Remy Lebeau
@rlebeau
@jpluimers for "max total connections", TIdTCPServer has a MaxConnections property. For "connections per second", you will have to implement your own throttling in the TIdTCPServer.OnConnect event, disconnecting new connections that arrive too quickly. For "traffic size per second", you can assign a TIdInterceptThrottler object to a connection's Intercept property.
mezen
@mezen
Does a tutorial (or a bunch of them) exist somewhere on how to use Indy with OpenSSL (1.0.2) with (nearly) secure settings? (For example, how to use only secure ciphers, how to use PFS, how to use certificates from the Windows certificate store, the correct setting for verify depth, and whatever I am still not aware of)
Ludwig Behm
@lbehm
@mezen Server or client?
mezen
@mezen
I am interested in both
Ludwig Behm
@lbehm
I should really make a public repo someday... I don't know about the client side, but for the server implementation you will have to set something like this:
TIdCustomHTTPServer *Server = /* get your Indy server instance here */;
TIdServerIOHandlerSSLOpenSSL *SSLHandler;
if (Server->IOHandler == NULL)
    Server->IOHandler = SSLHandler = new TIdServerIOHandlerSSLOpenSSL();
else
    SSLHandler = (TIdServerIOHandlerSSLOpenSSL*) Server->IOHandler;
SSLHandler->SSLOptions->RootCertFile = "";
SSLHandler->SSLOptions->CertFile = "path/to/cert.pem";
SSLHandler->SSLOptions->KeyFile = "path/to/cert.key";
SSLHandler->SSLOptions->Mode = Idsslopenssl::sslmServer;
SSLHandler->SSLOptions->VerifyDepth = 0;
SSLHandler->SSLOptions->SSLVersions = TIdSSLVersions();
SSLHandler->SSLOptions->SSLVersions << sslvTLSv1 << sslvTLSv1_1 << sslvTLSv1_2;
SSLHandler->SSLOptions->CipherList = "ALL:!LOW:!SSLv2:!aNULL:!aECDH:!eNULL:!EXP:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH";
Server->OnQuerySSLPort = (TIdHTTPQuerySSLPortEvent)&IdQuerySSLPortHandler; // Callback to decide if we are on https port

// Adding the following list of headers in every response
//"X-Content-Type-Options:nosniff;X-Frame-Options:DENY;Strict-Transport-Security:max-age=31536000;\"Content-Security-Policy:style-src 'self' 'unsafe-inline'; img-src 'self' data:; default-src 'self';\";\"X-XSS-Protection:1; mode=block\""
// I read them in from config file, pass them through a TStringList('"', ';') with NameValueSeparator=':' and append them in every Response with ResponseInfo->CustomHeaders->Assign()
mezen
@mezen
For choosing the ciphers I am following the advice from the German Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI).
Also, with your source you don't have PFS; for this I am using
// Requires IdSSLOpenSSL, IdSSLOpenSSLHeaders and IdCTypes in the uses clause.
type
  // Descendant declared only to reach the non-public fContext field
  TIdSSLContextAccessor = class(TIdSSLContext);

function SSL_CTX_set_ecdh_auto(ctx: PSSL_CTX; m: TIdC_LONG): TIdC_LONG; inline;
const
  SSL_CTRL_SET_ECDH_AUTO = 94;
begin
  Result := SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, m, nil);
end;

