
What is the process of upgrading the Indy library written in Delphi to use the latest OpenSSL library having the newest features (e.g. TLS v1.3)?

The last version of the Indy library I found uses libssl32.dll and ssleay32.dll DLLs. The latest OpenSSL library produces libssl-1_1.dll and libcrypto-1_1.dll DLLs. After changing the DLL names in the Indy library, the dynamic loading of the OpenSSL DLLs fails because many functions defined in Indy do not match the functions of the OpenSSL DLLs. Thus, the OpenSSL API was changed.

As far as I understand, the Delphi source files IdSSL*.pas of the Indy library should be upgraded:

  • IdSSL.pas
  • IdSSLDotNET.pas
  • IdSSLOpenSSL.pas
  • IdSSLOpenSSLHeaders.pas
  • IdSSLOpenSSLHeaders_static.pas
  • IdSSLOpenSSLUtils.pas

Flaviu

3 Answers


As you observed, OpenSSL 1.1 has another API. Currently, Indy only uses 1.0 calls, and doesn't use 1.1-specific features like asynchronous processing. And letting Indy switch to OpenSSL 1.1 would be a big refactoring (see Remy's comments below).

But the OpenSSL DLLs used by Indy are not deprecated. The Fulgan Reference WebSite currently has e.g. openssl-1.0.2o-i386-win32.zip, which is the latest stable revision available on the branch, as stated by the official OpenSSL source code. You are confusing branches (1.0 vs 1.1 = API changes) and revisions (1.0.2a vs 1.0.2o = new fixes).

So don't worry about it. If you use Indy with a proper cipher names list and the latest Fulgan DLLs, you are pretty up-to-date and safe. Sometimes safer than some old Linux distribution, which may lag behind with the revision shipped with the system. Even TLS 1.3 is still far from being mandatory, since it is not yet enabled on client sides. I am sure the Indy team will support 1.1 when some of its features become mandatory (or switch to the Windows SChannel API).

Arnaud Bouchez
  • Well, it's about legacy code that should be replaced (no more Indy usage) or improving Indy to support TLS v1.2 and upcoming TLS v1.3 using the latest possible OpenSSL library. – Flaviu May 23 '18 at 08:00
  • 1
    OpenSSL 1.0.2 has supported TLS 1.2 for years - I don't understand your point. Please check the feature set of the 1.0 and 1.1 branches. You are confusing branches and revisions. 1.0.2o is much more up-to-date, and safer, say, than 1.1.0a. – Arnaud Bouchez May 23 '18 at 11:29
  • Thanks. By "latest OpenSSL library" I mean the most recent OpenSSL library with the newest features. I understand your point suggesting to use in Indy the last version of OpenSSL 1.0 branch that supports TLS up to v1.2. This is a solution for short term until TLS v1.3 support is required. – Flaviu May 23 '18 at 12:12
  • 2
    @Flaviu Indy currently only supports OpenSSL 1.0.2 and earlier, [it does not support OpenSSL 1.1.0 yet](https://github.com/IndySockets/Indy/issues/183). TLS 1.3 will not be implemented in OpenSSL 1.0.2, [it will require OpenSSL 1.1.1](https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/). But OpenSSL 1.1.0 has *major* API changes over OpenSSL 1.0.2, and even TLS 1.3 is a *major* rewrite over TLS 1.2. So it is not a simple matter of dropping in new DLLs, or making simple tweaks to Indy. It is essentially a new framework, and so requires migrating existing code. And that is a lot of work. – Remy Lebeau May 23 '18 at 15:13
  • 2
    Indy will support OpenSSL 1.1.x *eventually*, but not in the near future. And TLS 1.3 hasn't been standardized yet. By the time TLS 1.3 is ready for widespread public use (OpenSSL is still experimenting with it), Indy *may* have been updated by then to support OpenSSL 1.1.0. Or it *may* have implemented a different solution (using SChannel on Windows). It is too soon to tell. – Remy Lebeau May 23 '18 at 15:18
  • 1
    Thank you! I thought you were using scripts translating OpenSSL C symbols to Delphi from headers, def files and/or map files and that there is a usual procedure for updating Indy when OpenSSL changes. But I understand now that the support for TLS v1.3 in Indy would be a major change due to API changes. I could contribute to this change on Github when you start such an upgrade. – Flaviu May 24 '18 at 05:19
  • Perhaps you or Arnaud could add an answer that there is no simple common process for such an update of Indy. Otherwise I will add it tomorrow. – Flaviu May 24 '18 at 05:23
  • 1
    @Toby see [Radek's answer](https://stackoverflow.com/a/63932826/65863). Work on supporting OpenSSL 1.1.x is still in progress. – Remy Lebeau May 14 '21 at 22:43
  • @RemyLebeau Is there any update on Indy supporting OpenSSL 1.1.x in the latest release? – Nilesh Shinde Apr 19 '23 at 06:42
  • @NileshShinde it has not been finalized and merged into the main code yet. https://github.com/IndySockets/Indy/issues/183 https://github.com/IndySockets/Indy/pull/299 – Remy Lebeau Apr 19 '23 at 07:20
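As an added example (not code from the question, the answers or the Indy project itself): a Delphi console program that does the two things discussed in this thread. First it uses Indy's own loader in IdSSLOpenSSLHeaders (IdOpenSSLSetLibPath, Load, WhichFailedToLoad) to report which OpenSSL exports could not be resolved, which is the symptom the question describes when 1.1 DLLs are substituted for the 1.0.2 ones Indy imports. Then it configures TIdSSLIOHandlerSocketOpenSSL the way the answer above recommends: 1.0.2-branch DLLs, TLS 1.2 only, peer verification against a CA bundle, and an explicit cipher list. The OnVerifyPeer signature with the AError parameter is the one in Indy 10.6; the program name, the cipher string and the command-line arguments are my own choices.

```delphi
program IndyOpenSslCheck;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  Classes,
  IdHTTP,
  IdSSLOpenSSL,
  IdSSLOpenSSLHeaders;

// Point Indy at a directory holding the OpenSSL DLLs it expects
// (libeay32.dll / ssleay32.dll from the 1.0.2 branch) and ask it to
// resolve every export it imports. Returns '' on success; otherwise
// the names Indy could not find, which is what happens when 1.1.x
// DLLs are dropped in under the old file names.
function MissingOpenSslExports(const ADllDir: string): string;
begin
  IdOpenSSLSetLibPath(ADllDir);
  if IdSSLOpenSSLHeaders.Load then
    Result := ''
  else
    Result := IdSSLOpenSSLHeaders.WhichFailedToLoad;
end;

type
  // Holds the peer-verification callback; Indy expects a method pointer.
  TPeerCheck = class
    function OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

function TPeerCheck.OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict on this certificate of the chain. Passing it
  // through unchanged means a failed chain check aborts the handshake
  // instead of being silently accepted.
  Result := AOk;
end;

// Build a client IOHandler restricted to TLS 1.2, verifying the server
// chain against a PEM CA bundle, with an explicit cipher list (the
// "proper cipher names list" configuration the answer refers to).
function NewTls12ClientHandler(AOwner: TComponent; APeerCheck: TPeerCheck;
  const ACaBundlePem: string): TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdSSLIOHandlerSocketOpenSSL.Create(AOwner);
  Result.SSLOptions.Mode := sslmClient;
  Result.SSLOptions.SSLVersions := [sslvTLSv1_2];   // no SSLv3/TLS 1.0/1.1 fallback
  Result.SSLOptions.VerifyMode := [sslvrfPeer];     // validate the server chain
  Result.SSLOptions.VerifyDepth := 9;
  Result.SSLOptions.RootCertFile := ACaBundlePem;   // trusted CA bundle (PEM)
  // OpenSSL cipher-string syntax: ECDHE key exchange (forward secrecy) with
  // AES-GCM only; anonymous, null, MD5 and RC4 suites are excluded.
  Result.SSLOptions.CipherList := 'ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4';
  Result.OnVerifyPeer := APeerCheck.OnVerifyPeer;
end;

var
  Missing: string;
  Http: TIdHTTP;
  Check: TPeerCheck;
begin
  if ParamCount < 1 then
  begin
    Writeln('usage: IndyOpenSslCheck <https-url> [ca-bundle.pem]');
    Halt(2);
  end;

  // 1. Diagnose the DLL/API mismatch before opening any connection.
  Missing := MissingOpenSslExports(ExtractFilePath(ParamStr(0)));
  if Missing <> '' then
  begin
    Writeln('OpenSSL exports Indy could not resolve: ', Missing);
    Halt(1);
  end;
  Writeln('OpenSSL DLLs loaded, all imported exports resolved.');

  // 2. Fetch one page over a TLS 1.2-only, verified connection.
  Check := TPeerCheck.Create;
  Http := TIdHTTP.Create(nil);
  try
    Http.IOHandler := NewTls12ClientHandler(Http, Check, ParamStr(2));
    Writeln(Http.Get(ParamStr(1)));
  finally
    Http.Free;   // also frees the IOHandler it owns
    Check.Free;
    IdSSLOpenSSLHeaders.Unload;
  end;
end.
```

Run it with the OpenSSL DLLs next to the executable, e.g. `IndyOpenSslCheck https://host.example/ ca-bundle.pem`. With 1.0.2 DLLs the first step prints nothing missing; with 1.1.x DLLs renamed to the old file names it lists the unresolved 1.0-era exports and exits before any connection is attempted. If the CA bundle argument is omitted, RootCertFile is empty, no trust store is loaded and the verification callback rejects the handshake, so the program fails closed rather than talking to an unverified server.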

OpenSSL 1.1 is almost ready to use with the newest revision of Indy (master branch). Look at this link to the Indy github page: https://github.com/IndySockets/Indy/pull/299

Radek Secka

Due to API incompatibilities between the OpenSSL library with the newest features (1.1.x) and the supported OpenSSL library (1.0.x), the Indy code has to be reworked. There is no simple/common process for such an upgrade.

Flaviu