Delphi Berlin TIdHTTPServer (Indy 10) [https / ssl / tls]: obsolete key exchange (RSA) and client-initiated renegotiation vulnerability

Time: 2017-10-09 14:20:18

Tags: delphi ssl indy tls1.2 idhttp

I have a TIdHTTPServer and I want to add support for handling both HTTP and HTTPS requests. This is my code:

// requires IdHTTPServer and IdSSLOpenSSL in the uses clause
FSSLHandler := TIdServerIOHandlerSSLOpenSSL.Create(nil);
FSSLHandler.SSLOptions.CertFile     := 'certificate.pem';
FSSLHandler.SSLOptions.KeyFile      := 'key.pem';
FSSLHandler.SSLOptions.RootCertFile := 'chain.pem';

FIdHTTPServer.Bindings.Add.Port := 443;
FIdHTTPServer.IOHandler := FSSLHandler;

FIdHTTPServer.Active := True;

In the server directory I placed ssleay32.dll v1.0.2l (Win32), downloaded from http://indy.fulgan.com/SSL/

When I make a request from Chrome, in the Security tab of the developer tools I see:

[screenshot of Chrome's Security tab]

Also, analysing the server with sslyze I get some other security issues (see the VULNERABLE label):

> sslyze --regular local.XXXXXXXXXXXXXX.com:4343

SCAN RESULTS FOR LOCAL.XXXXXXXXXXXXXX.COM:4343 - 127.0.0.1
 --------------------------------------------------------

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_1 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  

 * Deflate Compression:
                                          OK - Compression disabled

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 OK - Supported

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * Session Renegotiation:
       Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
       Secure Renegotiation:              OK - Supported

 * Resumption Support:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  OK - Supported

 * TLSV1_2 Cipher Suites:
     Preferred:
        None - Server followed client cipher suite preference.                                                            
     Accepted:
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits                                                                  
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits                                                                  
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits                                                                  
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits                                                                  
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits                                                                  
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits                                                                  

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  47d0385fb45a82a91f9d8639ea222191adb12719
       Common Name:                       *.XXXXXXXXXXXXXX.com
       Issuer:                            XXXXXXXX RSA Domain Validation Secure Server CA
       Serial Number:                     10462331755053598199612105214047533723
       Not Before:                        2017-09-20 00:00:00
       Not After:                         2020-09-19 23:59:59
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     ['*.XXXXXXXXXXXXXX.com', 'XXXXXXXXXXXXXX.com']

     Trust
       Hostname Validation:               OK - Certificate matches local.XXXXXXXXXXXXXX.com
       AOSP CA Store (7.0.0 r1):          OK - Certificate is trusted
       Apple CA Store (OS X 10.11.6):     OK - Certificate is trusted
       Java 7 CA Store (Update 79):       OK - Certificate is trusted
       Microsoft CA Store (09/2016):      OK - Certificate is trusted
       Mozilla CA Store (09/2016):        OK - Certificate is trusted
       Received Chain:                    *.XXXXXXXXXXXXXX.com --> XXXXXXXX RSA Domain Validation Secure Server CA --> XXXXXXXX RSA Certification Authority
       Verified Chain:                    *.XXXXXXXXXXXXXX.com --> XXXXXXXX RSA Domain Validation Secure Server CA --> XXXXXXXX RSA Certification Authority
       Received Chain Contains Anchor:    OK - Anchor certificate not sent
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain

     OCSP Stapling
                                          NOT SUPPORTED - Server did not send back an OCSP response.


 SCAN COMPLETED IN 1.34 S
 ------------------------

I tried to fix the problem by setting CipherList and Method as follows:

  FSSLHandler.SSLOptions.Method      := sslvTLSv1_2;
  FSSLHandler.SSLOptions.Mode        := sslmUnassigned;
  FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
  FSSLHandler.SSLOptions.CipherList  := 'TLSv1:TLSv1.2:SSLv3:!RC4:!NULL-MD5:!NULL-SHA:!NULL-SHA256:!DES-CBC-SHA:!DES-CBC3-SHA:!IDEA-CBC-SHA';

But the error is still there.

How can I fix the obsolete key exchange (RSA) in Chrome and the client-initiated renegotiation vulnerability reported by sslyze?

P.S.: I would like to implement SSL on the Indy server following the most common best practices (e.g. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices).

Following https://cipherli.st/ I also tried:

  FSSLHandler.SSLOptions.Method      := sslvTLSv1_2;
  FSSLHandler.SSLOptions.Mode        := sslmUnassigned;
  FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  FSSLHandler.SSLOptions.CipherList  := 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

But it raises an exception:

    Error accepting connection with SSL. error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

at line 3563 of IdSSLOpenSSL.pas:

// RLebeau: if this socket's IOHandler was cloned, no need to reuse the
// original IOHandler's active session ID, since this is a server socket
// that generates its own sessions...
error := SSL_accept(fSSL);
if error <= 0 then begin
  EIdOSSLAcceptError.RaiseException(fSSL, error, RSSSLAcceptError); // EXCEPTION HERE
end;
if Supports(fParent, IIdSSLOpenSSLCallbackHelper, IInterface(LHelper)) then 
begin
  LParentIO := LHelper.GetIOHandlerSelf;
  if LParentIO <> nil then begin
    StatusStr := 'Cipher: name = ' + Cipher.Name + '; ' +    {Do not Localize}
               'description = ' + Cipher.Description + '; ' +    {Do not Localize}
               'bits = ' + IntToStr(Cipher.Bits) + '; ' +    {Do not Localize}
               'version = ' + Cipher.Version + '; ';    {Do not Localize}
    LParentIO.DoStatusInfo(StatusStr);
  end;
  LHelper := nil;
end;

The Indy server does not seem to accept the CipherList the same way Apache does. The official documentation is vague:

    TIdSSLOptions.CipherList property

    Pascal
    property CipherList: String;

    Description
    CipherList is a published String property. Write access to the property is implemented using fCipherList.

0 Answers
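The scan above accepts only TLS_RSA_* suites (static RSA key exchange, no forward secrecy), which is exactly what Chrome labels "obsolete key exchange (RSA)". The cipherli.st list ('EECDH+AESGCM:EDH+AESGCM:...') fails with "no shared cipher" for a different reason: an OpenSSL 1.0.2 server drops every ECDHE suite unless an ECDH curve has been configured (SSL_CTX_set_tmp_ecdh or SSL_CTX_set_ecdh_auto), and every DHE suite unless DH parameters are loaded; with nothing else in the list, the server has no suite left to offer. The following is an added example written for this page; it is neither the asker's code nor Indy's own, and it assumes an Indy 10.6.x build whose TIdSSLOptions exposes DHParamsFile, whose TIdServerIOHandlerSSLOpenSSL exposes SSLContext.Context (the raw PSSL_CTX), and whose IdSSLOpenSSLHeaders exports SSL_CTX_ctrl and SSL_CTX_set_options; the SSL_CTRL_SET_ECDH_AUTO_LOCAL constant is declared locally on the assumption that the headers do not define it. File names and the port are placeholders.

```delphi
uses
  SysUtils, IdHTTPServer, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

const
  // SSL_CTX_set_ecdh_auto() is a macro over SSL_CTX_ctrl() in OpenSSL 1.0.2;
  // 94 is SSL_CTRL_SET_ECDH_AUTO from OpenSSL's ssl.h. Declared here on the
  // assumption that this Indy version's headers do not export it.
  SSL_CTRL_SET_ECDH_AUTO_LOCAL = 94;

procedure StartHttpsServer(Server: TIdHTTPServer;
  Handler: TIdServerIOHandlerSSLOpenSSL; APort: Word);
var
  Ctx: PSSL_CTX;
begin
  Handler.SSLOptions.CertFile     := 'certificate.pem';
  Handler.SSLOptions.KeyFile      := 'key.pem';
  Handler.SSLOptions.RootCertFile := 'chain.pem';
  // DHE suites need server-side DH parameters, otherwise OpenSSL removes
  // every EDH cipher from the offer. Generate once with:
  //   openssl dhparam -out dhparams.pem 2048
  Handler.SSLOptions.DHParamsFile := 'dhparams.pem';

  Handler.SSLOptions.Mode        := sslmServer;
  Handler.SSLOptions.Method      := sslvTLSv1_2;
  Handler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // Forward-secret AEAD suites only (OpenSSL 1.0.2 names), ECDHE before DHE.
  Handler.SSLOptions.CipherList  :=
    'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:' +
    'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';

  Server.IOHandler := Handler;
  Server.Bindings.Clear;
  Server.Bindings.Add.Port := APort;

  // Indy creates the SSL_CTX when the server starts listening, so the
  // context-level settings below must come after Active := True.
  Server.Active := True;

  Ctx := Handler.SSLContext.Context;
  // Without an ECDH curve OpenSSL 1.0.2 silently drops every ECDHE suite,
  // which is what produces "ssl3_get_client_hello:no shared cipher" when
  // the cipher list contains nothing else.
  if SSL_CTX_ctrl(Ctx, SSL_CTRL_SET_ECDH_AUTO_LOCAL, 1, nil) <> 1 then
  begin
    Server.Active := False;
    raise Exception.Create('SSL_CTX_set_ecdh_auto failed; is ssleay32.dll 1.0.2?');
  end;
  // Make the server's order win, so a client that lists a CBC or static-RSA
  // suite first cannot steer the negotiation towards it.
  SSL_CTX_set_options(Ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
end;
```

After this, a re-run of `sslyze --regular host:port` should list only TLS_ECDHE_RSA_* and TLS_DHE_RSA_* GCM suites under TLSV1_2, and Chrome's Security tab stops flagging the key exchange. The renegotiation finding is separate: OpenSSL 1.0.2 has no SSL_CTX option to refuse client-initiated renegotiation (SSL_OP_NO_RENEGOTIATION only arrived in 1.1.0h/1.1.1), so with that DLL it can only be handled from an SSL info callback that aborts a second handshake, or by terminating TLS in a front-end proxy. Because the scan also reports secure renegotiation (RFC 5746) as supported, the remaining exposure is CPU exhaustion by a client that renegotiates in a loop, not a break of the session's confidentiality.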