Delphi w Indy 10: Unable to connect via TLS 1.2 w SSL “Best Practices” in place on web server

Question

The question: How do we get Indy 10 to work with a web server that enforces the latest TLS 1.2 SSL Best Practices?

The Best Practices are do

Answer 1

As Remy notes on comments to OP, the solution is to use the Indy 10 SSLIOHandler's CipherList property to set a list of ciphers.

Available ciphers:

https://www.openssl.org/docs/apps/ciphers.html

Some notes:

1) We were not able to get the wildcard examples on the openssl doc page above to work. e.g.: ALL:!ADH:@STRENGTH and the like, we could not make work.

2) The correct format is a list of ciphers, with a colon delimiter. E.g. AES128-SHA256:AES128-GCM-SHA256:ECDH-RSA-NULL-SHA

3) We found that providing a long list of ciphers (40 or more) actually gave us less connectivity to a variety of ssl servers. (It appears that some may be incompatible in the same list, or that openssl does an imperfect job of negotiating with the remote server.) Subsets of the list gave better results.

4) We have not found, so far, a solid, recommended, list.

5) We have been told that some ciphers should probably be avoided due to expensive (cpu intensive) nature of some of them. We have not investigated this area further at this time.

6) To future proof your app, allow a configuration or registry entry to modify the cipher list in the field. (Who knows what will be exploited and disabled next... Today SSL v3, tomorrow TLS 1.1...)