问题描述
我们难以理解的是该设置:
Our undeerstanding is that setting:
SSL版本:sslvSSLv23
SSL Version: sslvSSLv23
将导致使用最高可用的TLS版本.
Will cause the highest avail TLS version to be used.
但是,查看SSL跟踪,似乎没有发生这种情况.
However, looking at the SSL trace, this does not appear to be happening.
将这些呼叫观察到同一服务器:
Observe these calls to the same server:
SSL版本:sslvTLSv1_2-我获得了TLS 1.2连接
SSL Version: sslvTLSv1_2 -- I get a TLS 1.2 connection
Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256;
description = AES128-SHA256
TLSv1.2 Kx=RSA
Au=RSA Enc=AES(128)
Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;
击中同一台服务器,但设置为:SSL版本:sslvSSLv23我希望使用TLS 1.2连接.出色地.实际上,我期望与上述相同的连接.但是请注意,我最终使用TLS 1.0:
Hitting the same server, but set to: SSL Version: sslvSSLv23I would expect a TLS 1.2 connection. Well. actually I would expect the same connection as above. But observe, I end up with TLS 1.0:
Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
;
bits = 128; version = TLSv1/SSLv3;
什么是失踪的,最高谈判的魔法?
What is the missing , negotiate highest, magic?
推荐答案
如果您仍在使用 SSLOption.Method
属性,则需要停止使用它.请使用 SSLOption.SSLVersions
属性.这样一来,您就可以一次启用多个SSL/TLS版本. sslvSSLv23
将在内部用于处理协商,但是它将向服务器报告在 SSLVersions
中启用的最高SSL/TLS版本.如果使用支持TLS 1.2的Indy 10版本和支持TLS 1.2的OpenSSL DLL版本,则在 SSLVersions
属性中启用 sslvTLSv1_2
应该会协商TLS如果服务器还支持TLS 1.2,则为1.2.请记住,如果DLL不支持TLS 1.1或1.2,即使使用 sslvTLSv1_1
和/或 sslvTLSv1_2
.Indy也会默默地退回到TLS 1.0.
You need to stop using the SSLOption.Method
property if you are still using it. Use the SSLOption.SSLVersions
property instead. That will allow you to enable multiple SSL/TLS versions at a time. sslvSSLv23
will be used internally to handle the negotiation, but it will report the highest SSL/TLS version enabled in SSLVersions
to the server. If you are using a version of Indy 10 that supports TLS 1.2, and a version of the OpenSSL DLLs that support TLS 1.2, then enabling sslvTLSv1_2
in the SSLVersions
property should negotiate TLS 1.2 if the server also supports TLS 1.2. Keep in mind that if the DLLs DO NOT support TLS 1.1 or 1.2, Indy will silently fall back to TLS 1.0 even when you use sslvTLSv1_1
and/or sslvTLSv1_2
.
这篇关于Delphi与Indy10:如何自动协商可用的最高TLS级别?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!