Using TLS 1.3


bbm

Hello, everyone,

is there a way to use TLS 1.3 for SSL? At the moment I was only able to activate TLS 1.2, for which the two files ssleay32.dll and libeay32.dll in version 1.0.2.x are used. Unfortunately, these have been discontinued for some time.

Is there an alternative solution for this? This will certainly be criticized during security checks.

Many greetings



Hello, can this help you?

https://itecnote.com/tecnote/delphi-upgrade-indy-library-to-use-latest-openssl-library/

 

"So don't worry about it. If you use Indy with a proper Cypher Names list and latest Fulgan DLLs, you are pretty up-to-date and safe. Sometimes safer than some old Linux distribution, which may lag behind with the revision shipped with the system. Even TLS 1.3 is still far from being mandatory, since it is not yet enabled on client sides. I am sure Indy team will support 1.1 when some of its features becomes mandatory (or switch to Windows SChannel API)."

 

and how to use the cipher name list in uniGUI:

 

 


  • 6 months later...

Hi,

I'm using 1.0.2u OpenSSL dll's from Indy and uniGUI 1.90.0.1563

I must be doing something wrong trying to implement this. I'm setting SSL.SSLOptions.CipherList to the desired list of ciphers:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256

When trying to connect to my uniGUI webserver (testing it as application and as service) I get the following error message from Firefox:

 

Quote

Secure Connection Failed

An error occurred during a connection to 127.0.0.1:8077. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Only when I add the following (old) ciphers does it work:

AES128-SHA
AES256-SHA

Any idea what I'm doing wrong?

Regards,

Pascal



Hello,

Did you try this solution: https://kinsta.com/blog/ssl_error_no_cypher_overlap/#2-reset-your-tls-and-ssl3-settings

Please share the part of your code that shows how exactly you use it.

 

Can you try this code in procedure TUniServerModule.UniGUIServerModuleCreate:

function GetCipherList(AStrength: Integer): WideString;
const
  //https://wiki.mozilla.org/Security/Server_Side_TLS
  //configurator: https://ssl-config.mozilla.org/
  cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
  cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
  cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
  cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
  cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
begin
  // Each level appends a weaker group to the previous one; 1 is the strictest.
  case AStrength of
    // Advanced Plus (A+)
    1: Result := cCIPHER_LIST_1;
    // Advanced (A)
    2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
    // Broad Compatibility (B)
    3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
    // Widest Compatibility (C)
    4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
    // Legacy (C-)
    5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
  else
    Result := EmptyStr; // EmptyStr is declared in SysUtils
  end;
end;

// Standard TNotifyEvent signature of the server module's OnCreate handler.
procedure TUniServerModule.UniGUIServerModuleCreate(Sender: TObject);
begin
  // http://forums.unigui.com/index.php?/topic/8625-tls-cipher-strings/&tab=comments#comment-44301
  // https://wiki.mozilla.org/Security/Server_Side_TLS
  // Option 2 is to use an INI file and define the cipher string there. With this you are
  // more flexible to quickly change the strength and/or the string itself.
  SSL.SSLOptions.CipherList := GetCipherList(1);
end;



For example:

SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];

SSL.SSLOptions.CipherList := 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS ';

It seems to work when I add older ciphers like:

SSL.SSLOptions.CipherList := 'RSA+AESGCM:RSA+AES';

I tried the different solutions from the link, did not help.

(Thank you for your reply)


12 minutes ago, pcoenen said:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS

Did you try with this: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:HIGH:!3DES:!aNULL:!MD5:!DSS:!MD5:!aNULL:!EDH:!RC4


It only works when RSA+AESGCM or RSA+AES is in the list. 

Firefox information about the encryption used (screenshot not reproduced here).

 

FYI, same issue with Chrome:

127.0.0.1 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH
 
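Editor's note, an added example that is not code from this thread, from uniGUI or from Indy: both questions in this thread come down to what the OpenSSL build behind the server does with a cipher string. The script below uses Python's standard ssl module, which wraps whatever OpenSSL Python was built against, to expand the exact cipher strings posted above and to model which of those suites a server could actually offer. Three inputs are assumptions stated in the code, not values read from a real server: cert_auth is the key type of the server certificate (RSA here, as a self-signed uniGUI cert usually is; pass "ECDSA" otherwise), and ecdh_ready/dh_ready stand in for whether the server process configured an ECDH curve and loaded DH parameters, which OpenSSL 1.0.2 requires before it will offer any ECDHE-*/DHE-* suite. The script also lists the TLS 1.3 suites, which OpenSSL 1.1.1 and later keep in a separate list (SSL_CTX_set_ciphersuites) that the CipherList string does not control; no CipherList value can enable TLS 1.3 on 1.0.2 DLLs.

```python
import re
import ssl

# Cipher string from pcoenen's post above: every suite uses ECDHE or DHE key exchange.
ECDHE_ONLY = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
)
# The two suites whose addition made the handshake succeed: static RSA key exchange,
# which needs nothing beyond the RSA certificate but gives no forward secrecy.
RSA_KX_FALLBACK = "AES128-SHA:AES256-SHA"

# OpenSSL's one-line suite description looks like
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_KX_AU = re.compile(r"Kx=(\S+)\s+Au=(\S+)")


def is_valid_cipher_string(cipher_string):
    """True if the local OpenSSL parses the string and it selects at least one suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)  # raises ssl.SSLError: "No cipher can be selected"
    except ssl.SSLError:
        return False
    return True


def tls12_suites(cipher_string):
    """Expand a cipher string into the TLS 1.2-and-older suites it enables.

    Returns (name, protocol, key_exchange, authentication) tuples in OpenSSL's
    preference order. TLS 1.3 suites are skipped: the cipher string does not
    govern them (see tls13_suites)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = _KX_AU.search(c["description"])
        kx, au = m.groups() if m else ("?", "?")
        suites.append((c["name"], c["protocol"], kx, au))
    return suites


def tls13_suites():
    """TLS 1.3 suites the local OpenSSL enables by default.

    Empty on OpenSSL older than 1.1.1, which is why OpenSSL 1.0.2 DLLs can never
    negotiate TLS 1.3 whatever CipherList says."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def offerable(cipher_string, cert_auth="RSA", ecdh_ready=True, dh_ready=True):
    """Suites a server could actually put on the wire for this cipher string.

    Modelling assumptions (inputs chosen by the caller, not read from a server):
      cert_auth  - key type of the server certificate; a suite with a different
                   Au= value is never offered (Au=ECDSA needs an ECDSA cert).
      ecdh_ready - the server configured an ECDH curve (OpenSSL 1.0.2 needs
                   SSL_CTX_set_ecdh_auto/set_tmp_ecdh before any Kx=ECDH suite).
      dh_ready   - the server loaded DH parameters (needed for any Kx=DH suite).
    """
    allowed = []
    for name, _proto, kx, au in tls12_suites(cipher_string):
        if au != cert_auth:
            continue
        if kx == "ECDH" and not ecdh_ready:
            continue
        if kx == "DH" and not dh_ready:
            continue
        allowed.append(name)
    return allowed


if __name__ == "__main__":
    print("TLS 1.3 suites (independent of CipherList):", tls13_suites())
    print("RSA cert, no ECDH/DH setup, ECDHE_ONLY    :",
          offerable(ECDHE_ONLY, ecdh_ready=False, dh_ready=False))
    print("same, plus AES128-SHA:AES256-SHA          :",
          offerable(ECDHE_ONLY + ":" + RSA_KX_FALLBACK, ecdh_ready=False, dh_ready=False))
    print("RSA cert with ECDH curve configured       :",
          offerable(ECDHE_ONLY, dh_ready=False))
```

With an RSA certificate and no ECDH/DH setup the first list comes out empty, which is the server-side shape of SSL_ERROR_NO_CYPHER_OVERLAP; appending AES128-SHA:AES256-SHA leaves exactly those two static-RSA suites, matching what the thread observed. The check worth doing before adding non-PFS suites to satisfy a scanner is therefore whether the server process actually configures an ECDH curve, so that the ECDHE-RSA suites in the list can be offered instead.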

FYI, this one works (from your example code):

cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';

 

(Stupid) question, I'm using a Self Signed certificate, could this be the issue? 

 


2 minutes ago, irigsoft said:

Can you try with another/external IP (not 127.0.0.1)?

Same error message:

An error occurred during a connection to 10.211.55.8:8077. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP


1 minute ago, pcoenen said:

(Stupid) question, I'm using a Self Signed certificate, could this be the issue?

You have to check, but I think so.


1 minute ago, irigsoft said:

You have to check, but I think so.

Ok, sorry for taking your time; I should have told you this at the beginning. Thank you very much for all your information on the forum regarding security. Much appreciated.


It's not a problem for my time; I want to help you, and everyone else afterwards, but I can't give you a ready-to-use solution.

I was reading somewhere that 127.0.0.1 is always http, not https!

Please search the web for this: https://www.google.com/search?q=127.0.0.1+on+https&ei=68i6Y8ObOouSxc8P-LyngAg&oq=https+on+127.0.0.1&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQAxgAMgsIABAIEB4QDxDxBDIFCAAQhgMyBQgAEIYDMgUIABCGAzoMCAAQ6gIQtAIQQxgBOhIILhDHARDRAxDqAhC0AhBDGAE6BQgAEJECOgUIABCABDoFCC4QgAQ6CAguEIAEENQCOgsILhCvARDHARCABDoJCAAQBxAeEPEEOgcIABCABBAKOgcIABAeEPEEOgkIABCABBANEAo6CwgAEAgQBxAeEPEEOg0IABAIEAcQHhAPEPEEOgkIABAeEPEEEA1KBAhBGABKBAhGGABQiwhY6ClgmD1oAXABeACAAWyIAeMLkgEEMTcuMZgBAKABAbABCsABAdoBBAgBGAc&sclient=gws-wiz-serp

maybe this will help: https://stackoverflow.com/questions/6793174/third-party-signed-ssl-certificate-for-localhost-or-127-0-0-1

 

13 minutes ago, pcoenen said:

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

I am not sure what your purpose is:

do you want to block the use of SSL3 (like your example: https://stackoverflow.com/questions/44767903/delphi-indy-ssl-parameters),

or something else? Because the error message is exactly that (the error code 'SSL_NO_CYPHER_OVERLAP' occurs in Firefox when certain types of encryption have been disabled either in the browser or on the server side: https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/).



Due to a vulnerability scan at one of my customers, we got the request to add an option for a customized cipher list. We got a couple of ciphers they would like to use, and that is when I started getting this error message. I'll try further and let you know the result.



thank you.


36 minutes ago, pcoenen said:

I'm using a Self Signed certificate, could this be the issue? 

Maybe this will help you:

I use a trusted certificate.

I had set it up with URL='https://X.X.X.X:8070/...' and that was the problem.

After I set it up with URL='https://myaddres:8070/...' the problem was solved in MsgSrv.

 

http://forums.unigui.com/index.php?/search/&q="Self Signed certificate"&quick=1

 

or this: 

 


  • 2 months later...

Dear @Farshad Mohajeri

Even using TLS 1.2, our security department is after me to fix a vulnerability that has to do with weak ciphers that could be used. To do this, I have to modify UniServerModule.SSL.SSLOptions.CipherList to specify which ciphers are allowed.

The question is: since I have to do this inside "UniGUIServerModuleCreate", it will run properly in standalone or service mode, but will it do so using HyperServer? If not, please add the possibility to specify this parameter in the "hyper_server.ssl.cfg" file.

Kind regards,

 



object TUniHyperSSL
  SSL.Enabled = True
  SSL.SSLOptions.RootCertFile = 'root.pem'
  SSL.SSLOptions.CertFile = 'cert.pem'
  SSL.SSLOptions.KeyFile = 'key.pem'
  SSL.SSLOptions.Method = sslvTLSv1_2
  SSL.SSLOptions.SSLVersions = [sslvTLSv1_2]
  SSL.SSLOptions.Mode = sslmUnassigned
  SSL.SSLOptions.VerifyMode = []
  SSL.SSLOptions.VerifyDepth = 0
  SSL.SSLPort = 0
end

You can add additional properties to the above setup: any other properties which are valid for the TUniSSL & TIdSSLOptions objects.

You can simply copy them from the DFM file of ServerModule and paste them into the hyper.ssl.cfg file.

http://www.unigui.com/doc/online_help/index.html?ssl-support-in-hyperserver.htm

 



 

I should have skipped that detail in the documentation. Sorry for the inconvenience.
Thank you so much.

