IndySecOpenSSL is now available on OPM

[tonyw]

I have published what is hopefully a useful new package on OPM. This is IndySecOpenSSL.

This package is dependent on the "Indy 10" Package already available in the OPM repo, and provides a new (optional) OpenSSL package separate from Indy's "protocols" package. IndySecOpenSSL adds support for OpenSSL 3.0 and later. It may be used as an add-on the Indy 10.6 or the forthcoming Indy 10.7 releases.

The IndySecOpenSSL package's purpose is to provide Indy users with an upgrade path to the use of current OpenSSL (3.x) libraries with the minimum of change. This includes users that use the existing version of Indy bundled with Delphi and the version provided with the Lazarus Online Package Manager. The package comes with a comprehensive User Guide covering installation, upgrade of existing programs, other usage and the example code provided. It also includes a component reference plus appendicies providing an analysis of the TLS 1.3 protocol and a tutorial on Security Concepts. OPM will install the package, but you will also want to read the User Guide, if only to correctly install the OpenSSL DLLs. While Linux usually comes with these, Windows does not.

The code has been under development for over a year now and was originally intended to be included with Indy 10.7. That release is still some way off and this code seems to be mature and worth making it available for general release.

The lack of up-to-date OpenSSL support has been an increasingly significant problem for the Indy Component Library. The existing library supports the legacy OpenSSL 1.0.2 which is now unsupported and only supports the older TLS 1.2 protocol. The IndySecOpenSSL package corrects this problem and allows the use of the current OpenSSL libraries and TLS 1.3.

The primary use case for IndySecOpenSSL is in support of the Indy HTTPS and HTTPS Server components. These are often used in support of REST based applications leveraging FPC's excellent JSON support. I have also released today (see separate announcement) an oauth2client. This is often needed for authentication for REST applications and also uses IndySecOpenSSL and the FPC JSON libraries.

You can also downloade IndySecOpenSSL from Github

https://github.com/MWASoftware/IndySecOpenSSL

[jujibo]

Great!

Thanks, Tony. I've been using Synapse. It's probably time to check out Indy.

[LeP]

I tested it in my test http server (with Delphi).

Simply modified existing code with some $IFDEF, and it works with TaurusTLS, with your solution, with old PR299 and with bundle.

All tests from SSLLABS where OK.

With compiling under Delphi 13 there were some warnings about obsolete and deprecated functions, some variables without initializations and some missing headers for inlining.
One of the files is with LF formatting (Delphi doesn't like it).

Good works, and have more solutions for indy TLS is a good news.

[tonyw]

I tested it in my test http server (with Delphi).

Simply modified existing code with some $IFDEF, and it works with TaurusTLS, with your solution, with old PR299 and with bundle.

All tests from SSLLABS where OK.

With compiling under Delphi 13 there were some warnings about obsolete and deprecated functions, some variables without initializations and some missing headers for inlining.
One of the files is with LF formatting (Delphi doesn't like it).

Good works, and have more solutions for indy TLS is a good news.

Thanks for your feedback.

I am only able to test with the Delphi Community Edition (Delphi 12), so any feedback from Delphi 13 is useful. The codebase has already benefited from feedback from a Delphi 13 user who was using Delphi on Linux. Again, I don't have access to this version.

It would be useful know which file had LF only line endings as this suggests a missing entry in the .gitattributes file.

[LeP]

The LF is inside all files ... I used a zip non a clone of repo 

The others is there (DELPHI13 is right ... change your INC)

[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Hint] IdSecOpenSSLHeaders_crypto.pas(1080): H2077 Value assigned to 'COMPAT_OPENSSL_init_crypto' never used
[dcc64 Warning] IdSecOpenSSLHeaders_ssl.pas(5136): W1035 Return value of function 'COMPAT_SSL_new_session_ticket' might be undefined
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1000 Symbol 'StrPas' is deprecated: 'Moved to the AnsiStrings unit'
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1057 Implicit string cast from 'AnsiString' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(431): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(436): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(548): W1035 Return value of function 'SearchLocations' might be undefined
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdSecOpenSSLHeaders_x509_vfy.pas(1067): W1035 Return value of function 'COMPAT_X509_STORE_CTX_get_ex_data' might be undefined
[dcc64 Hint] IdSecOpenSSLSocket.pas(305): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(316): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(336): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(382): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(404): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(431): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Warning] IdSecOpenSSLX509.pas(247): W1036 Variable 'LBufPtr' might not have been initialized

P.S.: I used it only at runtime not a design time (normally I don't install design time component if not strictly required).

