These are chat archives for IndySockets/Indy

12th Dec 2016
Mauro Botta
@maurobotta
Dec 12 2016 11:41
@rlebeau Hi Remy, do you have any update on TLS 1.2 support in Indy?

From the EMB forum: https://forums.embarcadero.com/thread.jspa?messageID=870089&#870089

Apple will require TLS v1.2 from 1 Jan 2017, and Delphi doesn't support it (DataSnap app). Are there any workarounds?
I need DataSnap TCP mode (standalone .exe server) to support TLS 1.2 on Berlin Update 2.
Remy, thank you for the Indy support. Are there any updates on it?

Some links:

https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/
https://plus.google.com/103013776067604117964/posts/b3Si46bjnwA
https://indy.fulgan.com/indy10.changelog.txt

Ludwig Behm
@lbehm
Dec 12 2016 13:17
@maurobotta Are we talking about HTTPS? If so, it should be possible.
I don't know about Delphi, but in C++ (Berlin Update 1) I simply set ((TIdServerIOHandlerSSLOpenSSL*) Server->IOHandler)->SSLOptions->SSLVersions = TIdSSLVersions(32);
Oh, do you mean direct TCP socket connections on port 211? I think Apple only cares about HTTPS, so you should be fine.
Remy Lebeau
@rlebeau
Dec 12 2016 17:45
@maurobotta Indy has supported TLS 1.2 for a while now. If Embarcadero does not use TLS 1.2 in DataSnap, that is on them.
@devimplode SSLVersions = TIdSSLVersions(32); is not good syntax to use; it depends on an implementation detail of how Sets are laid out in memory. You should use SSLVersions = TIdSSLVersions() << sslvTLSv1_2; instead.
Ludwig Behm
@lbehm
Dec 12 2016 17:51
@rlebeau I tried that... (yes, I read the manual =D) but didn't get it to work. Does my attempt create problems in memory?
Remy Lebeau
@rlebeau
Dec 12 2016 17:54
@devimplode the syntax I showed works fine. Your type-cast will technically work, no problem with memory, but it isn't very readable or well-known. I didn't even know Set had a constructor like that until I looked at it just now.
Ludwig Behm
@lbehm
Dec 12 2016 17:57
@rlebeau thanks for the info!^^ The goal was to make it configurable. My result:
// Bitmask built by hand: bit n stands for the TIdSSLVersion with ordinal n
int _SSLProtocols_ = 0;
TStringList *protoList = new TStringList('"', ':');
protoList->DelimitedText = "tlsv1:tlsv1_1:tlsv1_2";
if (protoList->IndexOf("ssl2") >= 0)
    _SSLProtocols_ = _SSLProtocols_ | 1  /* 1 << sslvSSLv2 */;
if (protoList->IndexOf("ssl3") >= 0)
    _SSLProtocols_ = _SSLProtocols_ | 4  /* 1 << sslvSSLv3 (bit 2 is sslvSSLv23) */;
if (protoList->IndexOf("tlsv1") >= 0)
    _SSLProtocols_ = _SSLProtocols_ | 8  /* 1 << sslvTLSv1 */;
if (protoList->IndexOf("tlsv1_1") >= 0)
    _SSLProtocols_ = _SSLProtocols_ | 16 /* 1 << sslvTLSv1_1 */;
if (protoList->IndexOf("tlsv1_2") >= 0)
    _SSLProtocols_ = _SSLProtocols_ | 32 /* 1 << sslvTLSv1_2 */;
delete protoList;  // the list is only needed for parsing

SSLHandler->SSLOptions->SSLVersions = TIdSSLVersions(_SSLProtocols_);
Remy Lebeau
@rlebeau
Dec 12 2016 18:19
This is the intended way to use it:
TIdSSLVersions _SSLProtocols_;
...
_SSLProtocols_ = TIdSSLVersions();  // start from an empty set
TStringList *protoList = new TStringList('"', ':');
protoList->DelimitedText = "tlsv1:tlsv1_1:tlsv1_2";
// add each requested protocol version to the set with operator<<
if (protoList->IndexOf("ssl2") != -1)
    _SSLProtocols_ << sslvSSLv2;
if (protoList->IndexOf("ssl3") != -1)
    _SSLProtocols_ << sslvSSLv3;
if (protoList->IndexOf("tlsv1") != -1)
    _SSLProtocols_ << sslvTLSv1;
if (protoList->IndexOf("tlsv1_1") != -1)
    _SSLProtocols_ << sslvTLSv1_1;
if (protoList->IndexOf("tlsv1_2") != -1)
    _SSLProtocols_ << sslvTLSv1_2;
delete protoList;  // free the temporary list

SSLHandler->SSLOptions->SSLVersions = _SSLProtocols_;
Ludwig Behm
@lbehm
Dec 12 2016 18:51
Yep, it works now. Thank you @rlebeau!
Ludwig Behm
@lbehm
Dec 12 2016 19:00
While we're talking about SSL... how hard would it be to implement OCSP stapling? =)
Remy Lebeau
@rlebeau
Dec 12 2016 20:05
@devimplode Never heard of it.