Tags: delphi, ssl, openssl, indy, delphi-10-seattle

How do I support TLS 1.1 and 1.2 only (in my webservice)?


In this question I asked about limiting the available SSL/TLS protocols for my webservice under Delphi XE2.
By using a TIdServerIOHandlerSSLOpenSSL component and setting its SSLOptions.SSLVersions property to [sslvSSLv23,sslvTLSv1] I was able to limit the available protocols to TLS 1.x.

Now, after upgrading to Delphi Seattle Upgrade 1, I wanted to further limit this to TLS 1.1 and 1.2 only:

LIOHandleSSL.SSLOptions.SSLVersions := [sslvTLSv1_1,sslvTLSv1_2];

But this does not work at all. When trying to connect I get a

exception class EIdOSSLUnderlyingCryptoError with message
'Error accepting connection with SSL. error: 140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'

and

Error connecting with SSL
EOF was observed that violates the protocol

What is going on here? How to fix it?

Notes:

  • Tested with OpenSSL 1.0.2f and 1.0.2h
  • Setting the 'old' combination [sslvSSLv23,sslvTLSv1] works
  • Including TLS 1.0 works as well: [sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2]

Solution

  • I would personally just keep SSLVersions at its default and use SSLOptions.CipherList instead to limit SSL to only known secure ciphers:

    LIOHandleSSL.SSLOptions.CipherList := 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    

    This should disable older SSL versions implicitly because these do not support the specified ciphers AFAIK.

    Note that OpenSSL 1.0.2g+ disables SSLv3 by default, unless one explicitly activates it during compilation.
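As an added example (not code from the question or the answer above, and not an Indy or OpenSSL API): a small Python audit of an OpenSSL CipherList string that shows why the list suggested in the answer cannot be negotiated below TLS 1.2, and how appending a single legacy suite "for compatibility" silently reopens TLS 1.0 and 1.1. The classification rules are mine, derived from the suite naming conventions (AEAD suites and SHA-256/SHA-384 HMAC suites were introduced with TLS 1.2, SHA-1/MD5 CBC suites are the TLS 1.0 set); the script handles explicit suite names only, not OpenSSL keywords such as HIGH or !aNULL.

```python
"""Audit an OpenSSL CipherList by the minimum TLS version each suite needs.

Added example; rules are derived from suite names (RFC 5246, RFC 5288,
RFC 7905), not from any Indy/OpenSSL call. Keywords (HIGH, !aNULL, @STRENGTH)
are rejected rather than expanded.
"""
from typing import Dict, List

# Ordering for "oldest version" comparisons; no suite is TLS 1.1-only, so a
# suite that works on TLS 1.0 also works on TLS 1.1.
_VERSION_ORDER = {"TLSv1.0": 0, "TLSv1.2": 2}

# The CipherList proposed in the answer above, copied verbatim.
ANSWER_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def _suites(cipher_list: str) -> List[str]:
    """Split an OpenSSL colon-separated CipherList into explicit suite names."""
    names = [s for s in cipher_list.split(":") if s]
    for name in names:
        if name[0] in "!-+@":
            raise ValueError(f"cipher-list keyword not supported: {name}")
    return names


def min_tls_version(suite: str) -> str:
    """Oldest protocol version that can negotiate this OpenSSL suite name."""
    s = suite.upper()
    # AEAD (GCM, CCM, ChaCha20-Poly1305) and SHA-2 HMAC suites: TLS 1.2 only.
    if ("-GCM-" in s or "-CCM" in s or "CHACHA20-POLY1305" in s
            or s.endswith("-SHA256") or s.endswith("-SHA384")):
        return "TLSv1.2"
    # CBC suites with SHA-1 or MD5 MAC: the legacy TLS 1.0 set.
    if s.endswith("-SHA") or s.endswith("-MD5"):
        return "TLSv1.0"
    raise ValueError(f"unrecognised suite name: {suite}")


def forward_secret(suite: str) -> bool:
    """True when the key exchange is ephemeral (ECDHE or DHE)."""
    s = suite.upper()
    return s.startswith("ECDHE-") or s.startswith("DHE-")


def classify_cipher_list(cipher_list: str) -> Dict[str, List[str]]:
    """Group every suite in the list by its minimum TLS version."""
    groups: Dict[str, List[str]] = {"TLSv1.0": [], "TLSv1.2": []}
    for suite in _suites(cipher_list):
        groups[min_tls_version(suite)].append(suite)
    return groups


def lowest_negotiable_version(cipher_list: str) -> str:
    """Oldest TLS version a server restricted to this list could still
    negotiate, assuming nothing else (SSLVersions, SSL_OP_NO_*) limits it."""
    versions = {min_tls_version(s) for s in _suites(cipher_list)}
    return min(versions, key=_VERSION_ORDER.__getitem__)


def suites_without_forward_secrecy(cipher_list: str) -> List[str]:
    """Suites in the list that use static RSA or other non-ephemeral exchange."""
    return [s for s in _suites(cipher_list) if not forward_secret(s)]


if __name__ == "__main__":
    print(classify_cipher_list(ANSWER_CIPHER_LIST))
    print("answer list floor:", lowest_negotiable_version(ANSWER_CIPHER_LIST))
    # Caveat demonstrated: one SHA-1 suite appended for an old client reopens
    # TLS 1.0/1.1 even though every other suite is TLS 1.2-only.
    relaxed = ANSWER_CIPHER_LIST + ":ECDHE-RSA-AES256-SHA"
    print("relaxed list floor:", lowest_negotiable_version(relaxed))
    print("no forward secrecy:", suites_without_forward_secrecy(relaxed))
```

Two things to keep in mind when relying on this approach in place of SSLVersions: the cipher list only gates the protocol version indirectly, so it is worth confirming the deployed server's behaviour from the outside (for example, `openssl s_client -connect host:port -tls1` and `-tls1_1` should fail to complete the handshake while `-tls1_2` succeeds), and every later edit to the cipher list should be re-audited, because a single legacy suite is enough to bring TLS 1.0 back.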