Author Topic: Indy10 HTTP & SSL issues  (Read 11137 times)

JD

  • Hero Member
  • *****
  • Posts: 1848
Indy10 HTTP & SSL issues
« on: July 25, 2016, 05:06:36 pm »
Hi there everybody,

I'm trying to connect to an Indy HTTP server from an Indy HTTP client using the code below:

Server side:
Code: Pascal
  // Create the HTTP server and its OpenSSL server-side IO handler
  HTTPServer := TIdHTTPServer.Create(nil);
  HTTPIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(nil);
  HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

  // Attach the IO handler and wire up the server's event handlers
  with HTTPServer do
  begin
    IOHandler         := HTTPIOHandler;
    OnCommandGet      := @HTTPServerCommandGet;
    OnCommandOther    := @HTTPServerCommandOther;
    OnConnect         := @HTTPServerConnect;
    OnCreateSession   := @HTTPServerCreateSession;
    OnDisconnect      := @HTTPServerDisconnect;
    OnSessionEnd      := @HTTPServerSessionEnd;
    OnSessionStart    := @HTTPServerSessionStart;
    KeepAlive         := True;
  end;

Client side:
Code: Pascal
  // Create the HTTP client and its OpenSSL client-side IO handler
  lHTTP := TIdHTTP.Create(nil);
  lIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  lIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
  // Send the login request over HTTPS and free the objects afterwards
  try
    lHTTP.Request.Username := Trim(User.Text);
    lHTTP.Request.Password := Trim(Password.Text);
    lHTTP.IOHandler := lIOHandler;
    lHTTP.HandleRedirects := True;
    s := lHTTP.Get(Format('https://%s:%d' + '/login', [Host, Port]));
    ShowMessage(s);
  finally
    lHTTP.Free;
    lIOHandler.Free;
  end;

The client throws an exception saying sslv3 alert handshake failure (see attached screenshot). Everything works perfectly without the SSL related code parts. In addition, I'm using the latest libeay32.dll and ssleay32.dll that I downloaded from the indy.fulgan.com site.

Can anyone tell me what I'm doing wrong?

Thanks,

JD
Windows - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe),
Linux Mint - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe)

mORMot; Zeos 8; SQLite, PostgreSQL & MariaDB; VirtualTreeView

Phil

  • Hero Member
  • *****
  • Posts: 2737
Re: Indy10 HTTP & SSL issues
« Reply #1 on: July 25, 2016, 05:10:56 pm »
That looks like an Indy exception. Find where that occurs in Indy source. Might be a clue as to what's happening.

If it were related to the SSL .dll's, I would expect a different exception.

Also, it looks like something to do with the version of SSL. I'm not familiar with that, but what "version" certificate does your server have?


JD

  • Hero Member
  • *****
  • Posts: 1848
Re: Indy10 HTTP & SSL issues
« Reply #2 on: July 25, 2016, 05:14:10 pm »
Quote from: Phil on July 25, 2016, 05:10:56 pm
That looks like an Indy exception. Find where that occurs in Indy source. Might be a clue as to what's happening.

If it were related to the SSL .dll's, I would expect a different exception.

Also, it looks like something to do with the version of SSL. I'm not familiar with that, but what "version" certificate does your server have?

I'm not using any certificates at all.
Windows - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe),
Linux Mint - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe)

mORMot; Zeos 8; SQLite, PostgreSQL & MariaDB; VirtualTreeView

Phil

  • Hero Member
  • *****
  • Posts: 2737
Re: Indy10 HTTP & SSL issues
« Reply #3 on: July 25, 2016, 05:28:27 pm »
Does it make any difference if you use FPC HTTP client and server instead of Indy?

You'll probably need an SSL certificate eventually:

https://www.startssl.com/




JD

  • Hero Member
  • *****
  • Posts: 1848
Re: Indy10 HTTP & SSL issues
« Reply #4 on: July 25, 2016, 07:17:49 pm »
Quote from: Phil on July 25, 2016, 05:28:27 pm
Does it make any difference if you use FPC HTTP client and server instead of Indy?

You'll probably need an SSL certificate eventually:

https://www.startssl.com/

I can't use FPC HTTP client because the code snippets I posted are part of a large application & rewriting it is simply not possible. I'll take a look at the link you gave me & see what I can learn from it.

Thanks

JD
Windows - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe),
Linux Mint - Lazarus 2.1/FPC 3.2 (built using fpcupdeluxe)

mORMot; Zeos 8; SQLite, PostgreSQL & MariaDB; VirtualTreeView

Phil

  • Hero Member
  • *****
  • Posts: 2737
Re: Indy10 HTTP & SSL issues
« Reply #5 on: July 25, 2016, 07:29:50 pm »

Thaddy

  • Hero Member
  • *****
  • Posts: 14373
  • Sensorship about opinions does not belong here.
Re: Indy10 HTTP & SSL issues
« Reply #6 on: July 25, 2016, 08:49:16 pm »
Many links turn up for that error message.

http://eigenjoy.com/2008/04/26/fix-for-sslv3-alert-handshake-failure-opensslsslsslerror/

Google on POODLE attack: SSL3 is highly unsafe and not accepted any more by recent decent server software. You should not use it!

No, I mean, really should not use it!!!! >:D >:D >:D >:D >:D >:D >:D
Better to use a recent version (1.1 or higher) of TLS.
There's a good write-up in wikipedia: https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0

Btw: whereas the wiki states that SSLv2 is prohibited, it is considered somewhat safe as a bottom-line fall-back, whereas SSLv3 should be avoided like the plague.
Hence you will get errors if your software tries to connect to properly maintained servers if you ONLY support SSLv3 on the client side.
That is programmer error big time.

E.g. in OpenSSL compiled from source you have to EXPLICITLY enable SSLv3 to be able to support it. And you will get abused by warnings ;)
Do not try this at home. OpenSSL is very, very, very difficult to compile correctly from source.

Since the majority of server software uses OpenSSL, like Apache and nginx, SSLv3 won't work anymore unless your engineer is called "sleeping beauty".
« Last Edit: July 25, 2016, 09:11:18 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

Thaddy

  • Hero Member
  • *****
  • Posts: 14373
  • Sensorship about opinions does not belong here.
Re: Indy10 HTTP & SSL issues
« Reply #7 on: July 25, 2016, 09:19:40 pm »
Btw: I am surprised (NOT!  >:( )that Indy still seems to support SSLv3?  O:-)

(Yes,yes, yes, Indy Bashing. Icecubes are gone, but temperature is down too, so garden is safe)

BTW: Answering the original question: TLS 1.0 almost equals SSLv3 so the exception is correct. Because of what I described above.
You can remove sslvTLSv1 and your code should work. For older software you can add sslv2 as the only allowed fallback.


[edit]
Indy uses OpenSSL (and you have a recent version of OpenSSL installed, hence it returns the exception) but Indy should throw a compile-time warning or better error when you want to use ssl3 or tls1.
Or remove the option, but that would break legacy too easy. I know that.

But QED: OpenSSL doesn't work anymore.... ;) With SSLv3 that is....

Remy is up to the job to correct this. I think.

[edit2]

Note TLS1.2 will not fall back to ssl2. tls1.1 needs to be in the chain to fall back to sslv2 but that is still allowed for the time being afaik. ssl3 and tls1 are always out of the fall back chain in current OpenSSL versions.
« Last Edit: July 25, 2016, 10:13:43 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.
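As an added illustration (not code from this thread, from Indy or from OpenSSL), the Python script below models the protocol version that two SSLVersions sets can agree on and decodes the alert record a peer sends when it gives up. The mapping of Indy's sslv* names onto wire version numbers and the sample alert bytes are my own construction. It shows two things a defender wants to check before changing version lists: with the sets from the original post both ends still share TLS 1.2, so the version lists alone do not force a failure; and the "sslv3 alert" wording in the exception is simply OpenSSL's name for alert 40, handshake_failure (RFC 5246, section 7.2), a numbering inherited from SSLv3 and sent at whatever version the record carries. A server that has been given no certificate at all is the usual source of that alert, because OpenSSL then has no cipher suite it can offer, which is what the certificate Phil mentions provides.

```python
"""Diagnose an OpenSSL TLS handshake failure: model which protocol version
two SSLVersions sets can agree on, and decode the alert record the peer
sent.  All sample data here is constructed for the example."""
import struct

# TLS protocol version numbers as they appear on the wire.
VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# Indy's sslv* enumeration names mapped to wire versions (assumed mapping;
# SSLv2 has no TLS-style record version and is left out).
INDY_VERSIONS = {
    "sslvSSLv3": 0x0300,
    "sslvTLSv1": 0x0301,
    "sslvTLSv1_1": 0x0302,
    "sslvTLSv1_2": 0x0303,
}

# Alert descriptions from RFC 5246 section 7.2.  OpenSSL reports 40 as
# "sslv3 alert handshake failure" because the numbering dates from SSLv3.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def negotiated_version(client_versions, server_versions):
    """Return the name of the highest version both sides enable, or None."""
    common = set(client_versions) & set(server_versions)
    if not common:
        return None
    return VERSION_NAMES[max(INDY_VERSIONS[v] for v in common)]


def parse_alert_record(data):
    """Decode one TLS record; for an alert, return its level and description."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    record = {
        "content_type": content_type,
        "version": VERSION_NAMES.get(version, hex(version)),
    }
    if content_type != CONTENT_TYPE_ALERT:
        return record
    if length != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = body
    record["level"] = ALERT_LEVELS.get(level, str(level))
    record["description"] = ALERT_DESCRIPTIONS.get(
        description, f"unknown({description})")
    return record


# Constructed sample: a fatal handshake_failure alert (level 2, description
# 40) in a record carrying the TLS 1.0 record version, as a server sends it
# before any version has been agreed.
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

# The SSLVersions sets from the original post, client and server.
THREAD_CLIENT = ["sslvTLSv1", "sslvTLSv1_1", "sslvTLSv1_2"]
THREAD_SERVER = ["sslvTLSv1", "sslvTLSv1_1", "sslvTLSv1_2"]

if __name__ == "__main__":
    print("version in common:", negotiated_version(THREAD_CLIENT, THREAD_SERVER))
    print("alert:", parse_alert_record(SAMPLE_ALERT))
```

Run it as-is and the first line prints TLS 1.2, i.e. the two lists in the question do overlap; the second line decodes the constructed record as a fatal handshake_failure, the same alert the client in the question reports. Feeding the function the bytes from a packet capture of the real connection tells you which side sent the alert and at which record version.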

Thaddy

  • Hero Member
  • *****
  • Posts: 14373
  • Sensorship about opinions does not belong here.
Re: Indy10 HTTP & SSL issues
« Reply #8 on: July 26, 2016, 05:09:36 pm »
This code should work with up-to-date OpenSSL:

Server side:
Code: Pascal
  // Create the HTTP server and its OpenSSL server-side IO handler;
  // only TLS 1.1 and TLS 1.2 are enabled
  HTTPServer := TIdHTTPServer.Create(nil);
  HTTPIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(nil);
  HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];

  // Attach the IO handler and wire up the server's event handlers
  with HTTPServer do
  begin
    IOHandler         := HTTPIOHandler;
    OnCommandGet      := @HTTPServerCommandGet;
    OnCommandOther    := @HTTPServerCommandOther;
    OnConnect         := @HTTPServerConnect;
    OnCreateSession   := @HTTPServerCreateSession;
    OnDisconnect      := @HTTPServerDisconnect;
    OnSessionEnd      := @HTTPServerSessionEnd;
    OnSessionStart    := @HTTPServerSessionStart;
    KeepAlive         := True;
  end;

Client side:
Code: Pascal
  // Create the HTTP client and its OpenSSL client-side IO handler;
  // only TLS 1.1 and TLS 1.2 are enabled
  lHTTP := TIdHTTP.Create(nil);
  lIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  lIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];
  // Send the login request over HTTPS and free the objects afterwards
  try
    lHTTP.Request.Username := Trim(User.Text);
    lHTTP.Request.Password := Trim(Password.Text);
    lHTTP.IOHandler := lIOHandler;
    lHTTP.HandleRedirects := True;
    s := lHTTP.Get(Format('https://%s:%d' + '/login', [Host, Port]));
    ShowMessage(s);
  finally
    lHTTP.Free;
    lIOHandler.Free;
  end;
« Last Edit: July 26, 2016, 05:12:23 pm by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

 
