Delphi Indy - 如何使用Indy 10获取SSL-TCP Client / Server链接的SSL证书 [英] Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10
问题描述
要开始,我只是写了基于Delphi / Indy TIdTCPServer / TIdTCPClient的Win32客户端和服务器交换字符串。 (从SourceForge发现的indy10clieservr演示文稿发行:svn://svn.code.sf.net/p/indy10clieservr/code/1_sample简单字符串交换)
我试过通过在服务器上添加TIdServerIOHandlerSSLOpenSSL组件以及在客户端上添加TIdSSLIOHandlerSocketOpenSSL来修改它们来加密通信,将它们分别附加到TIdTCPServer和TIdTCPClient。
我设置他们以下两个属性:
- SSLOptions.Method = sslvSSSv23
- SSLOptions.Mode = sslmServer / sslmClient(分别)
- SSLOptions.VerifyDepth = 2
而且我还添加了一个OnGetPassword事件处理程序,将Password参数设置为password两边。
(这个密码的作用是什么?对通信的隐私来说至关重要吗?如果通过分析/反向引用二进制文件找到它)?
Finaly,在服务器的OnConnect事件处理程序中,我将TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough属性设置为false。
但是,3 SSLOptions证书属性??
- CertFile
- KeyFile
- RootCertFile
如何在我的目标设备上生成和部署它们,以便运行我的SSL层客户端和服务器?
此外,如果我打算稍后部署我的服务器和/或客户端在IOS或Android手机上,是否有特别的事情要做设备。
我知道我对这个SSL主题的知识很少。对不起,如果我问一些小事。任何基本的文件解释所有这些棘手的东西给新手,将不胜感激。
正如我在回答您的 Embarcadero论坛上的相同问题,证书是可选的。它们用于允许对等体验证彼此的身份,而不是加密。证书有助于避免中间人攻击,允许客户端验证它是否连接到正在连接的正确的服务器,反之亦然。客户端有一个证书是不常见的,只有当制造专有系统时才允许授权的客户端进行连接。但服务器至少有证书是很常见的。证书可以受密码保护,因此如果您使用它们,则必须为您实际使用的证书提供正确的密码。证书的密码无法从证书本身检索,但是如果攻击者获得证书文件的访问权限,那么您可以处理更大的问题。
至于SSLv23这是一个通配符,允许在
客户端和服务器支持不同SSL / TLS版本的情况下进行动态版本协商。 SSLv23允许他们
找出并使用双方共同的最高版本。如果服务器
需要支持广泛的客户端,则在服务器端的
上使用SSLv23是有意义的。不是客户端那么多。既然你控制了
的客户端和服务器,你应该使用一个特定的版本,而不是更优选
TLSv1或更高版本。
I'm completely new to SSL and these ciphering stuff but I need to make communicate client and server Delphi XE6 apps running on mobile devices. The TCP communication has to be safely ciphered.
To start, I simply wrote the Delphi/Indy TIdTCPServer/TIdTCPClient based Win32 client and server exchanging strings. (Issued from the indy10clieservr demos found on SourceForge: svn://svn.code.sf.net/p/indy10clieservr/code/1_sample Simple String Exchange)
I tried to modify them to cipher the communication by adding a TIdServerIOHandlerSSLOpenSSL component on the Server, and a TIdSSLIOHandlerSocketOpenSSL on the Client, attaching them respectively to the TIdTCPServer and TIdTCPClient.
I set their following properties on both sides: - SSLOptions.Method = sslvSSSv23 - SSLOptions.Mode = sslmServer / sslmClient (respectively) - SSLOptions.VerifyDepth = 2
And I added an OnGetPassword Event handler setting the Password parameter to 'password' on both sides too. (What is the role of this password ? Is it critical for the privacy of the communication ? What if it is found by analysing/reverse enginering the binary file ?)
Finaly, in the server's OnConnect event handler I set the TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough property to false.
But what about the 3 SSLOptions certificate properties ?? - CertFile - KeyFile - RootCertFile
How to generate and deploy them on my target devices to make run my SSL layer on the client and server ?
Moreover, is there something special to do or to take into acount if I intend to deploy later my server and/or clients on IOS or Android mobile device.
I'm aware that I have few knowledge on this SSL topic. Sorry if I ask something trivial. Any basic documentation explaining all of this tricky stuff to a newbie would be greatly appreciated.
As I told you in my answer to your same question on the Embarcadero forums, certificates are optional. They are used to allow peers to validate each other's identities, not for encryption. Certificates help avoid man-in-the-middle attacks, by allowing a client to verify it is connected to the correct server it is expecting to be connected to, and vice versa. It is not common for a client to have a certificate, except maybe when making a proprietary system where only authorized clients are allowed to connect. But it is pretty common for servers to have certificates, at least. Certificates can be password-protected, so if you do use them, you have to provide the correct password for the certificate(s) that you are actually using. A certificate's password can't be retrieved from the certificate itself, but if an attacker gains access to your certificate files then you have bigger issues to deal with.
As for SSLv23, it is a wildcard that allows dynamic version negotiation in cases where client and server support different SSL/TLS versions. SSLv23 allows them to figure out and use the highest version common to both parties. If a server needs to support a wide range of clients, it makes sense to use SSLv23 on the server side. Not so much on the client side. Since you control both client and server, you should use use a specific version instead, preferrably TLSv1 or higher.
这篇关于Delphi Indy - 如何使用Indy 10获取SSL-TCP Client / Server链接的SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
