This is a shot in the dark, but here goes. We use Indy to connect and transfer files to an FTP server. We're using SSL (TLS - not sure what version). It works... sometimes. About 2 of our customers report "SSL is not available on this server". I was able to reproduce it when I used an AT&T cellular hotspot connected to my laptop. However, when I got home, where I have Cincinnati Bell Fioptics, it worked fine. I debugged the code, and it can't connect. I think it times out; if I continue the debugging, it says "error negotiating SSL", or something like that.

Comments

  1. First download OpenSSL 1.0.2m, the latest one, from https://indy.fulgan.com/SSL.
    Indy is almost transparent and doesn't do much with SSL. Everything is on the OpenSSL DLL side. Set TLS 1.2 and allow only TLS versions to be negotiated. Disable insecure ciphers. For example, you can set up your TIdServerIOHandlerSSLOpenSSL options:
    Method := sslvTLSv1_2;
    SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    CipherList := 'HIGH:!eNULL:!aNULL:!NULL:!MD5:!DSS:!EXP:!IDEA:!RC4:!ADH';

  2. I don't know if the version of Indy shipped with XE 5 is too old for OpenSSL 1.0.2g and later (see https://opendec.wordpress.com/2016/03/09/openssl-1-0-1s-and-1-0-2g/).

    Tomasz Kunicki, setting only SSLVersions is enough; Method is the deprecated Indy 9 way. Changing one of them influences the other property.
    I also recommend adding an @Strength

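The settings from the comments above, applied to an FTP client and preceded by a check that the OpenSSL DLLs actually load. This is an added example, not code from the original post or its commenters. It assumes Indy 10 and uses TIdSSLIOHandlerSocketOpenSSL, the client-side counterpart of the server handler named above; the host name and credentials are placeholders.

```delphi
program FtpsTlsCheck;

{$APPTYPE CONSOLE}

uses
  SysUtils, IdFTP, IdExplicitTLSClientServerBase,
  IdSSLOpenSSL, IdSSLOpenSSLHeaders;

var
  FTP: TIdFTP;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  // Report which OpenSSL build Indy picked up, or why loading failed.
  if not LoadOpenSSLLibrary then
  begin
    Writeln('OpenSSL failed to load: ', WhichFailedToLoad);
    Halt(1);
  end;
  Writeln('Loaded: ', OpenSSLVersion);

  FTP := TIdFTP.Create(nil);
  try
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(FTP);
    SSL.SSLOptions.Mode := sslmClient;
    // Only SSLVersions is set; Method is left alone, as the second comment advises.
    SSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    // Cipher list copied from the first comment.
    SSL.SSLOptions.CipherList :=
      'HIGH:!eNULL:!aNULL:!NULL:!MD5:!DSS:!EXP:!IDEA:!RC4:!ADH';

    // The IOHandler must be assigned before UseTLS is changed.
    FTP.IOHandler := SSL;
    FTP.UseTLS := utUseExplicitTLS;
    FTP.Passive := True;
    FTP.Host := 'ftp.example.com';   // placeholder
    FTP.Username := 'user';          // placeholder
    FTP.Password := 'password';      // placeholder

    try
      FTP.Connect;
      Writeln('Connected and logged in over TLS');
      FTP.Disconnect;
    except
      // Print the exception class so a TLS negotiation failure can be
      // told apart from a plain socket timeout.
      on E: Exception do
        Writeln(E.ClassName, ': ', E.Message);
    end;
  finally
    FTP.Free;
  end;
end.
```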
