ICS v8 has been updated to support OpenSSL 1.0.2 and DH and EC keys, and to better support TLSv1.1 and TLSv1.2 protocols. The changes may be downloaded from the SVN repository or the overnight zip file at:
http://www.magsys.co.uk/delphi/magics.asp Sorry, François's ISP is still unable to get the wiki server running. This group of changes allow ICS SSL servers to support DH (Diiffie- Hellman) and EDH/DHE (Ephemeral DH) key exchange, and EC (Elliptic Curve) encryption) for ECDH and EECDH key exchange, as well as the older RSA key exchange. Note SSL clients already supported these key exchanges. DH support requires supply of DH Parameters which are used to generate new keys for each session, which implements Forward Secrecy preventing decryption of old sessions if the certificate key is later broken or stolen. Currently, ICS only supports reading DH Parameters from a file generated using the openssl.exe utility with key lengths of 512, 1024, 2048, 4096 bits and it's recommended these are generated when an application is installed, although three prepared files are supplied. Beware generating DH Parameters takes a while, about 15 minutes for the 2048 bit file, 30 seconds for the 1024 file. ICS does not yet have a function to generate DH Parameters but I'll add it shortly, also a way to build them into the application rather than using a file. EC support is much easier, just selection of SslECDHMethod as s sslECDHNone, sslECDHAuto, sslECDH_P256, sslECDH_P384 and sslECDH_P521. Currently MSIE 11 does not seem to like the ICS EC support, still investigating. Note that server use of these new options needs matching Ciphers to be available, and all testing has been with sslCiphersMozillaSrvInter. SVN notes for specific units: Source/OverbyteIcsWSocket.pas Mar 16, 2015 V8.15 Angus added more SslOptions: sslOpt_NO_COMPRESSION, sslOpt_TLSEXT_PADDING, sslOpt_SAFARI_ECDHE_ECDSA_BUG, sslOpt_CISCO_ANYCONNECT, sslOpt_NO_TLSv1_1 and sslOpt_NO_TLSv1_2 Added more SslVersionMethods: sslTLS_V1_1, sslTLS_V1_2 and sslBestVer which is eqivalent to sslV23 and actually means any of SSLV3, TLS1, TLS1.1 or TLS1.2. To disable some versions, use sslBestVer and disable specific ones using SslOptions. To force only one version, set SslVersionMethod to that version. Choosing a specific TLS version will fail if matching Ciphers are not available OPENSSL_NO_TLSEXT removed so SSL Server Name Identification is always supported Added SslDHParamFile to load a DH Parameters for Diiffie-Hellman DH and EDH key ciphers. DH param files may have key lengths of 512, 1024, 2048, 4096 bits and currently need to be generated using the opensll.exe utility (or use those that come with ICS) Added SslECDHMethod to select Elliptic Curves to support ECDH and EECDH key ciphers Note, only OpenSSL 1.0.1 and later are now supported since this added TLS 1.1/1.2 Source/OverbyteIcsLIBEAY.pas Mar 13, 2015 V8.07 Angus allow load of OSSL 1.0.2 (briefly tested) Note, only OpenSSL 1.0.1 and later are now supported, removed some old conditionals and code Added functions and literals for DH and EC key support Source/OverbyteIcsSSLEAY.pas Mar 13, 2015 V8.01 Angus updated SSL_OP option literals, added TLS v1.1 and 1.2 methods Added functions need to generate DH keys for EDH ciphers with Forward Secrecy Note, only OpenSSL 1.0.1 and later are now supported, removed various conditionals Source/Include/OverbyteIcsSslDefs.inc OPENSSL_NO_TLSEXT now disabled Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.dfm Samples/Delphi/SslInternet/OverbyteIcsHttpsTst1.pas Mar 16 2015 V8.01 Angus added DH File (mainly for servers) Added SSL Version and Cipher edits to make testing easier Reset SSL when changing parameters to force new negotiation Samples/Delphi/SslInternet/OverbyteIcsPemTool1.dfm Samples/Delphi/SslInternet/OverbyteIcsPemTool1.pas Samples/Delphi/SslInternet/OverbyteIcsPemTool3.dfm Mar 16, 2015 V8.00 Angus default key length now 2048 Samples/Delphi/SslInternet/OverbyteIcsSslWebAppServerMain.dfm Samples/Delphi/SslInternet/OverbyteIcsSslWebAppServerMain.pas Mar 16 2015 V8.01 Angus added DHParam File needed to supporting DH key exchange Set ECDH method to support ECDH key exchange Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.dfm Samples/Delphi/SslInternet/OverbyteIcsSslWebServ1.pas Mar 16 2015 V8.02 Angus added DHParam File needed to supporting DH key exchange Added EllCurve to support ECDH key exchange Display SSL handshake info on demo menu Added Server Name Indication (SNI) display, used to support multiple host and certificates on the same IP address (note the OverbyteIcsSslSniSrv sample is better and changes the SslContext) Samples/Delphi/SslInternet/OverbyteIcsSslX509Utils.pas Mar 16, 2015 V8,00 Angus uses Sha256 instead of Sha1 for all signing Samples/Delphi/SslInternet/dhparam1024.pem Samples/Delphi/SslInternet/dhparam2048.pem Samples/Delphi/SslInternet/dhparam512.pem DH Parameter files with different key lengths. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be