Remove dependancies on IdSSLOpenSSLHeaders and IdSSLOpenSSL units #376
Comments
rlebeau
added
Type: Enhancement
|
Hello Remy, since I had chased and found the SSL3_STATE.write_mac_secret field issue I know how much complex the TLS implementation is. Therefore my toughts may be sound a little bit easier said than done but I suggest to not integrate TLS 1.1.x and 3.0.0 into the old 1.0.x stuff. It might be better to encapsulate all of them into each individual "universes", selectable by an compiler switch like {$IFDEF USE_TLS_102}, {$IFDEF USE_TLS_111} and {$IFDEF USE_TLS_300}. With a view to 3.0.0 i mean: Sometimes a total demolition and new construction is easier and cleaner than an addition, in particular for the future evolvement of OpenSSL. |
|
I never said the new OpenSSL 1.1.x/3.0 stuff was being incorporated into the old 1.0.x stuff. Indeed, it is being kept separate, the new 1.1.x/3.0 stuff is being implemented in a new set of units and SSLIOHandler classes. This ticket is meant for removing some hard-coded dependencies on the older units. I'll consider the IFDEF approach, but I don't think it will work out, at least initially. AFAIK, the new SSLIOHandler classes are not a drop-in replacement for the old classes, so there will be a transition period where people will have to re-write existing code, so the 2 sets of code will have to co-exist for awhile. Eventually, the old classes will have to be deprecated and then removed. But all of this is moot at the moment since the newer units aren't even finalized and incorporated into the main code yet. |
|
Ah ok, then I'd misunderstand you :) Generally I prefer separate Units. And, BTW: I suggest to change the name for the new Handler from TIdSSLIOHandlerSocketOpenSSL to TIdTLSIOHandlerSocket. Simply because we do not have another external crypto but OpenSSL and the "SSL" part is a little bit outdated. |
|
|
rlebeau
added
Type: Maintenance
rlebeau
added
the
Status: Review Needed
|
I noticed the problem with IdAuthenticationNTLM when I was preparing my proposed update (https://github.com/MWASoftware/Indy.proposedUpdate). To solve these dependency issues, I would propose:
The downside is that existing code will need to be modified to use the new package, The upside is that the dependency tree is cleaner. Note: NTMLv2 uses RC4 and which is deprecated in OpenSSL 3. |
Why? Nothing in the Core package uses SSL/TLS, encryption, or hashing APIs. All of that is in the Protocols package.
I had thought of that before, just hadn't implemented it yet. And it might make sense to have other SSLIOHandler's (ie SChannel, etc) be implemented in their own packages, too.
Not necessary if |
I proposed this because IdSSL seems to be the only unit in the protocols package that is used by the OpenSSL units. Moving it to "core" would mean that an OpenSSL package would be dependent on "core" and not "protocols" - unless I have missed something of course.
Good idea. I would use pascal "interfaces" as the abstraction. BTW, checking through IdNTLMv2: the unit loads the RC2 functions but then I can't find any use of them.
Providing an interface to DES in IdSSL would be the best way of leaving it in Protocols IMHO and better than my original proposal. |
|
FYI, a new GitHub repo has now been created to separate the OpenSSL logic, most likely into a new package, so it can be updated independently of the main Indy library. |
… IdAuthenticationNTLM, and IdNTLM units (#376). Will remove them from IdRegister and IdDsnRegister units when the new IndyTLSOpenSSL package has been released. - Adding additional function pointers in IdFIPS unit to load an external Hashing library and to create NTLM challenge responses. - Moving functions that use OpenSSL to create NTLM challenge responses into IdSSLOpenSSLHeaders unit.
rlebeau
added
Status: In Progress
rlebeau
added
Status: Pending
Several units depend directly on the
IdSSLOpenSSLHeadersandIdSSLOpenSSLunits, namely:IdAuthenticationNTLM.pasIdDsnRegister.pasIdNTLM.pasIdNTLMv2.pasIdRegister.pasThis means that when new SSLIOHandlers are used, such as the one being worked on for #299, the old
TIdSSLIOHandlerSocketOpenSSLis also being used/registered, which causes issues forTIdHTTPfor instance (defaultSSLIOHandlercreation, use ofTIdAuthenticationNTLM, etc).In
IdCompilerDefines.incthere is aUSE_OPENSSLconditional, but it is currently being ignored by some of the above units (the relevantIFDEFs are commented out).So, this makes it very difficult to upgrade Indy to support OpenSSL 1.1.x/3.0.0 when 1.0.2 is still being depended on in places.
Need to expose new function pointers to abstract away all access to the older
IdSSLOpenSSL...units. Maybe add them to theIdFIPS.pasunit, with the existing hash function pointers? Or maybe in another unit would make more sense, perhapsIdSSL.pas?The text was updated successfully, but these errors were encountered: