In How to enable Perfect Forward Secrecy In Indy 10?, the question is answered for Delphi. As I am trying to achieve the same in C++, I get stuck at the SSL_CTX_set_ecdh_auto() method. It is present in the source of Indy, and thus (I assume) in the installed version (I am running C++Builder 11), but there is no reference in the C++ header file IdSSLOpenSSLHeaders.hpp.

However, I might add this manually in the header, assuming the DCU contains the source, but searching the web for OpenSSL I found SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and have no effect.

How can I best enable perfect forward secrecy using C++ and Indy 10?
```cpp
TIdServerIOHandlerSSLOpenSSL *LIOHandleSSL;
LIOHandleSSL = new TIdServerIOHandlerSSLOpenSSL(FServer);
LIOHandleSSL->SSLOptions->Mode = TIdSSLMode::sslmServer;
LIOHandleSSL->SSLOptions->Method = TIdSSLVersion::sslvTLSv1_2;
LIOHandleSSL->SSLOptions->SSLVersions = TIdSSLVersions() << TIdSSLVersion::sslvTLSv1_2;
LIOHandleSSL->SSLOptions->CertFile = AppRoot + CertFile;
if (RootCertFile.Trim().Length() > 0)
    LIOHandleSSL->SSLOptions->RootCertFile = AppRoot + RootCertFile;
LIOHandleSSL->SSLOptions->KeyFile = AppRoot + KeyFile;
LIOHandleSSL->SSLOptions->CipherList = ""
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-WITH-AES-256-GCM-SHA384:" // not an OpenSSL cipher name (IANA-style); OpenSSL silently skips it
    "ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:"
    "HIGH:"
    "!aNULL:"
    "!eNULL:"
    "!EXPORT:"
    "!DES:"
    "!RC4:"
    "!MD5:"
    "!PSK:"
    "!SRP:"
    "!CAMELLIA:"
    "@STRENGTH";
// this is what is needed according to the post
// auto sslContext = TMyIdSSLContext(LIOHandleSSL->SSLContext);
// SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);
LIOHandleSSL->OnGetPassword = OnGetSSLPassword;
FServer->IOHandler = LIOHandleSSL;
FServer->OnQuerySSLPort = OnQuerySSLPort;
```
> SSL_CTX_set_ecdh_auto() is present in the source of Indy, and thus (I assume) in the installed version (I am running C++Builder 11), but there is no reference in the C++ header file IdSSLOpenSSLHeaders.hpp.
That is because all of the OpenSSL functions used in the IdSSLOpenSSLHeaders.pas unit are marked as {$EXTERNALSYM} specifically so that they won't appear in the IdSSLOpenSSLHeaders.hpp file. This is customary when Delphi units use external SDKs that are otherwise available to C/C++ natively.

So, to use the OpenSSL functions in C++, you will have to download the OpenSSL 1.0.2 SDK and #include its .h header files in your code (or, as you said, you can simply declare the functions yourself, since they are present in the Delphi DCUs). Delphi can't use .h files, which is (mostly) why IdSSLOpenSSLHeaders.pas exists.
> searching the web for OpenSSL I found SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and have no effect.
In OpenSSL 1.1.0 and later, yes. But not in OpenSSL 1.0.2, which is what TIdSSLIOHandlerSocketOpenSSL uses. If you want to use OpenSSL 1.1.x+, you need to use this (wip) SSLIOHandler instead.
> // this is what is needed according to the post
> // auto sslContext = TMyIdSSLContext(LIOHandleSSL->SSLContext);
> // SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);

In C++, that would look something like this:

```cpp
#include <openssl/ssl.h>
// or simply declare the one function you need yourself (it exists in the Delphi DCUs):
// long __fastcall SSL_CTX_set_ecdh_auto(PSSL_CTX ctx, long m);

// fContext is a protected member of TIdSSLContext; deriving from it lets us
// expose the raw SSL_CTX* as a read-only property without touching Indy's sources.
class TMyIdSSLContext : public TIdSSLContext
{
public:
    __property PSSL_CTX Context = {read=fContext};
};

// The object really is a TIdSSLContext; the cast only widens access to fContext.
auto sslContext = (TMyIdSSLContext*) LIOHandleSSL->SSLContext;
SSL_CTX_set_ecdh_auto(sslContext->Context, 1);
```
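Once the context has ECDH enabled, the useful check is from the client side: does the server actually negotiate an ephemeral key exchange? This is an added example, not code from the answer or from Indy; it parses the output of OpenSSL's own `openssl s_client` tool and goes slightly beyond the question by also accepting DHE and TLS 1.3 suites, which are forward-secret too. The host and port are placeholders, and the two sample outputs are constructed.

```sh
#!/bin/sh
# pfs_check reads `openssl s_client` output on stdin and returns 0 only when the
# negotiated cipher is (EC)DHE or TLS 1.3 and the server sent an ephemeral key.
pfs_check() {
    out=$(cat)
    # session block line: "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384"
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    # handshake line (OpenSSL 1.0.2+): "Server Temp Key: ECDH, P-256, 256 bits"
    tempkey=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: *//p' | head -n 1)
    case "$cipher" in
        ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) ;;  # TLS 1.3 suites are always ephemeral
        *) echo "NO PFS: static key exchange, cipher='$cipher'"; return 1 ;;
    esac
    case "$tempkey" in
        ECDH*|X25519*|X448*|DH*) echo "PFS OK: $cipher ($tempkey)"; return 0 ;;
        *) echo "NO PFS: no ephemeral key sent, cipher='$cipher'"; return 1 ;;
    esac
}

# Constructed (trimmed) s_client output from a server with ECDH enabled.
SAMPLE_PFS_OK='Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed output from a server that fell back to static RSA key exchange
# (what you see when the cipher list allows it and no ECDH curve is configured).
SAMPLE_PFS_MISSING='Server public key is 2048 bit
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'

# Against the live Indy server (placeholders for host and port):
#   openssl s_client -connect SERVER_HOST:SERVER_PORT -tls1_2 </dev/null 2>/dev/null | pfs_check
printf '%s\n' "$SAMPLE_PFS_OK" | pfs_check
printf '%s\n' "$SAMPLE_PFS_MISSING" | pfs_check
```

If the live check reports a static key exchange even with the cipher list above, the ECDH call did not take effect on the context the handler actually uses.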