TIdHTTP和TLS SNI does not work
问题描述:
在我尝试失踪TLS SNI扩展。我不知道为什么。有人能指引我朝着正确的方向吗?TIdHTTP和TLS SNI does not work
Embarcadero®的RAD Studio 10版本西雅图23.0.21418.4207
印版:10.6.2.5311
的OpenSSL:https://indy.fulgan.com/SSL/openssl-1.0.2h-i386-win32.zip
的(Wireshark的)结果是有和无的解决方法是相同的。
示例/演示代码:
unit CMTelekomTest;
...
var
IdHTTP1: TIdHTTP;
IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL;
xml: ixmldocument;
root, node, sibling: ixmlnode;
httpreturn, xmlfile: string;
xmlstream: TStringStream;
begin
// xml stuff
xml := newxmldocument;
//xml.Encoding := 'utf-8';
xml.Options := [doNodeAutoIndent]; // just for xml-formatting
root := xml.AddChild('MESSAGES');
node := root.AddChild('AUTHENTICATION');
node := node.AddChild('PRODUCTTOKEN');
node.Text := 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
node := root.AddChild('MSG');
sibling := node;
sibling := node.AddChild('FROM');
sibling.Text := 'Sender';
sibling := node;
sibling := node.AddChild('TO');
sibling.Text := '00490';
sibling := node;
sibling := node.AddChild('BODY');
sibling.Text := 'Test via Delphi, german umlaut äöüß.';
xml.SaveToFile('C:\temp\delphicmtelecom.xml');
xml.SaveToXML(xmlfile);
xmlstream := TStringStream.Create(xmlfile, TEncoding.UTF8);
// http stuff
IdSSLIOHandlerSocketOpenSSL1 := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1];
// dont know the exact needed ciphers, so ALL
// http://stackoverflow.com/questions/27302773/delphi-w-indy-10-unable-to-connect-via-tls-1-2-w-ssl-best-practices-in-place
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.CipherList := 'ALL';
IdHTTP1 := tidhttp.Create(nil);
IdHTTP1.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
// https://docs.cmtelecom.com/bulk_sms/v1.0
// utf-8 and application/xml
IdHTTP1.Request.ContentEncoding := 'utf-8';
IdHTTP1.Request.ContentType := 'application/xml';
httpreturn := IdHTTP1.post('https://sgw01.cm.nl/gateway.ashx', xmlstream);
// plain old http works fine, https tls is missing TLS SNI :(
//httpreturn := http.post('http://gw01.cm.nl/gateway.ashx', xmlstream);
// finishing process stuff
xmlstream.Free;
IdHTTP1.Free;
IdSSLIOHandlerSocketOpenSSL1.Free;
end;
// workaround for TLS SNI - doesnt work for me, dont know why
procedure TForm5.IdSSLIOHandlerSocketOpenSSL1StatusInfoEx(ASender: TObject;
const AsslSocket: PSSL; const AWhere, Aret: Integer; const AType,
AMsg: string);
begin
//https://forums.embarcadero.com/thread.jspa?messageID=675017
//https://forums.embarcadero.com/thread.jspa?messageID=824615
SSL_set_tlsext_host_name(AsslSocket, 'sgw01.cm.nl');
end;
...
这是什么是Wireshark已经告诉:
Extensions Length: 49
Extension: ec_point_formats
Extension: elliptic_curves
Extension: SessionTicket TLS
Extension: Heartbeat
没有扩展的SNI。
Frame 61: 275 bytes on wire (2200 bits), 275 bytes captured (2200 bits) on interface 0
Ethernet II, Src: FujitsuT_5e:3a:85 (90:1b:0e:5e:3a:85), Dst: SophosLt_33:49:a8 (00:1a:8c:33:49:a8)
Internet Protocol Version 4, Src: 192.168.10.230, Dst: 31.169.57.12
Transmission Control Protocol, Src Port: 51554 (51554), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 221
Source Port: 51554
Destination Port: 443
[Stream index: 5]
[TCP Segment Len: 221]
Sequence number: 1 (relative sequence number)
[Next sequence number: 222 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
Window size value: 260
[Calculated window size: 66560]
[Window size scaling factor: 256]
Checksum: 0x54d7 [validation disabled]
Urgent pointer: 0
[SEQ/ACK analysis]
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 216
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 212
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 0
Cipher Suites Length: 122
Cipher Suites (61 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)
Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)
Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)
Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)
Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)
Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)
Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)
Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)
Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)
Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)
Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)
Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)
Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 49
Extension: ec_point_formats
Extension: elliptic_curves
Extension: SessionTicket TLS
Extension: Heartbeat
答
我不知道在印版据介绍(可能是r5321,你有5311),所以如果您更新到最新的一个,它会自动使用SNI。
我想你忘了分配IdSSLIOHandlerSocketOpenSSL1StatusInfoEx过程IdSSLIOHandlerSocketOpenSSL1.OnStatusInfoEx事件
IdSSLIOHandlerSocketOpenSSL1.OnStatusInfoEx:=IdSSLIOHandlerSocketOpenSSL1StatusInfoEx;
+0
事件的任务完成在DFM文件中。我更新我的Indy并重试。 –
+1
您在运行时在代码中创建对象,因此如果您在设计时进行了任何分配,则不适用。 – smooty86
+2
它已于2016年1月11日在r5321中推出。更新Indy应该修复它。 –
我建议你使用一个try-finally创建对象后阻止,只是为了安全 –