Force TLS1.3 with fphttpclient

PizzaProgram:
Installed binaries downloaded from here: https://slproweb.com/products/Win32OpenSSL.html

I've written a little test exe using fphttpclient and it works great from both Win7 + Win10!  :D
Found a free test server that shows detailed info about the JSON I'm sending, and supports TLSv1.3: https://webhook.site

By capturing the traffic with Wireshark I can see: the connection was made with TLS1.2 only! :(

One more thing to worry about:
 fphttpclient is basically using sslbase.pp file, where I've found this at Line 11:

--- Code: Pascal ---
  TSSLType = (stAny,stSSLv2,stSSLv3,stTLSv1,stTLSv1_1,stTLSv1_2);
used by:
TSSLSocketHandler.SSLType

So TLS 1.3 is not even listed there! How can I check / force TLSv1.3?
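A TLS 1.3 handshake is easy to misread in a capture: per RFC 8446 the record-layer version and the ServerHello's legacy_version field both still carry 0x0303 (the TLS 1.2 value), and the version the server actually selected is in the ServerHello's supported_versions extension (type 43). The parser below is an added example, not code from this thread, from fphttpclient or from Synapse; it decodes a ServerHello record and reports the negotiated version. The two sample records it is run against are constructed inline for the example (one TLS 1.3, one TLS 1.2), with zeroed random bytes.

```python
import struct

# Wire version numbers and their names (RFC 8446 section 4.2.1).
TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # extension type 43
HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def _name(version: int) -> str:
    return TLS_VERSIONS.get(version, f"unknown(0x{version:04x})")


def record_layer_version(record: bytes) -> str:
    """Version in the 5-byte record header. For TLS 1.3 this still reads 'TLS 1.2'."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    return _name(struct.unpack("!H", record[1:3])[0])


def negotiated_version(record: bytes) -> str:
    """Return the version the server actually selected in a ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("record does not start with a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    (legacy_version,) = struct.unpack("!H", sh[0:2])
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + sh[pos]                # legacy_session_id_echo
    pos += 2 + 1                      # cipher_suite + legacy_compression_method
    if pos + 2 > len(sh):
        return _name(legacy_version)  # no extensions block: pre-1.3 server
    (ext_len,) = struct.unpack("!H", sh[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(sh))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", sh[pos:pos + 4])
        pos += 4
        edata = sh[pos:pos + elen]
        pos += elen
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            # TLS 1.3 servers put the selected version here, not in legacy_version.
            return _name(struct.unpack("!H", edata)[0])
    # Without supported_versions, legacy_version is authoritative (TLS 1.2 or lower).
    return _name(legacy_version)


def build_server_hello(legacy_version: int, extensions: bytes) -> bytes:
    """Construct a minimal ServerHello record (sample data for this example only)."""
    sh = struct.pack("!H", legacy_version)
    sh += bytes(32)                   # random (zeros: constructed sample)
    sh += b"\x00"                     # empty legacy_session_id_echo
    sh += b"\x13\x01"                 # cipher suite (value irrelevant to this parser)
    sh += b"\x00"                     # legacy_compression_method: null
    sh += struct.pack("!H", len(extensions)) + extensions
    hs = bytes([SERVER_HELLO]) + len(sh).to_bytes(3, "big") + sh
    # Record header: handshake, version 0x0303, length.
    return bytes([HANDSHAKE_RECORD, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: both carry 0x0303 in the record header and in legacy_version.
SAMPLE_TLS13 = build_server_hello(
    0x0303, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
)
SAMPLE_TLS12 = build_server_hello(
    0x0303, struct.pack("!HH", 0xFF01, 1) + b"\x00"   # renegotiation_info only
)

if __name__ == "__main__":
    for label, rec in (("sample 1", SAMPLE_TLS13), ("sample 2", SAMPLE_TLS12)):
        print(label, "record header:", record_layer_version(rec),
              "negotiated:", negotiated_version(rec))
```

The same distinction applies when reading the capture by hand: expand the ServerHello in Wireshark and look for the supported_versions extension rather than the Version fields of the record and handshake headers, which show TLS 1.2 for a TLS 1.3 connection as well.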

Bi0T1N:

--- Quote from: PizzaProgram on April 17, 2022, 03:02:28 pm ---The only thing I can not see / test:  whether the connection was made with TLS1.3 or less ?

--- End quote ---
I think the simplest solution - thus Python (you can also use e.g. fphttpserver but I haven't found any code example in a hurry) - is to set up a local https server that supports TLS 1.3 and connect to it with your Pascal program.


--- Quote from: PizzaProgram on April 17, 2022, 03:02:28 pm ---One more thing to worry about:
 fphttpclient is basically using sslbase.pp file, where I've found this at Line 11:

--- Code: Pascal ---
  TSSLType = (stAny,stSSLv2,stSSLv3,stTLSv1,stTLSv1_1,stTLSv1_2);
used by:
TSSLSocketHandler.SSLType

So TLS 1.3 is not even listed there! How can I check / force TLSv1.3?

--- End quote ---
OpenSSL no longer supports specifying a specific protocol version, introduced with TLSv1.3. Thus this functionality is not provided anymore and the old functions are deprecated.
Nowadays it negotiates the highest version mutually supported by the client and the server during the initial handshake and hence there is only the universal TLS_method().
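For the "force" half of the question, the knobs modern OpenSSL offers on top of the universal TLS_method() are a minimum and maximum protocol version on the context rather than a version-specific method, and the version that was actually negotiated can be read from the connection after the handshake. The client below is an added example, not code from this thread, from fphttpclient or from Synapse; it uses Python's ssl module, which exposes those two OpenSSL settings as SSLContext.minimum_version and maximum_version, to refuse anything below TLS 1.3 and report what was negotiated. The host in the __main__ block is a placeholder.

```python
import socket
import ssl


def tls13_only_context() -> ssl.SSLContext:
    """Client context that will only complete a TLS 1.3 handshake."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    # Pinning both bounds to TLS 1.3 means a 1.2-only server gets a
    # protocol_version alert instead of a silent downgrade.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the TLS 1.3-only context and report the result.

    Returns {'ok': True, 'version': ..., 'cipher': ...} when the handshake
    completes, or {'ok': False, 'error': ...} when the server cannot do
    TLS 1.3 or is unreachable.
    """
    ctx = tls13_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # version() is the negotiated protocol, e.g. 'TLSv1.3'.
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    print(probe("example.com"))  # placeholder host, replace with the server under test
```

The same two settings exist in the OpenSSL C API as SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version, which is what a Pascal binding would call to get the same behaviour from a context created with TLS_method().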

PizzaProgram:
I've dived into the code more, and realized:
 - Eventually this component is based on (calling) openssl.pas of Ararat Synapse, last changed in 2010-08-24.
It is searching for:

--- Code: Pascal ---
  DLLSSLName: string = 'ssleay32.dll';
  DLLSSLName2: string = 'libssl32.dll';

files based on version 1.1, so there is no way it will work with libssl-3.dll
 

paweld:
Synapse in trunk version support openssl 1.1 and 3: https://sourceforge.net/p/synalist/code/HEAD/tree/trunk/ssl_openssl_lib.pas

PizzaProgram:
You are right! Thanks for the link.  :)
Those trunk .pas files are really looking for files like 'libcrypto-3.dll', so it seems to be up to date.

I'm pretty much shocked about:
 - if this code is the "built-in base" for all https communication, why haven't the Lazarus developers upgraded this code in the last 12 years?  :o

There is a laz_synapse.lpk too, so no "special conversion" of the package is needed.

I'll try to download and test it now...

_______________________________________
Anyway, I've made some more tests yesterday and realized:
1. Even if I install the latest 3.0.2 binaries,
  default dir: C:\Program Files (x86)\OpenSSL-Win32\bin\
2. Allow to install DLL into "system",
3. my test-APP is still using some old 1.0.2.10 SSL DLLs found somewhere in the:
C:\Windows\SysWOW64\

Maybe this is a problem of the binary installer, not overwriting those old files from 2016, but still very strange.