[tonyw]

Thanks. All straightforward to fix and important for future proofing, but shouldn't cause any problems for current users. The fixes will soon appear in my Github repo, but not in a tagged release until something more significant turns up.

The LF v CR/LF line ending issue is more of a problem and seems to be a feature of Github. Googling the problem, I can find posts on the subject from as long ago as 2012.

In itself, git is very good at managing line endings and I use it all the time, during testing, to transfer source code from Linux to Windows and vice versa. That is, "git clone" and "git pull" do their job. On the other hand, "git archive" uses the line endings appropriate to the system it runs on. It seems that Github uses "git archive" to generate both zip and tar.gz archives "on the fly" and runs on Linux. Hence, line endings are always LF.

It looks like I will have to provide my own zips for Windows users,

The LF is inside all files ... I used a zip non a clone of repo 

The others is there (DELPHI13 is right ... change your INC)

[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Hint] IdSecOpenSSLHeaders_crypto.pas(1080): H2077 Value assigned to 'COMPAT_OPENSSL_init_crypto' never used
[dcc64 Warning] IdSecOpenSSLHeaders_ssl.pas(5136): W1035 Return value of function 'COMPAT_SSL_new_session_ticket' might be undefined
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1000 Symbol 'StrPas' is deprecated: 'Moved to the AnsiStrings unit'
[dcc64 Warning] IdSecOpenSSLExceptionHandlers.pas(76): W1057 Implicit string cast from 'AnsiString' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(431): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(436): W1057 Implicit string cast from 'PAnsiChar' to 'string'
[dcc64 Warning] IdSecOpenSSLAPI.pas(548): W1035 Return value of function 'SearchLocations' might be undefined
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdCompilerDefines.inc(460): W1054 Unknown compiler version detected! Assuming >= 13.x
[dcc64 Warning] IdSecOpenSSLHeaders_x509_vfy.pas(1067): W1035 Return value of function 'COMPAT_X509_STORE_CTX_get_ex_data' might be undefined
[dcc64 Hint] IdSecOpenSSLSocket.pas(305): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(316): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(336): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(382): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(404): H2443 Inline function 'TCriticalSection.Enter' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Hint] IdSecOpenSSLSocket.pas(431): H2443 Inline function 'TCriticalSection.Leave' has not been expanded because unit 'System.SyncObjs' is not specified in USES list
[dcc64 Warning] IdSecOpenSSLX509.pas(247): W1036 Variable 'LBufPtr' might not have been initialized

P.S.: I used it only at runtime not a design time (normally I don't install design time component if not strictly required).

[LeP]

Thanks. All straightforward to fix and important for future proofing, but shouldn't cause any problems for current users.

Yes, I agree, and one can fix most of them in 30 seconds. So, there's no hurry.

It seems that Github uses "git archive" to generate both zip and tar.gz archives "on the fly" and runs on Linux. Hence, line endings are always LF.
It looks like I will have to provide my own zips for Windows users,

I don't have any issues downloading "on the fly" all others packages from third parties on Windows (zip format), they are always "endings" with CRLF.
But by now it doesn't give any issue with Delphi compiler (seems). And when I have to edit, I "add" the CRLF.

[JD]

@tonyw

Thank you so much for this component as well as the oauth2client component. 

JD

[tonyw]

I don't have any issues downloading "on the fly" all others packages from third parties on Windows (zip format), they are always "endings" with CRLF.
But by now it doesn't give any issue with Delphi compiler (seems). And when I have to edit, I "add" the CRLF.

From what I can make out, the problem with Github is that while you can force the repo to the CR/LF formatted, all you end up doing is transferring the problem from Windows to Linux.

As a workaround, what I have done is to create windows formatted zips for each of my popular repos with a new repo holding these zips. I have then published each link in the description for each release. For example, for the current release of IndySecOpenSSL, the windows format zip has the URL

https://github.com/MWASoftware/WindowsZips/raw/refs/heads/main/IndySecOpenSSL/IndySecOpenSSL-1-0-0.zip

Hopefully, this is a satisfactory solution for all users.

[TheMouseAUS]

Hi,
I am having real issues connecting to my modem via https with a self signed cert. I had it working and after rebooting my pc I have never got it back again. If I complie and run your client cli example its fine. If I substitute the web page with the router page its fails (even though the previous day it worked!) I dont know how to begin even troubleshooting this.

If i run from the cli curl -X POST https://192.168.10.1/api/login -k -H "Content-Type: application/json" -d  '{"username": "***", "password": "***"}'
it works every time.

