Indy "Connection Reset by Peer" Err. 10054 on Specific Website - delphi

I am encountering some problems using some code that worked for ages involving Indy and the download of a web page. I use RAD Studio 10.2 Tokyo.
The web page is as follows:
https://donet.rfi.it/RFIPlatform/showDoc.do?compartimentoHidden=AN&docTypeHidden=CC
The code I am using is part of an application which has the same code since 2011 and it always worked well. The code is as follows:
IDHTTP1.Get('https://donet.rfi.it/RFIPlatform/showDoc.do?compartimentoHidden=AN&docTypeHidden=CC');
I am getting a "Connection Reset by Peer 10054" error since the website went down, some days ago, and when it came up again, the code did not work anymore.
The aforementioned web page can be called from the browser, can even be downloaded with WGET, but Indy is failing.
I tried to play with various options (Cookie Handling, Handle Redirects, HTTPOptions, etc...) and I also updated the SSL libraries to 1.0.2q (Indy cannot use OpenSSL 1.1.0 yet), but the whole thing just doesn't want to work.
Can someone help me figure out what is going on? It has to be for sure something on the website, since the code I use is the same since 2011 and it has always worked. And before that, the same code worked in a similar application since 2008.

Indy's TIdSSLIOHandlerSocketOpenSSL component enables only TLS 1.0 by default. The website in question (https://donet.rfi.it) does not accept TLS 1.0 anymore (probably why it went offline, to update its software), it will accept only TLS 1.1+ now.
TIdHTTP is able to successfully establish a TCP/IP connection to donet.rfi.it:443, but as soon as TIdSSLIOHandlerSocketOpenSSL sends a TLS 1.0 handshake request, the server forcibly closes the TCP connection. You are getting the "connection reset by peer" error while TIdSSLIOHandlerSocketOpenSSL is trying to read the server's handshake response.
You need to configure TIdSSLIOHandlerSocketOpenSSL to enable TLS 1.1 and/or 1.2. You can do that via its SSLOptions.SSLVersions property. Then TIdHTTP.Get() will work again (I tested it).

Related

Troubleshoot "SSL Handshake errors" in Indy

I use Indy TidHTTPServer and TidServerIOHandlerSSLOpenSSL on my server component to handle HTTPS request for command & control.
There are situations where - without any logged errors on the server - client receive an error "SSL handshake failed". I see no reasons on the server and - funny enough - fixes itself sometimes after some time.
Where can I step into the Indy components to see where the problem is? Which events can I use to maybe see something?
Update1 (29.05.2021): An exeption I found throught he handlers suggested by Remy Lebeau is "Error accepting connection with SSL. EOF was observed that violates the protocol". I still cant tell what is causing this, though...
I have had this (or similar) errors in the past when I forgot to put the OpenSSL dll files in the same folder as the executable. You need ssleay32.dll and libeay32.dll.
You can find them on the Indy page (link at the very bottom): https://www.indyproject.org/download/ssl/

Indy server supports SSL 2, but it should not

Indy Delphi 10.1 Berlin.
My customer had the HTTPS connection checked (using Qualys SSL Labs). The report states: "This server supports SSL 2" plus other warnings but I guess they are related to this.
The code used is as follows:
SSLIOhandler:=TIdServerIOHandlerSSLOpenSSL.Create(NIL);
SSLIOhandler.SSLOptions.Method:=sslvTLSv1_2;
SSLIOhandler.SSLOptions.Mode:=sslmServer;
SSLIOhandler.OnVerifyPeer:=OnVerifyPeer;
SSLIOhandler.SSLOptions.SSLVersions:=[sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2];
HTTPServer:=TIdHTTPServer.Create(NIL);
HTTPServer.IOhandler:=SSLIOhandler;
I have read various posts but this area remains pretty much abacadabra to me. I limited the SSLVersions to just [sslvTLSv1_2] but the warning remains. What else can I do?
Update: Sorry to waste time. The Qualys test site apparently did not reload. I've restarted and retested and indeed it no longer complains about SSL2.
Next step is to pass its complaints about the ciphers, starting with TLS_RSA_WITH_DES_CBC_SHA. I have a list of ciphers but can't find how to assign them. When I use e.g.
SSLOptions.CipherList:='TLS_RSA_WITH_3DES_EDE_CBC_SHA';
I get an error: "SetCipher failed".

Delphi Indy IdMappedPortTCP

Im using Delphi XE 5/6, default Indy version, Windows 7. IdMappedPortTCP (component put on Form) redirect local stream from FFmpeg to Twitch.tv and always near 2 hours of streaming i have IdMappedPortTCP1ExceptionSocket Error # 10053
Software caused connection abort. Tried TCPRelay and no problems so i guess something must be wrong in my app. Thanks for suggestions.
10053 is a network error. Most likely a firewall or router is cutting the connection after it is idle for too long. I would try using Indy's TIdEventStream class as explained in the answer to this post:
How to avoid getting an error 10053 (WSAECONNABORTED) if a HttpGet operation in Android is lasting too long?

