I'm a bit confused about using OpenSSL in my Delphi webservice in relation to the available ciphers for a HTTPS connection.

Setup:

  • My webservice runs on a client's server. OpenSSL is installed there. The webservice uses Indy (a TIdHTTPWebBrokerBridge) and the OpenSSL DLLs (with TIdServerIOHandlerSSLOpenSSL) to load the client's certificate
  • Our Android/iOS apps connect to this webservice over HTTPS
  • The client has configured a domain and IP that the app users can connect to and reach my webservice. If we test that domain using e.g. the SSLLabs server test we get an overview of the supported ciphers and protocols (SSLLabs even mimics handshakes from devices and browsers and shows what ciphers were negotiated).

Question: Is there anything my webservice (in combination with OpenSSL) has to do/can do to influence the available ciphers for the TLS handshake between app and webservice? Is there anything additional that needs to be set up with OpenSSL?

I thought the answer is 'no', i.e. that it is just the server setup that (in the handshake with the app through Android/iOS) determines which cipher to use from the available server ones. Is this a correct assumption? Or am I missing something?
(As a matter of fact, I am not actually interested in limiting or expanding the available ciphers, but the client insists that something "should be done" in/with the webservice/OpenSSL to have it communicate "safely" with the apps. The SSLLabs test shows that their domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so e.g. no Perfect Forward Secrecy. To me, that looks like something that needs to be fixed anyway).

Notes:

  • This SO question suggests I may have to do something, but it has no answers.

  • I posted an earlier somewhat related question, but that has no answers.

  • This SO post states OpenSSL honors the client's cipher preference, not the server's, during the SSL handshake, which again suggests there are things I can do?

  • I had some doubts whether this question is in the proper place here (also because Why we are not customer support), but since this may be relevant to more programmers I decided to put it on SO.

Jan Doggen

1 Answer

You can specify available ciphers via TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL/TLS versions via TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).

If you want Perfect Forward Secrecy, you have to create DHParam keys using openssl.exe (fill TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile with the resulting file name). If you want not only DHE but also ECDHE ciphers, you need to call some additional OpenSSL API; see Support for Perfect Forward Secrecy in SSL with Indy 10 for example.

Michael Izvekov
  • Thanks for your answer, Michael. Now I have a place to start. I may edit your answer later with actual code examples. – Jan Doggen Mar 24 '16 at 09:12
  • There is no such things as a `TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile` in my current version Delphi XE2 with Indy 10.5.8.0. I tried something like the protected hack in that Embarcadero post to access the Context, but that has no DH parameter properties either. – Jan Doggen Apr 04 '16 at 13:40
  • I use Delphi XE6 with Indy 10.6.0.5122. You can download the newest version of Indy on www.indyproject.org and find out how exactly DHParamsFile is used. Actually, the content of this file is loaded into memory and is pushed into the Context (OpenSSL API functions: BIO_new_mem_buf, PEM_read_bio_DHparams, SSL_CTX_set_tmp_dh). – Michael Izvekov Apr 04 '16 at 14:39
  • Yes, we are going to Seattle 10 in a few weeks. I have just parked my current development branch and postponed further updates till then. – Jan Doggen Apr 04 '16 at 15:04
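The following is an added example, not code from the question, the answer or the Indy project, showing what the server-side configuration described in the answer looks like in one place: the SSLOptions properties named above (SSLVersions, CipherList, DHParamsFile) plus the certificate properties, applied to the TIdServerIOHandlerSSLOpenSSL behind a TIdHTTPWebBrokerBridge. It assumes Indy 10.6 or newer (the comments note that DHParamsFile is absent in 10.5.8) and OpenSSL 1.0.x DLLs; the certificate and DH parameter file paths and the procedure name are placeholders.

```delphi
// Added example (not from the question/answer): configure the Indy server
// IOHandler so that only TLS 1.2 is offered and only forward-secrecy
// (ECDHE/DHE) cipher suites are enabled. Assumes Indy 10.6+ and OpenSSL 1.0.x.
uses
  IdHTTPWebBrokerBridge, IdSSLOpenSSL;

procedure ConfigureTLS(AServer: TIdHTTPWebBrokerBridge);  // hypothetical name
var
  IOHandler: TIdServerIOHandlerSSLOpenSSL;
begin
  IOHandler := TIdServerIOHandlerSSLOpenSSL.Create(AServer);

  IOHandler.SSLOptions.Mode := sslmServer;
  IOHandler.SSLOptions.Method := sslvTLSv1_2;          // protocol to offer
  IOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];   // drops SSLv3, TLS 1.0 and 1.1

  // Server certificate, private key and CA chain (placeholder paths).
  IOHandler.SSLOptions.CertFile     := 'C:\certs\server.crt';
  IOHandler.SSLOptions.KeyFile      := 'C:\certs\server.key';
  IOHandler.SSLOptions.RootCertFile := 'C:\certs\chain.pem';

  // OpenSSL cipher-list syntax: ':' separates entries, '!' removes a group for good.
  // 'kRSA' is the plain RSA key exchange, i.e. exactly the suites SSLLabs flagged
  // as lacking forward secrecy, so it is excluded outright.
  IOHandler.SSLOptions.CipherList :=
    'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:' +
    'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:' +
    '!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA';

  // DHE suites only appear in the handshake once DH parameters are loaded.
  // Generate the file once with:  openssl dhparam -out dhparams.pem 2048
  IOHandler.SSLOptions.DHParamsFile := 'C:\certs\dhparams.pem';  // placeholder

  AServer.IOHandler := IOHandler;
end;
```

Two things to verify after applying a configuration like this: rerun the SSLLabs test and check that the negotiated suites for the Android/iOS handshake simulations are now ECDHE or DHE ones, and that the protocol list no longer contains TLS 1.0. On the preference question raised in the notes: OpenSSL by default lets the client's ordering win among the suites both sides support; the SSL_OP_CIPHER_SERVER_PREFERENCE context option reverses that, and since Indy does not expose it as a property it would need the same direct access to the underlying context that the comments above describe for ECDHE.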