Need some advice on secure comms

I need some straightforward advice on secure comms between a RO client and server.

We use Delphi and our server and client currently use an un-encrypted connection as they’re only ever deployed on local networks where it’s not really a concern.

We now have a requirement where the server would be hosted in a VM in the cloud and local clients would need to connect to it across the Internet. This obviously requires a secure connection.

Whilst I played around with SSL stuff a while back, I’m still not very au fait with it all and am not sure what’s possible.

What’s the simplest way I could implement security on the client-server connection? This needs to “just work” with no intervention or configuration from the user as much as possible. Can someone please tell me, as simply as possible, how I could achieve this as I’m getting asked and just don’t have the answer.

Thanks.

Hi,

Please read the SSL/TLS (Delphi) page.

Note:

  • for Indy and WinHTTP you should provide a valid certificate.
  • for socket servers, it can be generated on the fly.

Yes I’ve read that before but it glosses over some details.

It says the certificate can be auto-generated but how do I do this?

Just set OpenSSL.SSLEnabled. If no certificate is provided, it will be generated on the fly.
You can specify some details for this certificate via the OnCertificateGenerating event.

Ok, I’m using an IndySuperTCPServer component. I’ve dropped the SSL component on the server data module and connected it via the Server.IOHandler property.

I can’t see an OpenSSL or OpenSSL.Enable property anywhere - where is this?

The server starts up ok and is at least opening the OpenSSL DLLs as it throws an exception if they’re not present.

Do I need to do anything on the clients, as they won’t connect at all and behave as if the server isn’t there?

This works only for native (socket) servers.

From the SSL/TLS (Delphi) article:

You mean SSL connectivity only works at all for those native (socket) servers and not the Indy ones?

If so what’s all the Indy stuff at the top of the article for?

Hi,

I meant that auto-generating the certificate and key works only for socket channels.

For Indy-based channels you should set up the TIdServerIOHandlerSSLOpenSSL class (i.e. specify the certificate, key, etc.) manually.

You can find how to set up TIdServerIOHandlerSSLOpenSSL on Google.

Ok, I’ve switched over to TROSuperTcpServer but there doesn’t appear to be an OpenSSL property.

Hi,

What version of the SDK are you using?
Check ROVersion.inc:

  TROSuperTcpServer = class(TROBaseSuperTCPServer)
...
  published
..
    {$IFDEF DELPHI10UP}{$REGION 'OpenSSL'}{$ENDIF}
    property OpenSSL: TROOpenSSL read GetOpenSSL write SetOpenSSL;
    /// <summary>
    ///   Allow to specify fields for self-signed certificate
    /// </summary>
    property OnCertificateGenerating:TROOpenSSLCertificateGenerating read GetCertificateGenerating write SetCertificateGenerating;
    /// <summary>
    ///   allow to specify default password for encrypted PEM file
    /// </summary>
    property OnPassword: TROOpenSSLPassword read GetPassword write SetPassword;
    /// <summary>
    ///   allow to use custom validation
    /// </summary>
    property OnVerifyCeft: TROOpenSSLVerifyCeft read GetVerifyCeft write SetVerifyCeft;
    {$IFDEF DELPHI10UP}{$ENDREGION}{$ENDIF}
  end;

10.0.0.1463

As far as I can see, OpenSSL support was added in .1467:

New in .1467, December 5, 2019 (Preview)

  • Support for OpenSSL 1.1.1 in Delphi

Ah ok, fair enough, I’ll upgrade a bit later and give it a try.

Now I’m getting this when I try to start my server:

Application Error

Exception EROOpenSSLApi in module ClarityServer.exe at 008A9B44.
Cannot load libcrypto-1_1.dll.

Where do I get this file? I’ve only ever come across the regular libeay32 and ssleay32 DLLs before.

UPDATE: Never mind, found it

Ok, well the server is running but the client just won’t connect.

Do I need to do anything on the client other than set SSLEnabled to True on the TROSuperTcpChannel component?

Hi,

Have you specified the supertcps:// protocol instead of supertcp://, like supertcps://localhost:8095/bin?
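As an added example (not code from this thread or from the RemObjects SDK), here is one way the pieces mentioned so far could be wired together in Delphi, with the client pinning the SHA-256 fingerprint of the server's auto-generated certificate so that an on-the-fly self-signed certificate is still actually authenticated rather than accepted blindly. The unit names, the OpenSSL.Enabled and TargetUrl property names, the client-side OnVerifyCeft event and all event-handler signatures are assumptions (marked ASSUMED in the code); the thread only shows the property and event names, not their parameters.

```delphi
unit SecureComms; // added example, not code from the thread or the RemObjects SDK
interface
uses
  System.SysUtils, System.Hash,
  uROSuperTcpServer, uROSuperTcpChannel; // ASSUMED unit names
const
  // SHA-256 of the server's DER certificate, hex. Placeholder: record it from the server after its first start.
  PINNED_SERVER_CERT_SHA256 = '<PASTE-SERVER-CERT-SHA256-HERE>';
function CertFingerprintMatches(const aDerCert: TBytes; const aPinnedHex: string): Boolean;
procedure ConfigureServer(aServer: TROSuperTcpServer);
procedure ConfigureClient(aChannel: TROSuperTcpChannel);
implementation
type
  TSslHooks = class
    // ASSUMED signatures: the thread names these events but shows no parameters.
    class procedure CertificateGenerating(Sender: TObject; var aCommonName: string);
    class procedure VerifyCert(Sender: TObject; const aDerCert: TBytes; var aAllowed: Boolean);
  end;
function CertFingerprintMatches(const aDerCert: TBytes; const aPinnedHex: string): Boolean;
var
  Hasher: THashSHA2;
begin
  Hasher := THashSHA2.Create; // SHA-256 by default
  Hasher.Update(aDerCert);
  Result := SameText(Hasher.HashAsString, StringReplace(aPinnedHex, ':', '', [rfReplaceAll]));
end;
class procedure TSslHooks.CertificateGenerating(Sender: TObject; var aCommonName: string);
begin
  aCommonName := 'clarity-server'; // subject of the self-signed certificate (constructed value)
end;
class procedure TSslHooks.VerifyCert(Sender: TObject; const aDerCert: TBytes; var aAllowed: Boolean);
begin
  // Accept only the pinned certificate; anything else is a misconfigured or impersonated server.
  aAllowed := CertFingerprintMatches(aDerCert, PINNED_SERVER_CERT_SHA256);
end;

procedure ConfigureServer(aServer: TROSuperTcpServer);
begin
  aServer.OpenSSL.Enabled := True; // ASSUMED property name; the thread writes OpenSSL.SSLEnabled
  aServer.OnCertificateGenerating := TSslHooks.CertificateGenerating;
end;

procedure ConfigureClient(aChannel: TROSuperTcpChannel);
begin
  // supertcps:// scheme, port 40000 and /bin path are from the thread; the host is constructed
  aChannel.TargetUrl := 'supertcps://server.example.com:40000/bin'; // ASSUMED property name
  aChannel.SSLEnabled := True;
  aChannel.OnVerifyCeft := TSslHooks.VerifyCert; // ASSUMED: client-side counterpart of the server event
end;
end.
```

Without a pin (or a certificate chained to a CA the client trusts), a client that merely sets SSLEnabled gets encryption but no server authentication, so anyone on the path who terminates the TLS session is accepted.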

No, I hadn’t; it was just at the default value of supertcp://localhost:40000 (I’m using port 40000).

I’ve now changed it to supertcps://localhost:40000/bin but still nothing at all.

Can you check the MegaDemo example?
It allows using SSL for socket channels.

Yes, the MegaDemo works, I’ll have a look and try to work out what I’m doing differently.

I can’t see any functional difference between what I’m doing and what the MegaDemo is doing.

The demo doesn’t appear to actually set SSLEnabled = True on the client, but it doesn’t matter if I do the same in mine anyway.

The only other difference I can see is the AES envelope in the ROBINMessage in the server - is this required?