Support OpenSSL 1.1.0 and later

[rlebeau]

Indy currently supports OpenSSL up to 1.0.2. OpenSSL 1.1.0 makes a number of major API changes that break TIdSSLIOHandlerSocketOpenSSL. Removing/renaming functions, changing/obscuring structures, changing the DLL filenames, etc. Indy needs to either have TIdSSLIOHandlerSocketOpenSSL recognize 1.1.0+ and adjust itself accordingly, or else define a whole new IOHandler just for 1.1.0+.

Also, in order to support TLS 1.3, Indy needs to support OpenSSL 1.1.1+, as TLS 1.3 will NOT be added to OpenSSL 1.0.2 or 1.1.0.

The OpenSSL devs will stop supporting OpenSSL 1.0.2 on Dec 31 2019, and 1.1.0 on Sept 11 2019.

UPDATE: as of 07-Sep-2021, OpenSSL 3.0.0 has been released, which is largely backwards compatible with 1.1.x, but does make some additional API changes. Refer to https://www.openssl.org/docs/man3.0/man7/migration_guide.html

[winkelsdorf]

@rlebeau Bringing this again to the team's attention. Afaik, Indy currently only supports the 1.0.2 branch which will be unsupported in a few weeks (by the end of this year).

Unfortunately I never found enough testers for my experimental 1.1.1 library builds and I am currently out of native windows development. I had a look at the current list on https://wiki.openssl.org/index.php/Binaries and saw that François Piette (ICS) started providing pre-compiled libraries too and already provides the 1.1.1 branch. Bintray releases seem solid too (build chain on https://github.com/curl/curl-for-win).

[rlebeau]

Work is in progress to support OpenSSL 1.1.x. I do not know at this time whether it will be ready by the deadline, though.

[jgv-Lisam]

@rlebeau Would be great if you could create a new branch for this support.

[rlebeau]

I have created an "OpenSSL-1.1.x" branch

[JPeterMugaas]

No, there has been too many setbacks in my life.

[rlebeau]

@JPeterMugaas you are not the only one working on it lately.

[mezen]

I created a fork (https://github.com/mezen/Indy/commits/NewOpenSSL) where a lot of progress is already done. A release-able version is not far away

[nag944]

I tried this code. Seems to be functional, but some strong problems with stability. Even at medium load, http server halts every several hours with exception "Failed to shutdown with result reason code 5".

[smeier1218]

What do I have to do to make INDY 10 on my Delphi 7 installed on windows 10 64Bit work with TLS 1.2 ?

[rlebeau]

@smeier1218 Are you asking about the new OpenSSL 1.1.x IOHandler that is in progress? Or, are you just asking about Indy in general? What version of Indy are you actually using? Delphi 7 is very old, are you using the version of Indy that shipped with D7, or have you upgraded your Indy installation to a modern version? It is difficult to answer your question without knowing your situation.

[smeier1218]

Hi Remy ! I'm using Delphi 7 with INDY 10 update. THANKS FOR THE HELP !

[rlebeau]

In that case, all you should need to do is assign a TIdSSLIOHandlerSocketOpenSSL component to the IOHandler property of a TCP connection, enable the sslvTLSv1_2 flag in the IOHandler's SSLOptions.SSLVersions property, and then deploy the OpenSSL 1.0.2 DLLs with your app. You can get the DLLs from this GitHub repo.

If you need to use OpenSSL 1.1.x, such as for TLS 1.3, then you need to download and use this IOHandler component instead.

[rlebeau]

FYI, a new GitHub repo has now been created to separate the OpenSSL logic, most likely into a new package, so it can be updated independently of the main Indy library.

https://github.com/IndySockets/IndyTLS-OpenSSL