bbm Posted June 28, 2022
Hello, everyone, is there a way to use TLS 1.3 for SSL? At the moment I was only able to activate TLS 1.2, for which the two files ssleay32.dll and libeayssl.dll in version 1.0.2.x are used. Unfortunately, these have been discontinued for some time. Is there an alternative solution for this? This will certainly be criticized during security checks. Many greetings
irigsoft Posted June 28, 2022
35 minutes ago, bbm said: Hello, everyone, is there a way to use TLS 1.3 for SSL? At the moment I was only able to activate TLS 1.2, for which the two files ssleay32.dll and libeayssl.dll in version 1.0.2.x are used. Unfortunately, these have been discontinued for some time. Is there an alternative solution for this? This will certainly be criticized during security checks. Many greetings
Hello, can this help you? https://itecnote.com/tecnote/delphi-upgrade-indy-library-to-use-latest-openssl-library/
"So don't worry about it. If you use Indy with a proper Cypher Names list and latest Fulgan DLLs, you are pretty up-to-date and safe. Sometimes safer than some old Linux distribution, which may lag behind with the revision shipped with the system. Even TLS 1.3 is still far from being mandatory, since it is not yet enabled on client sides. I am sure Indy team will support 1.1 when some of its features becomes mandatory (or switch to Windows SChannel API)."
And how to use the cipher name list in uniGUI:
bbm (Author) Posted June 28, 2022
Thank you very much, I will try. Best regards
irigsoft Posted June 28, 2022
1 hour ago, bbm said: Thank you very much, I will try. Best regards
If you succeed, please write the result here.
bbm (Author) Posted June 30, 2022
Hi, it works! Thank you. Best regards
pcoenen Posted January 8, 2023
Hi, I'm using the 1.0.2u OpenSSL DLLs from Indy and uniGUI 1.90.0.1563. I must be doing something wrong trying to implement this. So I'm setting SSL.SSLOptions.CipherList to a desired list of ciphers:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
When trying to connect to my uniGUI webserver (testing it as application and as service) I get the following error message from Firefox:
Secure Connection Failed
An error occurred during a connection to 127.0.0.1:8077. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Only when I add the following (old) ciphers does it work:
AES128-SHA
AES256-SHA
Any idea what I'm doing wrong?
Regards, Pascal
irigsoft Posted January 8, 2023
56 minutes ago, pcoenen said: Hi, I'm using the 1.0.2u OpenSSL DLLs from Indy and uniGUI 1.90.0.1563. I must be doing something wrong trying to implement this. So I'm setting SSL.SSLOptions.CipherList to a desired list of ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256 When trying to connect to my uniGUI webserver (testing it as application and as service) I get the following error message from Firefox: Only when I add the following (old) ciphers does it work: AES128-SHA AES256-SHA Any idea what I'm doing wrong? Regards, Pascal
Hello, did you try this solution: https://kinsta.com/blog/ssl_error_no_cypher_overlap/#2-reset-your-tls-and-ssl3-settings
Please share part of your code, showing how exactly you use it.
Can you try this code in the procedure TUniServerModule.UniGUIServerModuleCreate (the procedure header below is the one named here; the function is nested inside it):

procedure TUniServerModule.UniGUIServerModuleCreate(Sender: TObject);

  function GetCipherList(AStrength: Integer): WideString;
  const
    // https://wiki.mozilla.org/Security/Server_Side_TLS
    // configurator: https://ssl-config.mozilla.org/
    cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256';
    cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
    cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA';
  begin
    // Each strength level appends a weaker tier to the previous one.
    case AStrength of
      // Advanced Plus (A+)
      1: Result := cCIPHER_LIST_1;
      // Advanced (A)
      2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2;
      // Broad Compatibility (B)
      3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3;
      // Widest Compatibility (C)
      4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4;
      // Legacy (C-)
      5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5;
    else
      Result := EmptyStr;
    end;
  end;

begin
  // http://forums.unigui.com/index.php?/topic/8625-tls-cipher-strings/&tab=comments#comment-44301
  // https://wiki.mozilla.org/Security/Server_Side_TLS
  // Option 2 is to use an INI file and define the cipher string there. With this you are more flexible to quickly change the strength and/or the string itself.
  SSL.SSLOptions.CipherList := GetCipherList(1);
end;
pcoenen Posted January 8, 2023
14 minutes ago, irigsoft said: Hello, did you try this solution: https://kinsta.com/blog/ssl_error_no_cypher_overlap/#2-reset-your-tls-and-ssl3-settings Please share part of your code, showing how exactly you use it.
For example:
SSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
SSL.SSLOptions.CipherList := 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS';
It seems to work when I add older ciphers like:
SSL.SSLOptions.CipherList := 'RSA+AESGCM:RSA+AES';
I tried the different solutions from the link; they did not help. (Thank you for your reply.)
irigsoft Posted January 8, 2023
12 minutes ago, pcoenen said: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS
Did you try with this:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:HIGH:!3DES:!aNULL:!MD5:!DSS:!MD5:!aNULL:!EDH:!RC4
pcoenen Posted January 8, 2023
It only works when RSA+AESGCM or RSA+AES is in the list. Firefox information about the encryption used:
FYI, same issue with Chrome:
127.0.0.1 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
irigsoft Posted January 8, 2023
4 minutes ago, pcoenen said: 127.0.0.1 uses an unsupported protocol.
Can you try with another/external IP (not 127.0.0.1)? I think there are some differences between localhost and an external IP.
pcoenen Posted January 8, 2023
FYI, this one works, from your example code:
cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA';
(Stupid) question: I'm using a self-signed certificate, could this be the issue?
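As an added example (not code from this thread, nor from uniGUI or Indy), the following Python script expands the cipher strings quoted above with the local OpenSSL, the way a server's OpenSSL would, and reports per concrete suite what a vulnerability scan typically flags: the cCIPHER_LIST_4 tier that made the handshake work consists only of static-RSA key exchange suites without forward secrecy, while the ECDH/DH alias string that failed contains only forward-secret suites. It assumes Python's ssl module is linked against an OpenSSL build, so the expansion reflects that build rather than the 1.0.2u DLLs shipped with Indy.

```python
import ssl

# OpenSSL long names reported by SSLContext.get_ciphers() for ephemeral
# (forward-secret) key exchange; static RSA key exchange shows up as 'kx-rsa'.
PFS_KEA = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}
# Bulk ciphers a vulnerability scan normally flags outright.
WEAK_SYMMETRIC_PREFIXES = ("des", "rc4", "rc2", "idea")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string such as 'ECDH+AESGCM:RSA+AES' into the
    concrete TLS 1.2-and-below suites the local OpenSSL would offer, in
    preference order. TLS 1.3 suites are configured separately and are left
    out. Returns [] when OpenSSL rejects the string (no selectable suite)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """One record per concrete suite with the findings a scanner would raise:
    no forward secrecy, non-AEAD (CBC) mode, SHA-1/MD5 MAC, weak bulk cipher."""
    report = []
    for c in expand_cipher_string(cipher_string):
        findings = []
        if c["kea"] not in PFS_KEA:
            findings.append("no forward secrecy")
        if not c["aead"]:
            findings.append("CBC mode (non-AEAD)")
        if c["digest"] in ("sha1", "md5"):
            findings.append(c["digest"].upper() + " MAC")
        if (c["symmetric"] or "").startswith(WEAK_SYMMETRIC_PREFIXES):
            findings.append("weak cipher " + c["symmetric"])
        report.append({"name": c["name"], "kea": c["kea"], "findings": findings})
    return report


# Cipher strings quoted from the thread: the RSA-key-exchange tier that made
# the handshake succeed, and the ECDH/DH alias string that did not.
CCIPHER_LIST_4 = ("AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:"
                  "AES128-SHA256:AES256-SHA:AES128-SHA")
PFS_ONLY = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS"

if __name__ == "__main__":
    for label, s in (("cCIPHER_LIST_4", CCIPHER_LIST_4), ("ECDH/DH only", PFS_ONLY)):
        print("== " + label + " ==")
        for r in audit_cipher_string(s):
            print("%-32s %-10s %s" % (r["name"], r["kea"], ", ".join(r["findings"]) or "ok"))
```

A string OpenSSL rejects outright (no selectable suite on the local build) yields an empty list rather than an exception, which is the same condition the browser reports as no cipher overlap.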
pcoenen Posted January 8, 2023
2 minutes ago, irigsoft said: Can you try with another/external IP (not 127.0.0.1)?
Same error message:
An error occurred during a connection to 10.211.55.8:8077. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
irigsoft Posted January 8, 2023
1 minute ago, pcoenen said: FYI, this one works, from your example code: cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA'; (Stupid) question: I'm using a self-signed certificate, could this be the issue?
You have to check, but I think so.
pcoenen Posted January 8, 2023
1 minute ago, irigsoft said: You have to check, but I think so.
OK, sorry for your time, I should have told you this in the beginning. Thank you very much for all your information on the forum regarding security. Much appreciated.
irigsoft Posted January 8, 2023
It's not a problem for my time; I want to help you, and everyone else afterwards, but I can't give you a ready-to-use solution. I was reading somewhere that 127.0.0.1 is always http, not https! Please search the web for this: https://www.google.com/search?q=127.0.0.1+on+https&ei=68i6Y8ObOouSxc8P-LyngAg&oq=https+on+127.0.0.1&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQAxgAMgsIABAIEB4QDxDxBDIFCAAQhgMyBQgAEIYDMgUIABCGAzoMCAAQ6gIQtAIQQxgBOhIILhDHARDRAxDqAhC0AhBDGAE6BQgAEJECOgUIABCABDoFCC4QgAQ6CAguEIAEENQCOgsILhCvARDHARCABDoJCAAQBxAeEPEEOgcIABCABBAKOgcIABAeEPEEOgkIABCABBANEAo6CwgAEAgQBxAeEPEEOg0IABAIEAcQHhAPEPEEOgkIABAeEPEEEA1KBAhBGABKBAhGGABQiwhY6ClgmD1oAXABeACAAWyIAeMLkgEEMTcuMZgBAKABAbABCsABAdoBBAgBGAc&sclient=gws-wiz-serp
Maybe this will help: https://stackoverflow.com/questions/6793174/third-party-signed-ssl-certificate-for-localhost-or-127-0-0-1
13 minutes ago, pcoenen said: Error code: SSL_ERROR_NO_CYPHER_OVERLAP
I am not sure what your purpose is: do you want to block the use of SSL3 (like your example: https://stackoverflow.com/questions/44767903/delphi-indy-ssl-parameters), or something else? Because the error message is exactly that (the error code 'SSL_NO_CYPHER_OVERLAP' occurs in Firefox when certain types of encryption have been disabled either on the browser or on the server side: https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/).
pcoenen Posted January 8, 2023
4 minutes ago, irigsoft said: It's not a problem for my time; I want to help you, and everyone else afterwards, but I can't give you a ready-to-use solution. I am not sure what your purpose is: do you want to block the use of SSL3 (like your example: https://stackoverflow.com/questions/44767903/delphi-indy-ssl-parameters), or something else? Because the error message is exactly that: https://appuals.com/how-to-fix-ssl_error_no_cypher_overlap/
Due to a vulnerability scan at one of my customers, we got the request to add an option for a customized cipher list. We got a couple of ciphers they would like to use, and that is when I started getting this error message. I'll try further and let you know the result.
irigsoft Posted January 8, 2023
Just now, pcoenen said: Due to a vulnerability scan at one of my customers, we got the request to add an option for a customized cipher list. We got a couple of ciphers they would like to use, and that is when I started getting this error message. I'll try further and let you know the result.
Thank you.
irigsoft Posted January 8, 2023
36 minutes ago, pcoenen said: I'm using a self-signed certificate, could this be the issue?
Maybe this will help you (from another thread): "I use a trusted certificate. I had set it up in the URL='https://X.X.X.X:8070/...' and that was the problem. After I set it up in the URL='https://myaddres:8070/...' the problem was solved in MsgSrv."
http://forums.unigui.com/index.php?/search/&q="Self Signed certificate"&quick=1
Or this:
estrify Posted March 9, 2023
Dear @Farshad Mohajeri,
Even using TLS 1.2, our security department is after me to solve a vulnerability that has to do with weak ciphers that could be used. To do this, I have to modify UniServerModule.SSL.SSLOptions.CipherList to specify which ciphers are allowed. The question is: since I have to do this inside "UniGUIServerModuleCreate", it will run properly in standalone or service mode, but will it do so using HyperServer? If not, please add the possibility to specify this parameter in the "hyper_server.ssl.cfg" file.
Kind regards,
Farshad Mohajeri (Administrator) Posted March 9, 2023
35 minutes ago, estrify said: Dear @Farshad Mohajeri, Even using TLS 1.2, our security department is after me to solve a vulnerability that has to do with weak ciphers that could be used. To do this, I have to modify UniServerModule.SSL.SSLOptions.CipherList to specify which ciphers are allowed. The question is: since I have to do this inside "UniGUIServerModuleCreate", it will run properly in standalone or service mode, but will it do so using HyperServer? If not, please add the possibility to specify this parameter in the "hyper_server.ssl.cfg" file. Kind regards,

object TUniHyperSSL
  SSL.Enabled = True
  SSL.SSLOptions.RootCertFile = 'root.pem'
  SSL.SSLOptions.CertFile = 'cert.pem'
  SSL.SSLOptions.KeyFile = 'key.pem'
  SSL.SSLOptions.Method = sslvTLSv1_2
  SSL.SSLOptions.SSLVersions = [sslvTLSv1_2]
  SSL.SSLOptions.Mode = sslmUnassigned
  SSL.SSLOptions.VerifyMode = []
  SSL.SSLOptions.VerifyDepth = 0
  SSL.SSLPort = 0
end

You can add additional properties to the above setup: any properties which are valid for the TUniSSL and TIdSSLOptions objects. You can simply copy them from the DFM file of the ServerModule and paste them into the hyper.ssl.cfg file.
http://www.unigui.com/doc/online_help/index.html?ssl-support-in-hyperserver.htm
estrify Posted March 9, 2023
6 minutes ago, Farshad Mohajeri said: You can add additional properties to the above setup: any properties which are valid for the TUniSSL and TIdSSLOptions objects. You can simply copy them from the DFM file of the ServerModule and paste them into the hyper.ssl.cfg file. http://www.unigui.com/doc/online_help/index.html?ssl-support-in-hyperserver.htm
I must have skipped that detail in the documentation. Sorry for the inconvenience. Thank you so much.