Dynamically making Indy use TLSv1.2


Question

GitHub has stopped supporting TLS v1.0 and v1.1 (https://githubengineering.com/crypto-deprecation-notice/), so my code no longer wants to download from it. I have checked and it seems I need to make Indy use TLS v1.2, as stated here: Using Indy 10 IdHTTP with TLS 1.2.

I have already updated the OpenSSL DLLs to the latest from http://indy.fulgan.com/SSL/, and Indy seems to load them fine, but I still get an error.

The error I get:

How can I make Indy use TLS v1.2 if I dynamically create Indy objects in a worker thread?

Current code:

constructor TDownload.Create(CreateSuspended: Boolean; aurl, afilename: string);
begin
  inherited Create(CreateSuspended);
  httpclient := TIdHTTP.Create(nil);
  httpclient.Request.UserAgent := 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36';
  httpclient.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(httpclient);
  httpclient.HandleRedirects := True;
  httpclient.OnWorkBegin := idhttp1WorkBegin;
  httpclient.OnWork := idhttp1Work;
  url := aurl;
  filename := afilename;
end;

Recommended answer

You need to enable the sslvTLSv1_2 flag in the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property (only sslvTLSv1 (TLS v1.0) is enabled by default), e.g.:

TIdSSLIOHandlerSocketOpenSSL(httpclient.IOHandler).SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

Also note that you might have to also update the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property to enable TLS v1.2 ciphers. Refer to the OpenSSL documentation for the actual syntax. By default, Indy uses 'AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH' if you don't specify your own CipherList value.

Edit: Indy no longer specifies a default cipher list. If the SSLOptions.CipherList property is empty, OpenSSL is now allowed to use whatever default cipher list it wants instead.
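
The SSLVersions setting applied to a client that is created dynamically, as in the question's worker thread. This is an added example, not code from the original answer or from Indy itself; it goes one step further than the line above by offering TLS v1.2 only. The unit name Tls12Download and the helpers CreateTls12Http and DownloadFile are hypothetical, and it assumes an Indy 10 build that defines sslvTLSv1_2 plus OpenSSL DLLs of version 1.0.1 or later.

```delphi
unit Tls12Download; // hypothetical unit name for this added example

interface

uses
  Classes, SysUtils, IdHTTP, IdSSLOpenSSL;

// Hypothetical helper: builds a TIdHTTP whose handler offers TLS v1.2 only.
function CreateTls12Http: TIdHTTP;
// Hypothetical helper: downloads AUrl into AFileName using its own client.
procedure DownloadFile(const AUrl, AFileName: string);

implementation

function CreateTls12Http: TIdHTTP;
var
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdHTTP.Create(nil);
  try
    // Owned by the TIdHTTP instance, so freeing Result frees the handler too.
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(Result);
    // Offer TLS v1.2 only; the legacy protocols are left out of the set.
    SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
    SSL.SSLOptions.Mode := sslmClient;
    Result.IOHandler := SSL;
    Result.HandleRedirects := True;
  except
    Result.Free;
    raise;
  end;
end;

procedure DownloadFile(const AUrl, AFileName: string);
var
  Http: TIdHTTP;
  Stream: TFileStream;
begin
  // Fail early with a clear message if the OpenSSL DLLs cannot be loaded.
  if not LoadOpenSSLLibrary then
    raise Exception.Create('OpenSSL DLLs could not be loaded');
  Http := CreateTls12Http; // one client per call, nothing shared across threads
  try
    Stream := TFileStream.Create(AFileName, fmCreate);
    try
      Http.Get(AUrl, Stream);
    finally
      Stream.Free;
    end;
  finally
    Http.Free;
  end;
end;

end.
```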
