How to enforce tls 1.x using wininet - c++

I'm using wininet library in my aplication, after it turned out that sslv3 loooves poodle, some websites turn it off, and my aplication does not working on some PC's unless user set in Internet settings in windows to use TLS 1.X. Does anyone know way to force wininet to use tls 1.x connection ?

Wininet uses schannel.dll for the SSL/TLS communication and will automatically negotiate TLS if the server side offers TLS. There is nothing for you to do.
I should add that TLS support varies based on Windows version. For up to date TLS support, the minimum Windows versions are Win 7 and Win 2008 R2.
Detail: https://learn.microsoft.com/en-us/archive/blogs/kaushal/support-for-ssltls-protocols-on-windows

Related

TLS for Windows Store and Windows 7+ Desktop

I want a client/server C++ application that can use TLS for secure communication, including client certificates, and potential to select and validate certificates myself.
I have used Schannel to do this before, but the key InitializeSecurityContext is marked [desktop apps only].
Have Microsoft provided a new equivalent API?
Although in theory I could replace the whole thing (since in the end, I can still have a normal plaintext TCP socket) I would rather stick to OS components if possible.

Configure Microsoft C++ Rest SDK to use TLS 1.1 or 1.2

How is the Microsoft C++ Rest SDK for http_client configured to connect using TLS 1.1 or 1.2? It is failing to connect because it is using a lower level of TLS that the server does not accept. I don't see how to configure it to set the TLS level of the client.
The SDK does not have a setting for TLS version.
On Windows, the library is based on WinHttp. Thus the library uses WinHttp defaults, which varies between Windows versions. See Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows for details. You can use WinHttpSetOption to change the WINHTTP_OPTION_SECURE_PROTOCOLS option yourself if the default is unacceptable.
On Linux the SDK uses boost::asio::ssl::context::sslv23 which I think already supports TLS 1.1 and 1.2. For fine control you can call SSL_CTX_set_options.
Microsoft C++ Rest supports TLS 1.1 and 1.2 in version 2.10 and higher. Here is section of http_client_winhttp.cpp that does this:
// Enable TLS 1.1 and 1.2
#if !defined(CPPREST_TARGET_XP)
BOOL win32_result(FALSE);
DWORD secure_protocols(WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 | WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2);
win32_result = ::WinHttpSetOption(
m_hSession, WINHTTP_OPTION_SECURE_PROTOCOLS, &secure_protocols, sizeof(secure_protocols));
if (FALSE == win32_result)
{
return GetLastError();
}
#endif

Using OpenSSL in Delphi webservice - available protocols and ciphers

I'm a bit confused about using OpenSSL in my Delphi webservice in relation to the available ciphers for a HTTPS connection.
Setup:
My webservice runs on a client's server. OpenSSL is installed there. The webservice uses Indy (a TIdHTTPWebBrokerBridge) and the OpenSSL DLLs (with TIdServerIOHandlerSSLOpenSSL) to load the client's certificate
Our Android/iOS apps connect to this webservice over HTTPS
The client has configured a domain and IP that the app users can connect to and reach my webservice. If we test that domain using e.g. the SSLLabs server test we get an overview of the supported ciphers and protocols (SSLLabs even mimics handshakes from devices and browsers and shows what ciphers were negotiated).
Question: Is there anything my webservice (in combination with OpenSSL) has to do/can do to influence the available ciphers for the TLS handshake between app and webservice? Is there anything additional that needs to be setup with OpenSSL?
I thought the answer is 'no', i.e. that it is just the server setup that (in the handshake with the app through Android/iOS) determines which cipher to use from the available server ones. Is this a correct assumption? Or do I miss something?
(As a matter of fact, I am not actually interested in limiting or expanding the available ciphers, but the client insists that something "should be done" in/with the webservice/OpenSSL to have it communicate "safely" with the apps. The SSLLabs test shows that their domain only supports TLS 1.0 and ciphers with the RSA key exchange mechanism, so e.g. no Perfect Forward Secrecy. To me, that looks like something that needs to be fixed anyway).
Notes:
This SO question suggests I may have to do something, but it has no answers.
I posted an earlier somewhat related question, but that has no answers.
This SO post states OpenSSL honors the client's cipher preference, not the server's, during the SSL handshake, which again suggest there are things I can do?
I had some doubts whether this question is in the proper place here (also because Why we are not customer support), but since this may be relevant to more programmers I decided to put it on SO.
You can specify available ciphers via TIdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList (as well as SSL/TLS versions via TIdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions).
If you want Perfect Forward Secrecy, you has to create DHParam keys using openssl.exe (fill TIdServerIOHandlerSSLOpenSSL.SSLOptions.DHParamsFile by result file name). If you want not only DHE, but ECDHE ciphers you need to call some additional openssl api, see a Support for Perfect Forward Secrecy in SSL with indy 10 for example.

