【Question title】: How to enable Perfect Forward Secrecy in Indy 10?
【Posted】: 2019-02-20 22:48:32
【Question】:

I am using OpenSSL 1.0.2o with Indy 10.6.2 in Delphi 2010.

This is what I have done so far:

procedure TServerForm.FormCreate(Sender: TObject);
var
  LEcdh: PEC_KEY;
  FSslCtx: PSSL_CTX;
  SSL: PSSL;
  FSSLContext: TIdSSLContext;
begin
  //mServer.Active := True;
  FSingle:=TCriticalSection.Create;
  appdir := ExtractFilePath(ParamStr(0));
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
    //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
    'ECDHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES256-GCM-SHA384:' +
    //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
    //'DHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES128-SHA256:' +
    //'DHE-RSA-AES128-SHA256:' +
    //'ECDHE-RSA-AES256-SHA384:' +
    //'DHE-RSA-AES256-SHA384:' +
    //'ECDHE-RSA-AES256-SHA256:' +
    //'DHE-RSA-AES256-SHA256:' +
    'HIGH:' +
    '!aNULL:' +
    '!eNULL:' +
    '!EXPORT:' +
    '!DES:' +
    '!RC4:' +
    '!MD5:' +
    '!PSK:' +
    '!SRP:' +
    '!CAMELLIA';

  MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  mServer.Active := True;
  //FSSLContext := TIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
end;

This does not work.

Does anyone have a good suggestion?

【Question discussion】:

    Tags: https openssl delphi-2010 tls1.2 indy10


    【Solution 1】:

    First, make sure you update your Indy version to the latest SVN snapshot. After a previous discussion with Roberto Frances on the Embarcadero forums, I added SSL_CTRL_SET_ECDH_AUTO and SSL_CTX_set_ecdh_auto() to Indy's IdSSLOpenSSLHeaders unit.

    So, the only piece missing from the code in that other discussion is the definition of TMyIdSSLContext, which I believe is this:

    type
      TMyIdSSLContext = class(TIdSSLContext)
      end;
    

    Since the TIdSSLContext.fContext member is declared as protected, the unit that declares TMyIdSSLContext can access the protected members of TIdSSLContext. So, your code could look like this:

    type
      TMyIdSSLContext = class(TIdSSLContext)
      end;
    
    procedure TServerForm.FormCreate(Sender: TObject);
    var
      FSSLContext: TMyIdSSLContext;
    begin
      FSingle := TCriticalSection.Create;
      appdir := ExtractFilePath(ParamStr(0));
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
      IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
        //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
        'ECDHE-RSA-AES128-GCM-SHA256:' +
        //'ECDHE-RSA-AES256-GCM-SHA384:' +
        //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
        //'DHE-RSA-AES128-GCM-SHA256:' +
        //'ECDHE-RSA-AES128-SHA256:' +
        //'DHE-RSA-AES128-SHA256:' +
        //'ECDHE-RSA-AES256-SHA384:' +
        //'DHE-RSA-AES256-SHA384:' +
        //'ECDHE-RSA-AES256-SHA256:' +
        //'DHE-RSA-AES256-SHA256:' +
        'HIGH:' +
        '!aNULL:' +
        '!eNULL:' +
        '!EXPORT:' +
        '!DES:' +
        '!RC4:' +
        '!MD5:' +
        '!PSK:' +
        '!SRP:' +
        '!CAMELLIA';
    
      MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
      mServer.Active := True;
    
      FSSLContext := TMyIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
      SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);
    end;
    

    【Discussion】:
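One check worth running against the cipher string used in the question and the answer: it opens with ECDHE-RSA-AES128-GCM-SHA256 but then appends HIGH:, and HIGH also admits suites with static RSA key exchange (AES128-GCM-SHA256, AES256-SHA and so on), which provide no forward secrecy. A server whose ECDHE suites are silently unavailable (for example because no ECDH curve was configured, which is what SSL_CTX_set_ecdh_auto fixes) will therefore still complete handshakes, just without PFS. The script below is an added example, not code from the question or the answer. It uses Python's ssl module, which hands the same OpenSSL cipher-string grammar to SSL_CTX_set_cipher_list that Indy does, to expand a cipher string and list every TLS 1.2 suite whose key exchange is not ephemeral (EC)DH. The PFS_ONLY_CIPHER_LIST string is an assumed tightened alternative, not one from the page; the exact suites reported depend on the OpenSSL build linked into the Python interpreter.

```python
import ssl

# Cipher string from the question, with its commented-out entries dropped.
QUESTION_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:"
    "!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
)

# Assumed alternative (not from the page): only ephemeral (EC)DH key exchange
# with AEAD ciphers is admitted, so every selected suite is forward secret.
PFS_ONLY_CIPHER_LIST = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def expand_cipher_list(cipher_list):
    """Let the OpenSSL linked into Python expand a cipher string.

    Returns the list of dicts that SSLContext.get_ciphers() produces; each
    dict carries OpenSSL's own one-line description of the suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_list)
    return ctx.get_ciphers()


def key_exchange(cipher):
    """Extract the 'Kx=' token from OpenSSL's cipher description."""
    for token in cipher["description"].split():
        if token.startswith("Kx="):
            return token[3:]
    return "unknown"


def is_forward_secret(cipher):
    """True for ephemeral (EC)DH key exchange and for TLS 1.3 suites.

    TLS 1.3 suites are described with 'Kx=any' because the protocol itself
    only offers (EC)DHE key exchange.
    """
    kx = key_exchange(cipher)
    return kx == "any" or kx.startswith("ECDH") or kx.startswith("DH")


def non_forward_secret_suites(cipher_list):
    """Names of the suites a cipher string admits that lack forward secrecy."""
    return sorted(
        c["name"] for c in expand_cipher_list(cipher_list)
        if not is_forward_secret(c)
    )


def report(cipher_list):
    """Print a per-suite verdict so the weak tail of a list is visible."""
    for c in expand_cipher_list(cipher_list):
        verdict = "PFS" if is_forward_secret(c) else "NO PFS"
        print(f"{verdict:7} {c['protocol']:8} Kx={key_exchange(c):6} {c['name']}")


if __name__ == "__main__":
    print("== cipher string from the question ==")
    report(QUESTION_CIPHER_LIST)
    print("non-PFS suites admitted:", non_forward_secret_suites(QUESTION_CIPHER_LIST))
    print("== assumed PFS-only string ==")
    print("non-PFS suites admitted:", non_forward_secret_suites(PFS_ONLY_CIPHER_LIST))
```

Running it shows that the leading ECDHE entry only sets preference order; anything HIGH pulls in after it is still negotiable. If the goal is to guarantee forward secrecy rather than merely prefer it, the cipher string itself has to exclude static-RSA key exchange (for example with !kRSA, or by building the list from ECDHE/DHE groups as PFS_ONLY_CIPHER_LIST does), in addition to configuring the ECDH curve as the answer describes.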
