我们坚持不懈的是设置:
SSL版本:sslvSSLv23
将导致使用最高的可用TLS版本。
但是,查看SSL跟踪,似乎没有发生这种情况。
观察对同一服务器的这些调用:
SSL版本:sslvTLSv1_2 - 我获得了TLS 1.2连接
Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256;
description = AES128-SHA256
TLSv1.2 Kx=RSA
Au=RSA Enc=AES(128)
Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;
点击同一台服务器,但设置为:SSL版本:sslvSSLv23 我希望有一个TLS 1.2连接。好。实际上我希望与上面的连接相同。但请注意,我最终得到了TLS 1.0:
Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA
SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
;
bits = 128; version = TLSv1/SSLv3;
缺少什么,谈判最高,魔术?
答案 0 :(得分:7)
如果您仍在使用,则需要停止使用SSLOption.Method属性。请改用SSLOption.SSLVersions属性。这将允许您一次启用多个SSL / TLS版本。 sslvSSLv23将在内部用于处理协商,但它会将SSLVersions中启用的最高SSL / TLS版本报告给服务器。如果您使用的是支持TLS 1.2的Indy 10版本以及支持TLS 1.2的OpenSSL DLL版本,那么如果服务器也支持,则sslvTLSv1_2属性中的SSLVersions启用应该协商TLS 1.2 TLS 1.2。请记住,如果DLL不支持TLS 1.1或1.2,即使您使用sslvTLSv1_1和/或sslvTLSv1_2,Indy也会无声地回退到TLS 1.0。