delphi - ssl v3 poodle 并使用 indy 迁移到 tls

Question

如您所知，新的 poodle在城里，女巫叫声得到了Twitter, Cloudflare放弃对 SSL3 的支持。

Indy(TidHttp) 10.6.0.0 恢复了这个不错的异常:

EidOsslUnerlayingCryptoError message 'Error connecting with SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'

我的问题是处理 TLS 所需的定义是什么？

更新:这是抛出异常的代码:完整的工作代码。

var
  parameters:TStringList;
  keySecretBase64:string;
  stream:TStringStream;
  IdEncoderMIME1 : TIdEncoderMIME;
  idHttp1 : TIdHTTP;
  IdSSLIOHandlerSocketOpenSSL1:TIdSSLIOHandlerSocketOpenSSL;//assume on Form
begin
  stream:=TStringStream.create;
  parameters:=TStringList.Create;
  IdEncoderMIME1 := TIdEncoderMIME.Create(nil);
  idHttp1 := TIdHTTP.Create(nil);
  IdSSLIOHandlerSocketOpenSSL1:=TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
    with IdSSLIOHandlerSocketOpenSSL1 do begin
      SSLOptions.Method := sslvSSLv3;
      SSLOptions.Mode :=  sslmUnassigned;
      SSLOptions.VerifyMode := [];
      SSLOptions.VerifyDepth := 2;
    end;
    with idHttp1 do begin
      IOHandler := IdSSLIOHandlerSocketOpenSSL1;
      ReadTimeout := 0;
      AllowCookies := True;
      ProxyParams.BasicAuthentication := False;
      ProxyParams.ProxyPort := 0;
      Request.ContentLength := -1;
      Request.ContentRangeEnd := 0;
      Request.ContentRangeStart := 0;
      Request.ContentType := 'application/x-www-form-urlencoded';
      Request.Accept := 'text/html, */*';

      Request.BasicAuthentication := False;
      Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
      HTTPOptions := [hoForceEncodeParams];
    end;
    parameters.Clear;
    idHttp1.Request.CustomHeaders.Clear;
    IdEncoderMIME1.FillChar:='=';

  try
    keySecretBase64 := TIdEncoderMIME.EncodeString(key+ ':' + secret, IndyTextEncoding_UTF8);// this is twitter provided key and secret
    parameters.Add('grant_type=client_credentials');
    idHttp1.Request.CustomHeaders.AddValue('Authorization','Basic '+keySecretBase64);
    idHttp1.post(URL,parameters,stream);
  finally
    stream.Free;
    parameters.Free;
    parameters.Free;
    IdSSLIOHandlerSocketOpenSSL1.Free;
  end;
end;

Answer 1

您的代码在 SSLOptions 属性 Method 中选择 TLS 1.2:

IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];

但是，两行之后这个值被 SSL 3 覆盖:

with IdSSLIOHandlerSocketOpenSSL1 do begin
  SSLOptions.Method := sslvSSLv3;
  ...
end;

因此客户端将不会连接较新的 TLS 1.2 协议(protocol)，而是连接服务器不再支持的 SSL 3。

这解释了错误消息，它表示 SSL 3 握手(客户端尝试)失败:

SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'

如果删除第二个分配，IdHTTP 客户端将使用 TLS 1.2 进行连接。