
Author Topic: IndySecOpenSSL is now available on OPM  (Read 969 times)

tonyw

  • Sr. Member
  • ****
  • Posts: 344
    • MWA Software
IndySecOpenSSL is now available on OPM
« on: October 11, 2025, 05:34:13 pm »
I have published what is hopefully a useful new package on OPM. This is IndySecOpenSSL.

This package is dependent on the "Indy 10" Package already available in the OPM repo, and provides a new (optional) OpenSSL package separate from Indy's "protocols" package. IndySecOpenSSL adds support for OpenSSL 3.0 and later. It may be used as an add-on to the Indy 10.6 or the forthcoming Indy 10.7 releases.

The IndySecOpenSSL package's purpose is to provide Indy users with an upgrade path to the use of current OpenSSL (3.x) libraries with the minimum of change. This includes users that use the existing version of Indy bundled with Delphi and the version provided with the Lazarus Online Package Manager. The package comes with a comprehensive User Guide covering installation, upgrade of existing programs, other usage and the example code provided. It also includes a component reference plus appendices providing an analysis of the TLS 1.3 protocol and a tutorial on Security Concepts. OPM will install the package, but you will also want to read the User Guide, if only to correctly install the OpenSSL DLLs. While Linux usually comes with these, Windows does not.

The code has been under development for over a year now and was originally intended to be included with Indy 10.7. That release is still some way off and this code seems to be mature and worth making available for general release.

The lack of up-to-date OpenSSL support has been an increasingly significant problem for the Indy Component Library. The existing library supports the legacy OpenSSL 1.0.2 which is now unsupported and only supports the older TLS 1.2 protocol. The IndySecOpenSSL package corrects this problem and allows the use of the current OpenSSL libraries and TLS 1.3.

The primary use case for IndySecOpenSSL is in support of the Indy HTTPS and HTTPS Server components. These are often used in support of REST based applications leveraging FPC's excellent JSON support. I have also released today (see separate announcement) an oauth2client. This is often needed for authentication for REST applications and also uses IndySecOpenSSL and the FPC JSON libraries.

You can also download IndySecOpenSSL from GitHub

https://github.com/MWASoftware/IndySecOpenSSL

jujibo

  • Full Member
  • ***
  • Posts: 118
Re: IndySecOpenSSL is now available on OPM
« Reply #1 on: October 11, 2025, 07:58:51 pm »
Great!

Thanks, Tony. I've been using Synapse. It's probably time to check out Indy.

LeP

  • Jr. Member
  • **
  • Posts: 57
Re: IndySecOpenSSL is now available on OPM
« Reply #2 on: October 11, 2025, 10:50:42 pm »
I tested it in my test http server (with Delphi).

Simply modified existing code with some $IFDEF, and it works with TaurusTLS, with your solution, with old PR299 and with bundle.

All tests from SSLLABS were OK.

With compiling under Delphi 13 there were some warnings about obsolete and deprecated functions, some variables without initializations and some missing headers for inlining.
One of the files is with LF formatting (Delphi doesn't like it).

Good work, and having more solutions for Indy TLS is good news.

tonyw

  • Sr. Member
  • ****
  • Posts: 344
    • MWA Software
Re: IndySecOpenSSL is now available on OPM
« Reply #3 on: October 11, 2025, 11:32:15 pm »
Thanks for your feedback.

I am only able to test with the Delphi Community Edition (Delphi 12), so any feedback from Delphi 13 is useful. The codebase has already benefited from feedback from a Delphi 13 user who was using Delphi on Linux. Again, I don't have access to this version.

It would be useful to know which file had LF only line endings as this suggests a missing entry in the .gitattributes file.

LeP

  • Jr. Member
  • **
  • Posts: 57
Re: IndySecOpenSSL is now available on OPM
« Reply #4 on: October 12, 2025, 09:10:22 am »
The LF is inside all files ... I used a zip, not a clone of the repo  %)

The others are there (DELPHI13 is right ... change your INC)

Quote
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Hint] IdSecOpenSSLHeaders_crypto.pas(1080): H2077 Value assigned to 'COMPAT_OPENSSL_init_crypto' never used
[dcc64 Warning] IdSecOpenSSLHeaders_ssl.pas(5136): W1035 Return value of function 'COMPAT_SSL_new_session_ticket' might be undefined
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1000 Symbol 'StrPas' is deprecated: 'Moved to the AnsiStrings unit'
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1057 Implicit string cast from 'AnsiString' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(431): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(436): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(548): W1035 Return value of function 'SearchLocations' might be undefined
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdSecOpenSSLHeaders_x509_vfy.pas(1067): W1035 Return value of function 'COMPAT_X509_STORE_CTX_get_ex_data' might be undefined
[dcc64 Hint] IdSecOpenSSLSocket.pas(305): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(316): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(336): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(382): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(404): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(431): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Warning] IdSecOpenSSLX509.pas(247): W1036 Variable 'LBufPtr' might not have been initialized

P.S.: I used it only at runtime, not at design time (normally I don't install design time components if not strictly required).
« Last Edit: October 12, 2025, 09:14:21 am by LeP »

tonyw

  • Sr. Member
  • ****
  • Posts: 344
    • MWA Software
Re: IndySecOpenSSL is now available on OPM
« Reply #5 on: October 12, 2025, 01:27:55 pm »
Thanks. All straightforward to fix and important for future proofing, but shouldn't cause any problems for current users. The fixes will soon appear in my Github repo, but not in a tagged release until something more significant turns up.

The LF v CR/LF line ending issue is more of a problem and seems to be a feature of Github. Googling the problem, I can find posts on the subject from as long ago as 2012.

In itself, git is very good at managing line endings and I use it all the time, during testing, to transfer source code from Linux to Windows and vice versa. That is, "git clone" and "git pull" do their job. On the other hand, "git archive" uses the line endings appropriate to the system it runs on. It seems that Github uses "git archive" to generate both zip and tar.gz archives "on the fly" and runs on Linux. Hence, line endings are always LF.

It looks like I will have to provide my own zips for Windows users.


LeP

  • Jr. Member
  • **
  • Posts: 57
Re: IndySecOpenSSL is now available on OPM
« Reply #6 on: October 12, 2025, 05:10:39 pm »
Quote
Thanks. All straightforward to fix and important for future proofing, but shouldn't cause any problems for current users.

Yes, I agree, and one can fix most of them in 30 seconds. So, there's no hurry.

Quote
It seems that Github uses "git archive" to generate both zip and tar.gz archives "on the fly" and runs on Linux. Hence, line endings are always LF.
It looks like I will have to provide my own zips for Windows users,

I don't have any issues downloading "on the fly" all other packages from third parties on Windows (zip format), they are always "endings" with CRLF.
But by now it doesn't give any issue with Delphi compiler (seems). And when I have to edit, I "add" the CRLF.

JD

  • Hero Member
  • *****
  • Posts: 1908
Re: IndySecOpenSSL is now available on OPM
« Reply #7 on: October 13, 2025, 11:11:46 am »
@tonyw

Thank you so much for this component as well as the oauth2client component.  :D

JD
« Last Edit: October 13, 2025, 11:25:17 am by JD »
Linux Mint - Lazarus 4.0/FPC 3.2.2,
Windows - Lazarus 4.0/FPC 3.2.2

mORMot 2, PostgreSQL & MariaDB.

tonyw

  • Sr. Member
  • ****
  • Posts: 344
    • MWA Software
Re: IndySecOpenSSL is now available on OPM
« Reply #8 on: October 14, 2025, 03:37:36 pm »
Quote
I don't have any issues downloading "on the fly" all other packages from third parties on Windows (zip format), they are always "endings" with CRLF.
But by now it doesn't give any issue with Delphi compiler (seems). And when I have to edit, I "add" the CRLF.

From what I can make out, the problem with Github is that while you can force the repo to be CR/LF formatted, all you end up doing is transferring the problem from Windows to Linux.

As a workaround, what I have done is to create windows formatted zips for each of my popular repos with a new repo holding these zips. I have then published each link in the description for each release. For example, for the current release of IndySecOpenSSL, the windows format zip has the URL

https://github.com/MWASoftware/WindowsZips/raw/refs/heads/main/IndySecOpenSSL/IndySecOpenSSL-1-0-0.zip

Hopefully, this is a satisfactory solution for all users.
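
The workaround discussed in this thread (Windows-formatted zips built from an LF-only source archive), as an added example that is not part of the original posts or of the IndySecOpenSSL project: Python code that lists text members with bare LF line endings and writes a CRLF copy of the archive, leaving binary members untouched. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import re
import zipfile

TEXT_EXTENSIONS = {".pas", ".inc", ".dpr", ".dpk", ".lpk", ".lfm", ".txt"}  # assumption
BARE_LF = re.compile(rb"(?<!\r)\n")  # LF not preceded by CR


def is_text(name, data):
    """Text only if the extension is listed and the content has no NUL byte."""
    return os.path.splitext(name)[1].lower() in TEXT_EXTENSIONS and b"\x00" not in data


def read_member(zip_bytes, name):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def lf_only_members(zip_bytes):
    """Names of text members containing at least one bare LF."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [(i.filename, zf.read(i)) for i in zf.infolist()]
    return [n for n, d in members if is_text(n, d) and BARE_LF.search(d)]


def to_crlf_zip(zip_bytes):
    """Copy the archive, rewriting bare LF to CRLF in text members only."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info)
            if is_text(info.filename, data):
                data = BARE_LF.sub(b"\r\n", data)  # existing CRLF stays as-is
            dst.writestr(info, data)
    return out.getvalue()


def build_sample():
    """Constructed sample standing in for an LF-only source archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/unit1.pas", b"unit unit1;\ninterface\nend.\n")
        zf.writestr("pkg/mixed.inc", b"{$DEFINE A}\r\n{$DEFINE B}\n")
        zf.writestr("pkg/logo.png", b"\x89PNG\r\n\x1a\n\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(lf_only_members(build_sample()), lf_only_members(to_crlf_zip(build_sample())))
```

A zip rebuilt this way has a different hash from the archive the hosting site generates, so anyone who verifies downloads by checksum needs a checksum published for the rebuilt file itself.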

 
