
[델파이 - DELPHI] HTTPS 서버 사용시 다른 포트 바인딩 주의점

by Jcoder 2020. 11. 24.

uses
  IdSSLOpenSSL, Vcl.StdCtrls, IdIOHandler, IdIOHandlerSocket, IdIOHandlerStack, IdSSL, IdBaseComponent,
  IdComponent, IdTCPConnection, IdTCPClient, IdHTTP, IdServerIOHandler, IdCustomTCPServer, IdCustomHTTPServer, IdHTTPServer,
  IdSocketHandle;

 

type
  { Demo form: creates and configures an HTTPS TIdHTTPServer from a button click. }
  TForm7 = class(TForm)
    Button2 : TButton;
    // NOTE(review): Button1Click is declared, but no Button1 component appears in this listing.
    procedure Button1Click(Sender : TObject);
    procedure Button2Click(Sender : TObject);
    // OnQuerySSLPort handler: answers whether the port a client connected on
    // carries TLS. It only runs if it is assigned to the server's
    // OnQuerySSLPort property; required when binding a port other than 443
    // (and, per the notes below this listing, the default became False in Delphi 10.4).
    procedure IdHTTPServerQuerySSLPort(APort : Word; var VUseSSL : Boolean);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

 

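procedure TForm7.Button2Click(Sender : TObject);
{ Builds an HTTPS TIdHTTPServer bound to 127.0.0.1:443 with an OpenSSL server
  IO handler, wires the OnQuerySSLPort handler and activates the server.
  The finally block frees everything again, so this click handler only
  demonstrates the configuration; a server that should keep serving has to
  live in a form field rather than a local variable.
  Sender: the clicked button; not used. }
var
  IdHTTPServer                : TIdHTTPServer;
  IdServerIOHandlerSSLOpenSSL : TIdServerIOHandlerSSLOpenSSL;
  Binding                     : TIdSocketHandle;
begin
  IdHTTPServer                := TIdHTTPServer.Create(self);
  IdServerIOHandlerSSLOpenSSL := TIdServerIOHandlerSSLOpenSSL.Create(self);
  try
    IdHTTPServer.IOHandler := IdServerIOHandlerSSLOpenSSL;

    // Configure ONE binding through a single TIdSocketHandle. The earlier
    // form, "Bindings.Add.IP := ..." followed by "Bindings.Add.Port := ...",
    // called Add twice and so created two listeners: 127.0.0.1 on the default
    // port, and port 443 with an empty IP (not limited to loopback), which
    // silently defeats the loopback-only intent.
    Binding      := IdHTTPServer.Bindings.Add;
    Binding.IP   := '127.0.0.1';
    Binding.Port := 443; // HTTPS default. Any other port is only served as HTTPS
                         // if OnQuerySSLPort answers VUseSSL := True for it.

    // The handler declared on the form does nothing until it is assigned.
    // Without it (and on Delphi 10.4, where the default answer is False) a
    // non-443 port is treated as plain HTTP: the client's TLS handshake is
    // parsed as an HTTP request and rejected (EIdHTTPErrorParsingCommand).
    IdHTTPServer.OnQuerySSLPort := IdHTTPServerQuerySSLPort;

    IdServerIOHandlerSSLOpenSSL.SSLOptions.CertFile    := 'cert 파일 경로';
    IdServerIOHandlerSSLOpenSSL.SSLOptions.KeyFile     := 'key 파일 경로';
    IdServerIOHandlerSSLOpenSSL.SSLOptions.SSLVersions := [sslvTLSv1_2]; // TLS 1.2 only

    { Optional hardening: restrict the negotiable cipher suites, e.g.
        IdServerIOHandlerSSLOpenSSL.SSLOptions.CipherList := '<colon-separated OpenSSL cipher names>';

      The names below are the author's original candidate list, kept verbatim.
      NOTE(review): by current standards this is NOT a "weak ciphers removed"
      list. It still contains single DES (DES-CBC-SHA, EDH-*-DES-CBC-SHA,
      DH-*-DES-CBC-SHA), 3DES (*-DES-CBC3-SHA, *-3DES-EDE-CBC-SHA), IDEA,
      static (non-ephemeral) DH/ECDH suites and SRP/PSK suites, none of which
      provide forward secrecy or are still recommended. If a CipherList is set,
      keep the ECDHE-* AEAD (GCM) entries and drop the rest before deploying.

      SRP-DSS-AES-256-CBC-SHA  SRP-RSA-AES-256-CBC-SHA  SRP-AES-256-CBC-SHA
      DH-DSS-AES256-GCM-SHA384  DHE-DSS-AES256-GCM-SHA384  DH-RSA-AES256-GCM-SHA384  DHE-RSA-AES256-GCM-SHA384
      DHE-RSA-AES256-SHA256  DHE-DSS-AES256-SHA256  DH-RSA-AES256-SHA256  DH-DSS-AES256-SHA256
      DHE-RSA-AES256-SHA  DHE-DSS-AES256-SHA  DH-RSA-AES256-SHA  DH-DSS-AES256-SHA
      DHE-RSA-CAMELLIA256-SHA  DHE-DSS-CAMELLIA256-SHA  DH-RSA-CAMELLIA256-SHA  DH-DSS-CAMELLIA256-SHA
      ECDH-RSA-AES256-GCM-SHA384  ECDH-ECDSA-AES256-GCM-SHA384  ECDH-RSA-AES256-SHA384  ECDH-ECDSA-AES256-SHA384
      ECDH-RSA-AES256-SHA  ECDH-ECDSA-AES256-SHA
      AES256-GCM-SHA384  AES256-SHA256  AES256-SHA  CAMELLIA256-SHA  PSK-AES256-CBC-SHA
      SRP-DSS-AES-128-CBC-SHA  SRP-RSA-AES-128-CBC-SHA  SRP-AES-128-CBC-SHA
      DH-DSS-AES128-GCM-SHA256  DHE-DSS-AES128-GCM-SHA256  DH-RSA-AES128-GCM-SHA256  DHE-RSA-AES128-GCM-SHA256
      DHE-RSA-AES128-SHA256  DHE-DSS-AES128-SHA256  DH-RSA-AES128-SHA256  DH-DSS-AES128-SHA256
      DHE-RSA-AES128-SHA  DHE-DSS-AES128-SHA  DH-RSA-AES128-SHA  DH-DSS-AES128-SHA
      DHE-RSA-CAMELLIA128-SHA  DHE-DSS-CAMELLIA128-SHA  DH-RSA-CAMELLIA128-SHA  DH-DSS-CAMELLIA128-SHA
      ECDH-RSA-AES128-GCM-SHA256  ECDH-ECDSA-AES128-GCM-SHA256  ECDH-RSA-AES128-SHA256  ECDH-ECDSA-AES128-SHA256
      ECDH-RSA-AES128-SHA  ECDH-ECDSA-AES128-SHA
      AES128-GCM-SHA256  AES128-SHA256  AES128-SHA  CAMELLIA128-SHA  IDEA-CBC-SHA  PSK-AES128-CBC-SHA
      SRP-DSS-3DES-EDE-CBC-SHA  SRP-RSA-3DES-EDE-CBC-SHA  SRP-3DES-EDE-CBC-SHA
      EDH-RSA-DES-CBC3-SHA  EDH-DSS-DES-CBC3-SHA  DH-RSA-DES-CBC3-SHA  DH-DSS-DES-CBC3-SHA
      ECDH-RSA-DES-CBC3-SHA  ECDH-ECDSA-DES-CBC3-SHA  PSK-3DES-EDE-CBC-SHA
      EDH-RSA-DES-CBC-SHA  EDH-DSS-DES-CBC-SHA  DH-RSA-DES-CBC-SHA  DH-DSS-DES-CBC-SHA  DES-CBC-SHA
      ECDHE-RSA-AES256-GCM-SHA384  ECDHE-ECDSA-AES256-GCM-SHA384  ECDHE-RSA-AES256-SHA384  ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES256-SHA  ECDHE-ECDSA-AES256-SHA
      ECDHE-RSA-AES128-GCM-SHA256  ECDHE-ECDSA-AES128-GCM-SHA256  ECDHE-RSA-AES128-SHA256  ECDHE-ECDSA-AES128-SHA256
      ECDHE-RSA-AES128-SHA  ECDHE-ECDSA-AES128-SHA
      ECDHE-RSA-DES-CBC3-SHA  ECDHE-ECDSA-DES-CBC3-SHA
    }

    IdHTTPServer.Active := True;
  finally
    // Demo teardown: stops and frees the server and its IO handler right
    // away, so nothing is served after this handler returns.
    IdServerIOHandlerSSLOpenSSL.DisposeOf;
    IdHTTPServer.DisposeOf;
  end;
end;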

 

procedure TForm7.IdHTTPServerQuerySSLPort(APort : Word; var VUseSSL : Boolean);
{ OnQuerySSLPort handler. The server asks, for the port a client connected
  on, whether the connection is TLS. Answering True unconditionally makes
  every binding of this server HTTPS regardless of its port number, which is
  what lets a port other than 443 work; APort is deliberately ignored.
  Only takes effect if assigned to the server's OnQuerySSLPort property. }
begin
  VUseSSL := True;
end;

 

델파이 10.3.3 Rio에서는 VUseSSL이 기본으로 True로 설정되어 있으나, 델파이 10.4에서는 기본이 False로 설정되어 있어 OnQuerySSLPort 이벤트에서 따로 설정이 필요하다.

 

참고 :

SSL_Connect()의 결과가 다름 (10.4 시드니에서는 실패가 리턴됨)

 

[시드니에서의 SSL_Connect() 부분에 적힌 주석 내용]

remote side, SSL_connect() will fail. In that case, before giving up, try re-connecting using a version-specific method for each enabled version, maybe one will succeed...

= 원격 측에서는 SSL_connect ()가 실패합니다. 이 경우 포기하기 전에 활성화 된 각 버전에 대해 버전 별 방법을 사용하여 다시 연결해보십시오. 성공할 수도 있습니다.

 

[위 내용을 참고하여 SSL_Connect 부분 검색한 결과]

EIdHTTPErrorParsingCommand is raised when TIdHTTPServer receives a malformed HTTP request. Since TIdHTTPServer does not process decrypted HTTPS requests until after an SSL/TLS handshake has been completed first, that implies that your server is not actually trying to perform an SSL/TLS handshake at all and thus is trying to parse the client's SSL/TLS handshake request as if it were an HTTP request. Is your SecurePort set to a non-standard HTTPS port (something other than 443)? If so, make sure your server has an OnQuerySSLPort event handler that returns VUseSSL=True for that port.

= EIdHTTPErrorParsingCommand는 TIdHTTPServer가 잘못된 형식의 HTTP 요청을 수신할 때 발생합니다. TIdHTTPServer는 SSL/TLS 핸드셰이크가 먼저 완료된 뒤에야 복호화된 HTTPS 요청을 처리하므로, 이 예외는 서버가 실제로는 SSL/TLS 핸드셰이크를 전혀 수행하지 않고 클라이언트의 SSL/TLS 핸드셰이크 요청을 HTTP 요청인 것처럼 구문 분석하려 하고 있음을 의미합니다. SecurePort가 비표준 HTTPS 포트(443 이외의 포트)로 설정되어 있습니까? 그렇다면 서버에 해당 포트에 대해 VUseSSL = True를 반환하는 OnQuerySSLPort 이벤트 처리기가 있는지 확인하십시오.