TIdHTTP 和 TLS SNI 不起作用

Question

TIdHTTP 和 TLS SNI 不起作用

com*_*ger 5 delphi ssl indy idhttp sni

在我的尝试中，TLS SNI 扩展丢失了。我不知道为什么。有人能指出我正确的方向吗？

\n\n

Embarcadero\xc2\xae RAD Studio 10 西雅图版本 23.0.21418.4207

\n\n

印地版本：10.6.2.5311

\n\n

OpenSSL：https://indy.fulgan.com/SSL/openssl-1.0.2h-i386-win32.zip

\n\n

使用和不使用解决方法的 (WireShark) 结果是相同的。

\n\n

示例/演示代码：

\n\n

unit CMTelekomTest;\n...\nvar\n  IdHTTP1: TIdHTTP;\n  IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL;\n  xml: ixmldocument;\n  root, node, sibling: ixmlnode;\n  httpreturn, xmlfile: string;\n  xmlstream: TStringStream;\nbegin\n  // xml stuff\n  xml := newxmldocument;\n  //xml.Encoding := \'utf-8\';\n  xml.Options := [doNodeAutoIndent]; // just for xml-formatting\n  root := xml.AddChild(\'MESSAGES\');\n  node := root.AddChild(\'AUTHENTICATION\');\n  node := node.AddChild(\'PRODUCTTOKEN\');\n  node.Text := \'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\';\n  node := root.AddChild(\'MSG\');\n  sibling := node;\n  sibling := node.AddChild(\'FROM\');\n  sibling.Text := \'Sender\';\n  sibling := node;\n  sibling := node.AddChild(\'TO\');\n  sibling.Text := \'0049001234567890\';\n  sibling := node;\n  sibling := node.AddChild(\'BODY\');\n  sibling.Text := \'Test via Delphi, german umlaut \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f.\';\n  xml.SaveToFile(\'C:\\temp\\delphicmtelecom.xml\');\n  xml.SaveToXML(xmlfile);\n  xmlstream := TStringStream.Create(xmlfile, TEncoding.UTF8);\n\n  // http stuff\n  IdSSLIOHandlerSocketOpenSSL1 := TIdSSLIOHandlerSocketOpenSSL.Create(nil);\n  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1;\n  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1];\n  // dont know the exact needed ciphers, so ALL\n  // http://stackoverflow.com/questions/27302773/delphi-w-indy-10-unable-to-connect-via-tls-1-2-w-ssl-best-practices-in-place\n  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.CipherList := \'ALL\';\n  IdHTTP1 := tidhttp.Create(nil);\n  IdHTTP1.IOHandler := IdSSLIOHandlerSocketOpenSSL1;\n  // https://docs.cmtelecom.com/bulk_sms/v1.0\n  // utf-8 and application/xml\n  IdHTTP1.Request.ContentEncoding := \'utf-8\';\n  IdHTTP1.Request.ContentType := \'application/xml\';\n  httpreturn := IdHTTP1.post(\'https://sgw01.cm.nl/gateway.ashx\', xmlstream);\n  // plain old http works fine, https tls is missing TLS SNI :(\n  //httpreturn := http.post(\'http://gw01.cm.nl/gateway.ashx\', xmlstream);\n\n  // finishing process stuff\n  xmlstream.Free;\n  IdHTTP1.Free;\n  IdSSLIOHandlerSocketOpenSSL1.Free;\nend;\n\n// workaround for TLS SNI - doesnt work for me, dont know why\nprocedure TForm5.IdSSLIOHandlerSocketOpenSSL1StatusInfoEx(ASender: TObject;\n  const AsslSocket: PSSL; const AWhere, Aret: Integer; const AType,\n  AMsg: string);\nbegin\n  //https://forums.embarcadero.com/thread.jspa?messageID=675017\n  //https://forums.embarcadero.com/thread.jspa?messageID=824615\n  SSL_set_tlsext_host_name(AsslSocket, \'sgw01.cm.nl\');\nend;\n...\n

Run Code Online (Sandbox Code Playgroud)\n\n

这是 WireShark 必须告诉的：

\n\n

Extensions Length: 49\n        Extension: ec_point_formats\n        Extension: elliptic_curves\n        Extension: SessionTicket TLS\n        Extension: Heartbeat\n

