Need some advice on secure comms

I need some straightforward advice on secure comms between a RO client and server.

We use Delphi and our server and client currently use an un-encrypted connection as they’re only ever deployed on local networks where it’s not really a concern.

We now have a requirement where the server would be hosted in a VM in the cloud and local clients would need to connect to it across the Internet. This obviously requires a secure connection.

Whilst I played around with SSL stuff a while back, I’m still not very au fait with it all and am not sure what’s possible.

What’s the simplest way I could implement security on the client-server connection? This needs to “just work” with no intervention or configuration from the user as much as possible. Can someone please tell me, as simply as possible, how I could achieve this as I’m getting asked and just don’t have the answer.



pls read SSL/TLS (Delphi) page


  • for Indy and WinHTTP you should provide valid certificate.
  • for socket servers - they can be generate on fly.

Yes I’ve read that before but it glosses over some details.

It says the certificate can be auto-generated but how do I do this?

just set OpenSSL.SSLEnabled. if no certificate is provided, it will be generated on-fly.
you can specify some details for this certificate via the OnCertificateGenerating event

Ok, I’m using an IndySuperTCPServer component. I’ve dropped the SSL component on the server data module and connected it via the Server.IOHandler property.

I can’t see an OpenSSL or OpenSSL.Enable property anywhere - where is this?

The server starts up ok and is at least opening the OpenSSL DLLs as it throws an exception if they’re not present.

Do I need to do anything on the clients as they won’t connect at all and behave as if the server isn’t there.

this works only for native (socket) servers.

from SSL/TLS (Delphi) article:

You mean SLL connectivity only works at all for those native (socket) servers and not the Indy ones?

If so what’s all the Indy stuff at the top of the article for?


I meaned that autogenerating of certificate and key works only for sockets channels

for Indy-based channels you should set up TIdServerIOHandlerSSLOpenSSL class (i.e. specify certificate, key, etc) manually.

you can find how to set up TIdServerIOHandlerSSLOpenSSL in google.

Ok I’ve switched over to TROSuperTcpServer but there doesn’t appear to be an OpenSSL property.


what version of SDK are you using?

  TROSuperTcpServer = class(TROBaseSuperTCPServer)
    property OpenSSL: TROOpenSSL read GetOpenSSL write SetOpenSSL;
    /// <summary>
    ///   Allow to specify fields for self-signed certificate
    /// </summary>
    property OnCertificateGenerating:TROOpenSSLCertificateGenerating read GetCertificateGenerating write SetCertificateGenerating;
    /// <summary>
    ///   allow to specify default password for encrypted PEM file
    /// </summary>
    property OnPassword: TROOpenSSLPassword read GetPassword write SetPassword;
    /// <summary>
    ///   allow to use custom validation
    /// </summary>
    property OnVerifyCeft: TROOpenSSLVerifyCeft read GetVerifyCeft write SetVerifyCeft;

As I can see, OpenSSL support was added since .1467:

New in .1467, December 5, 2019 (Preview)

  • Support for OpenSSL 1.1.1 in Delphi

Ah ok fair enough, I’ll upgrade a bit later a give it a try.

Now I’m getting this when I try to start my server:

Application Error

Exception EROOpenSSLApi in module ClarityServer.exe at 008A9B44.
Cannot load libcrypto-1_1.dll.

Where do I get this file? I’ve only ever come across the regular libeay32 and ssleay32 DLLs before.

UPDATE: Never mind, found it

Ok well the server is running but the client just won’t connect.

Do I need to do anything on the client other than set SSLEnabled to True on the TROSuperTcpChannel component?


have you specify supertcps:// protocol instead of supertcp:// like supertcps://localhost:8095/bin ?

No I hadn’t it was just at the default value of supertcp://localhost:40000 (i’m using port 40000)

I’ve now changed it to supertcps://localhost:40000/bin but still nothing at all.

Can you check the MegaDemo example?
it allows to use SSL for socket channels

Yes the MegaDemo works, I’ll have a look and try to work out what I’m doing differently

I can’t see any functional difference between what I’m doing and what the MegaDemo is doing.

The demo doesn’t appear to actually set SSLEnabled = True on the client but it doesn’t matter if I do the same in mine anyway.

The only other difference I can see is the AES envelope in the ROBINMessage in the server - is this required?