encryption - Delphi 12.2 INDY TLS 1.2 Ciphers no ECDHE-ECDSA - Stack Overflow

admin管理员组

文章数量:1297034

My server uses the "stock" Indy that comes with Delphi 12.2, and the OpenSSL 1.0.2u DLLs from Indy's GitHub. I am forcing the server to use TLS 1.2 only:

SSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];

If I leave the cipher list empty and issue the following command:

nmap -p 8443 --script ssl-enum-ciphers localhost

I get only ciphers like TLS_RSA_WITH_AES, but I am missing the modern elliptic curve ciphers like ECDHE-RSA-AES256-GCM-SHA384. In production, I use this cipher list, deactivating weak ones:

 SSLHandler.SSLOptions.CipherList := 'ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:RSA+AESGCM:!aNULL:!MD5:!DSS';

But then, only two ciphers are left, and still no ECDHE-ECDSA:

• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384

I verified that OpenSSL 1.0.2u supports these ECDHE-ECDSA ciphers by issuing:

openssl ciphers 

with the contents of the zip file downloaded from GitHub for OpenSSL 1.0.2u.

Am I missing something fundamental?

IMPORTANT ADDITIONAL INFORMATION

I fot to mention that I use TMS Sparkle and RemoteDB that links against Indy. In the meanwhile I tried upgrading to Indy.proposedUpdate-OpenSSLFinal. Unfortunately the TMS Libraries cannot be compiled with this version. So, I really depend on solving this with the old OpenSSL somehow.

MORE INFORMATION

OpenSSL 1.0.2 seems not to support ECC algorithms, as they fall under patents at the time they were compiled. A solution could be to recompile these DLLs with the correct settings as the patents have ended.

WORKAROUND BUT NOT SOLVED

I currently migrate my complete application to using the Windows stack. It's a lot of work but I am confident that its worth the effort, as then I do no longer need to care about this aspect as Windows updates will probably always add the required ciphers and techniques. As this is no solution to the question that might be of interest for others, I leave it open.

AN OTHER UPDATE

I now learned that TLS 1.3 also uses e.g. TLS_RSA_WITH_AES_256_GCM_SHA384 for encryption of the data stream, the ECC algorithms are relevant for key exchange. This lead to some confusion on my side. But OpenSSL 1.0.2u does not seem to support modern key exchange and also no forward security. So I have migrated my system to using the Windows HTTPSys Stack.

本文标签： encryptionDelphi 122 INDY TLS 12 Ciphers no ECDHEECDSAStack Overflow