misc, Posted June 6, 2017

Hi there,

some of our customers are afraid of using RC4 in the cipher settings of our uniGUIServer. While the default from Indy10 (which is used in uniGUI) uses RC4, we tried to find a solution. In the OWASP (=open software security community) there is a cheat sheet about TLS Cipher Strings. We tried to implement the recommendations for a cipher string and we want to share this with you.

Here is the link to the original document: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

Please read the section "Scenarios" in the link above to understand the different strengths of cipher strings.

Option 1 is to hard-code the different cipher strings and provide them with a simple function:

  // Builds an OpenSSL cipher string for OWASP scenario AStrength
  // (1 = A+ ... 5 = C-). Each step appends the next weaker group after
  // the stronger ones, so the preference order stays intact.
  // Needs SysUtils for EmptyStr.
  function GetCipherList(AStrength: Integer): WideString;
  const
    // Forward secrecy (DHE/ECDHE) with AEAD (GCM) suites only
    cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    // Forward secrecy, CBC suites with SHA-2 MACs
    cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
    // Forward secrecy, CBC suites with SHA-1 MACs
    cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    // Static RSA key exchange (no forward secrecy)
    cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
    // Triple DES, for legacy clients only
    cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
  begin
    case AStrength of
      // Advanced Plus (A+)
      1: Result := cCIPHER_LIST_1;
      // Advanced (A)
      2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
      // Broad Compatibility (B)
      3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
      // Widest Compatibility (C)
      4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
      // Legacy (C-)
      5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
    else
      // Unknown strength: return an empty string so the caller can detect it
      Result := EmptyStr;
    end;
  end;

  procedure TServerModule.UniGUIServerModuleCreate(Sender: TObject);
  begin
    inherited;
    // Replace the Indy default cipher list with the A+ scenario
    SSL.SSLOptions.CipherList := GetCipherList(1);
  end;

Option 2 is to use an INI file and define the cipher string there. With this you are more flexible and can quickly change the strength and/or the string itself.

Comments welcome!

Michael
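An added example for Option 2, not from the original post and not uniGUI's or Indy's own code: the cipher string is read from an INI file next to the server executable, and the result is refused before it is assigned if it names RC4, NULL, export-grade or anonymous suites, so a bad edit to the INI file cannot reintroduce what the post set out to remove. The section and key names ([TLS], Strength, CipherList), the INI path derived from ParamStr(0), and the helper names LoadCipherListFromIni and ContainsForbiddenCipher are assumptions made for this example; GetCipherList is the function from the post above and is assumed to be declared in the same unit.

```delphi
uses
  System.SysUtils, System.Classes, System.IniFiles, System.StrUtils;

// Assumed INI layout for this example (not from the original post):
//   [TLS]
//   Strength=1        ; 1..5 = the A+ .. C- scenarios handled by GetCipherList
//   CipherList=       ; optional explicit OpenSSL cipher string; overrides Strength
const
  cTLS_SECTION = 'TLS';
  cTLS_STRENGTH_KEY = 'Strength';
  cTLS_CIPHERLIST_KEY = 'CipherList';

// True when any explicitly named suite in the colon-separated OpenSSL cipher
// string is one that must never be enabled on a server: RC4, NULL encryption,
// export grade, or anonymous (unauthenticated) key exchange.
// Entries starting with '!' or '-' are exclusions and are skipped.
function ContainsForbiddenCipher(const ACipherList: string): Boolean;
const
  cForbidden: array[0..4] of string = ('RC4', 'NULL', 'EXP', 'ADH', 'AECDH');
var
  Suite: string;
  I: Integer;
begin
  Result := False;
  for Suite in SplitString(ACipherList, ':') do
  begin
    if (Suite = '') or CharInSet(Suite[1], ['!', '-']) then
      Continue;
    for I := Low(cForbidden) to High(cForbidden) do
      if Pos(cForbidden[I], UpperCase(Suite)) > 0 then
        Exit(True);
  end;
end;

// Reads the cipher string from the INI file. An explicit CipherList wins;
// otherwise Strength is mapped through the post's GetCipherList. A missing
// file simply yields the defaults (TIniFile returns the Default arguments),
// i.e. the strictest scenario, never the Indy default list.
function LoadCipherListFromIni(const AFileName: string;
  ADefaultStrength: Integer = 1): string;
var
  Ini: TIniFile;
  Strength: Integer;
begin
  Ini := TIniFile.Create(AFileName);
  try
    Result := Trim(Ini.ReadString(cTLS_SECTION, cTLS_CIPHERLIST_KEY, ''));
    Strength := Ini.ReadInteger(cTLS_SECTION, cTLS_STRENGTH_KEY, ADefaultStrength);
  finally
    Ini.Free;
  end;

  if Result = '' then
    Result := GetCipherList(Strength);

  // Fail closed: an unknown strength or a forbidden suite stops the server
  // from starting instead of silently running with an unintended list.
  if Result = '' then
    raise Exception.CreateFmt('Invalid TLS strength %d in %s (expected 1..5)',
      [Strength, AFileName]);
  if ContainsForbiddenCipher(Result) then
    raise Exception.CreateFmt(
      'Refusing cipher list from %s: it enables RC4, NULL, export or anonymous suites',
      [AFileName]);
end;

procedure TServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  inherited;
  // <server exe name>.ini beside the binary is an assumption of this example
  SSL.SSLOptions.CipherList :=
    LoadCipherListFromIni(ChangeFileExt(ParamStr(0), '.ini'));
end;
```

The check is a name-level sanity check on the explicit suite names the post uses, not an OpenSSL cipher-string evaluator: keywords such as HIGH or DEFAULT are passed through unexpanded. To see what OpenSSL actually makes of the configured string, run `openssl ciphers -v '<string>'` against the same OpenSSL version the server loads. A cipher string also says nothing about protocol versions; in Indy those are controlled separately through SSLOptions.SSLVersions.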