Delphi webservice and OpenSSL supported SSL/TLS ciphers

时光怂恿深爱的人放手 submitted on 2019-12-25 07:06:22

Question


We have a webservice that also provides HTTPS connections:

FWebBrokerBridge := TIdHTTPWebBrokerBridge.Create(Self);    // TIdHTTPWebBrokerBridge = class(TIdCustomHTTPServer), see IdHTTPWebBrokerBridge.pas

LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FWebBrokerBridge);
LIOHandleSSL.SSLOptions.CertFile     := FHTTPSCertificate;
LIOHandleSSL.SSLOptions.RootCertFile := FHTTPSRootCertificate;
LIOHandleSSL.SSLOptions.KeyFile      := FHTTPSPrivateKey;
LIOHandleSSL.OnGetPassword := HTTPSIOHandlerSSLOpenSSLGetPassword;
FWebBrokerBridge.IOHandler := LIOHandleSSL;

As the code shows we have OpenSSL (version 1.02d) installed on our dev machines.

One of our clients runs our webservice and also uses OpenSSL (assume the same version). They are now going to change their firewall and start using certificates using the following ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

Their question (and therefore mine) is: Will/could the webservice have an issue with this?

I have checked what ciphers OpenSSL supports with the openssl ciphers -v (verbose) statement.
This gives me a long list with their cipher names.
Their OpenSSL ciphers page lists the correspondence between the names OpenSSL uses and the suite names from the relevant specifications.
(Ironic note: Don't go there with Firefox, it complains that they use an old TLS version)

They translate:

TLS_RSA_WITH_AES_128_CBC_SHA     -> AES128-SHA (from the 'AES ciphersuites from RFC3268, extending TLS v1.0')
TLS_RSA_WITH_AES_256_CBC_SHA     -> AES256-SHA (idem)
TLS_RSA_WITH_AES_128_CBC_SHA256  -> AES128-SHA256 (from the 'TLS v1.2 cipher suites')
TLS_RSA_WITH_AES_256_CBC_SHA256  -> AES256-SHA256 (idem)

What seems to apply here is their remark: "It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used."

These translated names are in the list I generated:

...
AES128-SHA              SSLv3 Kx=RSA        Au=RSA  Enc=AES(128)  Mac=SHA1
...
AES256-SHA              SSLv3 Kx=RSA        Au=RSA  Enc=AES(256)  Mac=SHA1
...
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256   
...
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
...

Is the following conclusion correct?:

The OpenSSL version supports the ciphers they will use, and that is irrelevant to my Delphi program. No need to recompile either. The webservice will work properly.

Note: I had some doubts whether this question is in the proper place here (also because "Why we are not customer support"), but since this may be relevant to more programmers I decided to put it on SO.

Source: https://stackoverflow.com/questions/32459865/delphi-webservice-and-openssl-supported-ssl-tls-ciphers
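
The check described in the question, as an added example that is not part of the original post: it parses `openssl ciphers -v` output and reports, for each of the four requested suites, whether the build lists it and which protocol column it carries. The sample text is the four lines quoted in the question plus one constructed line; the function names are assumptions of this example.

```python
import re

# IANA suite name -> OpenSSL name, as translated in the question.
REQUIRED = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
}

# Sample input: first line constructed, the rest quoted from the question.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
...
AES128-SHA              SSLv3 Kx=RSA        Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA        Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
"""

# name, protocol column, then the Kx= / Au= / Enc= / Mac= fields.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into {openssl_name: fields}."""
    suites = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines such as "..." or blanks are skipped
            name, proto, kx, au, enc, mac = m.groups()
            suites[name] = {"proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}
    return suites

def check_required(text, required=REQUIRED):
    """Map each IANA name to (openssl_name, proto), or None if not listed."""
    suites = parse_ciphers(text)
    return {iana: (ossl, suites[ossl]["proto"]) if ossl in suites else None
            for iana, ossl in required.items()}

def missing(report):
    return sorted(i for i, v in report.items() if v is None)

def needs_tls12(report):
    # Suites marked TLSv1.2 can only be negotiated on a TLS 1.2 connection.
    return sorted(i for i, v in report.items() if v and v[1] == "TLSv1.2")

if __name__ == "__main__":
    report = check_required(SAMPLE)
    print("missing:", missing(report))
    print("TLS 1.2 only:", needs_tls12(report))
```

To check a real machine, pass the text printed by `openssl ciphers -v` there to `check_required` instead of `SAMPLE`.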
