I use THttpClientWebSockets to create a WebSocket client with TLS.
The key line is in the following code of unit mormot.lib.openssl11:
procedure TOpenSslNetTls.SetupCtx(var Context: TNetTlsContext; Bind: boolean);
var
  v, mode: integer;
begin
  _PeerVerify := self; // safe and simple context for the callbacks
  ...
  if Context.CipherList = '' then
    Context.CipherList := SAFE_CIPHERLIST[HasHWAes];
  EOpenSslNetTls.Check(self, 'SetupCtx set_cipher_list',
    SSL_CTX_set_cipher_list(fCtx, pointer(Context.CipherList)), // <--- this line
    @Context.LastError);
  ...
If I keep this line, I get this error message:
TOpenSslNetTls.AfterConnection connect: OpenSSL 30400000 error 5 [SSL_ERROR_SYSCALL (10054 ERROR_WSAECONNRESET)]
If I omit it, everything is fine without error.
How should I know if SAFE_CIPHERLIST is needed?
Thanks!
We can't reproduce the problem here with the default SAFE_CIPHERLIST.
The error means that the server did reset/close the socket connection, for any reason specific to itself.
You can try to set your own list within TNetContextTls.CipherList, to please the server.
After I added the SAFE_CIPHERLIST on the server side, testing on https://www.ssllabs.com/ssltest/index.html, the Overall Rating upgraded from B to A, thanks!
I handle the code like this now and it works:
  if Context.CipherList = '' then
  begin
    if Bind then
      Context.CipherList := SAFE_CIPHERLIST[HasHWAes]
    else
      Context.CipherList := 'DEFAULT';
  end;
Thanks again!
Last edited by profh (2024-12-18 01:55:43)
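
One way to check, before connecting, whether a client cipher list shares any suite with what a server accepts (for example the suites listed in an SSL Labs report). This is an added example, not code from the thread or from mORMot. The cipher strings and the server suite list are constructed sample values, not the contents of SAFE_CIPHERLIST, and Python's ssl module expands them with its own linked OpenSSL, which may differ from the library the Pascal application loads.

```python
import ssl


def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build.

    Only TLS 1.2-and-older suites are returned: SSL_CTX_set_cipher_list()
    does not control TLS 1.3 suites, which OpenSSL configures separately.
    Returns None when the string selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def diagnose(client_string, server_suites):
    """Return (verdict, shared_suites) for a client string vs. a server list."""
    offered = expand(client_string)
    if offered is None:
        return "invalid-cipher-string", []
    shared = [name for name in offered if name in server_suites]
    return ("ok" if shared else "no-shared-suite"), shared


# Constructed sample data: suites a hypothetical server accepts (TLS 1.2 only)
SERVER_SUITES = {"ECDHE-RSA-AES256-SHA384", "AES256-GCM-SHA384"}
# Constructed client lists: a strict AEAD/ECDHE-only list and a relaxed one
STRICT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
RELAXED = STRICT + ":AES256-GCM-SHA384"

if __name__ == "__main__":
    for label, value in (("strict", STRICT), ("relaxed", RELAXED),
                         ("DEFAULT", "DEFAULT")):
        verdict, shared = diagnose(value, SERVER_SUITES)
        print(f"{label:8} {verdict:18} {shared}")
```

A "no-shared-suite" verdict means a TLS 1.2 handshake with that list cannot succeed against that server; how the server signals the failure (alert or plain connection close) is up to the server.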