Tags: delphi, openssl, indy, indy10, delphi-10.2-tokyo

Dynamically making indy use TLSv1.2


GitHub has stopped supporting TLS v1.0 and v1.1 (https://githubengineering.com/crypto-deprecation-notice/), so my code no longer wants to download from it. I have checked and it seems I need to make Indy use TLS v1.2, as stated here: Using Indy 10 IdHTTP with TLS 1.2.

I have already updated the OpenSSL DLLs to the latest from http://indy.fulgan.com/SSL/, and Indy seems to load them fine, but I still get an error.

The error I get:

[screenshot of the error dialog]

How can I make Indy use TLS v1.2 if I dynamically create Indy objects in a worker thread?

Current Code:

constructor TDownload.Create(CreateSuspended: Boolean; aurl, afilename: string);
begin
  inherited Create(CreateSuspended);
  httpclient := TIdHTTP.Create(nil);
  httpclient.Request.UserAgent := 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36';
  // The IOHandler is created with default SSLOptions, so nothing here changes
  // which TLS versions are offered to the server.
  httpclient.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(httpclient);
  httpclient.HandleRedirects := True;
  httpclient.OnWorkBegin := idhttp1WorkBegin;
  httpclient.OnWork := idhttp1Work;
  url := aurl;
  filename := afilename;
end;

Solution

  • You need to enable the sslvTLSv1_2 flag in the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property (only sslvTLSv1 (TLS v1.0) is enabled by default), e.g.:

    TIdSSLIOHandlerSocketOpenSSL(httpclient.IOHandler).SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    

    Also note that you might also have to update the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.CipherList property to enable TLS v1.2 ciphers. Refer to the OpenSSL documentation for the actual syntax. By default, Indy uses 'AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH' if you don't specify your own CipherList value.

    Edit: Indy no longer specifies a default cipher list. If the SSLOptions.CipherList property is empty, OpenSSL is now allowed to use whatever default cipher list it wants instead.
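A complete worker-thread class that applies the answer's setting at the point where the objects are created dynamically, added here as an example (it is not the asker's code nor part of Indy). The class and field names follow the question's snippet; the Execute body, the FError and progress fields, the User-Agent value and the choice to offer TLS v1.2 only are assumptions of this example.

```delphi
unit DownloadThread;

interface

uses
  System.Classes, System.SysUtils, IdComponent, IdHTTP, IdSSLOpenSSL;

type
  { Worker thread that fetches one URL over HTTPS offering TLS v1.2 only.
    Class and field names mirror the question's snippet; FError and the
    progress fields are assumptions of this example. }
  TDownload = class(TThread)
  private
    httpclient: TIdHTTP;
    url: string;
    filename: string;
    FError: string;
    FBytesTotal: Int64;
    FBytesDone: Int64;
    procedure HttpWorkBegin(ASender: TObject; AWorkMode: TWorkMode; AWorkCountMax: Int64);
    procedure HttpWork(ASender: TObject; AWorkMode: TWorkMode; AWorkCount: Int64);
  protected
    procedure Execute; override;
  public
    constructor Create(CreateSuspended: Boolean; const aURL, aFileName: string);
    destructor Destroy; override;
    property Error: string read FError;   // empty when the download succeeded
    property BytesTotal: Int64 read FBytesTotal;
    property BytesDone: Int64 read FBytesDone;
  end;

implementation

constructor TDownload.Create(CreateSuspended: Boolean; const aURL, aFileName: string);
var
  ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  inherited Create(CreateSuspended);
  url := aURL;
  filename := aFileName;

  httpclient := TIdHTTP.Create(nil);
  httpclient.HandleRedirects := True;
  httpclient.Request.UserAgent := 'IndyTls12Example/1.0';  // assumed value
  httpclient.OnWorkBegin := HttpWorkBegin;
  httpclient.OnWork := HttpWork;

  { Keep a typed reference so SSLOptions can be set without casting IOHandler. }
  ssl := TIdSSLIOHandlerSocketOpenSSL.Create(httpclient);
  ssl.SSLOptions.Mode := sslmClient;
  { Only sslvTLSv1 is in SSLVersions by default. Offering just v1.2 satisfies
    GitHub and also refuses the v1.0/v1.1 it dropped; use
    [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] if another server still needs them. }
  ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];
  { An empty CipherList lets OpenSSL apply its own default list, which
    includes TLS v1.2 suites; set it only if you need to restrict them. }
  ssl.SSLOptions.CipherList := '';
  httpclient.IOHandler := ssl;
end;

destructor TDownload.Destroy;
begin
  httpclient.Free;  // also frees the IOHandler, which is owned by httpclient
  inherited;
end;

procedure TDownload.HttpWorkBegin(ASender: TObject; AWorkMode: TWorkMode; AWorkCountMax: Int64);
begin
  if AWorkMode = wmRead then
    FBytesTotal := AWorkCountMax;  // 0 when the server sent no Content-Length
end;

procedure TDownload.HttpWork(ASender: TObject; AWorkMode: TWorkMode; AWorkCount: Int64);
begin
  if AWorkMode = wmRead then
    FBytesDone := AWorkCount;
  if Terminated then
    Abort;  // raises EAbort inside Get, caught in Execute, so Terminate cancels
end;

procedure TDownload.Execute;
var
  fs: TFileStream;
begin
  try
    fs := TFileStream.Create(filename, fmCreate);
    try
      httpclient.Get(url, fs);
    finally
      fs.Free;
    end;
  except
    on E: Exception do
      FError := E.ClassName + ': ' + E.Message;  // TLS handshake failures land here too
  end;
end;

end.
```

Create the thread with CreateSuspended = False (or call Start), wait for it with WaitFor, then inspect Error before trusting the file on disk. Restricting SSLVersions to [sslvTLSv1_2] means the client will not negotiate down to the versions GitHub removed; the three-version set from the answer keeps that fallback for other servers. None of this affects certificate validation: the handler's SSLOptions.VerifyMode is left at its default here, which does not verify the server certificate, so that is a separate setting to review.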