How to Force TLS1.2 Connection?

danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.

Apache License 2.0

1.25k stars 360 forks source link

How to Force TLS1.2 Connection? #769

Open Alyssonpp opened 2 months ago

Alyssonpp commented 2 months ago

I need to integrate with a Bank's API (Banco do Brasil) and it requires the use of TLS1.2, even if I pass the parameter below, it has no effect and I receive a security error. Is there any way to form the connection using TLS1.2?

Res:= fRESTClient
       .SetBearerAuthorization(GetToken)
       .SetClientCertificate(CertStream, TConstantes.SenhaCertificadoA1)
       .SecureProtocols([THTTPSecureProtocol.TLS12])
       .Get(Url_Pix'));

Alyssonpp commented 2 months ago

It appears that because it informs .SecureProtocols([THTTPSecureProtocol.TLS12]) it is not being respected, causing the bank to reject the request with the message: Error sending data: (12175) Security error

Has anyone else experienced this?

Alyssonpp commented 2 months ago

I had to migrate to the indy components, and with that it worked perfectly. So it is clear that DMVC today is not using tls 1.2, but I believe it is possible to adjust this in the framework core.

Alyssonpp commented 2 months ago

Ainda continua

joaoduarte19 commented 2 months ago

I simulated a connection that only accepts TLS 1.2 and the problem did not occur. So it is probably some additional validation that the API you are accessing requires.

program Project1;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  System.SysUtils,
  MVCFramework.RESTClient.Intf,
  MVCFramework.RESTClient;

var
  LResponse: IMVCRESTResponse;
begin
  try
    LResponse := TMVCRESTClient.New
      .SecureProtocols([THTTPSecureProtocol.TLS12])
      .Get('https://test-tls12.messagemedia.com');
    Writeln(LResponse.Content);
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
  Readln;
end.

Alyssonpp commented 2 months ago

Yes, I carried out your test and in fact we have the return as "TSL 1.2" in fact it is something on the Banco do Brasil side, or some encryption that is not accepted by BB, but I opened a forum at the Bank, in order to try to investigate, I don't know I have some progress on this, but for now I had to migrate to Indy for these requests

Alyssonpp commented 2 months ago

seguimos e informo quando tiver o retorno do Banco

We will follow up and let you know when we hear back from the Bank.

Alyssonpp commented 2 months ago

Boa noite,

Para que as requisições sejam atendidas em PIX/v2 o BB exige além do TLS 1.2 (exclusivamente) os certificados previamente enviados via Portal Developers para a API desejada, com os arquivos CRT+KEY gerados a partir do mesmo via open SSL.

Esta mensagem de erro de segurança não parece ter sido enviada por nosso Ambiente.

Outra característica é que são suportadas apenas as cifras abaixo:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Se sua aplicação enviar as requisições conforme especificações acima, deverão ser atendidas normalmente.

Acredito que esse seja o ponto a cifra!!!

I believe this is the point of the figure, is there any way to adjust this?