Enable Perfect Forward Secrecy In Indy 10?

answered the question for Delphi. When I tried to achieve the same in C++, I got stuck on the SSL_CTX_set_ecdh_auto() method. It is present in the source of Indy, and thus (I assume) in the installed version (I am running C++Builder 11), but there is no reference to it in the C++ header file IdSSLOpenSSLHeaders.hpp.

However, I could probably add it to the header manually, assuming the DCU contains the source, but searching the web for OpenSSL I found that SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and have no effect.

How can I best achieve Perfect Forward Secrecy using C++ and Indy 10?

TIdServerIOHandlerSSLOpenSSL * LIOHandleSSL;
LIOHandleSSL = new TIdServerIOHandlerSSLOpenSSL(FServer);
LIOHandleSSL->SSLOptions->Mode = TIdSSLMode::sslmServer;
LIOHandleSSL->SSLOptions->Method = TIdSSLVersion::sslvTLSv1_2;
LIOHandleSSL->SSLOptions->SSLVersions = TIdSSLVersions() << TIdSSLVersion::sslvTLSv1_2;
LIOHandleSSL->SSLOptions->CertFile = AppRoot + CertFile;
if (RootCertFile.Trim().Length() > 0)
    LIOHandleSSL->SSLOptions->RootCertFile = AppRoot + RootCertFile;
LIOHandleSSL->SSLOptions->KeyFile = AppRoot + KeyFile;

LIOHandleSSL->SSLOptions->CipherList = ""
"ECDHE-RSA-AES256-GCM-SHA384:"
"ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-WITH-AES-256-GCM-SHA384:"
"ECDHE-ECDSA-CHACHA20-POLY1305:"
"ECDHE-ECDSA-AES128-GCM-SHA256:"
"ECDHE-ECDSA-AES256-SHA384:"
"ECDHE-ECDSA-AES128-SHA256:"
"HIGH:"
"!aNULL:"
"!eNULL:"
"!EXPORT:"
"!DES:"
"!RC4:"
"!MD5:"
"!PSK:"
"!SRP:"
"!CAMELLIA:"
"@STRENGTH";

// this is what is needed according to the post
// auto sslContext = TMyIdSSLContext(LIOHandleSSL->SSLContext);
// SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);

LIOHandleSSL->OnGetPassword = OnGetSSLPassword;

FServer->IOHandler = LIOHandleSSL;
FServer->OnQuerySSLPort = OnQuerySSLPort;

[SSL_CTX_set_ecdh_auto()] is present in the source of Indy, and thus (I assume) in the installed version (I am running C++Builder 11), but there is no reference in the C++ header file IdSSLOpenSSLHeaders.hpp.

This is because all of the OpenSSL functions used in the IdSSLOpenSSLHeaders.pas unit are intentionally marked as {$EXTERNALSYM}, so that they do not appear in the IdSSLOpenSSLHeaders.hpp file. This is the convention when a Delphi unit uses an external SDK that is otherwise natively available to C/C++.

So, to use the OpenSSL functions in C++, you have to download the OpenSSL 1.0.2 SDK and #include its .h header files in your code (or, as you said, you can simply declare the functions yourself, since they exist in the Delphi DCUs). Delphi can't use .h files, which is (mostly) why IdSSLOpenSSLHeaders.pas exists.

searching the web for OpenSSL I found SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and have no effect.

In OpenSSL 1.1.0 and later, yes. But not in OpenSSL 1.0.2, which TIdSSLIOHandlerSocketOpenSSL uses. If you want to use OpenSSL 1.1.x+, you need to use this (wip) SSLIOHandler instead.

// this is what is needed according to the post
//               auto sslContext = TMyIdSSLContext(LIOHandleSSL->SSLContext);
//             SSL_CTX_set_ecdh_auto(FSSLContext.fContext, 1);

In C++, it would look something like this:

#include <openssl/ssl.h>
// or simply:
// long __fastcall SSL_CTX_set_ecdh_auto(PSSL_CTX ctx, long m);

// TIdSSLContext keeps its SSL_CTX* in the non-public field fContext;
// a derived class can expose it as a read-only property.
class TMyIdSSLContext : public TIdSSLContext
{
public:
    __property PSSL_CTX Context = {read=fContext};
};

// the cast only changes the static type; no new object is created
auto sslContext = (TMyIdSSLContext*) LIOHandleSSL->SSLContext;
SSL_CTX_set_ecdh_auto(sslContext->Context, 1);
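As an added example (not code from the question, the answer or Indy), here is a standard C++ check over the CipherList string from the question that needs neither OpenSSL nor Indy: it confirms that every named suite in that list uses an ephemeral (ECDHE/DHE) key exchange, and flags that the HIGH keyword can still admit suites with static RSA key exchange, so forward secrecy is not enforced by the list alone. The struct and function names are my own assumptions.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Result of a name-based scan of an OpenSSL cipher-list string
// (colon separated, "!" / "-" / "+" prefixes, "@" directives).
struct CipherListReport {
    std::vector<std::string> forwardSecret;    // ECDHE-/DHE-/EDH- suites: ephemeral kx, PFS
    std::vector<std::string> nonForwardSecret; // named suites with static RSA/DH key exchange
    std::vector<std::string> keywords;         // HIGH, ALL, ... (may admit non-PFS suites)
    std::vector<std::string> excluded;         // "!X" / "-X" entries, removed from the list
    std::vector<std::string> directives;       // "@STRENGTH" etc.: ordering only
};

static bool startsWith(const std::string& s, const char* prefix) {
    return s.rfind(prefix, 0) == 0;
}

// Classify each entry by name only: keywords such as HIGH are not expanded
// (that needs OpenSSL itself) and suite names are not checked for existence.
CipherListReport classifyCipherList(const std::string& list) {
    CipherListReport r;
    std::istringstream in(list);
    std::string item;
    while (std::getline(in, item, ':')) {
        if (item.empty()) continue;
        if (item[0] == '@') { r.directives.push_back(item); continue; }
        if (item[0] == '!' || item[0] == '-') { r.excluded.push_back(item); continue; }
        if (item[0] == '+') item.erase(0, 1); // "+" only reorders; the suite stays enabled
        const bool ephemeral = startsWith(item, "ECDHE-") || startsWith(item, "DHE-") ||
                               startsWith(item, "EDH-") || item == "kEECDH" || item == "kEDH";
        if (ephemeral) r.forwardSecret.push_back(item);
        else if (item.find('-') == std::string::npos) r.keywords.push_back(item);
        else r.nonForwardSecret.push_back(item);
    }
    return r;
}

// True only when every enabled entry is an ephemeral-key-exchange suite, so the
// negotiated suite is forward secret regardless of what the peer prefers.
bool cipherListEnforcesPfs(const std::string& list) {
    const CipherListReport r = classifyCipherList(list);
    return r.nonForwardSecret.empty() && r.keywords.empty() && !r.forwardSecret.empty();
}

// The list from the question, joined here into one constructed string.
const std::string kQuestionCipherList =
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-WITH-AES-256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA:@STRENGTH";
```

For the question's list the report shows seven ECDHE suites, no named static-RSA suite, and the single keyword HIGH, which is why cipherListEnforcesPfs() returns false; dropping HIGH (or pairing it with an exclusion of the static key-exchange classes) makes the check pass.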