
I am using TIdSSLIOHandlerSocketOpenSSL to open a TLS/SSL connection. I currently want to support tls 1.0 to 1.2.

I initialize the IOHandler like this.

TIdSSLIOHandlerSocketOpenSSL(FSocket.IOHandler).SSLOptions.SSLVersions := [sslvTLSv1_2,sslvTLSv1_1, sslvTLSv1];

After the connection is made, how can I get which protocol was negotiated for the connection? (Both for ensuring the configuration of both the client and test server is correct, and eventually for statistics purposes.)

I checked SSLContext.Method after the connection, but it still shows sslvSSLv23 after the connection. SSLContext.SSLVersions shows [sslvTLSv1_2,sslvTLSv1_1, sslvTLSv1].

So how do I get that information?

Ken White
Ken Bourassa

1 Answer


The specific negotiated protocol is in the TIdSSLIOHandlerSocketOpenSSL.SSLSocket.Cipher.Version property after the SSL/TLS session is established. OpenSSL also has a SSL_get_version() function (which Indy does not use, but you can call directly).

Remy Lebeau
  • `Cipher.Version` doesn't seem to contain the current protocol in use (or I'm seriously missing something). If, for example, I force using only TLS1.1 on the client, `Cipher.Version` returns 'TLSv1/SSLv3'. I'm going to look into SSL_get_version. – Ken Bourassa Dec 13 '16 at 20:41
  • SSL_get_version did give me the information I was looking for. Thanks. – Ken Bourassa Dec 13 '16 at 21:50
  • 1
    @KenBourassa hmm, `SSL_CIPHER_get_version()` didn't used to be that way, but it looks like the [documentation](https://www.openssl.org/docs/manmaster/man3/SSL_CIPHER_get_version.html) has changed since I last saw it, so the behavior has apparently changed over time. In that case, stick with `SSL_get_version()`. I might integrate a new property for it. – Remy Lebeau Dec 13 '16 at 22:15
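Putting the answer and the comments together, here is an added example (not code from the question, the answer, or Indy itself) that connects with the same `SSLVersions` set as the question, reads the negotiated protocol through OpenSSL's `SSL_get_version()`, and shows `Cipher.Version` beside it for comparison. It assumes, as I recall Indy 10, that `TIdSSLSocket` exposes its `PSSL` handle as `SSLSocket.SSL` and that `SSL_get_version` is declared in `IdSSLOpenSSLHeaders`; check both against your Indy version.

```delphi
uses
  SysUtils, IdTCPClient, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

// Returns the protocol string OpenSSL reports for the established session
// (e.g. 'TLSv1.2'), or '' if no TLS session exists yet.
function NegotiatedProtocol(AHandler: TIdSSLIOHandlerSocketOpenSSL): string;
var
  LSock: TIdSSLSocket;
begin
  Result := '';
  LSock := AHandler.SSLSocket;                      // nil until the handshake has run
  // Assumption: SSLSocket.SSL is the raw PSSL handle (as in Indy 10's IdSSLOpenSSL.pas)
  if (LSock <> nil) and (LSock.SSL <> nil) then
    Result := string(SSL_get_version(LSock.SSL));   // OpenSSL's answer, not Cipher.Version
end;

// Connects, then checks the negotiated protocol against what the client was
// configured to allow. AHost/APort are whatever test server you point it at.
procedure ConnectAndReport(const AHost: string; APort: Word);
var
  LClient: TIdTCPClient;
  LHandler: TIdSSLIOHandlerSocketOpenSSL;
  LProto: string;
begin
  LClient := TIdTCPClient.Create(nil);
  try
    LHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LClient);
    LHandler.SSLOptions.Mode := sslmClient;
    LHandler.SSLOptions.SSLVersions := [sslvTLSv1_2, sslvTLSv1_1, sslvTLSv1];
    LHandler.PassThrough := False;                  // implicit TLS: handshake during Connect
    LClient.IOHandler := LHandler;
    LClient.Host := AHost;
    LClient.Port := APort;
    LClient.Connect;

    LProto := NegotiatedProtocol(LHandler);
    Writeln('SSL_get_version : ', LProto);
    // Cipher.Version is what the accepted answer pointed at; the comments report
    // that it can read 'TLSv1/SSLv3' regardless of the protocol actually in use.
    Writeln('Cipher.Version  : ', LHandler.SSLSocket.Cipher.Version);

    // Configuration check: with the set above, anything but TLSv1.2 means the
    // server (or an interfering middlebox) settled for a weaker version.
    if LProto <> 'TLSv1.2' then
      Writeln('Warning: negotiated ', LProto, ' instead of TLSv1.2');
    LClient.Disconnect;
  finally
    LClient.Free;
  end;
end;
```

If your Indy build declares `SSL_get_version` as a nil-able function pointer (loaded at runtime), test it for `nil` before calling it, since an older OpenSSL DLL may not export it.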