delphi xe2 - ssl - intraweb xii

I am using IntraWeb XII for Delphi XE2. We have one IntraWeb standalone application and SSL is enabled in it. The site is working fine. Last week we did a PCI audit and they found some issues in the SSL (SSLv3.0/TLSv1.0 protocol weak CBC mode vulnerability) in the site. We are using the same SSL certificates in another .Net application and there aren't any SSL issues there. Regarding this I spoke to the Atozed team and they told me IntraWeb SA uses the Indy HTTP server, so I am asking the same in this forum or the Indy forum. Please, is there any solution for this?
Pramod
8/6/2012 4:50:58 AM
embarcadero.delphi.winsock



And what is your question? From your description it sounds like a weak cipher suite is being negotiated by the Indy IOHandler. So you need to tune up the IOHandler to disable those cipher suites. Or better, ask the auditors for a better explanation of the problem: what cipher suite was not accepted and which ones are acceptable.
Eugene
8/6/2012 7:00:22 AM
Thanks for the reply Eugene.
>>So you need to tune-up the IOHandler to disable that ciphersuites
How can we disable the cipher suites by using the IOHandler?
>>ask the auditors for better explanation of the problem
The solution they gave is to upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling the CBC mode ciphers will remove the vulnerability.



Pramod
8/6/2012 8:11:55 AM
Pramod wrote:

> How we can disable the Ciphersuites by using the IOHandler?

You can use the IOHandler's SSLOptions.CipherList property to customize the 
ciphers used.  Read the OpenSSL documentation for the SSL_CTX_set_cipher_list() 
function to see the syntax.  When the property is not set, Indy defaults 
to using "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH".

> the solution they given is upgrade to TLSv1.1 or TLSv1.2. if upgrading
> to TLSv1.1 or TLSv1.2 is not possible, then disabling the cbc mode
> ciphers will remove the vulnerability

Indy does not support TLS 1.1+ yet.

--
Remy Lebeau (TeamB)
-1
Remy
8/6/2012 6:49:32 PM
Thanks for the reply Remy 

I don't have any experience in SSL. You mean do it in the IdServerIOHandlerSSLOpenSSL control? Just drop it on the Server Controller form and customize the CipherList property? There are some other properties also in this SSLOptions; nothing to do on those? Don't I need to link/connect this control to the Server Controller? I checked the syntax in the documentation but I don't know what value should be passed. Please help me.

Pramod
8/7/2012 2:47:00 AM
Pramod wrote:

> I don't have any experience in SSL. You mean do it in the
> IdServerIOHandlerSSLOpenSSL control? Just drop
> it on the Server Controller form and customize the CipherList
> property?

Yes.

> there are some other properties also in this ssloption. nothing to do on
> those?

No.

> dont want to link/connect this control to the Server
> Controller?

Yes, you have to connect it to the server.

> I checked the syntax in the documentation but I don't know
> what value should be passed. Please help me.

Did you read the OpenSSL documentation, like I suggested?

http://openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html
http://openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

--
Remy Lebeau (TeamB)
Remy
8/7/2012 5:21:28 PM
>>Yes, you have to connect it to the server.
How does it connect to the server, please? There is no property in the server controller.

>>Did you read the OpenSSL documentation, like I suggested?
Yes, I read it. I will do it as they mentioned and will get back to you if there are any issues.

Pramod
8/8/2012 2:22:37 AM
Pramod wrote:

> How does it connect to the server, please? There is no property in the
> server controller.

Sorry, I keep forgetting that you are using IntraWeb and not Indy directly.
Indy has a property for connecting the TIdServerIOHandlerSSLOpenSSL component
to a server component.  I have no clue what the IntraWeb equivalent of that
would be.

--
Remy Lebeau (TeamB)
Remy
8/8/2012 6:41:17 AM
With the help of the Atozed support team we resolved the weak cipher issue, but we still have the insecure BEAST attack. How to resolve this issue please?

Pramod
9/3/2012 10:42:02 AM
Currently using the CipherList RC4-SHA:HIGH:!ADH and the version of OpenSSL is OpenSSL 1.0.1c. When tested on the site https://www.ssllabs.com/ssltest it is showing the insecure BEAST attack.

How to solve this problem please?

Pramod
9/4/2012 3:24:14 AM
> {quote:title=Pramod Nair wrote:}{quote}
> With the help of the Atozed support team we resolved the weak cipher issue, but we still have the insecure BEAST attack. How to resolve this issue please?
>

Finally we got it working and passing the SSL Labs test. From IntraWeb version 12.2.9 and up, you can use this:

{code}
procedure TIWServerController.IWServerControllerBaseAfterCreateIOHandler(
  IOHandler: TInServerIOHandler);
begin
  // Restrict the OpenSSL cipher list to RC4 (stream cipher) suites only,
  // so that no CBC suite is offered over TLS 1.0.
  TInServerIOHandlerSSLOpenSSL(IOHandler).SSLOptions.CipherList :=
    'ECDHE-RSA-RC4-SHA:RC4+SHA1+RSA';
end;
{code}

This uses the OnAfterCreateIOHandler event in the ServerController class, and makes your IntraWeb application (and Indy server applications using SSL) invulnerable to the BEAST attack :-)

Best regards
Alexandre
9/5/2012 11:31:20 AM
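As an added example, not code from this thread, IntraWeb or Indy: a small Python model of the OpenSSL cipher-list syntax that Remy points to (the string SSLOptions.CipherList hands to SSL_CTX_set_cipher_list()), run over the three lists that appear in the thread (Indy's default, the RC4-SHA:HIGH:!ADH attempt, and Alexandre's final RC4-only list) to show which CBC suites each leaves reachable to a TLS 1.0 client. The suite table, alias keywords and bit strengths are a constructed subset, not OpenSSL's full table.

```python
# Added example, not Indy or IntraWeb code: a simplified model of the OpenSSL
# cipher-list syntax that Indy's SSLOptions.CipherList hands to
# SSL_CTX_set_cipher_list(). The suite table is a constructed subset of
# OpenSSL 1.0.1-era suites with their alias keywords, cipher mode and bits.
# "RSA" is modelled with its 1.0.x meaning (static RSA key exchange), which
# is why the thread's final list has to name ECDHE-RSA-RC4-SHA explicitly.
SUITES = [
    ("ECDHE-RSA-AES256-SHA", {"ECDHE", "aRSA", "AES", "SHA1", "HIGH"},   "CBC",    256),
    ("ECDHE-RSA-RC4-SHA",    {"ECDHE", "aRSA", "RC4", "SHA1", "MEDIUM"}, "STREAM", 128),
    ("AES256-SHA",           {"RSA", "aRSA", "AES", "SHA1", "HIGH"},     "CBC",    256),
    ("AES128-SHA",           {"RSA", "aRSA", "AES", "SHA1", "HIGH"},     "CBC",    128),
    ("DES-CBC3-SHA",         {"RSA", "aRSA", "3DES", "SHA1", "HIGH"},    "CBC",    168),
    ("RC4-SHA",              {"RSA", "aRSA", "RC4", "SHA1", "MEDIUM"},   "STREAM", 128),
    ("RC4-MD5",              {"RSA", "aRSA", "RC4", "MD5", "MEDIUM"},    "STREAM", 128),
    ("ADH-AES128-SHA",       {"ADH", "aNULL", "AES", "SHA1", "HIGH"},    "CBC",    128),
    ("NULL-SHA",             {"RSA", "aRSA", "eNULL", "SHA1"},           "NONE",     0),
]
BY_NAME = {s[0]: s for s in SUITES}

def matches(word, suite):
    """True if one rule word ('HIGH', 'RC4+SHA1+RSA', a suite name) selects the suite."""
    name, keywords, _, _ = suite
    if word == "ALL":                        # everything except the eNULL suites
        return "eNULL" not in keywords
    return word == name or all(part in keywords for part in word.split("+"))

def expand(cipher_list):
    """Ordered suite names SSL_CTX_set_cipher_list() would enable for this string."""
    active, killed = [], set()
    for token in cipher_list.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        if token == "@STRENGTH":             # stable sort, strongest first
            active.sort(key=lambda n: -BY_NAME[n][3])
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s[0] for s in SUITES if matches(word, s)]
        if op == "!":                        # delete permanently
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":                      # delete, but a later rule may re-add
            active = [n for n in active if n not in hit]
        elif op == "+":                      # move to the end, keeping relative order
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:                                # append new matches in table order
            active += [n for n in hit if n not in active and n not in killed]
    return active

def cbc_suites(cipher_list):
    """CBC suites still offered: what a TLS 1.0-only server exposes to BEAST."""
    return [n for n in expand(cipher_list) if BY_NAME[n][2] == "CBC"]

if __name__ == "__main__":
    for label, cl in [("Indy default", "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH"),
                      ("first attempt", "RC4-SHA:HIGH:!ADH"),
                      ("final (RC4 only)", "ECDHE-RSA-RC4-SHA:RC4+SHA1+RSA")]:
        print(f"{label:17} {expand(cl)}\n{'':17} CBC left: {cbc_suites(cl)}")
```

RC4 was later prohibited for TLS by RFC 7465, so the RC4-only list trades the CBC weakness for a broken stream cipher; once the stack supports TLS 1.1 or later, AEAD suites remove the BEAST exposure without that trade-off.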