
How to disable low version TLS?


huayan889


Maybe this will help you:

"Modern compatibility: For services with clients that support TLS 1.3 and don't need backward compatibility, the Modern configuration provides an extremely high level of security."

OR

"Intermediate compatibility: For services that don't need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL."

https://ssl-config.mozilla.org/


Yes, it is.

But when you use older versions of TLS, they will not work. You have to keep this in mind.

Mozilla has explained it very well. I have no methods to try, but maybe some API call to your server with TLS 1.0 or older will show that I'm right.


8 minutes ago, irigsoft said:

Yes, it is.

But when you use older versions of TLS, they will not work. You have to keep this in mind.

Mozilla has explained it very well. I have no methods to try, but maybe some API call to your server with TLS 1.0 or older will show that I'm right.

I have to disable the old version of TLS


1 hour ago, huayan889 said:

I have to disable the old version of TLS

Maybe the bug is in the Indy part; please see this:

https://stackoverflow.com/questions/37022485/how-do-i-support-tls-1-1-and-1-2-only-in-my-webservice

or https://stackoverflow.com/questions/44767903/delphi-indy-ssl-parameters

or https://github.com/IndySockets/Indy/issues/125

or "We found an issue: Indy 10 is unable to connect when we enforce best practices AND TLS 1.2 only." https://stackoverflow.com/questions/27302773/delphi-w-indy-10-unable-to-connect-via-tls-1-2-w-ssl-best-practices-in-place


Thanks irigsoft, it has been solved. According to your method, ssleay32.dll and libeay32.dll need to be updated to the latest version.

UniServerModule:

function GetCipherList(AStrength: Integer): WideString;
const
  // Forward-secret (ECDHE/DHE) AES-GCM suites
  cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
  // Forward-secret AES-CBC suites with SHA-2 MACs
  cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
  // Forward-secret AES-CBC suites with SHA-1 MACs
  cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
  // Static RSA key exchange (no forward secrecy)
  cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
  // 3DES, legacy clients only
  cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
begin
  // Each strength level appends the next, weaker group to the previous ones.
  case AStrength of
    // Advanced Plus (A+)
    1: Result := cCIPHER_LIST_1;
    // Advanced (A)
    2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
    // Broad Compatibility (B)
    3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
    // Widest Compatibility (C)
    4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
    // Legacy (C-)
    5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
  else
    Result := EmptyStr;
  end;
end;

procedure TUniServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  UniServerModule.SSL.SSLOptions.CipherList := GetCipherList(5);
end;

[Screenshots: ssleay32.dll and libeay32.dll versions]

  • Like 1

  • 2 years later...

I just want to extend what is known about why it is important to disable SSL and old TLS versions.

How to prevent and repair POODLE attacks and BEAST attacks

Any server that supports SSL 3.0 and older versions of TLS is vulnerable to a POODLE attack. Modern versions of TLS are safe, and today's browsers block sites that use old versions of TLS (1.0, 1.1). A server configured to support only newer protocols (TLS 1.2, 1.3) prevents the possibility of a POODLE attack.

This information is also for those who think that using https is quite enough to protect their web applications!
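Tying this advice back to the uniGUI/Indy code earlier in the thread: the cipher list alone does not stop a client from negotiating TLS 1.0 or 1.1, so the protocol set has to be restricted as well. The following is an added example, not code from the thread, uniGUI or Indy; it assumes that UniServerModule.SSL.SSLOptions is Indy's TIdSSLOptions (as the earlier CipherList assignment suggests) and that the GetCipherList function from that post is in scope.

```pascal
// Added example (not code from the thread, uniGUI or Indy). Assumes
// UniServerModule.SSL.SSLOptions is Indy's TIdSSLOptions and that the
// thread's GetCipherList is in scope. sslvTLSv1_2 comes from IdSSLOpenSSL.
procedure TUniServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  // Only the versions in this set are offered to clients. SSLv2, SSLv3,
  // TLS 1.0 and TLS 1.1 are left out, so a POODLE/BEAST-era client cannot
  // negotiate them. Indy's setter derives SSLOptions.Method from this set,
  // so Method need not be assigned separately. TLS 1.3 additionally needs
  // an Indy build and OpenSSL DLLs that support it.
  UniServerModule.SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];

  // Pair the version restriction with a strong suite list: strength 1 keeps
  // only the forward-secret AES-GCM suites. Strength 5, used in the earlier
  // post, re-enables 3DES (DES-CBC3-SHA), which defeats the purpose.
  UniServerModule.SSL.SSLOptions.CipherList := GetCipherList(1);
end;
```

After deploying, `openssl s_client -connect host:443 -tls1_1` should fail to complete a handshake while `-tls1_2` succeeds; that is the quickest way to confirm the old versions are really off.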
