We have a very old application, written in Delphi 7, using Intraweb 8.0.2, indy 10 and openssl

We don't plan to extend or improve our application, 
but our customer asked us to upgrade this application
to support the last release of the tls protocol (tls 1.2)

It's several  days i'm fiddling with all this components, and I've come to the following conclusions :

Indy10 seems to works with the latest release of openssl, 
I've managed to make an elementary  server application using just delphi, indy10 and openssl, 
using the openssl binaries taken from :

http://indy.fulgan.com/SSL/openssl-1.0.2c-i386-win32

and I managed to test it using the openssl command line program.
This test app correctly refuses all kinds of connection protocols except TLS1.2, that is our customer requirement.


The trouble starts when I try to use Intraweb with Indy and openssl.
I made a bare standalone intraweb application, just to test the ssl connection.

As soon as I try to start the application I get the following error message:

exception EidOSSLCouldNotLoadSSLLibray in module Standalone.exe at 000EE8E1. Could not load SSL Libray

Obviously , the 2 dll, libeay.dll and ssleay.dll are both present in the app directory, with the 3 certificates, and the certificate password
is correctly set in the on constructor, as follows :

{code}
constructor TIWServerController.Create (aOwner:tComponent);
begin
  try
    Inherited Create (aOwner);
    SSLOptions.Port := 443;
    SSLOptions.CertificatePassword := 'XXXXXXXXXX';
    SSLOptions.nonSslrequest := nsBlock;
  except
    on e : exception do begin
      mylog(e.message + ' ' + WhichFailedToLoad());
    end;
  end;
end;
{code}


I've read the following thread :
http://atozed.com/IntraWeb/Download/Old%20SSL%20Notes.EN.aspx

where it speaks about interface changes that renders unusable the current (and future ?) versions of openssl

Now I don't understand where is the trouble :

Is in the interface between Intraweb and Indy ? (because indy and openssl correctly work)

We have a regular registered version on  Intraweb 8.0, licence number 2147441439
Expiration Date: mar 09, 2008,
but we have only a subset of the intraweb sources, 
Expecially we miss the sources of the Servercontroller unit, where, I suppose, the web server is initialized.

Is it there some undocumented procedure we can override ?
Can we do something about it ?

Please help !!

Best regards.
Maurizio Ferreira

Maurizio wrote:

> As soon as I try to start the application I get the following error
> message:
> 
> exception EidOSSLCouldNotLoadSSLLibray in module Standalone.exe at
> 000EE8E1. Could not load SSL Libray

And what does WhichFailedToLoad() actually report?  'Could not load SSL Library' 
is an Indy error message, but it is not one that WhichFailedToLoad() would 
return.

> I've read the following thread :
> http://atozed.com/IntraWeb/Download/Old%20SSL%20Notes.EN.aspx
> where it speaks about interface changes that renders unusable the
> current (and future ?) versions of openssl

"OpenSSL changed the interface after 0.9.8e and makes later versions unusable 
without recompiling and changing code." - I have never heard of that, and 
Indy works just fine with later versions of OpenSSL.

"IntraWeb uses a version of Indy that requires specifically the OpenSSL 0.9.8e 
API." - Indy has no such requirement, and works just fine with 1.x versions 
of OpenSSL.  If IntraWeb has a dependancy on 0.9.8e, then that has to be 
something AToZed introduced in their own code.

> Is in the interface between Intraweb and Indy ? (because indy and
> openssl correctly work)

Maybe.  Indy does go through periodic interface changes.  And IntraWeb (and 
Embarcadero) uses its own private copy of Indy to maintain stability when 
Indy does change.

-- 
Remy Lebeau (TeamB)

The FailedToLoad function returns an empty string.
I've traced it encapsulating the entire program in a try / except statement, since the exception occurs after controller creation.

Now I don't understand clearly the relations between Delphi, Intraweb, Indy and other components.

This is the full story of this project:

We initially installed Delphi 7 whith the bundled Intraweb version.
Short after, we bought and installed a  regular Intraweb licence.

Some time after that, we needed to install Indy10 to handle communications with external servers, from our Intraweb application.
After that we needed to install a third part component, Eldos SecureBlackbox SFTP to handle  SFTP file transfer.
Now our customer ask us to implement TLS 1.2 in the web server.

So the questions are :

Does Intraweb use our latest Indy10 instance or it uses a private copy of Indy ?
Why this "could not load ssl libraries" error ?
Wich version of Intraweb is needed to work in https tls 1.2 ?
Does it works on Delphi 7 or do we need to upgrade to a later version ?
Which version of openssl libraries are needed to work with such a version of Intraweb, and where to get them ?