Run Code Online (Sandbox Code Playgroud)\n\n

SNI 没有扩展名。

\n\n

Frame 61: 275 bytes on wire (2200 bits), 275 bytes captured (2200 bits) on interface 0\nEthernet II, Src: FujitsuT_5e:3a:85 (90:1b:0e:5e:3a:85), Dst: SophosLt_33:49:a8 (00:1a:8c:33:49:a8)\nInternet Protocol Version 4, Src: 192.168.10.230, Dst: 31.169.57.12\nTransmission Control Protocol, Src Port: 51554 (51554), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 221\n    Source Port: 51554\n    Destination Port: 443\n    [Stream index: 5]\n    [TCP Segment Len: 221]\n    Sequence number: 1    (relative sequence number)\n    [Next sequence number: 222    (relative sequence number)]\n    Acknowledgment number: 1    (relative ack number)\n    Header Length: 20 bytes\n    Flags: 0x018 (PSH, ACK)\n    Window size value: 260\n    [Calculated window size: 66560]\n    [Window size scaling factor: 256]\n    Checksum: 0x54d7 [validation disabled]\n    Urgent pointer: 0\n    [SEQ/ACK analysis]\nSecure Sockets Layer\n    SSL Record Layer: Handshake Protocol: Client Hello\n        Content Type: Handshake (22)\n        Version: TLS 1.0 (0x0301)\n        Length: 216\n        Handshake Protocol: Client Hello\n            Handshake Type: Client Hello (1)\n            Length: 212\n            Version: TLS 1.0 (0x0301)\n            Random\n            Session ID Length: 0\n            Cipher Suites Length: 122\n            Cipher Suites (61 suites)\n                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)\n                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)\n                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)\n                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)\n                Cipher Suite: TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037)\n                Cipher Suite: TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036)\n                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)\n                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)\n                Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086)\n                Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085)\n                Cipher Suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)\n                Cipher Suite: TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003a)\n                Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089)\n                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)\n                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)\n                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)\n                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)\n                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)\n                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)\n                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)\n                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)\n                Cipher Suite: TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031)\n                Cipher Suite: TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030)\n                Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)\n                Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)\n                Cipher Suite: TLS_DH_RSA_WITH_SEED_CBC_SHA (0x0098)\n                Cipher Suite: TLS_DH_DSS_WITH_SEED_CBC_SHA (0x0097)\n                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)\n                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)\n                Cipher Suite: TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043)\n                Cipher Suite: TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042)\n                Cipher Suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)\n                Cipher Suite: TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034)\n                Cipher Suite: TLS_DH_anon_WITH_SEED_CBC_SHA (0x009b)\n                Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046)\n                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)\n                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)\n                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)\n                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)\n                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)\n                Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)\n                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)\n                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)\n                Cipher Suite: TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)\n                Cipher Suite: TLS_DH_anon_WITH_RC4_128_MD5 (0x0018)\n                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)\n                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)\n                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)\n                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)\n                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)\n                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)\n                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)\n                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)\n                Cipher Suite: TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010)\n                Cipher Suite: TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d)\n                Cipher Suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)\n                Cipher Suite: TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b)\n                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)\n                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)\n                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)\n                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)\n            Compression Methods Length: 1\n            Compression Methods (1 method)\n            Extensions Length: 49\n            Extension: ec_point_formats\n            Extension: elliptic_curves\n            Extension: SessionTicket TLS\n            Extension: Heartbeat\n

Run Code Online (Sandbox Code Playgroud)\n

Answer 1

smo*_*y86 4

我不确定它是在哪个 Indy 版本中引入的（可能是 r5321，你有 5311），所以如果你更新到最新版本，它将自动使用 SNI。

我认为您忘记将程序分配IdSSLIOHandlerSocketOpenSSL1StatusInfoEx给IdSSLIOHandlerSocketOpenSSL1.OnStatusInfoEx事件

IdSSLIOHandlerSocketOpenSSL1.OnStatusInfoEx:=IdSSLIOHandlerSocketOpenSSL1StatusInfoEx;

Run Code Online (Sandbox Code Playgroud)

它已于 2016 年 1 月 11 日在 r5321 中引入。更新 Indy 应该可以修复它。 (2认同)
[TIdSSLIOHandlerSocketOpenSSL 中添加了客户端 SNI 支持](http://indyproject.org/Sockets/Blogs/ChangeLog/20160110B.EN.aspx)。后来有一个更新可以通过代理处理 SNI。所以，是的，请确保您使用的是最新的 SVN 版本。 (2认同)

归档时间：	9 年，1 月前
查看次数：	2563 次
最近记录：	9 年，1 月前