These are chat archives for IndySockets/Indy

15th
May 2017
DelphiWorlds
@DelphiWorlds
May 15 2017 11:52
@rlebeau When you have time, can you clarify something for me? Using another (Windows) NNTP client, I get this error when attempting to connect:
"Error connecting with SSL. - error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small"
When I researched this earlier, it seems to indicate that EMBT have not updated their SSL libraries on the forums server. I'd like to be able to send a rocket their way and have someone fix it, if that is indeed the case
(If it isn't clear: I mean connecting to EMBT's newsgroups)
Remy Lebeau
@rlebeau
May 15 2017 17:47
@DelphiWorlds The DH error is a known issue, and a simple workaround: https://forums.embarcadero.com/thread.jspa?threadID=249192#884029 "A simple client fix is to change the OpenSSL cipher list to exclude DH ciphers, by adding :!DH: within the existing cipher list, I've just changed mine to: 'ALL:!ADH:!DH:RC4+RSA:+SSLv2:@STRENGTH' and now the latest OpenSSL 1.1.0e connects". You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property for that.
DelphiWorlds
@DelphiWorlds
May 15 2017 19:32
Is there a particular message in that thread that refers to these details? When I go to that link, it takes me to the first message.
Remy Lebeau
@rlebeau
May 15 2017 19:58
@DelphiWorlds The link I gave you above should jump right to the specific message that explains the issue and the CipherList workaround (the jump works fine for me). If your browser is not jumping to that message, your browser is being stupid. Just read the message from Angus Robertson on Apr 20 2017, it explains the DH issue and gives the workaround
DelphiWorlds
@DelphiWorlds
May 15 2017 20:22
Why is the workaround necessary for EMBT's server?
DelphiWorlds
@DelphiWorlds
May 15 2017 20:34
Never mind.. the answer is in his details.. which I have already read before. I blame the 'flu that I'm recovering from ;-)
Remy Lebeau
@rlebeau
May 15 2017 20:36
@DelphiWorlds Yes, per the discussion: "The essential issue is the server is using DHParams with less than 768 bits, which are needed to support DH ciphers. To prevent the Logjam attack, OpenSSL 1.0.2e and later will not connect with DHParams less than 768 bits, giving dh key too small ... The proper fix would be to create new DHParams for the Jive server, with 1,024 bits or later"
DelphiWorlds
@DelphiWorlds
May 15 2017 20:39
thanks