We have a web service that also supports HTTPS connections:
```delphi
// TIdHTTPWebBrokerBridge = class(TIdCustomHTTPServer), see IdHTTPWebBrokerBridge.pas
FWebBrokerBridge := TIdHTTPWebBrokerBridge.Create(Self);
LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FWebBrokerBridge);
LIOHandleSSL.SSLOptions.CertFile := FHTTPSCertificate;
LIOHandleSSL.SSLOptions.RootCertFile := FHTTPSRootCertificate;
LIOHandleSSL.SSLOptions.KeyFile := FHTTPSPrivateKey;
LIOHandleSSL.OnGetPassword := HTTPSIOHandlerSSLOpenSSLGetPassword;
FWebBrokerBridge.IOHandler := LIOHandleSSL;
```
As the code shows, we have OpenSSL (version 1.02d) installed on our dev machines.
One of our clients launches our web service and also uses OpenSSL (we assume the same version). Now they are going to change their firewall and start using certificates using the following ciphers:
```
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
```
Their question (and therefore mine) is this: will / can the web service have a problem with this?
I checked which OpenSSL ciphers are supported using the `openssl ciphers -v` (verbose) operator. This gives me a long list with their cipher names.
Their OpenSSL ciphers page lists the correspondence between OpenSSL names and package names from the respective specifications.
(Short note: do not go there with Firefox; it complains that they are using an old version of TLS.)
They translate:
```
TLS_RSA_WITH_AES_128_CBC_SHA    -> AES128-SHA     (from the 'AES ciphersuites from RFC3268, extending TLS v1.0')
TLS_RSA_WITH_AES_256_CBC_SHA    -> AES256-SHA     (idem)
TLS_RSA_WITH_AES_128_CBC_SHA256 -> AES128-SHA256  (from the 'TLS v1.2 cipher suites')
TLS_RSA_WITH_AES_256_CBC_SHA256 -> AES256-SHA256  (idem)
```
What seems to be applicable here is their remark: "It should be noted that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases RSA authentication is used."
These translated names are in the list I created:
```
...
AES128-SHA     SSLv3    Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
...
AES256-SHA     SSLv3    Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
...
AES128-SHA256  TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
...
AES256-SHA256  TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
...
```
Is the following conclusion correct?
The OpenSSL version supports the ciphers that they will use, and this is not relevant to my Delphi program. No need to recompile. The web service will work correctly.
Note: I had some doubts as to whether this question is in the right place here (also because of "Why we are not customer support"), but since this may matter to more programmers, I decided to put it on SO.
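The check described in the question, automated as an added example (not code from the question or from Indy/OpenSSL): it maps the client's RFC/IANA suite names to OpenSSL names for the RSA-key-exchange AES-CBC family, parses `openssl ciphers -v` output, and reports whether each suite is present together with the properties a reviewer would flag (RSA key exchange means no forward secrecy; SHA1 MAC). The cipher list is a constructed sample in the format shown above; on a real machine, feed it the actual output of `openssl ciphers -v`.

```python
import re

# Constructed sample of `openssl ciphers -v` output (same column layout as in the question).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA     SSLv3    Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA     SSLv3    Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA256  TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA256  TLSv1.2  Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA256
"""

# Only the TLS_RSA_WITH_AES_*_CBC_SHA* family is mapped here; OpenSSL drops the
# "RSA" part of the name when both key exchange and authentication are RSA.
IANA_RE = re.compile(r"^TLS_RSA_WITH_AES_(128|256)_CBC_(SHA|SHA256)$")

def iana_to_openssl(name):
    """TLS_RSA_WITH_AES_128_CBC_SHA256 -> AES128-SHA256 (raises on other families)."""
    m = IANA_RE.match(name)
    if not m:
        raise ValueError("no mapping for suite name: " + name)
    return "AES%s-%s" % (m.group(1), m.group(2))

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {openssl_name: {"proto", "Kx", "Au", "Enc", "Mac"}}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:          # skip blank or malformed lines
            continue
        attrs = {"proto": parts[1]}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            attrs[key] = value
        table[parts[0]] = attrs
    return table

def check_required(iana_names, ciphers_v_text):
    """Return {iana_name: (supported, [warnings])} for each required suite."""
    table = parse_ciphers_v(ciphers_v_text)
    result = {}
    for name in iana_names:
        attrs = table.get(iana_to_openssl(name))
        if attrs is None:
            result[name] = (False, ["not in this OpenSSL build's cipher list"])
            continue
        warnings = []
        if attrs.get("Kx") == "RSA":
            warnings.append("RSA key exchange: no forward secrecy")
        if attrs.get("Mac") == "SHA1":
            warnings.append("HMAC-SHA1 record MAC")
        result[name] = (True, warnings)
    return result
```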