Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define global TLSVersion in IdSSL #281

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Define global TLSVersion in IdSSL #281

wants to merge 2 commits into from

Conversation

Bi0T1N
Copy link
Contributor

@Bi0T1N Bi0T1N commented Jan 31, 2020
edited
Loading

this allows to have one set of TLS versions for all SSL/TLS IO handler

@Bi0T1N
Define global SSLVersion in IdSSL
08a0075 
this allows to have one set of SSL versions
for all SSL IO handler
rlebeau
rlebeau requested changes Jan 31, 2020
View reviewed changes
Copy link
Member

@rlebeau rlebeau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm OK with moving these types into the IdSSL.pas unit. But rather than removing them from the IdSSLOpenSSL.pas unit and risk breaking any existing user code, I would leave them in the IdSSLOpenSSL.pas unit for now and have them alias the new types in IdSSL.pas.

@Bi0T1N
Add new type for TLS methods
5177e8e 
Default value for user code should be tlsvTLS_flexible:
"The actual protocol version used will be
negotiated to the highest version mutually
supported by the client and the server."
https://www.openssl.org/docs/man1.1.1/man3/TLS_method.html
@Bi0T1N Bi0T1N changed the title Define global SSLVersion in IdSSL Define global TLSVersion in IdSSL Feb 1, 2020
@Bi0T1N
Copy link
Contributor Author

Bi0T1N commented Feb 1, 2020

I've reverted the changes and called the type TLS versions as this is more appropriate.

rlebeau
rlebeau reviewed Feb 2, 2020
View reviewed changes
Copy link
Member

@rlebeau rlebeau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renaming TIdSSLVersion/s to TIdTLSVersion/s is one thing, but I don't see the need for an explicit tlsvTLS_flexible value at all. Enabling multiple TLS versions at a time should imply the use of "flexible" internally. Just as for OpenSSL, enabling multiple SSL/TLS versions at a time uses SSLv23/TLSMethod internally. And by removing the SSL versions from the enum, the enum can no longer be used with TIdSSLIOHandlerSocketOpenSSL since SSLv2/v3 still need to be supported for OpenSSL 1.0.2 and earlier. Yes, there are still some systems using those old versions. Only OpenSSL 1.1.x drop SSLv2/v3 completely.

@Bi0T1N
Copy link
Contributor Author

Bi0T1N commented Feb 2, 2020
edited
Loading

Firstly I named it tlsvTLS_method but to know the meaning you need to read the documentation for it. So I thought naming it tlsvTLS_flexible (or tlsvTLS_highest) is more intuitive as it negotiates the highest possible version between client and server (therefore flexible).
The define is also not meant for use with OpenSSL 1.0.2 (it's EOL and should therefore be ignored for new code) and almost all libraries removed SSLv3 a long time ago. No need to keep it in the possible versions.
I've created the types so that all new SSL IO handler can make use of it to avoid having different schemes for different IO handler. (OpenSSL, LibreSSL, LibTLS, ...)

@rlebeau rlebeau added Type: Enhancement Issue is proposing a new feature/enhancement Element: I/O Handlers Issues related to TIdIOHandler and descendants Element: SSL/TLS Issues related to SSL/TLS handling, TIdSSLIOHandlerSocketBase and descendants labels May 20, 2021
@rlebeau rlebeau added this to the Indy 11 - Maintenance Release milestone Feb 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rlebeau rlebeau rlebeau requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
Element: I/O Handlers Issues related to TIdIOHandler and descendants Element: SSL/TLS Issues related to SSL/TLS handling, TIdSSLIOHandlerSocketBase and descendants Type: Enhancement Issue is proposing a new feature/enhancement
Projects
None yet
Milestone
Indy 11 - Maintenance Release
Development

Successfully merging this pull request may close these issues.
2 participants
@Bi0T1N @rlebeau