This test is running on Solus Linux, the application once complete and working will be on Debian 12

this is the output from your example application

Using OpenSSL 3.3.5 30 Sep 2025, OpenSSLDir: /etc/ssl
Link Model: Dynamic linking at run time
LibCrypto:
LibSSL:

Getting https://192.168.10.1/api/login with no verification

Status Info: SSL status: "before SSL initialization"
Status Info: SSL status: "before SSL initialization"
Status Info: SSL status: "SSLv3/TLS write client hello"
Status Info: SSL status: "SSLv3/TLS write client hello"
Status Info: SSL status: "SSLv3/TLS read server hello"
Status Info: SSL status: "TLSv1.3 read encrypted extensions"
Status Info: SSL status: "SSLv3/TLS read server certificate"
Status Info: SSL status: "TLSv1.3 read server certificate verify"
Status Info: SSL status: "SSLv3/TLS read finished"
Status Info: SSL status: "SSLv3/TLS write change cipher spec"
Status Info: SSL status: "SSLv3/TLS write finished"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: Cipher: name = TLS_CHACHA20_POLY1305_SHA256; description = TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
; bits = 256; version = TLSv1.3;
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSLv3/TLS read server session ticket"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSLv3/TLS read server session ticket"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "error"
Error: error:0A000126:SSL routines::unexpected eof while reading

[tonyw]

The cli example is intended to demonstrate a successful negotiation of a TLS 1.3 session and remote certificate verification. A simple GET is then performed as a confidence test that the session is usable.

The curl command you have provided is for a POST operation sending JSON encoded data to perform a login.

Looking at the session log. A TLS 1.3 session has been successfully negotiated with your router and the certificate verified. An error is then reported when you try to use the session. Have you modified the example program to change the operation from a GET to a POST and to send the JSON encoded data as provided with the curl command?

Hi,
I am having real issues connecting to my modem via https with a self signed cert. I had it working and after rebooting my pc I have never got it back again. If I complie and run your client cli example its fine. If I substitute the web page with the router page its fails (even though the previous day it worked!) I dont know how to begin even troubleshooting this.

If i run from the cli curl -X POST https://192.168.10.1/api/login -k -H "Content-Type: application/json" -d  '{"username": "***", "password": "***"}'
it works every time.

This test is running on Solus Linux, the application once complete and working will be on Debian 12

this is the output from your example application

Using OpenSSL 3.3.5 30 Sep 2025, OpenSSLDir: /etc/ssl
Link Model: Dynamic linking at run time
LibCrypto:
LibSSL:

Getting https://192.168.10.1/api/login with no verification

Status Info: SSL status: "before SSL initialization"
Status Info: SSL status: "before SSL initialization"
Status Info: SSL status: "SSLv3/TLS write client hello"
Status Info: SSL status: "SSLv3/TLS write client hello"
Status Info: SSL status: "SSLv3/TLS read server hello"
Status Info: SSL status: "TLSv1.3 read encrypted extensions"
Status Info: SSL status: "SSLv3/TLS read server certificate"
Status Info: SSL status: "TLSv1.3 read server certificate verify"
Status Info: SSL status: "SSLv3/TLS read finished"
Status Info: SSL status: "SSLv3/TLS write change cipher spec"
Status Info: SSL status: "SSLv3/TLS write finished"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: Cipher: name = TLS_CHACHA20_POLY1305_SHA256; description = TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
; bits = 256; version = TLSv1.3;
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSLv3/TLS read server session ticket"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "SSLv3/TLS read server session ticket"
Status Info: SSL status: "SSL negotiation finished successfully"
Status Info: SSL status: "error"
Error: error:0A000126:SSL routines::unexpected eof while reading

[TheMouseAUS]

Hi Thanks for the reply

These is the mods I made to get the response I needed

Code: Pascal  [Select][+][-]

