
Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10

I'm completely new to SSL and all this ciphering stuff, but I need to make client and server Delphi XE6 apps running on mobile devices communicate. The TCP communication has to be safely ciphered.

To start, I simply wrote the Delphi/Indy TIdTCPServer/TIdTCPClient based Win32 client and server exchanging strings. (Taken from the indy10clieservr demos found on SourceForge: svn://svn.code.sf.net/p/indy10clieservr/code/1_sample Simple String Exchange)

I tried to modify them to cipher the communication by adding a TIdServerIOHandlerSSLOpenSSL component on the Server, and a TIdSSLIOHandlerSocketOpenSSL on the Client, attaching them respectively to the TIdTCPServer and TIdTCPClient.

I set the following properties on both sides:
- SSLOptions.Method = sslvSSLv23
- SSLOptions.Mode = sslmServer / sslmClient (respectively)
- SSLOptions.VerifyDepth = 2

And I added an OnGetPassword event handler setting the Password parameter to 'password' on both sides too. (What is the role of this password? Is it critical for the privacy of the communication? What if it is found by analysing/reverse engineering the binary file?)

Finally, in the server's OnConnect event handler I set the TIdSSLIOHandlerSocketBase(AContext.Connection.IOHandler).PassThrough property to false.

But what about the 3 SSLOptions certificate properties?
- CertFile
- KeyFile
- RootCertFile

How do I generate and deploy them on my target devices to make my SSL layer run on the client and server?

Moreover, is there something special to do or to take into account if I intend to deploy my server and/or clients later on iOS or Android mobile devices?

I'm aware that I have little knowledge on this SSL topic. Sorry if I ask something trivial. Any basic documentation explaining all of this tricky stuff to a newbie would be greatly appreciated.

As I told you in my answer to your same question on the Embarcadero forums, certificates are optional. They are used to allow peers to validate each other's identities, not for encryption. Certificates help avoid man-in-the-middle attacks, by allowing a client to verify it is connected to the correct server it is expecting to be connected to, and vice versa. It is not common for a client to have a certificate, except maybe when making a proprietary system where only authorized clients are allowed to connect. But it is pretty common for servers to have certificates, at least. Certificates can be password-protected, so if you do use them, you have to provide the correct password for the certificate(s) that you are actually using. A certificate's password can't be retrieved from the certificate itself, but if an attacker gains access to your certificate files then you have bigger issues to deal with.

As for SSLv23, it is a wildcard that allows dynamic version negotiation in cases where client and server support different SSL/TLS versions. SSLv23 allows them to figure out and use the highest version common to both parties. If a server needs to support a wide range of clients, it makes sense to use SSLv23 on the server side. Not so much on the client side. Since you control both client and server, you should use a specific version instead, preferably TLSv1 or higher.
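As an added illustration (not code from the question, the answer, or Indy itself), here is a minimal Delphi/Indy 10 setup that follows the answer's advice: the server loads its certificate, private key and CA chain, both sides pin one TLS version instead of sslvSSLv23, and the client checks the server's certificate against the same CA file and passes OpenSSL's verdict through instead of accepting everything. The file names, the key passphrase and the expected CN are placeholders; the OnConnect/PassThrough step from the question is unchanged and not repeated here, and the uses clause assumes the Indy version bundled with XE6 (TIdX509 and the enums live in IdSSLOpenSSL there).

```delphi
unit SslLinkDemo;
interface
uses IdTCPServer, IdTCPClient, IdSSLOpenSSL;
type
  TSslLink = class  // Indy event handlers must be methods of an object
  private
    procedure GetPassword(var Password: string);
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  public
    procedure ConfigureServer(AServer: TIdTCPServer; const ACertDir: string);
    procedure ConfigureClient(AClient: TIdTCPClient; const ACertDir: string);
  end;
implementation
procedure TSslLink.GetPassword(var Password: string);
begin
  Password := 'placeholder-key-passphrase';  // only unlocks the encrypted key file; it is not a wire secret
end;
function TSslLink.VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for this link of the chain against RootCertFile: pass it through
  // (returning True unconditionally would accept any certificate) and, for the leaf, check the name.
  Result := AOk;
  if ADepth = 0 then
    Result := Result and (Pos('/CN=srv.example.test', Certificate.Subject.OneLine) > 0);  // placeholder CN
end;
procedure TSslLink.ConfigureServer(AServer: TIdTCPServer; const ACertDir: string);
var H: TIdServerIOHandlerSSLOpenSSL;
begin
  H := TIdServerIOHandlerSSLOpenSSL.Create(AServer);
  H.SSLOptions.Mode := sslmServer;
  H.SSLOptions.Method := sslvTLSv1_2;                       // one fixed version, not sslvSSLv23
  H.SSLOptions.CertFile := ACertDir + 'server-cert.pem';    // placeholder file names
  H.SSLOptions.KeyFile := ACertDir + 'server-key.pem';
  H.SSLOptions.RootCertFile := ACertDir + 'ca-chain.pem';
  H.OnGetPassword := GetPassword;
  AServer.IOHandler := H;
end;
procedure TSslLink.ConfigureClient(AClient: TIdTCPClient; const ACertDir: string);
var H: TIdSSLIOHandlerSocketOpenSSL;
begin
  H := TIdSSLIOHandlerSocketOpenSSL.Create(AClient);
  H.SSLOptions.Mode := sslmClient;
  H.SSLOptions.Method := sslvTLSv1_2;
  H.SSLOptions.RootCertFile := ACertDir + 'ca-chain.pem';   // the CA the client trusts; no client cert needed
  H.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
  H.SSLOptions.VerifyDepth := 2;
  H.OnVerifyPeer := VerifyPeer;
  AClient.IOHandler := H;
end;
end.
```

The server's KeyFile and the passphrase are the sensitive parts: with VerifyMode set and OnVerifyPeer returning AOk, a client that is handed the CA file alone cannot be tricked into trusting a certificate that the CA did not sign.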

