40000/bin but still nothing at all.
EvgenyK
(Evgeny Karpov)
November 6, 2020, 9:31am
18
Can you check the MegaDemo example?
It allows using SSL for socket channels.
tobygroves
(tobygroves)
November 6, 2020, 11:04am
19
Yes, the MegaDemo works. I’ll have a look and try to work out what I’m doing differently.
tobygroves
(tobygroves)
November 6, 2020, 11:52am
20
I can’t see any functional difference between what I’m doing and what the MegaDemo is doing.
The demo doesn’t appear to actually set SSLEnabled = True on the client but it doesn’t matter if I do the same in mine anyway.
The only other difference I can see is the AES envelope in the ROBINMessage in the server - is this required?