Indy IMAP4 over SSL

I've written a Windows service in Delphi 2007 using Indy 10 (10.5.8.0) that connects to an email server via IMAP and reads 10 emails, processes them and disconnects.
This is repeated throughout the day.
This works fine as long as the service doesn't connect using SSL/TLS.
When connecting using TLS it seems to work the first time, but gives a "start SSL negotiation failed" error on subsequent attempts.
I'm using the following Indy settings in my service:
FIMAP4.Port := 143
FIMAP4.UseTLS := utUseRequireTLS;
FIdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvSSLv23;
The email server runs Exchange 2010 and operates TLS on port 143 and SSL on port 993.
I'm using the latest version of the ssl dlls (1.0.1.3).
I'm disconnecting by doing:
FIMAP4.IOHandler.InputBuffer.Clear;
FIMAP4.Disconnect;
UPDATE:
Extract from EurekaLog:
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|TLSNotAvailable |416[4] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|TLSNotAvailable |412[0] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|ProcessTLSNotAvail|342[2] |
|IdExplicitTLSClientServerBase.pas|TIdExplicitTLSClient|ProcessTLSNotAvail|341[1] |
|IdIMAP4.pas |TIdIMAP4 |Login |1957[16]|
|IdIMAP4.pas |TIdIMAP4 |Connect |2019[28]|
This would seem to indicate TLS is NOT available (I would have expected TLSNotAvailable to raise a
EIdTLSClientTLSNotAvailable.Create(RSTLSSLSSLNotAvailable);
rather than a
EIdTLSClientTLSNotAvailable.Create(RSTLSSLSSLCmdFailed);
but this has led me to wonder if the email server does not support TLS, at least on port 143).
If I don't use TLS, I get a:
EIdReplyIMAP4Error: Command received in Invalid state.
|IdReplyIMAP4.pas |TIdReplyIMAP4 |RaiseReplyError |242[1] |
|IdTCPConnection.pas|TIdTCPConnection|RaiseExceptionForLastCmdResult|576[1] |
|IdIMAP4.pas |TIdIMAP4 |Login |1970[29]|
|IdIMAP4.pas |TIdIMAP4 |Connect |2019[28]|
This seems to be an authentication failed message, although I'm not sure why.
Try using sslvTLSv1 instead of sslvSSLv23.
Fixed!
Two critical settings were wrong:
FIdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1;
FIMAP4.UseTLS := utUseImplicitTLS;
setting these up (still on port 143) resolved the issue.
The latest Indy 10 version works much better at TLS, SSL, IMAP, SMTP, and SASL, than the one that shipped in Delphi 2007. Heck, Delphi 2007 shipped in 2006 at some point, and so the Indy 10 version is a snapshot from 2006, that's SIX YEARS AGO.
Upgrade your Indy10 sources, and then try different SSL options.
You may also have a bad SSL (ssleay, libssl) DLL version. Use the versions recommended on the Indy page.

cookies using Delphi 2010 and Indy

I'm new to dealing with cookies and not sure if my code or maybe Indy version is the problem based on researching other posts.
Using Delphi 2010 and Indy 10.5.5.
Have set up a cookiemanager at design time. I can send an initial login request (using the POST method) to the server that is successful (get a "success" code back from the server app) and the cookie manager shows that it has accepted a cookie from the server.
When I try to reply to the server (again using POST) to get the next set of information, I get an error code back from the server app which indicates an authorization failure and I'm being told by the server tech support people to check the cookie being sent with the reply.
How can I check the contents of the cookie header that is being sent back to the server?
Also, in another post I saw that Indy 10 IdCookieManager.pas and IdCookie.pas have been updated in 2011. Should I update my Indy to the latest version as this might be my problem?
Thanks in advance.
Here is some more info:
Thank you for your previous assistance; I appear to be getting closer to reinstalling Indy10.
I purged my system of all Indy stuff except the most recent version (10.5.8) which I downloaded yesterday. [Actually I just moved the old stuff into a directory with an unusual name.]
Now I get a clean compile on all 5 packages.
I was able to add the two main packages (the ones starting with dcl) to my program's project list.
But I get "[DCC Fatal Error] E2202 Required Package IndyCore not found." when I try to compile my main program.
I tried removing and reinstalling the dcl packages to my project. When I removed them, I got the message that IndyCore and 3 other packages would also be removed - so it seems to know that dclIndyCode140 uses IndyCore140.
I've added some directories to my search path and tried placing the 5 bpl's in different directories. None of that had any effect and at this point I am stumped.
Ideas? Suggestions?
Steve
Upgrading to the latest release is definate recommended. Links are on Indy`s website. Yes, cookie support was broken in earlier Indy 10 releases but it working again now.
As for your other question, to see what TIdHTTP is sending, you have a few choices:
Look at the TIdHTTP.Request.RawHeaders property after sending a request.
Attach one of Indy's TIdLog... components to TIdHTTP, such as TIdLogFile, and look at the output.
Use an external packet sniffer, such as Wireshark.

Resources