I know theese are a lot of questions, but we really need help.
Thanks.
Maurizio.







 to load 

> {quote:title=Remy Lebeau (TeamB) wrote:}{quote}
> Maurizio wrote:
> 
> > As soon as I try to start the application I get the following error
> > message:
> > 
> > exception EidOSSLCouldNotLoadSSLLibray in module Standalone.exe at
> > 000EE8E1. Could not load SSL Libray
> 
> And what does WhichFailedToLoad() actually report?  'Could not load SSL Library' 
> is an Indy error message, but it is not one that WhichFailedToLoad() would 
> return.
> 
> > I've read the following thread :
> > http://atozed.com/IntraWeb/Download/Old%20SSL%20Notes.EN.aspx
> > where it speaks about interface changes that renders unusable the
> > current (and future ?) versions of openssl
> 
> "OpenSSL changed the interface after 0.9.8e and makes later versions unusable 
> without recompiling and changing code." - I have never heard of that, and 
> Indy works just fine with later versions of OpenSSL.
> 
> "IntraWeb uses a version of Indy that requires specifically the OpenSSL 0.9.8e 
> API." - Indy has no such requirement, and works just fine with 1.x versions 
> of OpenSSL.  If IntraWeb has a dependancy on 0.9.8e, then that has to be 
> something AToZed introduced in their own code.
> 
> > Is in the interface between Intraweb and Indy ? (because indy and
> > openssl correctly work)
> 
> Maybe.  Indy does go through periodic interface changes.  And IntraWeb (and 
> Embarcadero) uses its own private copy of Indy to maintain stability when 
> Indy does change.
> 
> -- 
> Remy Lebeau (TeamB)

On 6/19/2015 4:10 AM, Maurizio Ferreira wrote:
> Does Intraweb use our latest Indy10 instance or it uses a private
> copy of Indy ? Why this "could not load ssl libraries" error ? Wich

IW uses a private aliased copy of Indy with Id instead of In to avoid 
breaking code if the user uses a different version of Indy.

> version of Intraweb is needed to work in https tls 1.2 ? Does it
> works on Delphi 7 or do we need to upgrade to a later version ? Which

Alexandre would have to answer, but D7 has not been supported for 
several years by IW and likely you will need to update to D2009 or later 
and a later IW.

Another option would be to deploy as ISAPI and use SSL in IIS.

-- 
"Programming is an art form that fights back"

Maurizio wrote:

> After that we needed to install a third part component, Eldos
> SecureBlackbox SFTP to handle  SFTP file transfer.

SFTP (FTP over SSH) or FTPS (FTP over SSL/TLS)?  Indy 10 supports the latter.

> Does Intraweb use our latest Indy10 instance or it uses a private copy
> of Indy ?

Its own private copy.

> Why this "could not load ssl libraries" error ?

Without exact information from WhichFailedToLoad(), I can only guess.  That 
is why I asked you to call WhichFailedToLoad() (and make sure you are calling 
the one in IntraWeb's version of Indy, not the one in your copy of Indy).

Since you are using an old version of IntraWeb, my guess would be that it 
might be relying on Indy 8/9 instead of Indy 10, and that it might be relying 
on a version of Indy that depended on customized OpenSSL DLLs rather than 
the official DLLs.  Those DLLs are available at http://indy.fulgan.com/SSL/Archive/, 
but they predate TLS v1.2, IIRC.

> Wich version of Intraweb is needed to work in https tls 1.2 ?
>
> Does it works on Delphi 7 or do we need to upgrade to a later version
> ?

I have no clue.  I don't use IntraWeb.  Ask AtoZed.

-- 
Remy Lebeau (TeamB)

Maurizio wrote:

> After that we needed to install a third part component, Eldos
> SecureBlackbox SFTP to handle  SFTP file transfer.

SFTP (FTP over SSH) or FTPS (FTP over SSL/TLS)?  Indy 10 supports the latter.

> Does Intraweb use our latest Indy10 instance or it uses a private copy
> of Indy ?

Its own private copy.

> Why this "could not load ssl libraries" error ?

Without exact information from WhichFailedToLoad(), I can only guess.  That 
is why I asked you to call WhichFailedToLoad() (and make sure you are calling 
the one in IntraWeb's version of Indy, not the one in your copy of Indy).

Since you are using an old version of IntraWeb, my guess would be that it 
might be relying on Indy 8/9 instead of Indy 10, and that it might be relying 
on a version of Indy that depended on customized OpenSSL DLLs rather than 
the official DLLs.  Those DLLs are available at http://indy.fulgan.com/SSL/Archive/, 
but they predate TLS v1.2, IIRC.

