Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

Our understanding is that setting:

SSL Version: sslvSSLv23

Will cause the highest available TLS version to be used.

However, looking at the SSL trace, this does not appear to be happening.

Observe these calls to the same server:

SSL Version: sslvTLSv1_2 -- I get a TLS 1.2 connection

Resolving hostname #####.
Connecting to ############.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA256; description = AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256; bits = 128; version = TLSv1/SSLv3;

Hitting the same server, but set to SSL Version: sslvSSLv23, I would expect a TLS 1.2 connection. Well, actually I would expect the same connection as above. But observe, I end up with TLS 1.0:

Resolving hostname #####.
Connecting to ###.
SSL status: "before/connect initialization"
SSL status: "before/connect initialization"
SSL status: "SSLv2/v3 write client hello A"
SSL status: "SSLv3 read server hello A"
SSL status: "SSLv3 read server certificate A"
SSL status: "SSLv3 read server done A"
SSL status: "SSLv3 write client key exchange A"
SSL status: "SSLv3 write change cipher spec A"
SSL status: "SSLv3 write finished A"
SSL status: "SSLv3 flush data"
SSL status: "SSLv3 read finished A"
SSL status: "SSL negotiation finished successfully"
SSL status: "SSL negotiation finished successfully"
Cipher: name = AES128-SHA; description = AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1; bits = 128; version = TLSv1/SSLv3;

What is the missing "negotiate highest" magic?


1 Answer

You need to stop using the SSLOption.Method property if you are still using it. Use the SSLOption.SSLVersions property instead. That will allow you to enable multiple SSL/TLS versions at a time. sslvSSLv23 will be used internally to handle the negotiation, but it will report the highest SSL/TLS version enabled in SSLVersions to the server. If you are using a version of Indy 10 that supports TLS 1.2, and a version of the OpenSSL DLLs that support TLS 1.2, then enabling sslvTLSv1_2 in the SSLVersions property should negotiate TLS 1.2 if the server also supports TLS 1.2. Keep in mind that if the DLLs DO NOT support TLS 1.1 or 1.2, Indy will silently fall back to TLS 1.0 even when you use sslvTLSv1_1 and/or sslvTLSv1_2.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
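As an added example (not code from the question, the answer, or the Indy project), a small Delphi console program applies the answer's advice: it enables a set of versions through SSLOptions.SSLVersions instead of Method, and reads the negotiated protocol back from OpenSSL after the handshake, because the Cipher.Version field in both traces above prints "TLSv1/SSLv3" and cannot tell TLS 1.0 from TLS 1.2. It assumes Indy 10 with TLS 1.2 support and OpenSSL DLLs that support TLS 1.2; the host name is a placeholder, and SSL_get_version and SSL_CB_HANDSHAKE_DONE are assumed to be exported by IdSSLOpenSSLHeaders.

```delphi
program TlsVersionCheck;
{$APPTYPE CONSOLE}

uses IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders, IdCTypes;

type
  THandshakeLogger = class
  public
    Negotiated: string;
    procedure StatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
      const AWhere, Aret: TIdC_INT; const AType, AMsg: string);
  end;

procedure THandshakeLogger.StatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: string);
begin
  // Handshake progress, comparable to the "SSL status:" lines in the question.
  WriteLn('SSL status: "', AMsg, '"');
  // When the handshake completes, ask OpenSSL which protocol was negotiated.
  // Cipher.Version prints "TLSv1/SSLv3" for every TLS 1.x suite, so it cannot
  // distinguish TLS 1.0 from TLS 1.2; SSL_get_version (assumed export) can.
  if (AWhere and SSL_CB_HANDSHAKE_DONE) <> 0 then
    Negotiated := string(SSL_get_version(AsslSocket));
end;

var
  Http: TIdHTTP;
  IO: TIdSSLIOHandlerSocketOpenSSL;
  Logger: THandshakeLogger;
begin
  Http := TIdHTTP.Create(nil);
  IO := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
  Logger := THandshakeLogger.Create;
  try
    // Leave SSLOptions.Method alone. Enabling a set makes Indy negotiate with
    // sslvSSLv23 internally while offering the highest enabled version (TLS 1.2).
    IO.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    IO.SSLOptions.Mode := sslmClient;
    IO.OnStatusInfoEx := Logger.StatusInfoEx;
    Http.IOHandler := IO;
    Http.Get('https://example.invalid/'); // placeholder host, replace with yours
    WriteLn('Negotiated protocol: ', Logger.Negotiated);
    // "TLSv1" here against a TLS 1.2 server means the loaded DLLs lack TLS 1.1/1.2
    // and Indy fell back silently, as the answer warns; check the DLL version.
  finally
    Logger.Free;
    Http.Free;
  end;
end.
```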