
Author Topic: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS  (Read 5657 times)

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« on: April 10, 2022, 03:15:32 am »
Hi,
 If I look at the official OpenSSL page, I see that version 1.0.2 is out of support and 1.1.1 is the minimum, while 3.0.2 is the current recommended one: https://www.openssl.org/source/
Most of the sites providing 3.0.2 binaries: https://wiki.openssl.org/index.php/Binaries

But if I check Indy's site, there is only 1.0.2 available: https://indy.fulgan.com/SSL/

- Does anyone know what's going on here?

- Is there a way to use HTTPS connections or generate .CSR files using an up-to-date version of OpenSSL?

(I wonder why there isn't a topic about this already, while it is a very important part of our modern world...  :o )
x86_64-win64 --Win7 PRO 64bit HUN

Bi0T1N

  • Jr. Member
  • **
  • Posts: 85
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #1 on: April 10, 2022, 02:21:55 pm »
But if I check Indy's site, there is only 1.0.2 available: https://indy.fulgan.com/SSL/

- Does anyone know what's going on here?

Officially Indy only supports OpenSSL 1.0.2 - see here for the reason. However, there is a PR on Github that provides support for OpenSSL 1.1.1.

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #2 on: April 11, 2022, 02:02:18 pm »
Thank you very much for the links! I've read them all.
It seems a stable, widely tested TLS 1.3 won't go into production any time soon.  :(
Indy is not even at SSL 1.1.1, while this version will already be deprecated after 2023-09-11 (y-m-d).

I really need to create a DLL now that will support a safe connection to a government server for 5-10+ years, using a special 4096-bit RSA-signed key.

So the big question is:
- What other library is there available instead of Indy?

I've read somewhere that "the most secure (error free) version" of OpenSSL is currently this:
https://github.com/rustls/rustls
But it does not support:
  • Compression.
  • Automatic protocol version downgrade.
So it does not seem to be the best choice.

I accept any advice on what I should do to quickly solve this and start working, while only 30 days are left to implement 1000+ things. (It's a new law in our country.)

OFF:
I really would like to avoid switching to C# + VS2017 + .NET like all my pascal friends did 15 years ago.
x86_64-win64 --Win7 PRO 64bit HUN

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #3 on: April 11, 2022, 03:39:22 pm »
I have found this library, supporting OpenSSL 3.0.2!   :)
http://wiki.overbyte.eu/wiki/index.php/ICS_Download

Theoretically it can be used with FreePascal too:
www.stack.nl/~marcov/ics.html
« Last Edit: April 11, 2022, 03:43:53 pm by PizzaProgram »
x86_64-win64 --Win7 PRO 64bit HUN

SymbolicFrank

  • Hero Member
  • *****
  • Posts: 1313
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #4 on: April 11, 2022, 03:59:14 pm »
There's also Synapse, but I would use fphttpclient for something new. There are more. Then again, the main stumbling block tends to be RSA. I cannot help with that.

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1312
    • Lebeau Software
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #5 on: April 11, 2022, 11:18:32 pm »
But if I check Indy's site, there is only 1.0.2 available: https://indy.fulgan.com/SSL/

FYI, Indy's Fulgan site is no longer being used.  The binaries are now hosted on GitHub:

https://github.com/IndySockets/OpenSSL-Binaries
https://www.indyproject.org/2020/06/16/openssl-binaries-moved-to-github/

It seems a stable, widely tested TLS 1.3 won't go into production any soon.  :(

Nothing is stopping you from trying Indy's in-progress code for OpenSSL 1.1.1.  And the OpenSSL team says that "Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled" when migrating to OpenSSL 3.0.
« Last Edit: April 14, 2022, 12:53:13 am by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #6 on: April 13, 2022, 01:57:02 am »
There's also Synapse, but I would use fphttpclient for something new.

Thank you very much
for the link; I was investigating it during the last 12 hours. I wrote a little example program too, and it seems I can load a self-created certificate into the request via a TByte stream, not just from a file (which would be very insecure).
But I did not test it yet.

Also a big bonus seems to be that it is theoretically still compatible with WinXP.
ICS binaries need at least Vista. (More testing needed later for that.)

I will need ca. 4-6 days until I get a signed .PEM test-file from the Government to get started with testing.
x86_64-win64 --Win7 PRO 64bit HUN

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #7 on: April 13, 2022, 02:35:26 am »
Nothing is stopping you from trying Indy's in-progress code for OpenSSL 1.1.1.  And the OpenSSL team says that "Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled".

Normally I would do that, but not in this case. I cannot afford any failure and I do not have time to test things now.
I have only 70 days left to finish a 100-page-long specification to send data continuously to our Government.
They do not allow more than 1 day failure.
If (in maybe 2 years) they switch to a stronger protocol, I won't be able to upgrade manually 200 PCs in one day.

Synapse is also huge! Amazing, but overwhelming. I've tried to implement it many times, but it is "too much" for me.

OFF:
 Personally Remy you are like a Hero to me. Really.
I've learned soooo much from you!
You are helping so many Delphi programmers, answering all the questions. (I have read at least 3000 of your posts in my life.)

Thanks to your Indy components and hard work, I was able to implement many background threads into my PizzaProgram:
  • a webserver to serve an Android phone app
  • a SysLog server to listen to a VOIP adapter
  • and many REST HTTPS communications with pizza-ordering webshops.
Before I start using some code in my App, first I analyse it line by line + debug it step by step.
That's why I know: what a genius you are.

I know that the Indy project is like your "own kid" for you, because my Restaurant program is the same for me; I've been enhancing it for 20 years under Delphi 7.
I can only imagine how it would hurt me if I were to lose my newest code and my developer machines.

My brother lost almost everything (laptop, PC, HDD backups) in a fire 4 months ago too. Only 1 HDD is left with ca. 30% of the data on it (XLS files, photos, expensive car-diagnostic programs, etc.) >> 1 week later he overwrote the whole partition instead of cloning it. (Too tired, daily 2 hours of sleep, no roof, winter, snow, cold + stress, 2 screaming babies etc. 1 wrong click. Done.)
x86_64-win64 --Win7 PRO 64bit HUN

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #8 on: April 17, 2022, 02:59:03 pm »
I would use fphttpclient for something new.

Dear Frank,

Installed binaries downloaded  from here: https://slproweb.com/products/Win32OpenSSL.html

Then I've tested fphttpclient and it works great on both Win7 + Win10!  :D
Found a free test-server that shows detailed info about the JSON I'm sending: https://webhook.site

The only thing I cannot see / test: whether the connection was made with TLS 1.3 or less?

One more thing to worry about:
 fphttpclient is basically using the sslbase.pp file, where I've found this at line 11:
Code: Pascal
  TSSLType = (stAny,stSSLv2,stSSLv3,stTLSv1,stTLSv1_1,stTLSv1_2);

used by:
TSSLSocketHandler.SSLType

So TLS 1.3 is not even listed!
I think it's time to open a specific new topic to discuss this...
x86_64-win64 --Win7 PRO 64bit HUN

fpc2pas

  • New Member
  • *
  • Posts: 34
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #9 on: May 04, 2022, 11:32:35 am »
I would use fphttpclient for something new.

Dear Frank,

Installed binaries downloaded  from here: https://slproweb.com/products/Win32OpenSSL.html

Then I've tested fphttpclient and it works great on both Win7 + Win10!  :D
Found a free test-server that shows detailed info about the JSON I'm sending: https://webhook.site

The only thing I cannot see / test: whether the connection was made with TLS 1.3 or less?

One more thing to worry about:
 fphttpclient is basically using the sslbase.pp file, where I've found this at line 11:
Code: Pascal
  TSSLType = (stAny,stSSLv2,stSSLv3,stTLSv1,stTLSv1_1,stTLSv1_2);

used by:
TSSLSocketHandler.SSLType

So TLS 1.3 is not even listed!
I think it's time to open a specific new topic to discuss this...

Adding the sslbase and opensslsockets units would automatically deploy SSL support for FPHTTPClient.
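The fphttpclient + opensslsockets setup discussed in this thread, as an added example that is not from any of the posts or from the FPC sources. It POSTs a constructed JSON payload over HTTPS, links opensslsockets so that https:// URLs are handled, turns on server certificate verification, and returns the status code and body. The endpoint URL and the payload are placeholders, and the VerifySSLCertificate property is assumed to be present in your FPC release (it is in 3.2.x).

```pascal
program HttpsJsonPost;
{$mode objfpc}{$H+}

// Added example, not code from the thread or from the FPC sources.
// Linking opensslsockets registers the OpenSSL-backed socket handler, which is
// what makes TFPHTTPClient accept https:// URLs; without that unit the client
// raises an exception for HTTPS. The OpenSSL DLLs must be loadable at run time.

uses
  SysUtils, Classes, fphttpclient, opensslsockets;

const
  // Placeholder endpoint (webhook.site hands out a per-user URL; substitute it).
  TargetUrl = 'https://example.invalid/endpoint';
  // Constructed sample payload.
  Payload = '{"invoice":"TEST-0001","total":1234.50}';

// POST Body as JSON to Url. Returns the HTTP status code and the response
// body; transport errors and EHTTPClient propagate to the caller.
function PostJson(const Url, Body: string; out Response: string): Integer;
var
  Client: TFPHTTPClient;
  ReqBody, Resp: TStringStream;
begin
  Client := TFPHTTPClient.Create(nil);
  ReqBody := TStringStream.Create(Body);
  Resp := TStringStream.Create('');
  try
    // Assumption: VerifySSLCertificate exists in your FPC (it is in 3.2.x).
    // It defaults to False, so a client that omits this accepts any certificate
    // the server presents, which gives encryption but no authentication.
    Client.VerifySSLCertificate := True;
    Client.AllowRedirect := False;   // never re-send the payload to a redirect target silently
    Client.IOTimeout := 15000;       // milliseconds; fail instead of hanging forever
    Client.AddHeader('Content-Type', 'application/json');
    Client.AddHeader('Accept', 'application/json');
    Client.RequestBody := ReqBody;
    Client.Post(Url, Resp);
    Result := Client.ResponseStatusCode;
    Response := Resp.DataString;
  finally
    Client.RequestBody := nil;       // the client does not own the stream
    Resp.Free;
    ReqBody.Free;
    Client.Free;
  end;
end;

var
  Status: Integer;
  Body: string;
begin
  try
    Status := PostJson(TargetUrl, Payload, Body);
    WriteLn('HTTP ', Status);
    if (Status < 200) or (Status >= 300) then
      WriteLn('Server rejected the request: ', Body)
    else
      WriteLn(Body);
  except
    on E: Exception do
      // Certificate failures, unreachable host, missing OpenSSL DLLs, etc.
      WriteLn('Request failed: ', E.ClassName, ': ', E.Message);
  end;
end.
```

The status code is checked explicitly because a delivered request is not the same as an accepted one. The protocol version actually negotiated is not exposed through TFPHTTPClient, which is the gap the quoted TSSLType enumeration (ending at stTLSv1_2) points at; if you need to prove TLS 1.3 was used, that has to be verified on the server side or with a packet capture.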

JZS

  • Full Member
  • ***
  • Posts: 194
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #10 on: March 30, 2023, 08:46:04 pm »
I apologize for posting in this old thread. Just landed on this thread while looking for indy+TLS1.3
Am using Lazarus 2.2.6 (FPC 3.2.2) on Win10 with Indy10.6.2, how can I install/merge that code (https://github.com/IndySockets/Indy/pull/299) into my existing indy installation, in order to enable the TLS1.3?
I use recent stable release

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1312
    • Lebeau Software
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #11 on: March 30, 2023, 09:06:28 pm »
I apologize for posting in this old thread. Just landed on this thread while looking for indy+TLS1.3
Am using Lazarus 2.2.6 (FPC 3.2.2) on Win10 with Indy10.6.2, how can I install/merge that code (https://github.com/IndySockets/Indy/pull/299) into my existing indy installation, in order to enable the TLS1.3?

All of the PR's code is in its own subfolder under Indy's \Lib\Protocols folder, and the PR's code doesn't appear to touch Indy's master code at all, so you should be able to simply download the PR's code on top of your existing Indy installation and then use the new SSLIOHandler classes in your own code as needed.
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

PizzaProgram

  • Jr. Member
  • **
  • Posts: 53
  • ...developing Delphi apps since 25 years.
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #12 on: March 30, 2023, 09:45:33 pm »
I have found this library, supporting OpenSSL 3.0.2 !   :)
http://wiki.overbyte.eu/wiki/index.php/ICS_Download

I just wanted to share my "final experience" after 1 year:
  • I had to drop Lazarus and switch back to Delphi 7, because Lazarus could not create the special (non-standard) version of the JWS signature the Government demanded.
  • I've used ICS for the whole project, including JSON generation + SSL3 + JWS + some special HTTPS stream readout (when there was a different response code than 200=OK).

(I've just realized in another project with Indy yesterday that it drops the stream completely when the returned code is 405. Cannot read the response.)

So ICS was a great choice, I can recommend it, but sadly it does not run on Lazarus  :(
x86_64-win64 --Win7 PRO 64bit HUN

JZS

  • Full Member
  • ***
  • Posts: 194
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #13 on: March 30, 2023, 11:20:36 pm »
All of the PR's code is in its own subfolder under Indy's \Lib\Protocols folder, and the PR's code doesn't appear to touch Indy's master code at all, so you should be able to simply download the PR's code on top of your existing Indy installation and then use the new SSLIOHandler classes in your own code as needed.

Thank you Remy. I downloaded the GitHub version of Indy (https://github.com/IndySockets/Indy), put the files under Protocol, recompiled, and got no errors.

Now the only suitable Units I found are:
IdOpenSSLIOHandlerClientBase
IdOpenSSLIOHandlerClient
IdOpenSSLIOHandlerClientServer
IdOpenSSLIOHandlerServer

And tried to look for the SSLIOHandler that I can use from them, that can set the TLSv1.3 but couldn't find that. Am I using the correct Units here?
I use recent stable release

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 1312
    • Lebeau Software
Re: OpenSSL 3.0 vs Indy's 1.0.2 + Generating .CSR + HTTPS
« Reply #14 on: March 31, 2023, 01:18:55 am »
I've just realized in another project with Indy yesterday that it drops the stream completely when the returned code is 405. Cannot read the response.

By default, Indy's TIdHTTP component does not modify your output String/TStream if an HTTP error occurs.  Instead, it raises an EIdHTTPProtocolException, where the response data is in the exception's ErrorMessage property.  If you want to avoid the exception, enable the hoNoProtocolErrorException flag in the TIdHTTP.HTTPOptions property. If you also want the response data in your String/TStream, enable the hoWantProtocolErrorContent flag, too.
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
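The two options Remy describes, as an added example that is not from the post or from the Indy sources: one function keeps Indy's default and reads the error body from EIdHTTPProtocolException.ErrorMessage, the other sets hoNoProtocolErrorException and hoWantProtocolErrorContent so the body lands in the caller's stream. It assumes Indy 10 with the OpenSSL IOHandler; the URL and the CA bundle path are placeholders.

```pascal
program IndyErrorBody;
{$APPTYPE CONSOLE}
{$IFDEF FPC}{$mode delphi}{$ENDIF}

// Added example, not from the thread or the Indy sources: two ways to obtain the
// body of a non-2xx reply (e.g. 405) from TIdHTTP. Assumes Indy 10 with the
// OpenSSL 1.0.2 IOHandler; URL and CA bundle path are placeholders.

uses
  SysUtils, Classes, IdHTTP, IdSSLOpenSSL;

const
  TargetUrl = 'https://example.invalid/api/orders'; // placeholder endpoint
  CaBundle  = 'ca-bundle.pem';                       // placeholder CA file

// Build a client with an SSL IOHandler that actually checks the server chain.
function MakeClient: TIdHTTP;
var
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdHTTP.Create(nil);
  Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Result);
  Ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];   // highest the 1.0.2 handler offers
  Ssl.SSLOptions.VerifyMode := [sslvrfPeer];     // reject chains that do not verify
  Ssl.SSLOptions.RootCertFile := CaBundle;       // trust anchors for that check
  Result.IOHandler := Ssl;
  Result.ReadTimeout := 15000;                   // milliseconds
end;

// Variant 1 (Indy default): the output is left untouched on an HTTP error and
// the body is delivered through EIdHTTPProtocolException.ErrorMessage.
function GetViaException(const Url: string; out Body: string): Integer;
var
  Http: TIdHTTP;
begin
  Http := MakeClient;
  try
    try
      Body := Http.Get(Url);
      Result := Http.ResponseCode;
    except
      on E: EIdHTTPProtocolException do
      begin
        Result := E.ErrorCode;      // e.g. 405
        Body := E.ErrorMessage;     // the server's response body
      end;
    end;
  finally
    Http.Free;
  end;
end;

// Variant 2: opt out of the exception and ask Indy to write the error body
// into the caller's stream. The status code then has to be checked explicitly,
// otherwise a 4xx/5xx reply is silently treated like success.
function GetViaOptions(const Url: string; out Body: string): Integer;
var
  Http: TIdHTTP;
  Resp: TStringStream;
begin
  Http := MakeClient;
  Resp := TStringStream.Create('');
  try
    Http.HTTPOptions := Http.HTTPOptions
      + [hoNoProtocolErrorException, hoWantProtocolErrorContent];
    Http.Get(Url, Resp);            // no EIdHTTPProtocolException on 4xx/5xx
    Result := Http.ResponseCode;
    Body := Resp.DataString;
  finally
    Resp.Free;
    Http.Free;
  end;
end;

var
  Code: Integer;
  Body: string;
begin
  try
    Code := GetViaOptions(TargetUrl, Body);
    WriteLn('HTTP ', Code);
    if Code >= 400 then
      WriteLn('Error body: ', Body)
    else
      WriteLn(Body);
  except
    on E: Exception do
      // TLS handshake or verification failures, connection errors, etc.
      WriteLn('Request failed: ', E.ClassName, ': ', E.Message);
  end;
end.
```

Variant 1 is the safer default for code that already exists, because an unexpected status cannot be overlooked. Variant 2 suits code that has to log or parse the server's error document (the 405 case above), as long as every caller inspects ResponseCode.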
