我们的不认可是这样的设置:
SSL版本: sslvSSLv23
将导致使用最高可用 TLS 版本。
但是,查看SSL跟踪,这似乎并没有发生。
观察对同一服务器的这些调用:
SSL 版本:sslvTLSv1_2 -- 我得到一个 TLS 1.2 连接
Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256;
description = AES128-SHA256
TLSv1.2 Kx=RSA
Au=RSA Enc=AES(128)
Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;
访问同一服务器,但设置为:SSL 版本:sslvSSLv23我希望有一个TLS 1.2连接。井。实际上,我希望与上述连接相同。但观察一下,我最终得到了TLS 1.0:
Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
;
bits = 128; version = TLSv1/SSLv3;
什么是缺失的,谈判最高的,神奇的?
如果您仍在使用 SSLOption.Method
属性,则需要停止使用它。 请改用 SSLOption.SSLVersions
属性。 这将允许您一次启用多个SSL/TLS版本。 sslvSSLv23
将在内部用于处理协商,但它会向服务器报告SSLVersions
启用的最高 SSL/TLS 版本。 如果您使用的是支持 TLS 1.2 的 Indy 10 版本和支持 TLS 1.2 的 OpenSSL DLL 版本,则在服务器也支持 TLS 1.2 的情况下,在 SSLVersions
属性中启用sslvTLSv1_2
应协商 TLS 1.2。 请记住,如果 DLL 不支持 TLS 1.1 或 1.2,即使您使用 sslvTLSv1_1
和/或 sslvTLSv1_2
,Indy 也会静默回退到 TLS 1.0。