Disabling call to SSL_CTX_set_info_callback() before SSL_free(). It i…

…s preventing subsequent OnStatusInfo/Ex events from being fired for other SSL objects that share the same SSL_CTX object. Disabling call to SSL_CTX_set_cipher_list() when CipherList property is empty. Using OpenSSL's actual compiled default now instead of using a hard-coded default that may be outdated in newer DLLs.
dpcorbett · Jul 16, 2018 · 5966bed · 5966bed
1 parent dbae34d
commit 5966bed
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/Lib/Protocols/IdSSLOpenSSL.pas b/Lib/Protocols/IdSSLOpenSSL.pas
@@ -3252,6 +3252,7 @@ procedure TIdSSLContext.InitContext(CtxMode: TIdSSLCtxMode);
     SSL_CTX_set_default_passwd_cb(fContext, @PasswordCallback);
     SSL_CTX_set_default_passwd_cb_userdata(fContext, Self);
 //  end;
+
   SSL_CTX_set_default_verify_paths(fContext);
   // load key and certificate files
   if (RootCertFile <> '') or (VerifyDirs <> '') then begin    {Do not Localize}
@@ -3293,13 +3294,20 @@ procedure TIdSSLContext.InitContext(CtxMode: TIdSSLCtxMode);
       {$ENDIF}
     );
   end else begin
+    // RLebeau: don't override OpenSSL's default.  As OpenSSL evolves, the
+    // SSL_DEFAULT_CIPHER_LIST constant defined in the C/C++ SDK may change,
+    // while Indy's define of it might take some time to catch up.  We don't
+    // want users using an older default with newer DLLs...
+    {
     error := SSL_CTX_set_cipher_list(fContext,
       {$IFDEF USE_MARSHALLED_PTRS}
       M.AsAnsi(SSL_DEFAULT_CIPHER_LIST).ToPointer
       {$ELSE}
       SSL_DEFAULT_CIPHER_LIST
       {$ENDIF}
     );
+    }
+    error := 1;
   end;
   if error <= 0 then begin
     // TODO: should this be using EIdOSSLSettingCipherError.RaiseException() instead?
@@ -3437,6 +3445,9 @@ function TIdSSLContext.SetSSLMethod: PSSL_METHOD;
 
       Todo:  Figure out a better fallback.
       }
+      // TODO: get rid of this fallack!  If the user didn't choose TLS 1.0, then
+      // don't falback to it, just fail instead, like with all of the other SSL/TLS
+      // versions...
     sslvTLSv1:
       Result := SelectTLS1Method(fMode);
     sslvTLSv1_1:
@@ -3562,10 +3573,12 @@ destructor TIdSSLSocket.Destroy;
   if fSSL <> nil then begin
     // TODO: should this be moved to TIdSSLContext instead?  Is this here
     // just to make sure the SSL shutdown does not log any messages?
+    {
     if (fSSLContext <> nil) and (fSSLContext.StatusInfoOn) and
        (fSSLContext.fContext <> nil) then begin
       SSL_CTX_set_info_callback(fSSLContext.fContext, nil);
     end;
+    }
     //SSL_set_shutdown(fSSL, SSL_SENT_SHUTDOWN);
     SSL_shutdown(fSSL);
     SSL_free(fSSL);