OpenSSL

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

 

This library is required by components based on Indy Library when a secure connection is needed. If your application requires OpenSSL, you must have necessary files in your file system before deploying your application:

 

Currently, sgcWebSockets supports: 1.0.2, 1.1 and 3.0 to 3.3 openSSL versions.

 

Platform	API 1.0	API 1.1	API 3.*	Static/Dynamic Linking
Windows (32-bit and 64-bit)	libeay32.dll and ssleay32.dll	libcrypto-1_1.dll and libssl-1_1.dll	libcrypto-3.dll and libssl-3.dll	Dynamic
OSX	libcrypto.dylib, libssl.dylib	libcrypto.1.1.dylib, libssl.1.1.dylib	libcrypto.3.dylib, libssl.3.dylib	Dynamic
iOS Device (32-bit and 64-bit)	libcrypto.a and libssl.a	libcrypto.a and libssl.a	libcrypto.a and libssl.a	Static
iOS Simulator	libcrypto.dylib, libssl.dylib	libcrypto.1.1.dylib, libssl.1.1.dylib	libcrypto.3.dylib, libssl.3.dylib	Dynamic
Android Device	libcrypto.so, libssl.so	libcrypto.so, libssl.so	libcrypto.so, libssl.so	Dynamic

 

 

Find below how to configure OpenSSL libraries for each platform:

 

• Windows

• OSX

• Android
• iOS

 

openSSL Configurations

sgcWebSockets Indy-based components allow you to configure some OpenSSL properties. Access to the following properties:

 

• Server Components: SSLOptions.OpenSSL_Options.
• Client Components: TLSOptions.OpenSSL_Options.

 

API Version

 

Standard Indy library only allows loading 1.0.2 OpenSSL libraries; these libraries have been deprecated and the latest OpenSSL releases use the 1.1.1 API.

sgcWebSockets Enterprise allows you to load 1.1.1 openSSL libraries, you can configure in this property which openSSL API version will be loaded. Only one API version can be loaded by process (so you can't mix openSSL 1.0.2 and 1.1.1 libraries in the same application).

 

 

LibPath

 

This property allows you to set the location of openSSL libraries. This is useful for Android or OSX projects, where the location of the openSSL libraries must be set.

Accepts the following values:

 

• oslpNone: this value doesn't set any library path value (is the value by default).
• oslpDefaultFolder: this value sets the default folder of openSSL libraries. This path is different for every personality (windows, osx...).

 

 

Load Additional OpenSSL Functions

Use a callback to load additional OpenSSL functions not defined by default. You can read more at OpenSSL Load Additional Functions.

 

Ciphers

If you want to provide support for TLS 1.2 and 1.3 on your server and using the best security and performance, use the following configuration:

 

SSLOptions.Version := tls1_3;

SSLOptions.OpenSSL_Options.VersionMin := tls1_2;

SSLOptions.OpenSSL_Options.APIVersion := oslAPI_3_0;

 

And set the following cipher list.

 

AEAD-AES128-GCM-SHA256:AEAD-AES256-GCM-SHA384:AEAD-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

 

Self-Signed Certificates

You can use self-signed certificates for testing purposes. You only need to execute the following command to create a self-signed certificate:

 

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

It will create 2 files: cert.pem (certificate) and key.pem (private key). You can combine both files into a single one. Just create a new file and copy the content of both files into it. So you will have a structure like this:

 

-----BEGIN PRIVATE KEY-----

....

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

....

-----END CERTIFICATE-----

 

Common Errors

SSL_GET_RECORD: wrong version number

 

This error means that the server and the client are using different versions of the SSL/TLS protocol. To fix it, try to set the correct version in the server and/or client component.

 

Server.SSLOptions.Version

Client.TLSOptions.Version

 

SSL3_GET_RECORD: decryption failed or bad record mac

 

Usually this error is raised when:

 

1. Check that you are using the latest OpenSSL version. If it is too old, update to the latest supported version.

2. If this error appears randomly, it is usually because more than one thread is accessing the OpenSSL connection. You can try to set NotifyEvents = neNoSync which means that the events: OnConnect, OnDisconnect, OnMessage... will be fired in the context of thread connection, this avoids some synchronization problems and provides better performance. As a down side, if for example you are updating a visual control in a form when you receive a message, you must implement your own synchronization methods because visual controls are not thread-safe.