ICS v8 has been updated to support OpenSSL 1.0.2 and DH and EC keys, 
and to better support TLSv1.1 and TLSv1.2 protocols.   The changes 
may be downloaded from the SVN repository or the overnight zip file at:


Sorry, Fran├žois's ISP is still unable to get the wiki server running. 

This group of changes allow ICS SSL servers to support DH (Diiffie-
Hellman) and EDH/DHE (Ephemeral DH) key exchange, and EC (Elliptic 
Curve) encryption) for ECDH and EECDH key exchange, as well as the 
older RSA key exchange.  Note SSL clients already supported these key 

DH support requires supply of DH Parameters which are used to 
generate new keys for each session, which implements Forward Secrecy
preventing decryption of old sessions if the certificate key is later 
broken or stolen.

Currently, ICS only supports reading DH Parameters from a file generated
using the openssl.exe utility with key lengths of 512, 1024, 2048, 4096
bits and it's recommended these are generated when an application is
installed, although three prepared files are supplied. Beware 
generating DH Parameters takes a while, about 15 minutes for the 2048 
bit file, 30 seconds for the 1024 file.  ICS does not yet have a 
function to generate DH Parameters but I'll add it shortly, also a 
way to build them into the application rather than using a file.

EC support is much easier, just selection of SslECDHMethod as s
sslECDHNone, sslECDHAuto, sslECDH_P256, sslECDH_P384 and 
sslECDH_P521.  Currently MSIE 11 does not seem to like the ICS EC 
support, still investigating.

Note that server use of these new options needs matching Ciphers to be
available, and all testing has been with sslCiphersMozillaSrvInter.

SVN notes for specific units:

Mar 16, 2015 V8.15
Angus added more SslOptions: sslOpt_NO_COMPRESSION, 
sslOpt_CISCO_ANYCONNECT, sslOpt_NO_TLSv1_1 and sslOpt_NO_TLSv1_2
Added more SslVersionMethods: sslTLS_V1_1, sslTLS_V1_2 and sslBestVer 
which is eqivalent to sslV23 and actually means any of SSLV3, TLS1, 
TLS1.1 or TLS1.2. To disable some versions, use sslBestVer and 
disable specific ones using SslOptions. To force only one version, 
set SslVersionMethod to that version. Choosing a specific TLS version 
will fail if matching Ciphers are not available OPENSSL_NO_TLSEXT 
removed so SSL Server Name Identification is always supported
Added SslDHParamFile to load a DH Parameters for Diiffie-Hellman DH 
and EDH key ciphers. DH param files may have key lengths of 512, 
1024, 2048, 4096 bits and currently need to be generated using the 
opensll.exe utility (or use those that come with ICS)
Added SslECDHMethod to select Elliptic Curves to support ECDH and 
EECDH key ciphers
Note, only OpenSSL 1.0.1 and later are now supported since this added 
TLS 1.1/1.2

Mar 13, 2015 V8.07
Angus allow load of OSSL 1.0.2 (briefly tested)
Note, only OpenSSL 1.0.1 and later are now supported, removed some old
conditionals and code
Added functions and literals for DH and EC key support

Mar 13, 2015 V8.01
Angus updated SSL_OP option literals, added TLS v1.1 and 1.2 methods
Added functions need to generate DH keys for EDH ciphers with Forward
Note, only OpenSSL 1.0.1 and later are now supported, removed various

OPENSSL_NO_TLSEXT now disabled

Mar 16 2015   V8.01
Angus added DH File (mainly for servers)
Added SSL Version and Cipher edits to make testing easier
Reset SSL when changing parameters to force new negotiation

Mar 16, 2015 V8.00 Angus default key length now 2048

Mar 16 2015  V8.01
Angus added DHParam File needed to supporting DH key exchange
Set ECDH method to support ECDH key exchange

Mar 16 2015  V8.02
Angus added DHParam File needed to supporting DH key exchange
Added EllCurve to support ECDH key exchange
Display SSL handshake info on demo menu
Added Server Name Indication (SNI) display, used to support multiple host
and certificates on the same IP address
(note the OverbyteIcsSslSniSrv sample is better and changes the SslContext)

Mar 16, 2015 V8,00 Angus uses Sha256 instead of Sha1 for all signing

DH Parameter files with different key lengths.

To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to