小贝子编程

Delphi with Indy10:如何自动协商可用的最高TLS级别



我们的不认可是这样的设置:

SSL版本: sslvSSLv23

将导致使用最高可用 TLS 版本。

但是,查看SSL跟踪,这似乎并没有发生。

观察对同一服务器的这些调用:

SSL 版本:sslvTLSv1_2 -- 我得到一个 TLS 1.2 连接

Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256; 
description = AES128-SHA256           
TLSv1.2 Kx=RSA      
Au=RSA  Enc=AES(128)  
Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;

访问同一服务器,但设置为:SSL 版本:sslvSSLv23我希望有一个TLS 1.2连接。井。实际上,我希望与上述连接相同。但观察一下,我最终得到了TLS 1.0:

Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA 
SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
; 
bits = 128; version = TLSv1/SSLv3;

什么是缺失的,谈判最高的,神奇的?

如果您仍在使用 SSLOption.Method 属性,则需要停止使用它。 请改用 SSLOption.SSLVersions 属性。 这将允许您一次启用多个SSL/TLS版本。 sslvSSLv23将在内部用于处理协商,但它会向服务器报告SSLVersions启用的最高 SSL/TLS 版本。 如果您使用的是支持 TLS 1.2 的 Indy 10 版本和支持 TLS 1.2 的 OpenSSL DLL 版本,则在服务器也支持 TLS 1.2 的情况下,在 SSLVersions 属性中启用sslvTLSv1_2应协商 TLS 1.2。 请记住,如果 DLL 不支持 TLS 1.1 或 1.2,即使您使用 sslvTLSv1_1 和/或 sslvTLSv1_2,Indy 也会静默回退到 TLS 1.0。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium