Consider to add support for TLS_V_1.3 ?

[ctkqiang]

You are setting your SSLStack to use only TLS 1.2, but your cipher list contains several TLS 1.3 ciphers.

Remember that TIdSSLIOHandlerSocketOpenSSL still targets only up to OpenSSL 1.0.2, so don't use unsupported ciphers:

https://docs.openssl.org/1.0.2/man1/ciphers/

If you need TLS 1.3, there are alternatives available until Indy is updated.

Did you look at the TLS handshake with a packet sniffer to see what ciphers the peer is offering? Also, do you have any certificates assigned to your SSLStack?

Originally posted by @rlebeau in #615

---

Indy/Lib/Protocols/IdSSLOpenSSL.pas

Line 231 in 152f3a0

TIdSSLVersion = (sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2);

---

Recently, My team is maintaining legacy code which required TLSV_1.3, is this already implemented that I am not aware, or havent yet?

[JPeterMugaas]

It is unlikely that Indy's OpenSSL support will actually support TLS 1.3.

You are not completely out of options. TaurusTLS is an Indy add-on that provides its own IOHandlers (TTaurusTLSIOHandlerSocket and TTaurusTLSServerIOHandler ) that support TLS 1.3 by using the latest versions of OpenSSL.

TaurusTLS is available 3 ways:

1. GetIt Package Manager in the RAD Studio IDE
2. SmartSetup Community repository ( https://github.com/tmssoftware/smartsetup )
3. The TaurusTLS repository at: https://github.com/TaurusTLS-Developers/TaurusTLS

The TaurusTLS developers also redistribute OpenSSL .DLL's at:
https://github.com/TaurusTLS-Developers/OpenSSL-Distribution under "Releases".

[ctkqiang]

It is unlikely that Indy's OpenSSL support will actually support TLS 1.3.

You are not completely out of options. TaurusTLS is an Indy add-on that provides its own IOHandlers (TTaurusTLSIOHandlerSocket and TTaurusTLSServerIOHandler ) that support TLS 1.3 by using the latest versions of OpenSSL.

TaurusTLS is available 3 ways:

1. GetIt Package Manager in the RAD Studio IDE
2. SmartSetup Community repository ( https://github.com/tmssoftware/smartsetup )
3. The TaurusTLS repository at: https://github.com/TaurusTLS-Developers/TaurusTLS

The TaurusTLS developers also redistribute OpenSSL .DLL's at:
https://github.com/TaurusTLS-Developers/OpenSSL-Distribution under "Releases".

Did not notice that there are different package, will definitely check out 🙏thanks

[rlebeau]

What JP said.

The main Indy library still targets OpenSSL 1.0.2, but OpenSSL just released 4.0.0. That is a massive jump in API changes required to catch up. The workload needed to update Indy's built-in OpenSSL support was just too much for me due to time contraints. I tried doing it myself. I tried bringing in other people to help. It was dragged out for years. Stick a fork in it, it's done.

JP worked on Indy's original OpenSSL code. He created TaurusTLS to bridge the gap. It will cover Indy's OpenSSL support moving forward. For the upcoming Indy 10.7, OpenSSL will be split out entirely from the main library to make this separation cleaner. The current OpenSSL components are being moved to IndyTLS-OpenSSL for backwards compatibility, and maybe future (community) updates.