Comments (4)
The problem appears to be in TIdSSLIOHandlerSocketSChannel.Clone(), which TIdFTP calls when setting up a new data connection. TIdFTP clones the SSLIOHandler of the control connection, expecting the clone to reuse the same TLS session as the object it is cloned from. But TIdSSLIOHandlerSocketSChannel is not doing that, i.e. it is not sharing a credential handle across multiple instances; each instance is obtaining a new credential handle for itself.
Hi @rlebeau, what is the purpose of the Clone method? The TLS session is bound to a specific socket, so does the Clone() method create a new instance to work with the same socket?
If it is the case, then I can add an SSLClone method with an automatic reference counter in TSSLInfo...
something like
function TIdSSLIOHandlerSocketSChannel.Clone: TIdSSLIOHandlerSocketBase;
var
  LClone: TIdSSLIOHandlerSocketSChannel; // typed local: FSSL is not visible through the base class
begin
  {$IFDEF LOG_EVENTS}System.WriteLn('TIdSSLIOHandlerSocketSChannel.Clone');{$ENDIF}
  LClone := TIdSSLIOHandlerSocketSChannel.Create(nil);
  LClone.FSSL := SSLClone(FSSL); // same TSSLInfo, reference count bumped
  Result := LClone;
end;
with
function SSLClone(SSL: THandle): THandle;
var
  Info: PSSLInfo absolute SSL;
begin
  Result := SSL;
  if SSL <> 0 then
    Inc(Info.RefCount); // set to 0 in SSLStart; counts the extra holders of this TSSLInfo
end;
and
function SSLClose(SSL: THandle): Integer;
var
  Info: PSSLInfo absolute SSL;
begin
  Result := 0;
  if SSL = 0 then
    Exit;
  {$IFDEF TRACE}
  WriteLn(Trace, '-------------');
  CloseFile(Trace);
  {$ENDIF}
  if Info.RefCount > 0 then
  begin
    Dec(Info.RefCount); // another holder remains; keep the TSSLInfo alive
  end else begin
    Info.Clean;         // last holder: tear down and release
    Dispose(Info);
  end;
end;
what is the purpose of the Clone method?
To create a new SSLIOHandler object that shares a TLS session with an existing SSLIOHandler object.
the TLS session is bound to a specific socket
A TLS session is not bound to a specific socket. Not in OpenSSL, not in SChannel. Multiple sockets can share a TLS session across connections. For instance, in this situation, an FTPS data connection can (and on many servers, must) share a TLS session with the FTP control connection, to avoid MITM hijacking of data connections. HTTP requests across non-persistent connections can also share TLS sessions.
Basically, any time a peer wants to set up authentication+encryption one time with another peer and then reuse that session over and over regardless of how many connections are involved.
In Indy's case, that currently only happens in TIdFTP when the DataPortProtection property is ftpdpsPrivate. But there could be other uses for it in the future.
does the Clone() method create a new instance to work with the same socket?
Not with the same socket, no. It should create a new instance that will share the same TLS session with a new socket.
if it is the case, then I can add an SSLClone method with an automatic reference counter in TSSLInfo...
I don't think cloning the whole TSSLInfo will work. The only thing I can find that describes the technical requirement for reusing sessions in the SChannel SSPI API is this:
https://stackoverflow.com/questions/905851/ssl-session-reuse-with-schannel-windows
I think that means AcquireCredentialsHandle() can be called once per shared session, and then that credential handle can be reused for multiple calls to InitializeSecurityContext() (outbound) and AcceptSecurityContext() (inbound) socket connections.
So, you will likely still need a separate TSSLInfo object for each Socket+Context, but the Credentials: TCredHandle; member will have to be sharable across multiple TSSLInfo instances.
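The split described in the reply above (one credential handle acquired once and shared across connections, a separate security context per socket, which is also what the earlier remark about FTPS data connections reusing the control connection's session relies on), as an added example that is not code from this thread, from Indy or from the SChannel project discussed here. TSharedCredentials and TSChannelConnection are hypothetical names; the SSPI declarations are the real secur32.dll entry points and schannel.h constants. It is Windows only and does no network I/O: it shows that a clone holds the same credential handle and that the handle is freed exactly once, when the last holder goes away. A real implementation would hand Credentials.Handle to InitializeSecurityContext() on each new socket.

```delphi
program SharedSChannelCredentials;
{$APPTYPE CONSOLE}
{ Added example, not Indy's or the SChannel project's own code; Windows only. One credential handle
  acquired once and shared by reference count, plus a per-socket context that Clone() does not
  share. TSharedCredentials and TSChannelConnection are hypothetical names. }
uses Winapi.Windows, System.SysUtils;
const
  SEC_E_OK = 0; SCHANNEL_CRED_VERSION = 4; SECPKG_CRED_OUTBOUND = 2;
  SCH_CRED_AUTO_CRED_VALIDATION = $20; // SChannel validates the server chain itself
  SCH_CRED_NO_DEFAULT_CREDS = $10;     // never pick a client certificate silently
  UNISP_NAME = 'Microsoft Unified Security Protocol Provider';
type
  SECURITY_STATUS = Integer;
  TSecHandle = record dwLower, dwUpper: ULONG_PTR; end;
  PSecHandle = ^TSecHandle;
  // SCHANNEL_CRED from schannel.h; only dwVersion and dwFlags are set below
  TSChannelCred = record
    dwVersion, cCreds: DWORD; paCred, hRootStore: Pointer;
    cMappers: DWORD; aphMappers: Pointer;
    cSupportedAlgs: DWORD; palgSupportedAlgs: Pointer;
    grbitEnabledProtocols, dwMinimumCipherStrength, dwMaximumCipherStrength,
    dwSessionLifespan, dwFlags, dwCredFormat: DWORD;
  end;
  // Reference counted by the compiler: whichever holder releases last frees the handle, once.
  ISharedCredentials = interface
    function Handle: PSecHandle;
  end;
  TSharedCredentials = class(TInterfacedObject, ISharedCredentials)
  private
    FCred: TSecHandle;
    FAcquired: Boolean;
  public
    constructor CreateOutbound;
    destructor Destroy; override;
    function Handle: PSecHandle;
  end;
  // One per socket: its own context (never shared) plus a reference to the shared credentials
  // that InitializeSecurityContext is given, which is what lets SChannel resume the session.
  TSChannelConnection = class
  private
    FCredentials: ISharedCredentials;
    FContext: TSecHandle;
    FHasContext: Boolean; // True once InitializeSecurityContext has succeeded on this socket
  public
    constructor Create(const ACredentials: ISharedCredentials);
    destructor Destroy; override;
    function Clone: TSChannelConnection;
    property Credentials: ISharedCredentials read FCredentials;
  end;

function AcquireCredentialsHandleW(pszPrincipal, pszPackage: PWideChar; fCredentialUse: ULONG;
  pvLogonID, pAuthData, pGetKeyFn, pvGetKeyArgument: Pointer; phCredential: PSecHandle;
  ptsExpiry: Pointer): SECURITY_STATUS; stdcall; external 'secur32.dll';
function FreeCredentialsHandle(phCredential: PSecHandle): SECURITY_STATUS; stdcall; external 'secur32.dll';
function DeleteSecurityContext(phContext: PSecHandle): SECURITY_STATUS; stdcall; external 'secur32.dll';

constructor TSharedCredentials.CreateOutbound;
var
  Cred: TSChannelCred; Status: SECURITY_STATUS;
begin
  inherited Create;
  FillChar(Cred, SizeOf(Cred), 0);
  Cred.dwVersion := SCHANNEL_CRED_VERSION;
  Cred.dwFlags := SCH_CRED_AUTO_CRED_VALIDATION or SCH_CRED_NO_DEFAULT_CREDS;
  Status := AcquireCredentialsHandleW(nil, UNISP_NAME, SECPKG_CRED_OUTBOUND, nil, @Cred, nil, nil, @FCred, nil);
  if Status <> SEC_E_OK then
    raise Exception.CreateFmt('AcquireCredentialsHandle failed: 0x%.8x', [Cardinal(Status)]);
  FAcquired := True;
end;
destructor TSharedCredentials.Destroy;
begin
  if FAcquired then FreeCredentialsHandle(@FCred);
  inherited;
end;
function TSharedCredentials.Handle: PSecHandle;
begin
  Result := @FCred;
end;
constructor TSChannelConnection.Create(const ACredentials: ISharedCredentials);
begin
  inherited Create;
  FCredentials := ACredentials; // adds a reference to the shared handle
end;
destructor TSChannelConnection.Destroy;
begin
  if FHasContext then DeleteSecurityContext(@FContext); // only this socket's context
  FCredentials := nil; // drop our reference; the last drop frees the credential handle
  inherited;
end;
function TSChannelConnection.Clone: TSChannelConnection;
begin
  Result := TSChannelConnection.Create(FCredentials); // new socket and context, same credentials
end;

var
  Control, Data: TSChannelConnection;
begin
  Control := TSChannelConnection.Create(TSharedCredentials.CreateOutbound);
  Data := Control.Clone; // what an FTPS data connection would do
  WriteLn('same credential handle: ', Data.Credentials.Handle = Control.Credentials.Handle);
  Data.Free;    // Control still holds the credentials
  Control.Free; // last reference gone: FreeCredentialsHandle runs here
end.
```

The interface reference count replaces the hand-rolled RefCount field from the earlier proposal, and because only the credential wrapper is shared, each socket still gets its own context handle, which is the constraint the reply describes. SCH_CRED_NO_DEFAULT_CREDS is set so that SChannel does not silently pick a client certificate from the user's store on an outbound credential.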
Thank you @rlebeau, you mean the TLS session at the TLS protocol level.
Sorry @jdredd87, I have no time to spend on SChannel nor Indy to handle that.
I spent some time studying the TLS protocol on another project, and now I know that SChannel prohibits quite a few things (like selecting cipher suites) and is quite poorly documented, so it's not easy to get it to work properly :)