1. function TBasicHttpsClient.DoTest: integer;
2. var httpClient: TIdHttp;
3.     ResponseStream: TResponseTextBuffer;
4.     JSONToSend: TStringStream;
5.     JSONString, response: string;
6. begin
7.   httpClient := TIdHTTP.Create(nil);
8.   JSONString := '{"username": "****", "password": "****"}';
9.   JSONToSend := TStringStream.Create(JSONString, TEncoding.UTF8);
10.   try
11.     httpClient.HTTPOptions := httpClient.HTTPOptions + [hoNoProtocolErrorException,
12.                                                         hoKeepOrigProtocol,
13.                                                         hoWantProtocolErrorContent];
14.     httpClient.ProtocolVersion := pv1_1;
15.     httpClient.Request.CustomHeaders.Clear;
16.     httpClient.Request.Accept := rcAccept;
17.     httpClient.Request.BasicAuthentication:= false;
18.     httpClient.HandleRedirects := true;
19.  
20.     httpClient.Request.UserAgent :=' Mozilla/5.0 (compatible; Indy Library)';
21.     httpClient.Request.ContentType := 'application/json';
22.     httpClient.IOHandler := GetSSLHandler(httpClient);
23.  
24.     httpClient.ConnectTimeout := 5000;
25.     httpClient.ReadTimeout := 2000;
26.  
27.     ResponseStream := TResponseTextBuffer.Create;
28.     try
29.       Response := httpClient.POST(RemoteSource, JSONToSend);
30.  
31. //      httpClient.Get(remoteSource,ResponseStream);
32.       if assigned (FSSLHandler.SSLSocket) then
33.         writeln('Using SSL/TLS Version ' + FSSLHandler.SSLSocket.SSLProtocolVersionStr, ' with cipher ',FSSLHandler.SSLSocket.Cipher.Name);
34.       Result := httpClient.ResponseCode;
35.       if Result = 200 then
36.       begin
37.         writeln('Remote Source returned:');
38. //        writeln(ResponseStream.DataString);
39.         writeLn(Response);
40.       end
41.       else
42.         writeln(Format(sGetException,[Result,remoteSource]));
43.     finally
44.       ResponseStream.Free;
45.     end;
46.   finally
47.     httpClient.Free;
48.     JSONToSend.Free;
49.   end;
50. end;
51.  

Yesterday it worked perfectly and I had no issues, today I cannot get it to work no matter what I try

[TheMouseAUS]

I ended up using the LibCurl fpc wrapper and I have it all working.

[paweld]

@TheMouseAUS: Please place the code within [code ] tags: https://wiki.freepascal.org/Forum#Use_code_tags

[tonyw]

You probably need to look at your router's logs to work out what is actually going wrong. It looks like your router is rejecting the login and the dropping the connection. As you are not processing the response, you may be missing out on an error message.

You may also find useful example code for an https POST with a JSON content (response) in my oauth2client package (https://github.com/MWASoftware/oauth2client) - also available using OPM. In the example "oauth2client", function TOAuth2Client.Post is doing something similar what you are trying to do here - albeit with url-encoded login data.

Comparing the two, the way you are preparing the JSON encoded data may be the issue. FPC has very good JSON support and I would recommend use of the TJSONStreamer class as a way of encoding JSON data rather than a direct encoding.

Hi Thanks for the reply

These is the mods I made to get the response I needed

function TBasicHttpsClient.DoTest: integer;
var httpClient: TIdHttp;
    ResponseStream: TResponseTextBuffer;
    JSONToSend: TStringStream;
    JSONString, response: string;
begin
  httpClient := TIdHTTP.Create(nil);
  JSONString := '{"username": "****", "password": "****"}';
  JSONToSend := TStringStream.Create(JSONString, TEncoding.UTF8);
  try
    httpClient.HTTPOptions := httpClient.HTTPOptions + [hoNoProtocolErrorException,
                                                        hoKeepOrigProtocol,
                                                        hoWantProtocolErrorContent];
    httpClient.ProtocolVersion := pv1_1;
    httpClient.Request.CustomHeaders.Clear;
    httpClient.Request.Accept := rcAccept;
    httpClient.Request.BasicAuthentication:= false;
    httpClient.HandleRedirects := true;

    httpClient.Request.UserAgent :=' Mozilla/5.0 (compatible; Indy Library)';
    httpClient.Request.ContentType := 'application/json';
    httpClient.IOHandler := GetSSLHandler(httpClient);

    httpClient.ConnectTimeout := 5000;
    httpClient.ReadTimeout := 2000;

    ResponseStream := TResponseTextBuffer.Create;
    try
      Response := httpClient.POST(RemoteSource, JSONToSend);

//      httpClient.Get(remoteSource,ResponseStream);
      if assigned (FSSLHandler.SSLSocket) then
        writeln('Using SSL/TLS Version ' + FSSLHandler.SSLSocket.SSLProtocolVersionStr, ' with cipher ',FSSLHandler.SSLSocket.Cipher.Name);
      Result := httpClient.ResponseCode;
      if Result = 200 then
      begin
        writeln('Remote Source returned:');
//        writeln(ResponseStream.DataString);
        writeLn(Response);
      end
      else
        writeln(Format(sGetException,[Result,remoteSource]));
    finally
      ResponseStream.Free;
    end;
  finally
    httpClient.Free;
    JSONToSend.Free;
  end;
end;

Yesterday it worked perfectly and I had no issues, today I cannot get it to work no matter what I try