Support for Perfect Forward Secrecy in SSL with indy 10

Has anyone had any luck in adding support for Perfect Forward Secrecy (the ECDHE ciphers) in the Indy server-side components - I've been focusing on the TIdSMTPServer in particular?

I've been trying with both the 10.6.1.5210 and the 10.6.2.5270 Indy libraries with Delphi XE6, using the latest OpenSSL libraries v1.0.2a from http://indy.fulgan.com/SSL.

In addition to the default CipherList that is used in Indy, I've tried several alternate lists that have ECDHE ciphers, for example:
AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH
and
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!ADH:!EXP:!RC4:!eNULL@STRENGTH

But when I test with the TestSSL tool (https://testssl.sh) or when I try to test manually with OpenSSL and force the use of specific ECDHE ciphers, it seems none are supported and no PFS support is found.

To make things simple for my tests I've been using a slightly modified Indy sample - the "Indy 10 SMTPServer" from http://www.indyproject.org/Sockets/Demos/index.EN.aspx.

I've placed at https://cloud.logsat.com/index.php/s/VKvZGXxX2pLlEig a copy of the modified code that compiles with Delphi XE6, adding support for STARTTLS on port 25, and with an additional TIdSMTPServer listening on port 465 for SSL connections with TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough:=false.
This lets me test both TLS and SSL.

Is there anyone who either succeeded in adding support for PFS, or has suggestions on how to proceed?


PS - I've asked this question without luck on the Indy atozed.com forums, so I'm trying here now.
0
Roberto
5/1/2015 1:19:59 PM

> Has anyone had any luck in adding support for Perfect Forward 
> Secrecy (the ECDHE ciphers) in the Indy server-side components - 
> In addition to the default CipherList that is used in Indy, I've 
> tried several alternate lists that have ECDHE ciphers

Never used Indy, but I had a similar problem with ICS. Allowing the ECDHE
ciphers to be used needs two things.

1 - Support for DHParams, at least 512-bit, ideally several better versions.
Your server should have unique DHParams keys, which can be generated with
Openssl.exe, the better keys take several minutes. This is the DH and DHE
part of the cipher. 

2 - Support for Elliptic Curves, which adds EC to the cipher, using the
function f_SSL_CTX_set_ecdh_auto (1.0.2) or f_SSL_CTX_set_tmp_ecdh for
older versions with NID_X9_62_prime256v1,
NID_secp384r1 or NID_secp521r1 as a parameter.  

Also set SSL Options for SSL_OP_SINGLE_DH_USE so a new key is generated for
each session.  

Angus
0
Angus
5/4/2015 5:00:21 PM
> Roberto Franceschetti wrote:
> Has anyone had any luck in adding support for Perfect Forward Secrecy (the ECDHE ciphers) in the Indy server-side components - I've been focusing on the TIdSMTPServer in particular?

SUCCESS. Here's what was needed.

To make it easier for myself right now I modified the IdOpenSSLHeaders to add support for the function SSL_CTX_set_ecdh_auto since it's not available in the Indy OpenSSL headers right now. These are the sections I added - to see where to add them just look for the references for the existing ones relative to SSL_CTX_set_tmp_ecdh and SSL_CTRL_SET_TMP_ECDH

{code}
........

{$EXTERNALSYM SSL_CTRL_SET_ECDH_AUTO}
SSL_CTRL_SET_ECDH_AUTO = 94;
........

{$EXTERNALSYM SSL_CTX_set_ecdh_auto}
function SSL_CTX_set_ecdh_auto(ctx : PSSL_CTX; m : TIdC_LONG) : TIdC_LONG;
.........

function SSL_CTX_set_ecdh_auto(ctx : PSSL_CTX; m : TIdC_LONG) : TIdC_LONG;
 {$IFDEF USE_INLINE} inline; {$ENDIF}
begin
	Result := SSL_CTX_ctrl(ctx,SSL_CTRL_SET_ECDH_AUTO,m,nil);
end;
........
{code}


Once that is done, this is how I enabled PFS:

{code}
procedure TForm1.btnServerOnClick(Sender: TObject);
var
  FSSLContext:TMyIdSSLContext;
const
  SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = $00040000;
  SSL_OP_LEGACY_SERVER_CONNECT             = $00000004;
  SSL_CTRL_OPTIONS                         = 32;
  SSL_CTRL_CLEAR_OPTIONS                   = 77;
  SSLContextOptions                        = $00000FFF {SSL_OP_ALL}                                    or
                                             $00020000 {SSL_OP_NO_COMPRESSION}                         or
                                             $00400000 {SSL_OP_CIPHER_SERVER_PREFERENCE}               or
                                             $00100000 {SSL_OP_SINGLE_DH_USE}                          or
                                             $00080000 {SSL_OP_SINGLE_ECDH_USE}                        or
                                             $00010000 {SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION} or
                                             $02000000 {SSL_OP_NO_SSLv3}                               or
                                             $01000000 {SSL_OP_NO_SSLv2}                               ;

begin
  IdServerIOHandlerSSLOpenSSL1.SSLOptions.CipherList := 'AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH';
  IdSMTPServer1.Active := True;

  // Turn on automatic ECDH curve selection (OpenSSL 1.0.2) for the server's SSL context.
  // TMyIdSSLContext is not declared in this post.
  FSSLContext := TMyIdSSLContext(IdServerIOHandlerSSLOpenSSL1.SSLContext);
  SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);
end;
{code}

That was all I needed to have the PFS ciphers enabled. 


FYI in addition to the above changes I had also tried adding the following before calling SSL_CTX_set_ecdh_auto, but with my limited knowledge of OpenSSL right now I have no idea if it was needed or not:
{code}
 const
  NID_X9_62_prime256v1:integer       = 415;

  var
    ecdh : PEC_KEY;
  begin
    try
      ecdh := EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
      SSL_CTX_set_tmp_ecdh(ctx,ecdh);
    except
      ecdh := nil;
    end;
    if Assigned(ecdh) then
      EC_KEY_free(ecdh);
//    FSSLContext.DHParamsFile:='DH.pem';   //I also tried using a DH file I created with OpenSSL but did not see differences...
    FSSLContext.LoadDHParams;
{code}

Edited by: Roberto Franceschetti on May 6, 2015 7:58 PM
0
Roberto
5/7/2015 3:02:14 AM
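
Added example, not part of the thread and not Indy code: a Python script that uses the standard `ssl` module to expand the two cipher strings quoted in the thread with whatever OpenSSL the interpreter is linked against, and marks which of the resulting suites use ephemeral (DHE/ECDHE) key exchange. The function names are this example's own, and the output depends on the local OpenSSL build, which will differ from the 1.0.2a DLLs used in the thread.

```python
import ssl

# The two cipher strings quoted in the thread, copied verbatim.
THREAD_LIST_1 = (
    "AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:"
    "ECDHE-RSA-AES128-SHA:HIGH:!MD5:!aNULL:!EDH"
)
THREAD_LIST_2 = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DES-CBC3-SHA:!ADH:!EXP:!RC4:!eNULL@STRENGTH"
)

# Bulk ciphers that are obsolete today; flagged separately from key exchange.
WEAK_MARKERS = ("RC4", "DES-CBC3")


def has_forward_secrecy(suite):
    """True when the suite's key exchange is ephemeral (DHE or ECDHE)."""
    kea = suite.get("kea")  # e.g. 'kx-ecdhe', 'kx-dhe', 'kx-rsa'
    if kea:
        return "dhe" in kea
    # Fallback for builds that do not report the key exchange: use the name.
    return suite["name"].startswith(("ECDHE-", "DHE-", "EDH-"))


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if no suite matches at all
    rows = []
    for suite in ctx.get_ciphers():
        if suite.get("protocol") == "TLSv1.3":
            continue  # TLS 1.3 suites are not controlled by this string
        name = suite["name"]
        rows.append({
            "name": name,
            "forward_secret": has_forward_secrecy(suite),
            "weak_cipher": any(m in name for m in WEAK_MARKERS),
        })
    return rows


def report(cipher_string):
    """Summarise what a server configured with cipher_string would accept."""
    rows = audit(cipher_string)
    return {
        "total": len(rows),
        "static_kex": [r["name"] for r in rows if not r["forward_secret"]],
        "weak": [r["name"] for r in rows if r["weak_cipher"]],
    }


if __name__ == "__main__":
    for label, s in (("list 1", THREAD_LIST_1), ("list 2", THREAD_LIST_2)):
        print(label)
        for row in audit(s):
            flag = "PFS   " if row["forward_secret"] else "no PFS"
            note = "  (weak bulk cipher)" if row["weak_cipher"] else ""
            print(f"  {flag}  {row['name']}{note}")
```

An empty `static_kex` list means every suite the string enables for TLS 1.2 and earlier uses ephemeral key exchange.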
Roberto wrote:

> const
> SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = $00040000;
> SSL_OP_LEGACY_SERVER_CONNECT             = $00000004;
> SSL_CTRL_OPTIONS                         = 32;
> SSL_CTRL_CLEAR_OPTIONS                   = 77;
> SSLContextOptions                        = $00000FFF {SSL_OP_ALL}
<snip>

What is the point in defining all of those constants if you are not actually 
using them?

-- 
Remy Lebeau (TeamB)
0
Remy
5/7/2015 4:41:17 PM
> Remy Lebeau (TeamB) wrote:
> Roberto wrote:
> 
> > const
> > SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = $00040000;
> > SSL_OP_LEGACY_SERVER_CONNECT             = $00000004;
> > SSL_CTRL_OPTIONS                         = 32;
> > SSL_CTRL_CLEAR_OPTIONS                   = 77;
> > SSLContextOptions                        = $00000FFF {SSL_OP_ALL}
> <snip>
> 
> What is the point in defining all of those constants if you are not actually 
> using them?
> 
> -- 
> Remy Lebeau (TeamB)

None at all :-) I've been fighting with this for the past two weeks, testing so many different options that, in the excitement of finally finding a solution and posting it here and in the Atozed forums, I forgot to clean up useless code. At one point I was trying to call SSL_Set_Options(ctx,SSLContextOptions) but without success. Deleted the code but not the constants...

{code}
    try
      ecdh := EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
      SSL_CTX_set_tmp_ecdh(ctx,ecdh);
    except
      ecdh := nil;
    end;
    if Assigned(ecdh) then
      EC_KEY_free(ecdh);
    SSL_Set_Options(ctx,SSLContextOptions);
//    FSSLContext.DHParamsFile:='DH.pem';
    FSSLContext.LoadDHParams;
{code}

and forgot to remove the constants in addition to removing the block of code above...

Edited by: Roberto Franceschetti on May 7, 2015 9:52 AM
0
Roberto
5/7/2015 4:54:35 PM