
Doing some testing with Indy 10.6.2.5366 on Tokyo 10.2.3, I have both the client and server set with the following SSLOptions, which in my mind would force the connection to TLS 1.2:

  SSLOptions.Method := sslvTLSv1_2;
  SSLOptions.SSLVersions := [sslvTLSv1_2];

However, the OnStatus(Info) messages shown below report SSLv3. Digging in the code gets to an API call, SSL_state_string_long, that apparently returns the string, so I couldn't dig further. Is this actually TLSv1.2, as the cipher message seems to indicate, and the SSLv3 text is in error, or is it actually falling back to SSLv3 for some reason?

SSL status: "SSLv3 read server session ticket A"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES256-GCM-SHA384; description = AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
; bits = 256; version = TLSv1/SSLv3; 
Connected to server
  • Apparently this is a [known issue](https://github.com/openssl/openssl/issues/6165) in the OpenSSL library. You can [see in the source](https://github.com/openssl/openssl/blob/master/ssl/ssl_stat.c) how the constants are actually named TLS, but still contain SSLv3 in their text. My guess is that this is done to maintain backwards compatibility with clients that rely on this text, but I'm not involved in this project and I'm not sure about the reasons. – GolezTrol Aug 07 '18 at 17:51
  • Oh, actually "read server session" and ["read finished"](https://github.com/openssl/openssl/blob/4e360445473c3da938703a8142a36cf6ee86a191/ssl/ssl_stat.c#L63) seem to be updated already. Maybe you're using an older version of the OpenSSL libraries? – GolezTrol Aug 07 '18 at 17:53
  • TLS is based off of SSL 3.0, so technically TLS 1.x is also known as SSL v3.1+x (TLS 1.0 = SSL 3.1, TLS 1.1 = SSL 3.2, TLS 1.2 = SSL 3.3, etc), and that is how TLS is implemented inside of OpenSSL. That is why you still see references to SSLv3 in relation to TLS in OpenSSL. – Remy Lebeau Aug 07 '18 at 20:05
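
The "SSL 3.(x+1)" numbering from the last comment is also what travels on the wire, so the version a connection really negotiated can be read from a captured ServerHello instead of from OpenSSL's state strings. The Python below is an added example, not code from the question, Indy or OpenSSL; `negotiated_version` and `sample_server_hello` are hypothetical names and the handshake bytes are constructed, not captured.

```python
import struct

# Wire versions are major.minor pairs: TLS 1.x travels as "SSL 3.(x+1)".
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(record: bytes) -> str:
    """Return the protocol version a ServerHello record selects."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_len < 38 or len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 34                       # skip server_version (2) + random (32)
    pos += 1 + hello[pos]          # session_id length byte + session_id
    pos += 3                       # cipher_suite (2) + compression (1)
    if pos > hs_len:
        raise ValueError("truncated ServerHello")
    if pos + 2 <= hs_len:          # optional extensions block
        end = min(hs_len, pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            # TLS 1.3 keeps 0x0303 in server_version and puts the real
            # choice in supported_versions (extension type 43).
            if etype == 43 and elen == 2 and pos + 6 <= end:
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return NAMES.get(version, f"unknown (0x{version:04x})")

def sample_server_hello(version=0x0303, cipher=0x009D, extensions=b""):
    """Constructed ServerHello; 0x009D is AES256-GCM-SHA384 (RSA kx)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!HB", cipher, 0)
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

if __name__ == "__main__":
    print(negotiated_version(sample_server_hello()))   # TLSv1.2
```

A ServerHello whose version field reads 0x0300 is a real SSLv3 negotiation; 0x0303 is TLS 1.2 regardless of what the status text says.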
