Tidhttp: weird SSLv3_READ_BYTES error (with TLSv1_2 direct connection)

Simple code:

 procedure TForm1.Button1Click(Sender: TObject);
 //var
 //  h: TIdHTTP;
 //  SSL: TIdSSLIOHandlerSocketOpenSSL;
 begin
   h.IOHandler := SSL;
   SSL.SSLOptions.Method := sslvTLSv1_2;
   SSL.SSLOptions.SSLVersions := [sslvTLSv1_2]; // should be set automatically after assigning Method, but just to be sure
   h.Get('https://www.deviantart.com/users/login');
 end;

This simple code gives me an error:

 Error connecting with SSL.
 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I use Delphi XE3 and the OpenSSL 1.0.2b libraries. I can’t understand this: looking at the sources, the connection initialisation contains lines that disable the unused versions:

 if not (sslvSSLv2 in SSLVersions) then begin
   SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv2);
 end;
 if not (sslvSSLv3 in SSLVersions) then begin
   SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv3);
 end;
 if not (sslvTLSv1 in SSLVersions) then begin
   SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1);
 end;

But sslv3 operations still show up. It does not look like a component error. Is it something internal, or is the Indy library not taking something into account when setting the parameters?

Or is it really me who has missed something important? I really hope I don’t need to go through the hell called “updating the Indy components”.

Test against https://www.deviantart.com/users/login (tried all methods, including TLS 1.2):

 Resolving hostname www.deviantart.com.
 Connecting to 54.230.96.81.
 Handshake Start: before/connect initialization
 Connect Loop: before/connect initialization
 Connect Loop: SSLv3 write client hello A
 fatal Read Alert: handshake failure
 Connect Failed: SSLv3 read server hello A
 ERROR: Error connecting with SSL.
 error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
  • the result is identical for SSLv3 and TLS 1.0 / 1.1 / 1.2;
  • for SSLv23 the response is SSL23_GET_SERVER_HELLO: sslv3 alert handshake failure;
  • for SSLv2 there is no response;

Testing against a similar resource (TLS 1.0 ONLY, nothing else) https://files.yande.re/image/da9afa6d9ca43a9f154fad69f76adb85.jpg

 Resolving hostname files.yande.re.
 Connecting to 5.39.10.56.
 Handshake Start: before/connect initialization
 Connect Loop: before/connect initialization
 Connect Loop: SSLv3 write client hello A
 Connect Loop: SSLv3 read server hello A
 Connect Loop: SSLv3 read server certificate A
 Connect Loop: SSLv3 read server key exchange A
 Connect Loop: SSLv3 read server done A
 Connect Loop: SSLv3 write client key exchange A
 Connect Loop: SSLv3 write change cipher spec A
 Connect Loop: SSLv3 write finished A
 Connect Loop: SSLv3 flush data
 Connect Loop: SSLv3 read server session ticket A
 Connect Loop: SSLv3 read finished A
 Handshake Done: SSL negotiation finished successfully
 Connect Exit: SSL negotiation finished successfully

My Wireshark captures:

  • Indy: http://imgur.com/BZ84Cl3 (the response is a handshake failure);
  • Firefox: http://imgur.com/pkYJvnO;
  • Response to the Firefox request: http://imgur.com/M9ni3TV;
+5
2 answers

A handshake failure alert means that the initial handshake is failing on the server side, so it sends an alert to notify its client before closing the connection. You probably did not install a compatible certificate or cipher suite that the server expects. Or perhaps the server simply does not support TLS 1.2; try using TLS 1.0 or TLS 1.1 instead. Alternatively, you can use OpenSSL's own s_client tool to debug the connection problems until you find the correct settings, and then apply them to Indy as needed. Or use Wireshark to look at the actual handshake and see at what stage it fails.

0

I fixed a handshake problem this morning by comparing the wire logs of Google Chrome (which worked fine) and of my application (which had the handshake problems). It turned out that I needed to enable the "signature_algorithms" extension.

However, I use SecureBlackBox (not Indy and OpenSSL) because I had to load the client certificate dynamically, but maybe this can help you (compare and debug it using Wireshark!).

0
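Both answers boil down to comparing the ClientHello your application sends with the one a browser sends and spotting what is missing (the second answer found the signature_algorithms extension absent). The following added example, which is not from the question or either answer, does that comparison offline: it decodes the first TLS record of a capture (the raw bytes Wireshark shows) into the offered version, cipher suites and extension names, and reports which extensions from a working client's list are missing. The two ClientHello records, the host name example.test and the required-extension list are constructed for the example, not taken from the captures linked above.

```python
import struct

# Constructed sample data (not from the page's captures): TLS 1.2 ClientHellos with and without extensions.
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms", 16: "alpn", 23: "extended_master_secret",
                   35: "session_ticket", 43: "supported_versions", 65281: "renegotiation_info"}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def build_client_hello(version, ciphers, extensions):
    """Assemble a TLS record carrying a ClientHello (used only to build the constructed samples)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    """Return the offered version, cipher suites and extension names of a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len: raise ValueError("truncated ClientHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 34 + 1 + body[34]                                           # skip version, random, session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                              # skip compression methods
    extensions = []
    if pos < len(body):                                               # the extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4 + elen
            extensions.append(EXTENSION_NAMES.get(etype, "unknown_%d" % etype))
    return {"version": VERSION_NAMES.get(version, hex(version)), "ciphers": ciphers, "extensions": extensions}

def missing_extensions(record, required=("server_name", "signature_algorithms")):
    """List the extensions a working client (e.g. a browser capture) sends that this record omits."""
    present = set(parse_client_hello(record)["extensions"])
    return [name for name in required if name not in present]

SNI = b"\x00\x0f\x00\x00\x0cexample.test"      # server_name list with one host_name: example.test
SIGALGS = b"\x00\x04\x04\x01\x05\x01"           # signature_algorithms: rsa_pkcs1_sha256, rsa_pkcs1_sha384
BROWSER_LIKE = build_client_hello(0x0303, [0xC02F, 0x009C], [(0, SNI), (13, SIGALGS)])
BARE_CLIENT = build_client_hello(0x0303, [0xC02F, 0x009C], [])     # offers TLS 1.2 but no extensions
```

Feed `parse_client_hello` the bytes of the first handshake record from each capture and diff the two dictionaries; `missing_extensions(BARE_CLIENT)` returns `['server_name', 'signature_algorithms']`, which is the kind of gap the second answer describes.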

Source: https://habr.com/ru/post/1232620/
