How to Force TLS1.2 Connection? #769

Open
Alyssonpp opened this issue Aug 30, 2024 · 7 comments

@Alyssonpp

I need to integrate with a Bank's API (Banco do Brasil) and it requires the use of TLS1.2. Even if I pass the parameter below, it has no effect and I receive a security error. Is there any way to form the connection using TLS1.2?

Res:= fRESTClient
       .SetBearerAuthorization(GetToken)
       .SetClientCertificate(CertStream, TConstantes.SenhaCertificadoA1)
       .SecureProtocols([THTTPSecureProtocol.TLS12])
       .Get(Url_Pix);

@Alyssonpp
Author

It appears that because it informs .SecureProtocols([THTTPSecureProtocol.TLS12]) it is not being respected, causing the bank to reject the request with the message: Error sending data: (12175) Security error

Has anyone else experienced this?

@Alyssonpp
Author

I had to migrate to the Indy components, and with that it worked perfectly. So it is clear that DMVC today is not using TLS 1.2, but I believe it is possible to adjust this in the framework core.

@Alyssonpp
Author

It still continues

@Alyssonpp Alyssonpp reopened this Sep 1, 2024
@joaoduarte19
Collaborator

I simulated a connection that only accepts TLS 1.2 and the problem did not occur. So it is probably some additional validation that the API you are accessing requires.

program Project1;

{$APPTYPE CONSOLE}

{$R *.res}

uses
  System.SysUtils,
  MVCFramework.RESTClient.Intf,
  MVCFramework.RESTClient;

var
  LResponse: IMVCRESTResponse;
begin
  try
    LResponse := TMVCRESTClient.New
      .SecureProtocols([THTTPSecureProtocol.TLS12])
      .Get('https://test-tls12.messagemedia.com');
    Writeln(LResponse.Content);
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
  Readln;
end.


@Alyssonpp
Author

Yes, I carried out your test and in fact we have the return as "TLS 1.2". In fact it is something on the Banco do Brasil side, or some encryption that is not accepted by BB. I opened a forum thread at the Bank in order to try to investigate. I don't know if I will have any progress on this, but for now I had to migrate to Indy for these requests.

@Alyssonpp
Author

We will follow up and let you know when we hear back from the Bank.

@Alyssonpp
Author

Good evening,

For requests to be served on PIX/v2, BB requires, in addition to TLS 1.2 (exclusively), the certificates previously submitted via the Developers Portal for the desired API, with the CRT+KEY files generated from it via OpenSSL.

This security error message does not appear to have been sent by our environment.

Another characteristic is that only the ciphers below are supported:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

If your application sends requests according to the specifications above, they should be served normally.

I believe this is the point, the cipher!!!

Is there any way to adjust this?

@Alyssonpp Alyssonpp reopened this Sep 5, 2024
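
A diagnostic for the cipher requirement quoted in the last comment, as an added example that is not part of the original thread or of the DMVCFramework code: it captures the ClientHello that a TLS 1.2-only client sends and reports which of the two listed suites are not offered. It uses Python's ssl module (OpenSSL) rather than the Delphi client; the hostname, function names and sample cipher strings are assumptions for illustration.

```python
import ssl
import struct

# Suites listed in the bank's reply: IANA code point -> (IANA name, OpenSSL name).
REQUIRED = {
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384"),
}

def tls12_context(cipher_string):
    """Client context pinned to TLS 1.2 with the given OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx

def client_hello(ctx, hostname="api.example.test"):  # placeholder hostname
    """Start a handshake into memory BIOs (no network) and return the ClientHello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def offered_suites(record):
    """Parse the cipher_suites list out of a raw TLS ClientHello record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    pos += 1 + record[pos]      # skip session_id (length-prefixed)
    (length,) = struct.unpack_from("!H", record, pos)
    pos += 2
    return [c[0] for c in struct.iter_unpack("!H", record[pos:pos + length])]

def missing_required(ctx):
    """IANA names of the required suites that this client does not offer."""
    offered = set(offered_suites(client_hello(ctx)))
    return [REQUIRED[c][0] for c in sorted(REQUIRED) if c not in offered]

if __name__ == "__main__":
    wanted = ":".join(openssl_name for _, openssl_name in REQUIRED.values())
    print("missing:", missing_required(tls12_context(wanted)))
```

`offered_suites` also accepts a ClientHello record taken from a packet capture of the real client, which is the way to check what a non-Python HTTP stack actually offers.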