Discussion:
Indy 10, POP3 and SSL/TLS
Sasa Zeman
2006-04-21 11:15:21 UTC
I have begun using Indy 10 (indy10.0.52_source.zip) instead of Indy 9
(9.0.14) in order to use SSL/TLS and the POP3 client.

The only components used are TIdSSLIOHandlerSocketOpenSSL and TIdPOP31.
The additionally provided OpenSSL libraries (ver. 0.96) are used.
Differences and difficulties experienced in comparison with Indy 9:

1. Even without SSL IO Handler components, an application with the POP3
component triggers the firewall immediately after the application starts,
not after the first attempt to connect. I assume this is normal behavior
for Indy 10.

2. When using SSL/TLS, only the implicit approach works. The other
possibilities (explicit or required TLS) are not functioning, or there is
a need to use some other component.

3. Is there a page comparing the main differences between Indy 9 and the
current version of Indy 10? Reading the documentation is currently
difficult, due to quite limited spare time.

Thanks in advance.

Sasa
--
www.szutils.net
Remy Lebeau (TeamB)
2006-04-21 17:13:11 UTC
Post by Sasa Zeman
I have begun using Indy 10 (indy10.0.52_source.zip) instead
of Indy 9 (9.0.14) in order to use SSL/TLS and the POP3 client.
10.0.52 is an old version. You should consider using the current 10.1.5
snapshot instead.
Post by Sasa Zeman
The only components used are TIdSSLIOHandlerSocketOpenSSL
and TIdPOP31. The additionally provided
OpenSSL libraries (ver. 0.96) are used.
Older Indy versions required the use of custom OpenSSL DLLs. Did you
install those files?

Recent updates to Indy 10 allow it to now use the standard OpenSSL DLLs
instead. No more custom DLLs.
Post by Sasa Zeman
Even without SSL IO Handler components, an application with the POP3
component triggers the firewall immediately after the application starts,
not after the first attempt to connect. I assume this is normal behavior
for Indy 10.
That likely has nothing to do with Indy.
Post by Sasa Zeman
When using SSL/TLS, only the implicit approach works. The other
possibilities (explicit or required TLS) are not functioning
Just saying it doesn't work says nothing at all about the actual problem you
are having. What EXACTLY is happening?
Post by Sasa Zeman
or there is a need to use some other component.
Did you attach any SASL components to the TIdPOP3? What did you assign to
the AuthType property?
Post by Sasa Zeman
Is there a page comparing the main differences between
Indy 9 and the current version of Indy 10?
No.


Gambit
Sasa Zeman
2006-04-21 20:09:58 UTC
Post by Remy Lebeau (TeamB)
Older Indy versions required the use of custom OpenSSL DLLs. Did you
install those files?
As mentioned, the only things used are:

1. TIdPOP31
2. TIdSSLIOHandlerSocketOpenSSL
3. OpenSSL libraries 0.96 (two DLLs), downloaded from Fulgan and copied
to the application directory.

Implicit SSL works correctly, set through the POP3 component. The other
SSL types return no error; they simply freeze the application.
Post by Remy Lebeau (TeamB)
Recent updates to Indy 10 allow it to now use the standard OpenSSL
DLLs instead. No more custom DLLs.
After updating to 10.1.5, the application reports that it cannot load the
OpenSSL libraries present in the directory. Perhaps it is required to copy
them to the system32 folder, but that is not preferred currently.
Post by Remy Lebeau (TeamB)
That likely has nothing to do with Indy.
1. Application with Indy 9 - triggers the firewall on the first Connect
request
2. The same application with Indy 10 - triggers the firewall when the
application starts

This implies that Indy 10 tries to access the internet during POP3
component initialization. I am just interested in the cause of it.
Post by Remy Lebeau (TeamB)
Just saying it doesn't work says nothing at all about the actual
problem you are having. What EXACTLY is happening?
It freezes the application (the POP3 example above) instead of returning
an error. Is there a simple example of using SASL components available,
instead of downloading the complete 20MB file over a 56Kbps dial-up
connection? The online documentation page seems to be currently
unavailable.

Sasa
--
www.szutils.net
Remy Lebeau (TeamB)
2006-04-21 21:17:47 UTC
Post by Sasa Zeman
After updating to 10.1.5, the application reports that it cannot load
the OpenSSL libraries present in the directory.
What EXACTLY does it say? 10.1.5 has been tested with the latest OpenSSL
version, so you probably just didn't set the files up right.
Post by Sasa Zeman
Perhaps it is required to copy them to the system32 folder
No.
Post by Sasa Zeman
1. Application with Indy 9 - triggers the firewall on the first Connect
request
2. The same application with Indy 10 - triggers the firewall when the
application starts
When you say "trigger the firewall", what EXACTLY is happening?
Post by Sasa Zeman
This implies that Indy 10 tries to access the internet during POP3
component initialization.
It does not.


Gambit
Sasa Zeman
2006-04-22 10:11:23 UTC
Post by Remy Lebeau (TeamB)
Post by Sasa Zeman
After updating to 10.1.5, the application reports that it cannot load
the OpenSSL libraries present in the directory.
What EXACTLY does it say? 10.1.5 has been tested with the latest
OpenSSL version, so you probably just didn't set the files up right.
Which version exactly should be loaded from http://www.openssl.org/ for
the latest dev. Indy 10 snapshot? All current files are downloaded
from Fulgan, and there is no newer OpenSSL version available than 0.96.
Post by Remy Lebeau (TeamB)
Post by Sasa Zeman
1. Application with Indy 9 - triggers the firewall on the first Connect
request
2. The same application with Indy 10 - triggers the firewall when the
application starts
When you say "trigger the firewall", what EXACTLY is happening?
It happened exactly as I wrote. By "trigger the firewall" I mean that the
firewall shows that the application tries to access the internet at that
specific moment. That differs from Indy 9.
Post by Remy Lebeau (TeamB)
Post by Sasa Zeman
This implies that Indy 10 tries to access the internet during POP3
component initialization.
It does not.
I wrote exactly what happens, and I'm unable to provide more precise
information than that. I do not see anything else that causes that
specific behavior.


Sasa
--
www.szutils.net
Ciaran Costelloe
2006-04-22 22:36:24 UTC
Post by Sasa Zeman
Post by Remy Lebeau (TeamB)
Post by Sasa Zeman
This implies that Indy 10 tries to access the internet during POP3
component initialization.
It does not.
I wrote exactly what happens, and I'm unable to provide more precise
information than that. I do not see anything else that causes that
specific behavior.
Use a packet sniffer like the free Ethereal at http://www.ethereal.com/
to show you exactly what packet is triggering the firewall.

Ciaran
Remy Lebeau (TeamB)
2006-04-24 19:37:20 UTC
Post by Sasa Zeman
Which version exactly should be loaded from http://www.openssl.org/ for
the latest dev. Indy 10 snapshot?
As I said earlier, the latest version - which is 0.9.8a
Post by Sasa Zeman
All current files are downloaded from Fulgan
Which is your first problem...
Post by Sasa Zeman
and there is no available newer OpenSSL version than 0.96.
You are not downloading the official OpenSSL DLLs to begin with. As I told
you earlier, the OpenSSL files on the mirrors are Indy's custom versions of
OpenSSL. For a LONG time, Indy could not use the official OpenSSL DLLs at
all, and as such Indy was usually several versions behind on security
updates. That is no longer the case.
Post by Sasa Zeman
It happened exactly as I wrote. By "trigger the firewall" I mean that the
firewall shows that the application tries to access the internet at that
specific moment. That differs from Indy 9.
There is nothing in TIdPOP3 that tries to access the Internet before
Connect() is called.


Gambit
Sasa Zeman
2006-04-25 07:09:55 UTC
Post by Remy Lebeau (TeamB)
Post by Sasa Zeman
Which version exactly should be loaded from http://www.openssl.org/
for the latest dev. Indy 10 snapshot?
As I said earlier, the latest version - which is 0.9.8a
Yes, I noticed your suggestion earlier. I intended to formulate the
question as: "Which minimum version..."
Post by Remy Lebeau (TeamB)
There is nothing in TIdPOP3 that tries to access the Internet before
Connect() is called.
I have managed to find some free time to locate the cause. Starting from:

  procedure TIdPOP3.InitComponent;
  begin
    inherited;
    ...

The final breakpoint is the call to gethostname, which actually triggers
the firewall:

  function Stub_gethostname (name: PChar; len: Integer): Integer; stdcall;
  begin
    FixupStub('gethostname', @gethostname); {Do not Localize}
    Result := gethostname(name, len);
  end;

This gives an unexpected result in both cases (on dial-up, whether the
internet connection is established or not): the firewall shows an attempt
to access the last connected IP.

At this point, this is a Windows system library (WS2_32.DLL) issue.

Sasa
--
www.szutils.net
Remy Lebeau (TeamB)
2006-04-25 18:00:21 UTC
Post by Sasa Zeman
  procedure TIdPOP3.InitComponent;
  begin
    inherited;
    ...
The final breakpoint is the call to gethostname, which actually triggers
There are only 4 places throughout Indy where gethostname() is ever called:

- IndyComputerName() in IdGlobalProtocols.pas under Linux only

- ReadHostName() in IdStackDotNet.pas, IdStackLinux.pas, and
IdStackWindows.pas

None of those are called by TIdPOP3 directly. Looking into it further, I
believe the real cause of the issue is in IdStack.pas:

  function IdStackFactory: TIdStack;
  begin
    Result := GStackClass.Create;
    ...
    Result.FHostName := Result.ReadHostName; // <-- here
  end;

That means that the HostName is being read when Indy initializes its socket
API stack at startup. Why that is being done, I do not know.


Gambit
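
Added example (not part of the thread and not Indy's own code): the implicit and required-TLS configurations discussed in the thread, side by side, with timeouts set so that a stalled connect or read raises an exception. `CheckMailbox`, the host and the credentials are hypothetical, and the `ConnectTimeout`/`ReadTimeout` properties are assumed to exist in the installed Indy 10 build.

```delphi
program Pop3TlsModes; // added example; host and credentials are placeholders
{$APPTYPE CONSOLE}
uses
  SysUtils, IdPOP3, IdSSLOpenSSL, IdExplicitTLSClientServerBase;

// Hypothetical helper: one login in the given TLS mode, returns the message count.
function CheckMailbox(const AHost, AUser, APass: string;
  AMode: TIdUseTLS; APort: Integer): Integer;
var
  POP3: TIdPOP3;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  POP3 := TIdPOP3.Create(nil);
  try
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(POP3); // owned and freed by POP3
    SSL.SSLOptions.Method := sslvTLSv1; // newest protocol OpenSSL 0.9.8a offers
    POP3.IOHandler := SSL;              // assign the SSL handler before UseTLS
    POP3.UseTLS := AMode;
    POP3.Host := AHost;
    POP3.Port := APort;                 // assigned after UseTLS so this value is used
    POP3.Username := AUser;
    POP3.Password := APass;
    // Assumed properties: a stalled connect or read raises after 10 s.
    POP3.ConnectTimeout := 10000;
    POP3.ReadTimeout := 10000;
    POP3.Connect;                       // AutoLogin sends the credentials
    try
      Result := POP3.CheckMessages;
    finally
      POP3.Disconnect;
    end;
  finally
    POP3.Free;
  end;
end;

begin
  try
    // Implicit TLS: handshake first, POP3 greeting inside the tunnel (port 995).
    Writeln('implicit: ', CheckMailbox('pop.example.com', 'user', 'secret',
      utUseImplicitTLS, 995));
    // Required TLS: plaintext greeting on 110, then STLS; Indy raises if STLS is not offered.
    Writeln('required: ', CheckMailbox('pop.example.com', 'user', 'secret',
      utUseRequireTLS, 110));
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```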
