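What we are unsure about is whether setting:
SSL version: sslvSSLv23
will result in the highest available TLS version being used.
However, looking at the SSL trace, that does not appear to be happening.
Observe these calls to the same server:
SSL version: sslvTLSv1_2 - I get a TLS 1.2 connection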
Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256; description = AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;
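Hitting the same server, but with the setting SSL version: sslvSSLv23, I would expect a TLS 1.2 connection. Well, actually I would expect the same connection as above. But observe, I end up with TLS 1.0: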
Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
; bits = 128; version = TLSv1/SSLv3;
What is the missing "negotiate the highest" magic?
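If you are still using the SSLOption.Method property, you need to stop using it. Use the SSLOption.SSLVersions property instead. This will allow you to enable multiple SSL/TLS versions at a time. sslvSSLv23 will be used internally to handle negotiation, but it will report to the server the highest SSL/TLS version enabled in SSLVersions. If you are using a version of Indy 10 that supports TLS 1.2, and a version of the OpenSSL DLLs that supports TLS 1.2, then enabling sslvTLSv1_2 in the SSLVersions property should negotiate TLS 1.2 if the server also supports TLS 1.2. Keep in mind that if the DLLs do not support TLS 1.1 or 1.2, Indy will silently fall back to TLS 1.0 even if you are using sslvTLSv1_1 and/or sslvTLSv1_2.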
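Because a fallback like the one described in the answer is silent, a trace has to be read for what it actually establishes. The following is an added example, not code from the question, the answer or Indy: a small Python check over abbreviated copies of the two traces above. The function name summarize and the result keys are hypothetical; the check relies on the protocol column in OpenSSL's cipher description, since the "version" field prints TLSv1/SSLv3 in both traces.

```python
import re

# Abbreviated copies of the two traces on this page (hostnames omitted).
TRACE_TLSV1_2 = '''SSL status: "SSLv3 write client hello A"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256; description = AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
; bits = 128; version = TLSv1/SSLv3;'''
TRACE_SSLV23 = '''SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
; bits = 128; version = TLSv1/SSLv3;'''

HELLO_RE = re.compile(r'SSL status: "(\S+) write client hello')
CIPHER_RE = re.compile(r'Cipher: name = ([^;\s]+);')
# Protocol column of OpenSSL's cipher description: the protocol family the
# suite belongs to, printed just before "Kx=".
SUITE_PROTO_RE = re.compile(r'\b(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+Kx=')

def summarize(trace):
    """Return what one handshake trace does and does not establish."""
    hello = HELLO_RE.search(trace)
    cipher = CIPHER_RE.search(trace)
    proto = SUITE_PROTO_RE.search(trace)
    if hello is None:
        method = None                 # no client hello logged at all
    elif hello.group(1) == "SSLv2/v3":
        method = "version-flexible"   # SSLv23 method: version is negotiated
    else:
        method = "fixed-version"      # a single-protocol method was used
    return {
        "completed": "SSL negotiation finished successfully" in trace,
        "client_method": method,
        "cipher": cipher.group(1) if cipher else None,
        "suite_protocol": proto.group(1) if proto else None,
        # A TLSv1.2-only suite can only be selected inside a TLS 1.2 session.
        # An SSLv3-family suite is also usable in TLS 1.0 through 1.2, so on
        # its own it does not show which version was negotiated.
        "tls12_proven": bool(proto) and proto.group(1) == "TLSv1.2",
    }

if __name__ == "__main__":
    for label, trace in (("sslvTLSv1_2", TRACE_TLSV1_2), ("sslvSSLv23", TRACE_SSLV23)):
        print(label, summarize(trace))
```
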