Delphi with Indy10: How to auto negotiate highest TLS level available?

Question

Our understanding is that setting:

SSL Version: sslvSSLv23

Will cause the highest avail TLS version to be used.

However, looking at the SSL trace, this does not appear to be happening.

Observe these calls to the same server:

SSL Version: sslvTLSv1_2 -- I get a TLS 1.2 connection

Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256; description = AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256; bits = 128; version = TLSv1/SSLv3;

Hitting the same server, but set to: SSL Version: sslvSSLv23 I would expect a TLS 1.2 connection. Well, actually I would expect the same connection as above. But observe, I end up with TLS 1.0:

Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1; bits = 128; version = TLSv1/SSLv3;

What is the missing, negotiate highest, magic?

Answer

You need to stop using the SSLOption.Method property if you are still using it. Use the SSLOption.SSLVersions property instead. That will allow you to enable multiple SSL/TLS versions at a time. sslvSSLv23 will be used internally to handle the negotiation, but it will report the highest SSL/TLS version enabled in SSLVersions to the server. If you are using a version of Indy 10 that supports TLS 1.2, and a version of the OpenSSL DLLs that support TLS 1.2, then enabling sslvTLSv1_2 in the SSLVersions property should negotiate TLS 1.2 if the server also supports TLS 1.2. Keep in mind that if the DLLs DO NOT support TLS 1.1 or 1.2, Indy will silently fall back to TLS 1.0 even when you use sslvTLSv1_1 and/or sslvTLSv1_2.
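The configuration the answer describes, as an added example that is not the asker's or the answerer's code: a console program that leaves SSLOptions.Method alone, enables TLS 1.0 through 1.2 via SSLOptions.SSLVersions, records the version OpenSSL actually negotiated through the OnStatusInfoEx event, and refuses to run when the loaded DLLs cannot do TLS 1.2 so the silent fallback to TLS 1.0 cannot pass unnoticed. The host is a placeholder; SSL_get_version and IsOpenSSL_TLSv1_2_Available are assumed to be the OpenSSL import and availability helper exposed by IdSSLOpenSSLHeaders in this Indy 10 build, and OpenSSLVersion the IdSSLOpenSSL helper of that name; check your own Indy sources if the names differ.

```delphi
program TlsProbe;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders, IdCTypes;

type
  // Small probe object so the Indy event handler has an owner.
  TTlsProbe = class
  private
    FNegotiated: string;
    procedure StatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
      const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
  public
    // Returns the protocol version OpenSSL negotiated, e.g. 'TLSv1.2'.
    function Fetch(const AUrl: string): string;
  end;

procedure TTlsProbe.StatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
  // AMsg carries the same text the question logs as 'SSL status: "..."'.
  // SSL_get_version is assumed to be the OpenSSL export imported by
  // IdSSLOpenSSLHeaders; it reports the version on the live SSL object.
  if AsslSocket <> nil then
    FNegotiated := string(SSL_get_version(AsslSocket));
end;

function TTlsProbe.Fetch(const AUrl: string): string;
var
  Http: TIdHTTP;
  IO: TIdSSLIOHandlerSocketOpenSSL;
begin
  FNegotiated := '';
  Http := TIdHTTP.Create(nil);
  try
    IO := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
    IO.SSLOptions.Mode := sslmClient;
    // Do NOT set SSLOptions.Method. Listing every acceptable version here
    // makes Indy drive the handshake with SSLv23 internally while offering
    // the highest enabled version (TLS 1.2) to the server.
    IO.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    IO.OnStatusInfoEx := StatusInfoEx;
    Http.IOHandler := IO;
    Http.Get(AUrl);   // the response body is not needed for the probe
    Result := FNegotiated;
  finally
    Http.Free;        // also frees the owned IO handler
  end;
end;

// Guard against the silent fallback the answer warns about: if the loaded
// OpenSSL DLLs have no TLS 1.2 method, Indy quietly negotiates TLS 1.0.
// IsOpenSSL_TLSv1_2_Available is assumed to exist in IdSSLOpenSSLHeaders.
procedure CheckDllSupportsTls12;
begin
  if not IsOpenSSL_TLSv1_2_Available then
    raise Exception.CreateFmt('Loaded OpenSSL (%s) has no TLS 1.2 support; ' +
      'Indy would fall back to TLS 1.0', [OpenSSLVersion]);
end;

var
  Probe: TTlsProbe;
begin
  Probe := TTlsProbe.Create;
  try
    CheckDllSupportsTls12;
    // Placeholder host; replace with the server under test.
    Writeln('Negotiated: ', Probe.Fetch('https://example.com/'));
  finally
    Probe.Free;
  end;
end.
```

Run it once against the server from the question: with the SSLVersions set above the printed value should be TLSv1.2 when the server offers it, and the DLL check turns the otherwise invisible TLS 1.0 fallback into a hard failure at startup.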
