How to enable Perfect Forward Secrecy in Indy 10?

Views: 83

Problem description


I'm using OpenSSL 1.0.2o with Indy 10.6.2 in Delphi 2010.

This is what I have done so far:

procedure TServerForm.FormCreate(Sender: TObject);
var
  LEcdh: PEC_KEY;
  FSslCtx: PSSL_CTX;
  SSL: PSSL;
  FSSLContext: TIdSSLContext;
begin
  //mServer.Active := True;
  FSingle := TCriticalSection.Create;
  appdir := ExtractFilePath(ParamStr(0));
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
    //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
    'ECDHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES256-GCM-SHA384:' +
    //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
    //'DHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES128-SHA256:' +
    //'DHE-RSA-AES128-SHA256:' +
    //'ECDHE-RSA-AES256-SHA384:' +
    //'DHE-RSA-AES256-SHA384:' +
    //'ECDHE-RSA-AES256-SHA256:' +
    //'DHE-RSA-AES256-SHA256:' +
    'HIGH:' +
    '!aNULL:' +
    '!eNULL:' +
    '!EXPORT:' +
    '!DES:' +
    '!RC4:' +
    '!MD5:' +
    '!PSK:' +
    '!SRP:' +
    '!CAMELLIA';

  MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  mServer.Active := True;
  //FSSLContext := TIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
end;

This does not work.

Does anyone have good suggestions?

Solution

First off, make sure that you update your version of Indy to the latest SVN snapshot. After the previous discussion I had with Roberto Frances on the Embarcadero forums, I added SSL_CTRL_SET_ECDH_AUTO and SSL_CTX_set_ecdh_auto() to Indy's IdSSLOpenSSLHeaders unit.

So, the only piece missing from the code in that other discussion is the definition of TMyIdSSLContext, which I assume is simply this:

type
  TMyIdSSLContext = class(TIdSSLContext)
  end;

Since the TIdSSLContext.fContext member is declared as protected, the unit that declares TMyIdSSLContext gains access to TIdSSLContext's protected members. Thus, your code can then look like this:

type
  TMyIdSSLContext = class(TIdSSLContext)
  end;

procedure TServerForm.FormCreate(Sender: TObject);
var
  FSSLContext: TMyIdSSLContext;
begin
  FSingle := TCriticalSection.Create;
  appdir := ExtractFilePath(ParamStr(0));
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.RootCertFile := appdir + 'EccCA.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.KeyFile := appdir + 'EccSite.key';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CertFile := appdir + 'EccSite.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.DHParamsFile := appdir + 'dhparam.pem';
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 
    //'ECDHE-ECDSA-AES128-GCM-SHA256:' +
    'ECDHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES256-GCM-SHA384:' +
    //'ECDHE-ECDSA-AES256-GCM-SHA384:' +
    //'DHE-RSA-AES128-GCM-SHA256:' +
    //'ECDHE-RSA-AES128-SHA256:' +
    //'DHE-RSA-AES128-SHA256:' +
    //'ECDHE-RSA-AES256-SHA384:' +
    //'DHE-RSA-AES256-SHA384:' +
    //'ECDHE-RSA-AES256-SHA256:' +
    //'DHE-RSA-AES256-SHA256:' +
    'HIGH:' +
    '!aNULL:' +
    '!eNULL:' +
    '!EXPORT:' +
    '!DES:' +
    '!RC4:' +
    '!MD5:' +
    '!PSK:' +
    '!SRP:' +
    '!CAMELLIA';

  MServer.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  mServer.Active := True;

  FSSLContext := TMyIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
  SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);
end;
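The cipher string used in both the question and the answer starts with one ECDHE suite and then falls back to the HIGH alias. Whether a given connection actually gets forward secrecy therefore depends on which suites that alias pulls in and on what the client offers. The following Python script is an added example, not code from the question, from Remy's answer or from Indy: it audits an OpenSSL cipher-list string, classifies each explicitly named suite by the key exchange its OpenSSL name encodes, flags aliases that still admit static RSA key transport, and, when Python's `ssl` module is available, resolves the string through the linked OpenSSL so you can see the real negotiation order. `QUESTION_CIPHER_LIST` is constructed from the page's string with the commented-out suites removed; the function names and the name-prefix classification are my own heuristic, and `SSLContext.set_ciphers()` / `get_ciphers()` are the standard-library calls.

```python
"""Forward-secrecy audit of an OpenSSL cipher-list string (added example).

Classifies each explicitly named suite by the key exchange encoded in its
OpenSSL name, flags aliases such as HIGH that still admit static RSA key
transport, and optionally resolves the string through the OpenSSL that
Python's ssl module links against.
"""
try:
    import ssl
except ImportError:          # ssl module absent: skip the OpenSSL expansion
    ssl = None

# Constructed sample: the CipherList from the question with the commented-out
# suites removed, i.e. the string OpenSSL actually receives.
QUESTION_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:"
    "!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA"
)

# Cipher-string aliases that expand only to ephemeral (forward-secret) suites.
EPHEMERAL_ONLY_ALIASES = {"ECDHE", "EECDH", "kECDHE", "kEECDH",
                          "DHE", "EDH", "kDHE", "kEDH"}


def key_exchange(suite):
    """Key exchange implied by an OpenSSL suite name (name-prefix heuristic)."""
    if suite.startswith("TLS_"):                      # TLS 1.3: always (EC)DHE
        return "ephemeral"
    if suite.startswith(("ECDHE-", "DHE-", "EDH-")):  # ephemeral (EC)DH
        return "ephemeral"
    if suite.startswith(("AECDH-", "ADH-")):          # ephemeral but unauthenticated
        return "anonymous"
    if suite.startswith(("PSK-", "RSA-PSK-", "SRP-")):
        return "pre-shared"
    return "static"   # RSA key transport or fixed (EC)DH, e.g. AES256-GCM-SHA384


def is_suite_name(token):
    """Individual suites contain '-' or start with TLS_; aliases (HIGH, kRSA, aNULL) do not."""
    return "-" in token or token.startswith("TLS_")


def audit_cipher_list(cipher_list):
    """Split an OpenSSL cipher string and sort its tokens into a report dict."""
    report = {"order": [], "forward_secret": [], "no_forward_secrecy": [],
              "aliases": [], "excluded": [], "directives": []}
    for raw in cipher_list.replace(",", ":").replace(" ", ":").split(":"):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("@"):                     # e.g. @STRENGTH
            report["directives"].append(token)
        elif token[0] in "!-":                        # removed from the list
            report["excluded"].append(token[1:])
        elif not is_suite_name(token.lstrip("+")):
            report["aliases"].append(token.lstrip("+"))
        else:
            suite = token.lstrip("+")                 # '+' only moves a suite to the end
            report["order"].append(suite)
            bucket = "forward_secret" if key_exchange(suite) == "ephemeral" else "no_forward_secrecy"
            report[bucket].append(suite)
    return report


def allows_static_key_exchange(cipher_list):
    """True if a client that does not offer (EC)DHE can still negotiate a
    static-RSA suite, i.e. a session without forward secrecy.  Approximation:
    fixed (EC)DH certificates are ignored, and any broad alias (HIGH, ALL,
    DEFAULT, AES, ...) is assumed to include kRSA suites unless !kRSA is set."""
    report = audit_cipher_list(cipher_list)
    if report["no_forward_secrecy"]:
        return True
    if "kRSA" in report["excluded"]:
        return False
    return any(alias not in EPHEMERAL_ONLY_ALIASES for alias in report["aliases"])


def require_forward_secrecy(cipher_list):
    """Return the string with static RSA key exchange excluded (idempotent)."""
    if "kRSA" in audit_cipher_list(cipher_list)["excluded"]:
        return cipher_list
    return cipher_list.rstrip(":") + ":!kRSA"


def expand_with_openssl(cipher_list):
    """Resolve the string through the linked OpenSSL; returns (name, kea) pairs
    in negotiation preference order, or [] when ssl is unavailable."""
    if ssl is None:
        return []
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.set_ciphers(cipher_list)
        return [(c["name"], c["kea"]) for c in ctx.get_ciphers()]
    except (ssl.SSLError, ValueError, AttributeError, KeyError):
        return []


if __name__ == "__main__":
    for label, cl in (("question", QUESTION_CIPHER_LIST),
                      ("hardened", require_forward_secrecy(QUESTION_CIPHER_LIST))):
        r = audit_cipher_list(cl)
        print(f"[{label}] explicit order: {r['order']}  aliases: {r['aliases']}")
        print(f"[{label}] can fall back to static key exchange: {allows_static_key_exchange(cl)}")
        for name, kea in expand_with_openssl(cl)[:6]:
            print(f"    {name:32s} Kx={kea}")
```

Two things the audit makes visible. First, HIGH expands to static-RSA suites such as AES256-GCM-SHA384, so a client that does not offer any ECDHE suite still completes the handshake, just without forward secrecy; appending `!kRSA` is the minimal change that turns that fallback into a handshake failure instead. Second, listing the ECDHE suite first only fixes the outcome when the server enforces its own preference order (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE); otherwise the client's order decides among the suites both sides share. Neither replaces the SSL_CTX_set_ecdh_auto() call from the answer, which is what allows the ECDHE suites to be selected at all on OpenSSL 1.0.2.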

