Using OpenSSL in Delphi Web Service - Available Protocols and Ciphers

I am a bit confused about using OpenSSL in my Delphi web service regarding the available ciphers for an HTTPS connection.

Setup:

  • My web service runs on a client server. OpenSSL is installed there. The web service uses Indy (TIdHTTPWebBrokerBridge) and the OpenSSL DLL (with TIdServerIOHandlerSSLOpenSSL) to download the client certificate.
  • Our Android / iOS apps connect to this web service via HTTPS.
  • The client set up a domain and an IP address to which users of the application can connect and access my web service. If we check this domain using, for example, the SSLLabs server test, we get an overview of the supported ciphers and protocols (SSLLabs even simulates a handshake from devices and browsers and shows which ciphers were negotiated).

Question: Is there anything that my web service (in combination with OpenSSL) should / can do to influence the available ciphers for establishing TLS communication between the application and the web service? Is there anything extra that needs to be configured using OpenSSL?

I thought the answer is no, i.e. the server setup (in a handshake with the Android / iOS application) determines which cipher to use from the ones the server makes available. Is this a correct guess? Or am I missing something?
(Actually, I’m not interested in limiting or expanding the available ciphers, but the client insists that the web service / OpenSSL needs to do something so that it communicates “securely” with the applications. The SSLLabs test shows that the domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so, for example, there is no Perfect Forward Secrecy. To me, this seems to need fixing anyway.)

Notes:

  • This SO question suggests that I might have to do something, but it has no answers.

  • I posted a somewhat related question earlier, but it has no answers.

  • This SO post claims that OpenSSL respects the preference for client encryption rather than the server when establishing SSL, which again suggests that there are things I can do?

  • I had some doubts that this question is in the right place (also because of Why we are not customer support), but since this may be relevant for more programmers, I decided to put it on SO.

1 answer

You can specify the available ciphers through TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL / TLS versions through TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).

If you want Perfect Forward Secrecy, you must create DH parameters using openssl.exe (fill in TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile with the name of the resulting file). If you want not only DHE but also ECDHE ciphers, you need to call some additional OpenSSL API; see Support for perfect forwarding to SSL using Indy 10 for an example.

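As an added example (not code from the question, the answer, or the Indy project), this is how the three SSLOptions properties named in the answer would be set on the Indy server IOHandler; it assumes Indy 10.6 or later with OpenSSL 1.0.x DLLs, and the file names and cipher string below are placeholders.

```delphi
uses
  IdHTTPWebBrokerBridge, IdSSLOpenSSL;

// Server-side TLS settings for the Indy/OpenSSL stack. All constants are
// assumed placeholder values for illustration, not values from the question.
const
  CERT_FILE    = 'server-cert.pem';   // assumed: server certificate (PEM)
  KEY_FILE     = 'server-key.pem';    // assumed: matching private key (PEM)
  // assumed: created beforehand with
  //   openssl dhparam -out dhparam2048.pem 2048
  DHPARAM_FILE = 'dhparam2048.pem';
  // OpenSSL cipher-list syntax: prefer ECDHE/DHE suites (forward secrecy),
  // exclude plain RSA key exchange (kRSA), NULL ciphers, RC4 and MD5.
  CIPHER_LIST  = 'ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:' +
                 '!aNULL:!eNULL:!RC4:!MD5:!kRSA';

// Attaches a hardened SSL IOHandler to the WebBroker bridge server.
procedure ConfigureServerTLS(AServer: TIdHTTPWebBrokerBridge);
var
  LIOHandler: TIdServerIOHandlerSSLOpenSSL;
begin
  LIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(AServer);
  LIOHandler.SSLOptions.Mode := sslmServer;
  // Only offer TLS 1.2; SSLv3, TLS 1.0 and 1.1 are no longer negotiated.
  LIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  LIOHandler.SSLOptions.CertFile := CERT_FILE;
  LIOHandler.SSLOptions.KeyFile := KEY_FILE;
  // Restrict the suites the server will accept, in server preference order.
  LIOHandler.SSLOptions.CipherList := CIPHER_LIST;
  // Without DH parameters OpenSSL cannot offer any DHE suite at all.
  LIOHandler.SSLOptions.DHParamsFile := DHPARAM_FILE;
  AServer.IOHandler := LIOHandler;
end;
```

ECDHE suites still need the extra OpenSSL call the answer refers to (with OpenSSL 1.0.2 that is SSL_CTX_set_ecdh_auto on the context; OpenSSL 1.1.0 and later enable it by default), which this block does not show. After deploying, re-run the SSLLabs test to confirm that TLS 1.0 and the RSA-key-exchange suites are gone.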

Source: https://habr.com/ru/post/1244816/