procedure PatchSSLContext(const AContext: TIdSSLContext);
var
  ctx: PSSL_CTX;
begin
  ctx := TIdSSLContextAccessor(AContext).fContext;
  // SSL_OP_CIPHER_SERVER_PREFERENCE:
  // When choosing a cipher, use the server's preferences instead of the
  // client preferences. When not set, the SSL server will always follow the
  // clients preferences. When set, the SSL/TLS server will choose following
  // its own preferences.
  // SSL_OP_SINGLE_DH_USE:
  // Always create a new key when using temporary/ephemeral DH parameters
  // (see SSL_CTX_set_tmp_dh_callback). This option must be used to prevent
  // small subgroup attacks, when the DH parameters were not generated using
  // "strong" primes (e.g. when using DSA-parameters, see dhparam). If
  // "strong" primes were used, it is not strictly necessary to generate a new
  // DH key during each handshake but it is also recommended.
  // SSL_OP_SINGLE_DH_USE should therefore be enabled whenever
  // temporary/ephemeral DH parameters are used.
  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE or SSL_OP_SINGLE_DH_USE);
  // SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION:
  // Allow legacy insecure renegotiation between OpenSSL and unpatched clients or servers
  SSL_CTX_clear_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  SSL_CTX_set_ecdh_auto(ctx, 1);
end;
I found some stuff on my own, but with every problem I find, I am more unsure what other problems exist that I am still not aware of. Because of this I hoped a tutorial with more information existed somewhere :(
Jeroen Wiert Pluimers
@jpluimers
@rlebeau thanks a lot!
Sam B
@SamBirnbaum
Using Delphi XE5 and Indy IdHTTP and IdSSLOpenSSL and receiving HTTP 1.1 error 502 Bad Gateway. Has anyone else run into this, and if yes, what is the solution, if any? I have used this before and it has worked flawlessly. Seems to be a problem with one particular web server. Any help would be appreciated. Thanks in advance.
Kudzu
@czhower
502 is not an error from Indy, it's an error code from the server that Indy is passing back to you.
"The 502 Bad Gateway error is an HTTP status code that means that one server on the internet received an invalid response from another server."
Sam B
@SamBirnbaum
@czhower Thanks. I did research that and that is what I read, but I was wondering if some settings in the Indy component can contribute to this problem. I don't have a problem accessing other websites with Indy. I did notice that there are newer DLLs (libeay32.dll, ssleay32.dll) than what I currently have; could that be the cause?
@czhower I am currently using version 1.0.0g of the DLLs and the new version is 1.0.2k. Do you know if the newer versions will function correctly with programs developed with the Indy components shipped with Delphi XE5?
Kudzu
@czhower
@rlebeau would be the one to speak about SSL versions.
Sam B
@SamBirnbaum
@czhower Thanks. Just tried the new versions with the site that is giving me the problem and the error persists. I will try the newer versions with other sites and will update with the results.
Sam B
@SamBirnbaum
@czhower Ok, tried the newer versions accessing the sites that did NOT give me any problem before and all worked well. So it seems that this particular site might have an internal problem. Thanks again for your response and help.
Kudzu
@czhower
glad to help
mezen
@mezen
In HTTP the error code range 5xx is for server errors; as an HTTP client you can't do anything about it most of the time :-\
Kudzu
@czhower
actually all 3-digit codes are server responses.... 2xx status, 3xx temp errors, 4xx perm errors, 5xx internal errors
Ludwig Behm
@lbehm
@czhower of course all http response codes are responses from the server. But 4xx for example are specific for problems with the client request.
Kudzu
@czhower
No, 3xx are temporary errors that can be remedied by responding to the 3xx by the client. Check the RFC :)
Either they have reworded or Wikipedia has it wrong
originally it was 1xx info, 2xx status, 3xx temp error, 4xx perm error, 5xx software bugs / unknown
mezen
@mezen
You mean RFC2616? https://tools.ietf.org/html/rfc2616#section-6
3xx: Redirection - Further action must be taken in order to complete the request
Ludwig Behm
@lbehm
@czhower I mean it should be obvious that 301 Moved Permanently can't be a temporary error.
@mezen better ref which is kinda current internet standard: https://tools.ietf.org/html/rfc7231#section-6.4
Kudzu
@czhower
It's a "temporary" error in the fact that the client can fix it by following instructions - which can't happen with 4 or 5.
Ludwig Behm
@lbehm
@czhower I think you are looking for something like "remediable error"
if not: rfc or didn't happen!? ^_^
Kudzu
@czhower
I think I'm thinking of another doc that outlines what TCP text servers in general are supposed to follow, and HTTP does follow it. I can't find it now, but I've been working with the RFCs since the early 90s (and then many of the current ones were from the 70s/80s) and I'm sure one of the early ones put it forth this way, and most like NNTP etc follow or get it close (SMTP) etc
Kudzu
@czhower
and then there is the horrible aberration - POP3
Remy Lebeau
@rlebeau
Not all 3xx responses are redirects. 304 in particular is a response to a conditional GET to indicate the requested resource has not changed since the last time it was requested so the client can keep using its previously cached copy.
Kudzu
@czhower
exactly - a "fixable" condition.
although some might say that is a redirect too, to a cached copy
Sam B
@SamBirnbaum
@rlebeau Hi, regarding the 502 error that I am receiving, according to the IT person at the site that I am trying to access using Indy, they don't see any problems on their end. Is it possible for you to try to access 'HTTPS://api.iextrading.com/1.0/tops?symbols=AAPL%2b' using Indy and see if you receive the same gateway error 502? Would appreciate all the help I can receive. Thanks in advance. Sam
Remy Lebeau
@rlebeau
@SamBirnbaum works fine for me, I get a JSON document that says '[null]'
Sam B
@SamBirnbaum
What version of Indy are you using? I am using the version with XE5. Any special settings in the handler or the IdHTTP component? I can access the site using the browser without a problem but get this error through the program.
Tried to use the REST client and I get the same error.
Sam B
@SamBirnbaum
Is it possible for you to create a simple exe with one button in it to execute on my PC? I would love to see if it is some setting here that is causing this.
If your program works, then it's something with my version of Delphi XE5 that is causing this problem with this site.
Remy Lebeau
@rlebeau
@SamBirnbaum I'm using the latest nightly snapshot, and using all defaults in TIdHTTP
Sam B
@SamBirnbaum
@rlebeau snapshot of what?
Remy Lebeau
@rlebeau
@SamBirnbaum SVN snapshot of Indy
Sam B
@SamBirnbaum
@rlebeau is it on GitHub?
Remy Lebeau
@rlebeau
@SamBirnbaum no, on Indy's own SVN server. http://www.indyproject.org/Sockets/Docs/Indy10Installation.aspx
Sam B
@SamBirnbaum
@rlebeau Do I first remove this component from Delphi and install this new version, or just install it over this version?
Remy Lebeau
@rlebeau
@SamBirnbaum read the instructions
@SamBirnbaum but first, I suggest you compare the HTTP request that the browser sends to the HTTP request that TIdHTTP sends, see what the differences are
Sam B
@SamBirnbaum
@rlebeau Thank you very much. I will certainly read the instructions. Quick question, how can I compare what the browser sends (Firefox) vs the TIdHTTP?
Remy Lebeau
@rlebeau
@SamBirnbaum pretty much every modern browser has a debug tool for viewing the raw HTTP messages being exchanged. On the Indy side, since you are dealing with HTTPS, you can either use a debugging proxy like Fiddler, or simply attach one of the TIdLog... components to the TIdHTTP.Intercept property.