Using OpenSSL in Delphi webservice - available protocols and ciphers


Problem description

I'm a bit confused about using OpenSSL in my Delphi webservice in relation to the available ciphers for an HTTPS connection.

Setup:

  • My webservice runs on a client's server. OpenSSL is installed there. The webservice uses Indy (a TIdHTTPWebBrokerBridge) and the OpenSSL DLLs (with TIdServerIOHandlerSSLOpenSSL) to load the client's certificate
  • Our Android/iOS apps connect to this webservice over HTTPS
  • The client has configured a domain and IP that the app users can connect to and reach my webservice. If we test that domain using e.g. the SSLLabs server test we get an overview of the supported ciphers and protocols (SSLLabs even mimics handshakes from devices and browsers and shows what ciphers were negotiated).

Question: Is there anything my webservice (in combination with OpenSSL) has to do/can do to influence the available ciphers for the TLS handshake between app and webservice? Is there anything additional that needs to be set up with OpenSSL?

I thought the answer is 'no', i.e. that it is just the server setup that (in the handshake with the app through Android/iOS) determines which cipher to use from the available server ones. Is this a correct assumption? Or am I missing something?

(As a matter of fact, I am not actually interested in limiting or expanding the available ciphers, but the client insists that something "should be done" in/with the webservice/OpenSSL to have it communicate "safely" with the apps. The SSLLabs test shows that their domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so e.g. no Perfect Forward Secrecy. To me, that looks like something that needs to be fixed anyway.)

Note:

  • This SO question suggests I may have to do something, but it has no answers.

I posted an earlier somewhat related question, but that has no answers.

This SO post states that OpenSSL honors the client's cipher preference, not the server's, during the SSL handshake, which again suggests there are things I can do?

I had some doubts whether this question is in the proper place here (also because of Why we are not customer support), but since this may be relevant to more programmers I decided to put it on SO.

Recommended answer

You can specify available ciphers via TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL/TLS versions via TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).

If you want Perfect Forward Secrecy, you have to create DHParam keys using openssl.exe (fill TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile with the resulting file name). If you want not only DHE but also ECDHE ciphers, you need to call some additional OpenSSL APIs; see Support for Perfect Forward Secrecy in SSL with Indy 10 for an example.
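The settings the answer names (SSLVersions, CipherList, DHParamsFile), put together in one Indy 10 server handler. This is an added illustration, not code from the answerer or from Indy; the unit name, the procedure name, the certificate paths and the dhparams file are placeholders, and it configures DHE only, since ECDHE needs the extra OpenSSL calls the answer refers to.

```delphi
unit ServerTls;

interface

uses
  IdSSLOpenSSL, IdHTTPWebBrokerBridge;

// Attaches a hardened OpenSSL IOHandler to the web broker bridge server.
procedure ConfigureServerTls(AServer: TIdHTTPWebBrokerBridge);

implementation

procedure ConfigureServerTls(AServer: TIdHTTPWebBrokerBridge);
var
  LIOHandler: TIdServerIOHandlerSSLOpenSSL;
begin
  LIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(AServer);
  with LIOHandler.SSLOptions do
  begin
    Mode := sslmServer;
    // Certificate chain and private key supplied by the client (placeholder paths)
    CertFile     := 'C:\certs\server.crt';
    KeyFile      := 'C:\certs\server.key';
    RootCertFile := 'C:\certs\ca-chain.crt';
    // Offer only TLS 1.1 and 1.2; the SSLLabs report showed TLS 1.0 being negotiated
    SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];
    // DHE-RSA suites give forward secrecy with DHParamsFile alone; the trailing
    // '!' entries exclude anonymous, null, RC4, MD5 and export-grade suites.
    CipherList :=
      'DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:' +
      'DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:' +
      '!aNULL:!eNULL:!RC4:!MD5:!EXPORT';
    // Generated beforehand with: openssl dhparam -out dhparams.pem 2048
    DHParamsFile := 'C:\certs\dhparams.pem';
    // The server does not request client certificates from the apps
    VerifyMode := [];
  end;
  AServer.IOHandler := LIOHandler;
end;

end.
```

After deploying, re-run the SSLLabs test against the domain to confirm that TLS 1.0 and the RSA-key-exchange-only suites are no longer offered.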
