huayan889 Posted May 3, 2021
sslvTLSv1.2 has been set in UniServerModule. How to disable TLS 1.0 and 1.1?
irigsoft Posted May 4, 2021
8 hours ago, huayan889 said: "sslvTLSv1.2 has been set in UniServerModule. How to disable TLS 1.0 and 1.1?"
Hello, did you try this way, to disable it on the server side:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
https://docs.microsoft.com/en-us/answers/questions/47472/how-to-disable-protocols.html
irigsoft Posted May 4, 2021
Maybe this will help you:
"Modern compatibility: For services with clients that support TLS 1.3 and don't need backward compatibility, the Modern configuration provides an extremely high level of security."
OR
"Intermediate compatibility: For services that don't need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL."
https://ssl-config.mozilla.org/
Tokay Posted May 4, 2021
You can switch the SSL/TLS selectors:
huayan889 (Author) Posted May 4, 2021
43 minutes ago, Tokay said: "You can switch the SSL/TLS selectors:"
After setting, no effect.
Tokay Posted May 4, 2021
It's strange... Maybe a bug?
huayan889 (Author) Posted May 4, 2021
20 minutes ago, Tokay said: "It's strange... Maybe a bug?"
Possible.
irigsoft Posted May 5, 2021
Hello, did you succeed with this problem? Can you try my solution?
huayan889 (Author) Posted May 5, 2021
1 hour ago, irigsoft said: "Hello, did you succeed with this problem? Can you try my solution?"
There is still this problem.
irigsoft Posted May 5, 2021
Yes it is. But when you use older versions of TLS they will not work. You have to keep this in mind. Mozilla have explained it very well. I have no methods to try; maybe some API call to your server with TLS 1.0 or older will show that I'm right.
huayan889 (Author) Posted May 5, 2021
8 minutes ago, irigsoft said: "Yes it is. But when you use older versions of TLS they will not work. You have to keep this in mind. Mozilla have explained it very well. I have no methods to try; maybe some API call to your server with TLS 1.0 or older will show that I'm right."
I have to disable the old version of TLS.
irigsoft Posted May 5, 2021
1 hour ago, huayan889 said: "I have to disable the old version of TLS."
Maybe the bug is in the Indy part, please see this:
https://stackoverflow.com/questions/37022485/how-do-i-support-tls-1-1-and-1-2-only-in-my-webservice
or
https://stackoverflow.com/questions/44767903/delphi-indy-ssl-parameters
or
https://github.com/IndySockets/Indy/issues/125
or
"We found an issue: Indy 10 is unable to connect when we enforce best practices AND TLS 1.2 only."
https://stackoverflow.com/questions/27302773/delphi-w-indy-10-unable-to-connect-via-tls-1-2-w-ssl-best-practices-in-place
huayan889 (Author) Posted May 5, 2021
Thanks irigsoft, it has been solved. According to your method, ssleay32.dll and libeay32.dll need to use the latest version.

UniServerModule:

    // Builds an OpenSSL cipher-list string; a higher AStrength appends
    // weaker, more compatible suites to the stronger tiers before it.
    function GetCipherList(AStrength: Integer): WideString;
    const
      cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
      cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
      cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
      cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
      cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
    begin
      case AStrength of
        // Advanced Plus (A+)
        1: Result := cCIPHER_LIST_1;
        // Advanced (A)
        2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
        // Broad Compatibility (B)
        3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
        // Widest Compatibility (C)
        4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
        // Legacy (C-): all tiers, including the 3DES suite
        5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
      else
        Result := EmptyStr;
      end;
    end;

    procedure TUniServerModule.UniGUIServerModuleCreate(Sender: TObject);
    begin
      // Applies the chosen tier to the Indy SSL I/O handler used by uniGUI.
      UniServerModule.SSL.SSLOptions.CipherList := GetCipherList(5);
    end;

Attachments: ssleay32.dll, libeay32.dll
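The cipher tiers in the GetCipherList() routine above decide more than cipher strength: they also decide which protocol versions a client can actually complete a handshake with. The following is an added example, not code from the uniGUI project or from any poster in this thread. It rebuilds the same five tiers in Python and audits each one for the properties a TLS hardening review checks. The function names get_cipher_list, classify_suite and audit are my own; the classification rules are written for the OpenSSL suite-name patterns used in the posted lists (RSA-authenticated AES and 3DES suites) and are not a general parser for every OpenSSL cipher name. The TLS 1.2-only rule rests on the fact that AES-GCM suites (RFC 5288) and the HMAC-SHA256/SHA384 suites (RFC 5246) are defined only for TLS 1.2, while the SHA-1 CBC suites can be negotiated by TLS 1.0/1.1 and SSL 3.0 clients.

```python
"""Audit of the OpenSSL cipher-list tiers from the posted GetCipherList().

Added example (not uniGUI or Indy code). It reproduces the five tiers and
reports, per tier, which suites lack forward secrecy, which use 3DES and
which can still be negotiated by clients older than TLS 1.2.
"""

# Tier strings copied from the posted GetCipherList() constants.
CIPHER_LIST_1 = ("DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
                 "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256")
CIPHER_LIST_2 = ("DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
                 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256")
CIPHER_LIST_3 = ("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
                 "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA")
CIPHER_LIST_4 = ("AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:"
                 "AES128-SHA256:AES256-SHA:AES128-SHA")
CIPHER_LIST_5 = "DES-CBC3-SHA"

TIERS = (CIPHER_LIST_1, CIPHER_LIST_2, CIPHER_LIST_3, CIPHER_LIST_4, CIPHER_LIST_5)


def get_cipher_list(strength: int) -> str:
    """Mirror of the Pascal GetCipherList: strength N joins tiers 1..N with ':';
    any value outside 1..5 yields an empty string, like the Pascal 'else' branch."""
    if not 1 <= strength <= 5:
        return ""
    return ":".join(TIERS[:strength])


def classify_suite(suite: str) -> dict:
    """Derive the security-relevant properties of one OpenSSL suite name
    (covers the RSA-authenticated AES/3DES names used in the posted tiers)."""
    mac = suite.rsplit("-", 1)[1]          # trailing token: SHA, SHA256 or SHA384
    aead = "-GCM-" in suite                 # AES-GCM: authenticated encryption, no CBC padding
    return {
        # ECDHE/DHE key exchange gives forward secrecy; a bare AES*/DES* suite
        # uses static RSA key exchange, so a leaked server key decrypts old captures.
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-")),
        "aead": aead,
        "triple_des": suite.startswith("DES-CBC3"),
        # AES-GCM (RFC 5288) and HMAC-SHA256/SHA384 suites (RFC 5246) exist only in
        # TLS 1.2; SHA-1 CBC suites are negotiable by TLS 1.0/1.1 and SSL 3.0 clients.
        "tls12_only": aead or mac in ("SHA256", "SHA384"),
    }


def audit(cipher_list: str) -> dict:
    """Group the suites of a ':'-separated OpenSSL cipher list by the weaknesses
    a hardening review flags."""
    suites = [s for s in cipher_list.split(":") if s]
    report = {"suites": suites, "no_forward_secrecy": [], "pre_tls12": [], "triple_des": []}
    for suite in suites:
        props = classify_suite(suite)
        if not props["forward_secrecy"]:
            report["no_forward_secrecy"].append(suite)
        if not props["tls12_only"]:
            report["pre_tls12"].append(suite)
        if props["triple_des"]:
            report["triple_des"].append(suite)
    return report


if __name__ == "__main__":
    for strength in range(1, 6):
        r = audit(get_cipher_list(strength))
        print(f"strength {strength}: {len(r['suites'])} suites, "
              f"{len(r['no_forward_secrecy'])} without forward secrecy, "
              f"{len(r['pre_tls12'])} negotiable below TLS 1.2, "
              f"{len(r['triple_des'])} 3DES")
```

The practical point the audit makes: with strength 1 or 2 every suite is TLS 1.2-only, so a TLS 1.0 or 1.1 client has no suite in common with the server and the handshake fails even if the protocol version itself is still enabled. From strength 3 upward the SHA-1 CBC suites let such clients back in, and only the protocol-version setting of the Indy I/O handler (its SSLOptions.SSLVersions set) keeps them out. Strength 5 additionally re-enables DES-CBC3-SHA and the static-RSA suites of tier 4, which is why a review would treat it as a compatibility fallback rather than a hardened default.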
irigsoft Posted March 19
I just want to extend what is known about why it is important to disable SSL and old TLS versions.
"How to prevent and repair POODLE attacks and BEAST attacks"
Any server that supports SSL 3.0 and older versions of TLS is vulnerable to a POODLE attack. Modern versions of TLS are safe, and today's browsers block sites that use old versions of TLS (1.0, 1.1). A server configured to support only newer protocols (TLS 1.2, 1.3) prevents the possibility of a POODLE attack.
This information is also for those who think that using HTTPS is quite enough to protect their web applications!