Author Topic: Synapse and TLS detection on Linux/MacOS vs. Windows  (Read 3370 times)

CCRDude

  • Hero Member
  • *****
  • Posts: 596
Synapse and TLS detection on Linux/MacOS vs. Windows
« on: November 05, 2018, 05:32:09 pm »
In a very simple program, I download update information and query a REST API using Synapse (40.1 from OPM). Works fine on Windows. Both https URLs, using ssl_openssl.

On Linux and MacOS, HttpGetBinary always failed. I then expanded the code to use the THTTPSend class, and was step by step logging details.

Further testing showed that the server only accepts TLS 1.1 and TLS 1.2. On Windows, this was properly negotiated. On Linux (Debian 9) and MacOS (Sierra & High Sierra), it wasn't.

The workaround is to force the mode (otherwise it would be LT_all, which would try SSL 2.3) through
Code:
FHTTPSender.Sock.SSL.SSLType := LT_TLSv1_2;
On Windows, I use OpenSSL version 1.0.2p (1.0.2.16).
Debian has 1.0.2l.
MacOS LibreSSL 2.2.7.

Since I couldn't see related OS-specific code in ssl_openssl.pas - was I lucky on Windows to always use the latest OpenSSL version? Or is there something else behind this?
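
Added example, not part of the original post: a small Free Pascal probe for the behaviour described above. It requests the same URL once with the default LT_all and once with LT_TLSv1_2, and logs the loaded SSL library and what was negotiated. The URL is a placeholder and the Probe helper is a hypothetical name.

```pascal
program tlsprobe;
{$mode objfpc}{$H+}

uses
  SysUtils, Classes, blcksock, httpsend, ssl_openssl;

const
  // Placeholder (assumption): replace with the HTTPS endpoint under test.
  ProbeURL = 'https://example.org/';

// Performs one GET with the given SSLType and logs the outcome.
function Probe(const AURL: string; AType: TSSLType; const ALabel: string): Boolean;
var
  Http: THTTPSend;
begin
  Http := THTTPSend.Create;
  try
    Http.Timeout := 10000;             // milliseconds
    Http.Sock.SSL.SSLType := AType;    // LT_all lets the library choose
    Result := Http.HTTPMethod('GET', AURL);
    WriteLn('--- SSLType = ', ALabel);
    // Which SSL library was actually loaded at run time on this OS.
    WriteLn('library    : ', Http.Sock.SSL.LibName, ' / ', Http.Sock.SSL.LibVersion);
    if Result then
    begin
      WriteLn('http       : ', Http.ResultCode, ' ', Http.ResultString);
      // Read from the live session: empty if the server already closed it.
      WriteLn('negotiated : ', Http.Sock.SSL.GetSSLVersion, ', ',
              Http.Sock.SSL.GetCipherName);
    end
    else
    begin
      // Socket-level and SSL-level errors are reported separately.
      WriteLn('socket err : ', Http.Sock.LastError, ' ', Http.Sock.LastErrorDesc);
      WriteLn('ssl err    : ', Http.Sock.SSL.LastError, ' ',
              Http.Sock.SSL.LastErrorDesc);
    end;
  finally
    Http.Free;
  end;
end;

begin
  Probe(ProbeURL, LT_all, 'LT_all');
  Probe(ProbeURL, LT_TLSv1_2, 'LT_TLSv1_2');
end.
```

Running the same binary on each OS and comparing the "library" lines shows whether the difference comes from the OpenSSL/LibreSSL build that was loaded rather than from Synapse itself.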

Thaddy

  • Hero Member
  • *****
  • Posts: 14205
  • Probably until I exterminate Putin.
Re: Synapse and TLS detection on Linux/MacOS vs. Windows
« Reply #1 on: November 05, 2018, 06:05:46 pm »
Since I couldn't see related OS-specific code in ssl_openssl.pas - was I lucky on Windows to always use the latest OpenSSL version? Or is there something else behind this?
Basically, in the latest OpenSSL, fall-backs to anything below TLS 1.1 are no longer supported (unless you compile the protocols in yourself, in OpenSSL that is, not FPC or Synapse).
So indeed, it may be a library version. In LibreSSL it should be no different with recent libraries. Note that most current browsers will fail if at least TLS 1.1 is not supported, and even that is on the way out. In other words, the major browsers no longer allow legacy. (except a.t.m. Apple   >:(  )
« Last Edit: November 05, 2018, 06:16:17 pm by Thaddy »
Specialize a type, not a var.

CCRDude

  • Hero Member
  • *****
  • Posts: 596
Re: Synapse and TLS detection on Linux/MacOS vs. Windows
« Reply #2 on: November 06, 2018, 08:17:10 pm »
Another small update: I wasn't able to connect properly in El Capitan and Sierra (no problems on High Sierra and Mojave, where setting the SSLType helped), and while looking into sandboxing, I found that OpenSSL is not supported by sandboxed applications anyway (neither Synapse nor fcl-web worked).

So I had to change the Mac build to use NSURLConnection instead, which connects without issues on Sierra (still waiting for El Capitan test results). Since the servers do not support anything older than TLS 1.1, using NSURLConnection is no issue of falling below TLS 1.1 in my case.