How to write client and server with TLS encryption in Qt?

I am relatively new to Qt and have no experience in network programming. I am trying to write a minimal TCP-client-server connection with TLS encryption in Qt using the QSslSocket class. So far I established a connection between server and client both running on localhost without encryption. For TLS encryption I found this example on gitHub: https://github.com/GuiTeK/Qt-SslServer
and followed carefully the given instructions (including the OpenSSL installation). Nevertheless I can not establish a connection between client and server (even if I set timeout to -1). The error messages for the server and client are depicted below.
Can anybody help me with that ? If someone has complete code examples in Qt for client and server which exchange data via TCP using encryption SSL encryption I would highly appreciate. I am working with QtCreator running Qt 5.5.0 MSVC2013 64 bit.
Launch Qt Creator. On Welcome screen hit "Examples" button. Then at search box write "ssl". You will see several fully working Qt examples for ssl clients and servers. This is the good place for start. Also read this link.

wince 6 smart device Could not establish secure channel for SSL / TLS error

I have a web service which i need to access through https. We have a workbout pro 4 with win ce 6.0 running on it. When we were developing our app we had tested it through http. wihtout any problem. When we went live and needed access to https based server we have received the error stated on subject field under VS 2008 Smart Device Project. On the device we receive an error "could not display..." . We have tried to import the standard certificate issued by global si. We still have no success accessing the web service. We can acces the web service on phone, tablet, pc but not with Pro 4:). It would be kind if anyone can share his/her experience with https based web service access or can guide us to over come our problem.
Secure connection is not implemented on CE fully. Something to do with cert management. Here is what i am considering for my project and it gives a little more info what the issue is. http://labs.rebex.net/HTTPS
Here is some quotes from the site in case its down or something.
.NET Compact Framework does not support TLS 1.2, 1.1, SNI or SHA-2
based certificates.
.NET CF's HttpWebRequest is outdated. It does not support TLS 1.2 or
1.1, it doesn't support Server Name Identification (SNI), and it does not support SHA-2 in X509 certificates. It also suffers from several
authentication-related bugs with no known workaround. This makes it
unusable in a growing number of scenarios, and Microsoft will never
fix this because it no longer cares about these legacy platforms.
Fortunately, it's now possible to work around these shortcomings using
a beta version of Rebex HTTPS library. It features a HttpWebRequest
replacement object for .NET Compact Framework that plugs into the
existing .NET CF WebRequest API and provides the features the default
HTTP/HTTPS provider lacks. Most importantly, it adds support for TLS
1.2, TLS 1.1, SNI and SHA-2, it works even on old devices based on Windows CE 5.0 and it makes it simple to add TLS 1.2 support to
existing SOAP web service clients.
We had a similar issue on CE 7.0.
HTTPS connections using SHA1 certificates would work, however ones with SHA2 certificates would return the error
Could not establish trust relationship with remote server
If possible, try testing your code against a host that uses a SHA1 certificate to see if the issue might be related to missing SHA2 support in CE 6.0.
I should mention that we never formally approached Microsoft to get confirmation on whether SHA2 was supported or not in CE 6.0/7.0, it was just our conclusion after numerous tests that it wasn't.