I don't have expertise with Delphi and TLS using Indy.
Maybe it's not a problem, just configuration; I need examples.
I tried some questions on Stack Overflow too, all unsuccessfully.
Page: https://testesmoleculares.com.br/
Errors:
---------------------------
Debugger Exception Notification
---------------------------
Project IntegradorApoiado.exe raised exception
class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL.
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'.
---------------------------
Break Continue Help
---------------------------
Current config:
LHandler.SSLOptions.Method := sslvSSLv2;
LHandler.SSLOptions.Mode := sslmClient;
LHandler.SSLOptions.SSLVersions := [sslvSSLv2];
Tried:
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
Can someone help?
Maybe by providing an example of a POST? I'm using Delphi XE4.
Thanks!
Github issue:
https://github.com/IndySockets/Indy/issues/317
Tried:
https://stackoverflow.com/a/49061252
ssl v3 poodle and move to tls with indy
Using Indy 10 IdHTTP with TLS 1.2
https://indy.fulgan.com/SSL/?C=M;O=A
Others
Without seeing the actual handshake data, it is difficult to say for sure why it is failing.
However, I will mention that sslvSSLv2 is for SSL v2.0, which nobody uses anymore, as it is no longer secure. Same with sslvSSLv3 (SSL v3.0). So, never use sslvSSLv2 and sslvSSLv3 (unless you HAVE to, for legacy purposes).
sslvTLSv1_2 is for TLS v1.2. A lot of servers are now migrating to this. But many servers haven't fully migrated yet. So, you should enable TLS v1.0 and v1.1 as well for wider acceptance, e.g. (do not use SSLOptions.Method at all, just use SSLOptions.SSLVersions):
LHandler.SSLOptions.Mode := sslmClient;
LHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
By specifying multiple TLS versions, that will allow OpenSSL to negotiate an available version that both peers support.
Also, make sure you are using an up-to-date version of Indy (if you are not already) so that you have all of its fixes for TLS support, such as use of SNI (which many servers now require TLS clients to use).
I can connect to https://testesmoleculares.com.br/ in a web browser using TLS 1.2, so it should be possible to connect to it using TLS 1.2 in Indy as well.
UPDATE: based on additional comments you have posted for this same issue in Indy's issue tracker (#317: TLS - Problems with https://testesmoleculares.com.br/ on Cloudflare), you are using an outdated version of Indy (10.6.0.4975), which does not fully handle TLS 1.2. You need to upgrade to the latest version (10.6.2) in order to use TLS 1.2 properly.
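The question asked for a POST example. The following is an added example, not code from the question, from Remy's answer or from Indy itself. It assumes Indy 10.6.2 or later with the matching OpenSSL 1.0.2 DLLs (libeay32.dll, ssleay32.dll) next to the EXE; the endpoint path, the form fields, the User-Agent string and the CA bundle file name (cacert.pem) are placeholders. It restricts the client to TLS 1.2 only, which is stricter than the TLS 1.0 to 1.2 set recommended above; add sslvTLSv1 and sslvTLSv1_1 to the set if you still have to talk to servers that cannot do 1.2.

```delphi
program TlsPostExample;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdHTTP, IdSSLOpenSSL, IdException;

// Added example; not code from the original question, the answer, or Indy.
// Assumes Indy 10.6.2+ and OpenSSL 1.0.2 DLLs beside the EXE. The URL path,
// form fields and CA bundle path below are placeholders.

function PostOverTls(const AUrl: string; AFields: TStrings;
  const ACaBundle: string): string;
var
  Http: TIdHTTP;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  Http := TIdHTTP.Create(nil);
  try
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Http); // owned by Http
    Ssl.SSLOptions.Mode := sslmClient;
    // Do not touch SSLOptions.Method. List the acceptable versions and let
    // OpenSSL negotiate the highest one both peers support. sslvSSLv2 and
    // sslvSSLv3 are deliberately absent from the set.
    Ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];
    // Encryption alone is not authentication: verify the server chain against
    // a CA bundle and refuse a peer that presents no certificate at all.
    Ssl.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    Ssl.SSLOptions.VerifyDepth := 4;
    Ssl.SSLOptions.RootCertFile := ACaBundle;
    Http.IOHandler := Ssl;
    Http.ConnectTimeout := 10000;
    Http.ReadTimeout := 15000;
    Http.Request.UserAgent := 'IntegradorApoiado/1.0 (Indy)'; // placeholder
    // Post(URL, TStrings) sends application/x-www-form-urlencoded and
    // URL-encodes the name=value pairs for you.
    Result := Http.Post(AUrl, AFields);
  finally
    Http.Free;
  end;
end;

var
  Fields: TStringList;
begin
  Fields := TStringList.Create;
  try
    Fields.Add('codigo=12345'); // placeholder form fields
    Fields.Add('tipo=exame');
    try
      // Endpoint path is assumed; replace it with the real one.
      Writeln(PostOverTls('https://testesmoleculares.com.br/', Fields, 'cacert.pem'));
    except
      // The "sslv3 alert handshake failure" text from the question surfaces
      // here; the message tells you whether the failure is protocol, SNI or
      // certificate related.
      on E: EIdOSSLUnderlyingCryptoError do
        Writeln('TLS handshake failed: ', E.Message);
      on E: EIdException do
        Writeln('Indy error: ', E.ClassName, ': ', E.Message);
    end;
  finally
    Fields.Free;
  end;
end.
```

Without VerifyMode the handler accepts any certificate, so the connection is encrypted but the peer is not authenticated; with it, a certificate the CA bundle cannot validate makes Connect raise instead of silently succeeding.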
Related
I use TIdHTTP for easy GET requests. Mostly it works well, but on some sites I cannot establish a connection even if I try various settings.
I tried to follow answer from here
To truly connect to "any" server, you would have to detect a "wrong version" error and retry with a different specific Method/SSLVersions configuration. Unfortunately, the "wrong version" reply does not include the server's actual version, so you have to use trial-and-error. If SSLv23 fails, try TLSv1_2. If that fails, try TLSv1_1. If that fails, try TLSv1. If that fails, try SSLv3.
But it didn't help.
Exception -
'Error connecting with SSL.error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
Or the understandable "SSL routines:SSL3_GET_RECORD:wrong version number".
But I cannot solve the "SSL3_READ_BYTES:sslv3 alert handshake failure" one at all.
Sample code which reproduces the problem, and examples of websites:
var
  httpSender: TIdHTTP;
  SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  httpSender := TIdHTTP.Create(nil);
  try
    SSL := TIdSSLIOHandlerSocketOpenSSL.Create(httpSender); // freed with httpSender
    SSL.SSLOptions.Method := sslvTLSv1; //or sslvSSLv3, sslvTLSv1, sslvTLSv1_1
    //or
    //SSL.SSLOptions.Method := sslvSSLv23;
    //SSL.SSLOptions.SSLVersions := [sslvSSLv2, sslvSSLv3, sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    httpSender.IOHandler := SSL;
    //exceptions here
    httpSender.Get('https://www.linux.org/');
    //httpSender.Get('https://st.deviantart.net/');
    //httpSender.Get('https://c.tcdn.co/fa4/aa2/fa4aa23e-f55b-11e6-ba87-040157cdaf01/channel256.png');
  finally
    httpSender.Free;
  end;
end;
So how should I configure TIdHTTP for connecting to these websites?
I use Delphi XE8 and OpenSSL 1.0.1e.
None of the sites in your question needs a lower TLS protocol version. They are all perfectly capable of communicating with TLS 1.2 and sometimes even TLS 1.3. But all of these sites work only if the client uses the SNI TLS extension to advertise the target hostname within the TLS handshake.
It is thus more likely that the problem is actually a missing SNI extension. This seems to be a known problem. See "TIdHTTP and TLS SNI doesn't work" for more information and ways to deal with the problem.
I imported WinHTTP and tried to execute a request to an https URL, like this:
function TForm1.GetPage(AURL: String): String;
var
  WinHttpRequest: IWinHTTPRequest;
begin
  CoInitialize(nil);
  try
    WinHttpRequest := CoWinHttpRequest.Create;
    WinHttpRequest.Open('GET', AURL, False);
    WinHttpRequest.Send(EmptyParam);
    Result := WinHttpRequest.ResponseText;
  finally
    WinHTTPRequest := nil;
    CoUninitialize;
  end;
end;
It works on some pages (e.g. https://www.google.com), but not on others (e.g. https://sourceforge.net), with the error "The connection with the server was terminated abnormally".
Are there any additional settings I'm forgetting?
I'm using Delphi 2010.
Most servers have migrated away from accepting SSL incoming traffic in favor of the TLS protocol. Windows 7 and 8 do not have the TLS protocol defined and hence VBA sends traffic with SSL, which is then blocked/dropped by such servers.
You will need to apply a 2-step patch/update to fix this for Windows 7:
Step 1. Get Microsoft Update:
Download relevant (32-bits or 64-bits of user's Windows version)
Microsoft Security Protocol Update and install it if not already installed.
Step 2. Download Microsoft Easy Fix:
Download Microsoft “Easy Fix” from
Microsoft Support Article, and execute to set TLS 1.1+ as default.
Source : Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
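The OS-wide update changes the default for every WinHTTP caller. An application can instead opt in per request, which is what the question's GetPage function needs. The following is an added example, not code from the question or the answer; it assumes the WinHTTP type library is imported as WinHttp_TLB (the unit name Delphi's importer generates), takes the option index and protocol flag values from winhttp.h, and assumes Windows 7 SP1 or later, where Schannel already supports TLS 1.2 even though WinHTTP does not enable it by default.

```delphi
// Added example; not the original question's code. Assumes the WinHTTP type
// library imported as WinHttp_TLB. Option indexes and flags are the values
// from winhttp.h (WinHttpRequestOption / WINHTTP_FLAG_SECURE_PROTOCOL_*).
uses
  SysUtils, ActiveX, Variants, WinHttp_TLB;

const
  OPT_SslErrorIgnoreFlags = 4;  // WinHttpRequestOption_SslErrorIgnoreFlags
  OPT_SecureProtocols     = 9;  // WinHttpRequestOption_SecureProtocols
  PROTO_TLS1   = $00000080;
  PROTO_TLS1_1 = $00000200;
  PROTO_TLS1_2 = $00000800;

function GetPageTls12(const AURL: string): string;
var
  Req: IWinHttpRequest;
begin
  CoInitialize(nil);
  try
    Req := CoWinHttpRequest.Create;
    // Opt this request into TLS 1.1/1.2 instead of the OS default, which on
    // an unpatched Windows 7 is SSL 3.0 + TLS 1.0 only.
    Req.Option[OPT_SecureProtocols] := PROTO_TLS1_1 or PROTO_TLS1_2;
    // Keep certificate errors fatal. Setting this to $3300 ("ignore all")
    // silences unknown-CA, wrong-name and expiry errors and invites MITM.
    Req.Option[OPT_SslErrorIgnoreFlags] := 0;
    Req.Open('GET', AURL, False);
    Req.Send(EmptyParam);
    if Req.Status <> 200 then
      raise Exception.CreateFmt('HTTP %d %s', [Req.Status, Req.StatusText]);
    Result := Req.ResponseText;
  finally
    Req := nil;
    CoUninitialize;
  end;
end;
```

If Send still fails with "terminated abnormally" after this change, the OS-level update from the answer is the remaining fix; if it succeeds, the application no longer depends on the registry default being changed on every machine it is deployed to.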
Can anyone diagnose my failure to connect to smtp.office365.com using Delphi 2010 and Indy 10.5.5?
I have read the code examples provided by Indy expert Remy Lebeau in this question: Using INDY 10 SMTP with Office365.
I have taken each of the two alternate code samples (one using AuthType satDefault and the other satSASL) from that question and cut-and-pasted them into a console application. In each case get the following error when run:
EIdOSSLUnderlyingCryptoError: Error connecting with SSL.
Error connecting with SSL.
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
When I change UseTLS to utUseExplicitTLS (as suggested in some other answers that state a plain text connection is required before attempting TLS) I get the following error:
EIdOSSLConnectError: Error connecting with SSL.
Error connecting with SSL.
EOF was observed that violates the protocol
I notice some references in other answers to setting SSLOptions.SSLVersions instead of SSLOptions.Method (which is said to be deprecated) but that property does not appear to exist on TIdSSLIOHandlerSocketOpenSSL in my version of Indy.
I believe I have the version of Indy which shipped with the D2010 updates, but it's somewhat out-of-date. I would be willing to update to a newer version if one exists but can't seem to find any way to do so without installing SVN, learning it, checking out from Development, and recompiling.
Finally, I've tried running all four variants of my console application with no DLLs present in the executable directory and with the DLLs from OpenSSL v1.0.2h present without any apparent effect.
EDIT: One other piece of information. The SMTP credentials supplied by the client (this project sends emails through a single dedicated outbound email address) are of the form project@myclientsdomain.com, rather than @office365.
Apparently, since Remy wrote the answer in the linked question, Office365 has stopped supporting SSLv3 (presumably to avoid a known exploit) and now requires TLS. The code from his answer in the original question works if you change these two lines:
idSMTP1.UseTLS := utUseImplicitTLS;
TIdSSLIOHandlerSocketOpenSSL(idSMTP1.IOHandler).SSLOptions.Method := sslvSSLv3;
to:
idSMTP1.UseTLS := utUseExplicitTLS;
TIdSSLIOHandlerSocketOpenSSL(idSMTP1.IOHandler).SSLOptions.Method := sslvTLSv1;
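The two changed lines above amount to "plaintext greeting on the submission port, then STARTTLS, then TLS not SSL". The following is an added example, not code from the question, the answer or the linked answer, of a complete TIdSMTP session built that way. It assumes Indy 10.6.2 (which has SSLOptions.SSLVersions; the question's 10.5.5 does not), Exchange Online's later retirement of TLS 1.0 and 1.1 (so it lists TLS 1.2 only), and placeholder credentials, addresses and CA bundle path.

```delphi
program Office365SubmissionExample;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  IdSMTP, IdMessage, IdSSLOpenSSL, IdExplicitTLSClientServerBase;

// Added example; not code from the original question or answer, nor from
// Indy. Assumes Indy 10.6.2+ with OpenSSL DLLs beside the EXE. Credentials,
// addresses and the CA bundle path are placeholders.

procedure SendViaSubmission(const AHost: string; APort: Word;
  const AUser, APass, AFrom, ATo, ASubject, ABody, ACaBundle: string);
var
  Smtp: TIdSMTP;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
  Msg: TIdMessage;
begin
  Smtp := TIdSMTP.Create(nil);
  try
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Smtp);
    Ssl.SSLOptions.Mode := sslmClient;
    // Leave Method alone; list versions. No SSLv3 (what the old code used).
    Ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];
    // Authenticate the server before handing it a password over AUTH LOGIN.
    Ssl.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    Ssl.SSLOptions.VerifyDepth := 4;
    Ssl.SSLOptions.RootCertFile := ACaBundle;
    Smtp.IOHandler := Ssl;
    Smtp.Host := AHost;
    Smtp.Port := APort; // 587: plaintext EHLO first, then STARTTLS
    // Explicit TLS = connect in the clear, upgrade with STARTTLS. Implicit
    // TLS on 587 produces exactly the "wrong version number" error from the
    // question, because the server's first bytes are a plaintext banner.
    Smtp.UseTLS := utUseExplicitTLS;
    Smtp.AuthType := satDefault;
    Smtp.Username := AUser;
    Smtp.Password := APass;
    Msg := TIdMessage.Create(nil);
    try
      Msg.From.Address := AFrom;
      Msg.Recipients.Add.Address := ATo;
      Msg.Subject := ASubject;
      Msg.Body.Text := ABody;
      Smtp.Connect; // raises if the TLS upgrade or verification fails
      try
        Smtp.Send(Msg);
      finally
        Smtp.Disconnect;
      end;
    finally
      Msg.Free;
    end;
  finally
    Smtp.Free;
  end;
end;

begin
  try
    SendViaSubmission('smtp.office365.com', 587,
      'project@myclientsdomain.com', 'placeholder-password',
      'project@myclientsdomain.com', 'recipient@example.com',
      'Test', 'Sent over STARTTLS with TLS 1.2.', 'cacert.pem');
    Writeln('Sent.');
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

The "EOF was observed that violates the protocol" error in the question is the other half of the same mismatch: Connect worked in the clear, but the TLS upgrade was attempted with a protocol the server would not speak, so the server simply closed the socket.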
I've written a Windows service in Delphi 2007 using Indy 10 (10.5.8.0) that connects to an email server via IMAP and reads 10 emails, processes them and disconnects.
This is repeated throughout the day.
This works fine as long as the service doesn't connect using SSL/TLS.
When connecting using TLS it seems to work the first time, but gives a "start SSL negotiation failed" error on subsequent attempts.
I'm using the following Indy settings in my service:
FIMAP4.Port := 143
FIMAP4.UseTLS := utUseRequireTLS;
FIdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvSSLv23;
The email server runs Exchange 2010 and operates TLS on port 143 and SSL on port 993.
I'm using the latest version of the ssl dlls (1.0.1.3).
I'm disconnecting by doing:
FIMAP4.IOHandler.InputBuffer.Clear;
FIMAP4.Disconnect;
UPDATE:
Extract from EurekaLog:
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|TLSNotAvailable |416[4] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|TLSNotAvailable |412[0] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|ProcessTLSNotAvail|342[2] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|ProcessTLSNotAvail|341[1] |
|IdIMAP4.pas |TIdIMAP4 |Login |1957[16]|
|IdIMAP4.pas |TIdIMAP4 |Connect |2019[28]|
This would seem to indicate TLS is NOT available (I would have expected TLSNotAvailable to raise a
EIdTLSClientTLSNotAvailable.Create(RSTLSSLSSLNotAvailable);
rather than a
EIdTLSClientTLSNotAvailable.Create(RSTLSSLSSLCmdFailed);
but this has led me to wonder if the email server does not support TLS, at least on port 143).
If I don't use TLS, I get a:
EIdReplyIMAP4Error: Command received in Invalid state.
|IdReplyIMAP4.pas |TIdReplyIMAP4 |RaiseReplyError |242[1] |
|IdTCPConnection.pas|TIdTCPConnection|RaiseExceptionForLastCmdResult|576[1] |
|IdIMAP4.pas |TIdIMAP4 |Login |1970[29]|
|IdIMAP4.pas |TIdIMAP4 |Connect |2019[28]|
This seems to be an authentication failed message, although I'm not sure why.
Try using sslvTLSv1 instead of sslvSSLv23.
Fixed!
Two critical settings were wrong:
FIdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1;
FIMAP4.UseTLS := utUseImplicitTLS;
setting these up (still on port 143) resolved the issue.
The latest Indy 10 version works much better at TLS, SSL, IMAP, SMTP, and SASL, than the one that shipped in Delphi 2007. Heck, Delphi 2007 shipped in 2006 at some point, and so the Indy 10 version is a snapshot from 2006, that's SIX YEARS AGO.
Upgrade your Indy10 sources, and then try different SSL options.
You may also have a bad SSL (ssleay, libssl) DLL version. Use the versions recommended on the Indy page.
I'm using the TIdSSLIOHandlerSocketOpenSSL Indy component in Delphi XE2 to send data to an SSL server (Apple Push Notification Service) over TCP. I've got it working to a degree but not sure if I'm going about it the best way. I'm doing the following :
Set the SSL properties inc. path to certificates
Call the .Open method to open the connection
Check the AType parameter in the OnStatusInfoEx event until I get a 'Handshake Done'
Send the data using .WriteDirect
Close the connection with .Close
Is there a better way to know when the connection is ready to send data? Does anybody have sample code using the TIdSSLIOHandlerSocketOpenSSL component directly over TCP? The samples I've found are mainly for HTTP calls where the TIdSSLIOHandlerSocketOpenSSL component is just attached to secure the connection.
Since you are using the client component, you only need to setup the certificates on the client if the server is going to authenticate the client's certificate.
Otherwise, set the TIdSSLIOHandlerSocketOpenSSL's SSLOptions.Mode to sslmClient, and you should be able to connect.
It's a good idea to enable the VerifyMode and use the OnVerifyPeer event on the socket component to verify the fingerprint on the server certificate in order to avoid man in the middle attacks.
Depending on your version of Indy, you may need to set the SSLOptions Method to sslvTLSv1. Some web servers no longer support SSLv2, which Indy 9 defaults to.
Here's some sample code that demonstrates retrieving a web page over SSL using the TCP component:
procedure TForm1.Button1Click(Sender: TObject);
var
  s: String;
begin
  // The SSL IOHandler must be attached and taken out of pass-through mode,
  // otherwise the request leaves in plaintext on port 443.
  IdTCPClient1.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
  IdSSLIOHandlerSocketOpenSSL1.PassThrough := False;
  IdTCPClient1.Host := 'example.com';
  IdTCPClient1.Port := 443;
  IdTCPClient1.Connect; // TCP connect plus TLS handshake
  try
    // In Indy 10 WriteLn/AllData live on the IOHandler, not the client.
    IdTCPClient1.IOHandler.WriteLn('GET / HTTP/1.1');
    IdTCPClient1.IOHandler.WriteLn('Host: example.com');
    IdTCPClient1.IOHandler.WriteLn('Connection: close'); // so the server closes and AllData returns
    IdTCPClient1.IOHandler.WriteLn('');
    // Retrieve all the data until the server closes the connection
    s := IdTCPClient1.IOHandler.AllData;
  finally
    IdTCPClient1.Disconnect;
  end;
  Memo1.Lines.Add(s);
end;
Don't forget to include the OpenSSL libraries libeay32.dll and ssleay32.dll in the same folder as your EXE on Windows. Use the standard (latest) binaries for Indy 10.
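The answer recommends VerifyMode plus OnVerifyPeer to pin the server's fingerprint but does not show it, and the question asks how to know when the channel is ready. The following is an added example, not code from the question, the answer or Indy, of a raw TIdTCPClient over TLS with chain verification and a pinned leaf fingerprint. It assumes Indy 10.6 (four-argument OnVerifyPeer and TIdX509.Fingerprints) with the matching OpenSSL DLLs; the host, port, CA bundle path, payload and expected fingerprint are placeholders.

```delphi
program TlsTcpPinnedExample;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdGlobal, IdTCPClient, IdSSLOpenSSL;

// Added example; not code from the original question or answer, nor from
// Indy. Assumes Indy 10.6+. Host, port, CA bundle and fingerprint below are
// placeholders.

type
  TPinnedTlsClient = class
  private
    FExpectedSha256: string; // upper-case hex, no separators
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    constructor Create(const AExpectedSha256: string);
    function SendAndReadLine(const AHost: string; APort: Word;
      const ACaBundle: string; const APayload: TIdBytes): string;
  end;

function StripColons(const S: string): string;
begin
  Result := UpperCase(StringReplace(S, ':', '', [rfReplaceAll]));
end;

constructor TPinnedTlsClient.Create(const AExpectedSha256: string);
begin
  inherited Create;
  FExpectedSha256 := StripColons(AExpectedSha256);
end;

function TPinnedTlsClient.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for this certificate in the chain (ADepth 0 is
  // the server's leaf). Never turn a failure into a success; only add the
  // stricter check of pinning the leaf's SHA-256 fingerprint.
  Result := AOk;
  if Result and (ADepth = 0) then
    Result := StripColons(Certificate.Fingerprints.SHA256AsString) = FExpectedSha256;
end;

function TPinnedTlsClient.SendAndReadLine(const AHost: string; APort: Word;
  const ACaBundle: string; const APayload: TIdBytes): string;
var
  Client: TIdTCPClient;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  Client := TIdTCPClient.Create(nil);
  try
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Client);
    Ssl.SSLOptions.Mode := sslmClient;
    Ssl.SSLOptions.SSLVersions := [sslvTLSv1_2];
    Ssl.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    Ssl.SSLOptions.VerifyDepth := 4;
    Ssl.SSLOptions.RootCertFile := ACaBundle;
    // For a client certificate (as APNs requires) also set
    // SSLOptions.CertFile and SSLOptions.KeyFile here.
    Ssl.OnVerifyPeer := VerifyPeer;
    // TIdHTTP clears PassThrough for https:// URLs; a raw TIdTCPClient does
    // not, so do it explicitly or the bytes leave in plaintext.
    Ssl.PassThrough := False;
    Client.IOHandler := Ssl;
    Client.Host := AHost;
    Client.Port := APort;
    Client.ConnectTimeout := 10000;
    Client.ReadTimeout := 10000;
    // Connect does the TCP connect and the TLS handshake, calling VerifyPeer
    // for each chain certificate. If it returns without raising, the channel
    // is ready; there is no need to poll OnStatusInfoEx for "Handshake Done".
    Client.Connect;
    try
      Client.IOHandler.Write(APayload);
      Result := Client.IOHandler.ReadLn;
    finally
      Client.Disconnect;
    end;
  finally
    Client.Free;
  end;
end;

var
  Pinned: TPinnedTlsClient;
begin
  // Placeholder pin (64 zeros) that matches no real certificate, so the
  // handshake is rejected until you paste the fingerprint obtained out of
  // band, e.g. from: openssl s_client -connect host:443 | openssl x509 -fingerprint -sha256
  Pinned := TPinnedTlsClient.Create(StringOfChar('0', 64));
  try
    try
      Writeln(Pinned.SendAndReadLine('example.com', 443, 'cacert.pem',
        ToBytes('GET / HTTP/1.1'#13#10'Host: example.com'#13#10'Connection: close'#13#10#13#10)));
    except
      on E: Exception do
        Writeln('Connection rejected: ', E.ClassName, ': ', E.Message);
    end;
  finally
    Pinned.Free;
  end;
end.
```

Returning AOk unchanged and only ever narrowing it is the important design choice: an OnVerifyPeer that returns True unconditionally, a pattern that appears in many copied snippets, reintroduces the man-in-the-middle exposure the answer warns about.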
This is what works for me. I am using Delphi 2010, but this probably works just as well on Delphi XE2 (not tested). I use the current tip revision of Indy, which is revision 4774, rather than the out-of-the-box version.
I have 3 components on a datamodule or webmodule:
TIdHTTP
TIdSSLIOHandlerSocketOpenSSL
TidCookieManager
Hook all the components up to each other at design-time, with the following change at run-time: If the protocol is plain http:, then disconnect the TIdSSLIOHandlerSocketOpenSSL component. If the protocol is https:, then set the Handler property of the IdHTTP to the IdSSLIOHandlerSocketOpenSSL.
In the SSL Options, set Method to sslvSSLv23 and SSLVersions to [sslvSSLv2, sslvSSLv3, sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]. I found that other permutations of these properties just did not work. I can't explain it. I just know that this works with a wide range of web servers.
From there it is dead easy. To GET, simply call the Get() method on the TIdHTTP. For POST, call Post(). Parameters and cookies are accessible by obviously named properties.
I had a lot of trouble getting the out-of-the-box version to POST correctly, but with the tip revision, and setting the options as I mentioned, it's been a breeze.