OpenSSL changes

A user reported a problem where Indy was not able to load OpenSSL on Ubuntu Server 15.04.  The reason turned out to be that Ubuntu's build of OpenSSL 1.x does not export the following three functions, which Indy's IdSSLOpenSSLHeaders.Load() function treated as "critical", so loading failed whenever they were absent:

SSLv2_method
SSLv2_server_method
SSLv2_client_method

SSLv2 is insecure and should no longer be used by anyone.  It is now common for OpenSSL distributions to be built without SSLv2 support (the no-ssl2 build option), so the SSLv2 functions are simply not exported and applications cannot select that protocol version even by mistake.

In light of recent attacks against SSLv3, such as POODLE, many server administrators have been disabling SSLv3 in their client/server communications, so it may not be long before OpenSSL distributions stop exporting the SSLv3 methods as well.  To prepare for that, the following OpenSSL functions are no longer marked as "critical" when Indy loads OpenSSL at runtime; if any of them is missing, Load() now succeeds and only the corresponding protocol version is unavailable:

SSLv3_method
SSLv3_server_method
SSLv3_client_method
SSLv23_method
SSLv23_server_method
SSLv23_client_method
TLSv1_method
TLSv1_server_method
TLSv1_client_method

(the corresponding TLSv1_1, TLSv1_2, and DTLSv1 functions were already marked as non-critical)

The following public functions have been added to the IdSSLOpenSSLHeaders unit:

function IsOpenSSL_SSLv2_Available : Boolean;
function IsOpenSSL_SSLv3_Available : Boolean;
function IsOpenSSL_SSLv23_Available : Boolean;
function IsOpenSSL_TLSv1_1_Available : Boolean;
function IsOpenSSL_TLSv1_2_Available : Boolean;
function IsOpenSSL_DTLSv1_Available : Boolean;

When Indy prepares a secure TCP connection, TIdSSLContext.SetSSLMethod() now raises an EIdOSSLGetMethodError exception if a selected protocol version (as specified by the SSLOptions.Method and SSLOptions.SSLVersions properties of TIdSSLIOHandlerSocketOpenSSL) is not available in the loaded library.  For example, if the protocol version is set to sslvSSLv2 by itself but SSLv2_client_method() is not exported, EIdOSSLGetMethodError is raised.  If sslvSSLv2 is not enabled, on the other hand, Indy now ignores the missing SSLv2 exports entirely and loads without failure.  The same logic applies to sslvSSLv3, sslvSSLv23, sslvTLSv1, sslvTLSv1_1 and sslvTLSv1_2.  If more than one protocol version is enabled in SSLOptions.SSLVersions, Indy uses the SSLv23 method, which is OpenSSL's version-flexible method (it negotiates the highest version both sides support; the name does not mean SSLv2 or SSLv3 specifically), so in that case it is the SSLv23_*_method() exports that must be present.

In addition, the public IdSSLOpenSSL.OpenSSLVersion() function has been updated so that it no longer returns a blank string when Indy fails to load OpenSSL, as long as the exported SSLeay_version() function could at least be resolved.  This makes it possible to report which library version was found even when a later symbol lookup caused the load to fail.
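The availability functions, the EIdOSSLGetMethodError behaviour and the OpenSSLVersion() change described above, put together as an added example.  This is not code from the Indy project or from the original post; the host name and port are placeholders, and the example assumes an Indy 10 installation where TIdSSLVersions, LoadOpenSSLLibrary and WhichFailedToLoad are available as they are in current Indy 10 releases.  It never enables SSLv2 or SSLv3, and it only adds TLS 1.1 and 1.2 to the version set when the loaded libssl actually exports their methods:

```delphi
program IndyTlsProbe;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  IdTCPClient,
  IdSSLOpenSSL,
  IdSSLOpenSSLHeaders;

// Build a version set that contains only TLS 1.x, and only those TLS 1.x
// versions whose *_method() exports the loaded library actually has.
// The post lists no IsOpenSSL_TLSv1_Available function, so plain TLSv1 is
// assumed to be present (assumption, not stated on the page).
function SupportedTlsVersions: TIdSSLVersions;
begin
  Result := [sslvTLSv1];
  if IsOpenSSL_TLSv1_1_Available then
    Include(Result, sslvTLSv1_1);
  if IsOpenSSL_TLSv1_2_Available then
    Include(Result, sslvTLSv1_2);
end;

var
  Client: TIdTCPClient;
  Handler: TIdSSLIOHandlerSocketOpenSSL;
begin
  // Load the library up front. If a critical symbol is missing,
  // WhichFailedToLoad names it; OpenSSLVersion still reports the library
  // version as long as SSLeay_version() itself could be resolved.
  if not LoadOpenSSLLibrary then
  begin
    Writeln('OpenSSL load failed, missing: ', WhichFailedToLoad);
    Writeln('Library version string: ', OpenSSLVersion);
    Halt(1);
  end;
  Writeln('Loaded ', OpenSSLVersion);
  Writeln('SSLv2 methods exported: ', IsOpenSSL_SSLv2_Available);
  Writeln('SSLv3 methods exported: ', IsOpenSSL_SSLv3_Available);

  Client := TIdTCPClient.Create(nil);
  try
    Handler := TIdSSLIOHandlerSocketOpenSSL.Create(Client);
    Handler.SSLOptions.Mode := sslmClient;
    // With more than one version enabled Indy selects the SSLv23 method
    // (version-flexible negotiation); SSLv2/SSLv3 are never in this set.
    Handler.SSLOptions.SSLVersions := SupportedTlsVersions;
    Handler.PassThrough := False;     // perform the TLS handshake on Connect
    Client.IOHandler := Handler;
    Client.Host := 'example.com';     // placeholder, not from the original page
    Client.Port := 443;
    try
      Client.Connect;
      Writeln('Negotiated cipher: ', Handler.SSLSocket.Cipher.Name,
              ' (', Handler.SSLSocket.Cipher.Bits, ' bits)');
      Client.Disconnect;
    except
      // Raised by TIdSSLContext.SetSSLMethod when the method for the
      // selected version(s) is not exported by the loaded libssl.
      on E: EIdOSSLGetMethodError do
        Writeln('Requested protocol method unavailable: ', E.Message);
    end;
  finally
    Client.Free;
  end;
end.
```

Calling LoadOpenSSLLibrary before creating the IO handler is what makes the IsOpenSSL_*_Available checks meaningful: they report on the library that was actually loaded, not on whatever Indy would load lazily later.  Catching EIdOSSLGetMethodError separately from the generic socket exceptions lets the program distinguish "this OpenSSL build lacks the protocol I asked for" from an ordinary connection failure.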


Copyright © 1993 - 2008 Chad Z. Hower (Kudzu) and the Indy Pit Crew.