> Wich version of Intraweb is needed to work in https tls 1.2 ?
>
> Does it works on Delphi 7 or do we need to upgrade to a later version
> ?

I have no clue.  I don't use IntraWeb.  Ask AtoZed.

-- 
Remy Lebeau (TeamB)

Hi!

> Which version of Intraweb is needed to work in https tls 1.2 ?

You will need IntraWeb XIV to use TLS 1.2.

> Which version of openssl libraries are needed to work with such a
> version of Intraweb, and where to get them ?

IntraWeb works with many OpenSSL versions. But you shoud not use older versions if your main concern is security (I guess it is, owtherwise why bother with TLS 1.2...)

> Does it works on Delphi 7 or do we need to upgrade to a later version
> ?

IntraWeb XIV works with Delphi 2009 to XE8

> Does Intraweb use our latest Indy10 instance or it uses a private copy
> of Indy ?

It uses an internal version (aliased) of Indy 10 (based on XE6 distribution)

> Why this "could not load ssl libraries" error ?

This is the old D7 application or a new IW application? 


This document contains links to OpenSSL libraries. You can use older and newer files as well. The recommended version is 1.0.1x (Where x can be any letter) though.

http://atozed.com/IntraWeb/Download/SSL.EN.aspx

Il 22/06/2015 10:39, Alexandre Machado ha scritto:
> Hi!
>
>> Which version of Intraweb is needed to work in https tls 1.2 ?
>
> You will need IntraWeb XIV to use TLS 1.2.
>
>> Which version of openssl libraries are needed to work with such a
>> version of Intraweb, and where to get them ?
>
> IntraWeb works with many OpenSSL versions. But you shoud not use older versions if your main concern is security (I guess it is, owtherwise why bother with TLS 1.2...)
>
>> Does it works on Delphi 7 or do we need to upgrade to a later version
>> ?
>
> IntraWeb XIV works with Delphi 2009 to XE8
>
>> Does Intraweb use our latest Indy10 instance or it uses a private copy
>> of Indy ?
>
> It uses an internal version (aliased) of Indy 10 (based on XE6 distribution)
>
>> Why this "could not load ssl libraries" error ?
>
> This is the old D7 application or a new IW application?
>
>
> This document contains links to OpenSSL libraries. You can use older and newer files as well. The recommended version is 1.0.1x (Where x can be any letter) though.
>
> http://atozed.com/IntraWeb/Download/SSL.EN.aspx
>
So If I upgrade to Delphi XE8, I can use the internal Indy components 
vers 10 in my app and they will handle tls 1.2 ?

On 6/23/2015 8:21 AM, Maurizio Ferreira wrote:
> So If I upgrade to Delphi XE8, I can use the internal Indy components
> vers 10 in my app and they will handle tls 1.2 ?

Yes. But you don't need XE8 - just IW 14 which works from D2009 up.


-- 
"Programming is an art form that fights back"

On 6/23/2015 8:21 AM, Maurizio Ferreira wrote:
On 6/23/2015 8:21 AM, Maurizio Ferreira wrote:> So If I upgrade to 
Delphi XE8, I can use the internal Indy components
 > vers 10 in my app and they will handle tls 1.2 ?

Yes. But you don't need XE8 - just IW 14 which works from IIRC D2009 up.


-- 
"Programming is an art form that fights back"

Maurizio wrote:

> After that we needed to install a third part component, Eldos
> SecureBlackbox SFTP to handle  SFTP file transfer.

SFTP (FTP over SSH) or FTPS (FTP over SSL/TLS)?  Indy 10 supports the latter.

> Does Intraweb use our latest Indy10 instance or it uses a private copy
> of Indy ?

Its own private copy.

> Why this "could not load ssl libraries" error ?

Without exact information from WhichFailedToLoad(), I can only guess.  That 
is why I asked you to call WhichFailedToLoad() (and make sure you are calling 
the one in IntraWeb's version of Indy, not the one in your copy of Indy).

Since you are using an old version of IntraWeb, my guess would be that it 
might be relying on Indy 8/9 instead of Indy 10, and that it might be relying 
on a version of Indy that depended on customized OpenSSL DLLs rather than 
the official DLLs.  Those DLLs are available at http://indy.fulgan.com/SSL/Archive/, 
but they predate TLS v1.2, IIRC.

> Wich version of Intraweb is needed to work in https tls 1.2 ?
>
> Does it works on Delphi 7 or do we need to upgrade to a later version
> ?

I have no clue.  I don't use IntraWeb.  Ask AtoZed.

-- 
Remy Lebeau (TeamB)