Delphi_SChannelTLS
v1.0.0
SChannel is Windows built-in implementation of TLS protocols. This allows supporting secure connections without any external library.
Repo contains:
SChannel.Utils.pas - unit with transport-agnostic helper functions for easy implementation of TLS communication by means of Windows SChannel.
SChannel.SyncHandshake.pas - sample of transport-agnostic synchronous TLS handshake using callback functions for real communication
SChannel.Jwa*.pas - API declarations borrowed from JEDI project
SChannel.IcsWSocket.pas - ICS TWSocket descendant that performs TLS communication
Demo - demo project for performing any textual (mainly HTTPS) requests via secure connection
Enable TLS 1.1 and 1.2 for W7.reg - registry patch that enables TLS 1.1 and 1.2 on Windows 7 (these are actual protocol versions that are not enabled by default on W7)
There are no installable components - you can just download sources, add paths and use units. But if you prefer packages, there are two of them created with RAD XE2. Just open one of them in IDE and it should upgrade the package to current version.
SChannel_XE2.dproj contains all units except ICS socket. Use it if you have no ICS installedSChannel_XE2_ICS.dproj contains all units including ICS socket in SChannel.IcsWSocket.pas. Requires ICS installedBoth packages are configured to build units to ..Bin$(Config)$(Platform) to reduce mess and avoid recompiling SChannel units each time a project is built. So you can add SChannelBinRelease$(Platform) to your Search path and SChannelSource to Browsing path. In this case don't forget to build the package for all platforms you use. After that installation is complete.
Installation via Delphinus package manager is also possible. However, it's an initial version that has some limitations:
This project was started because I needed TLS in my Delphi apps and didn't like shipping two OpenSSL libs. Initial version was 1:1 rewrite of SChannel sample found in Internet. Currently it is used in my 24*7 projects but I implemented only those functions which I needed. I'm not familiar with all this cryptostuff so don't expect advanced certificate validations, secure servers and so on. But if you wish to add something missing I'll consider your PR with pleasure :).
There's SChannel bug that causes functions rarely and randomly return SEC_E_BUFFER_TOO_SMALL or SEC_E_MESSAGE_ALTERED status during handshake. Good description of the issue could be found here (in brief: it only happens on Windows 7 and 8, with TLSv1.2 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipher suites). To deal with the issue, several measures were taken:
Increased number of buffers for handshake (what cURL team did) - didn't help
Added function IsWinHandshakeBug to SChannel.Utils.pas that allows to conveniently check for the bug in except section of a DoClientHandshake call. Just a helper to make special processing like
...
try
DoClientHandshake(FSessionData, FHandShakeData);
except on E: ESSPIError do
// Hide Windows handshake bug and restart the process
if (FHandShakeData.Stage = hssReadSrvHello) and IsWinHandshakeBug(E.SecStatus) then
begin
Log(Format('Handshake bug: "%s", retrying', [E.Message]));
DeleteContext(FHandShakeData.hContext);
DoHandshakeStart;
Exit;
end
else
raise E;
end;
...TSChannelWSocket class from IcsSChannelSocket.pas and PerformClientHandshake function from SChannel.SyncHandshake.pas already implement one-time retrying invisibly to a caller.
Socket class descending from ICS TWSocket that does many things for you. Key features:
Secure property; OnTLSDone and OnTLSShutdown events will signal channel stateSessionData.SharedCreds property. When sessions are shared, handshake becomes significantly shorter so it worths it
