SSL/TLS (Delphi)

Setting up Transport Layer Security (TLS) for your Remoting SDK server is very easy.

Using TLS allows your clients to connect with the more secure https://, superhttps://, tcps:// and supertcps:// protocols.

Indy-based servers

Create (or drop onto the form) a TIdServerIOHandlerSSLOpenSSL component, configure it, and link it to the corresponding property of the internal Indy component:

  • TROIndyHTTPServer:
ROIndyHTTPServer1.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;

Note: Some modern versions of Indy (in Delphi 10.4+) may require additional code like this:

type
  TSSLHelper = class
    // This helper class is necessary to set SSL to true,
    // as it defaults to false on non-standard SSL ports
    procedure QuerySSLPort(APort: Word; var VUseSSL: boolean);
  end;

procedure TSSLHelper.QuerySSLPort(APort: Word; var VUseSSL: boolean);
begin
  VUseSSL := true;
end;
...
ROIndyHTTPServer.Server.OnQuerySSLPort := SSLHelper.QuerySSLPort;
  • TROIndyTCPServer:
ROIndyTCPServer1.IndyServer.IOHandler := IdServerIOHandlerSSLOpenSSL1;
  • TROIndySuperTCPServer:
ROIndySuperTCPServer1.Server.IOHandler := IdServerIOHandlerSSLOpenSSL1;

Note: the Server property of TROIndySuperTCPServer is not published, so it cannot be assigned at design time via the Object Inspector.

See the Indy help for details on using the TIdServerIOHandlerSSLOpenSSL component.

Note: SSL support requires OpenSSL 1.0.2.

Check the Binaries (wiki.openssl) article for sites where you can download OpenSSL binaries.
The https://indy.fulgan.com/SSL/ URL is recommended for Indy.

Native (socket) servers

Set OpenSSL.SSLEnabled to True. A certificate can either be loaded from a storage file on startup or be auto-generated the first time the server is run. If it is provided via a file, it should be a PEM certificate. The password for the certificate can be specified via the corresponding OnPassword event.

Note: SSL support requires OpenSSL 3.x.

Check the Binaries (wiki.openssl) article for sites where you can download OpenSSL binaries.

WinHttp-based server

This server can be configured with the netsh or HttpSysManager utility.


The PEM certificate file should contain the server certificate and the private key, like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----

Optionally, it can also include the server CA and root CA certificates, like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
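
A pre-deployment check for the bundle layout shown above, as an added example that is not part of Remoting SDK or its documentation: `check_bundle`, `make_pem` and the sample bundles are constructed for illustration, and treating the block order shown above as required is an assumption. It inspects only the PEM structure and flags a private key that is not stored in the encrypted form; it does not parse certificates or decrypt the key.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_bundle(text):
    """Return layout problems found in a server PEM bundle (empty list = OK)."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    problems = []
    # Every BEGIN marker must belong to a well-formed block.
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched BEGIN/END markers")
    for label, body in blocks:
        try:  # catches truncated pastes and unfilled "..." templates
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block must be the server CERTIFICATE")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != "ENCRYPTED PRIVATE KEY":
        problems.append(f"key block is '{keys[0]}', not ENCRYPTED PRIVATE KEY")
    elif labels[1:2] != ["ENCRYPTED PRIVATE KEY"]:
        problems.append("private key must directly follow the server certificate")
    for l in labels:
        if l != "CERTIFICATE" and not l.endswith("PRIVATE KEY"):
            problems.append(f"unexpected block type: {l}")
    return problems

def make_pem(label, payload=b"constructed placeholder, not real DER"):
    """Build a syntactically valid PEM block around dummy bytes (test data only)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples: the full layout from the page, and a bundle whose
# private key is stored unencrypted.
GOOD = (make_pem("CERTIFICATE") + make_pem("ENCRYPTED PRIVATE KEY")
        + make_pem("CERTIFICATE") + make_pem("CERTIFICATE"))
BAD = make_pem("CERTIFICATE") + make_pem("PRIVATE KEY")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_bundle(sample) or "layout OK")
```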