[SOLVED] Indy and SSL

[DanishMale]

Solution: I found that the DateTime handling in the DLL was mixed up and had to be rewritten to form the dynamic URL



Hi,

I am going NUTS... over Indy and their OpenSSL....

I am trying to create a DLL which collects some JSON data from a website, I have got to work perfectly on numerous of other sites, however, this sites really got got my brains out...

If I create this app an run it directly as an EXE with only this changed in the SSLOptions.Method := sslvTLSv1_2 and SSLOptions.Versions := [sslvTLSv1_2] to the IdSSLIOHandlerSocketOpenSSL  it works perfectly

but as DLL NOT:

Code: Pascal  [Select]

1.  
2. function CreateSSLHandler: TIdSSLIOHandlerSocketOpenSSL;
3. var
4.   SSL_org: TIdSSLIOHandlerSocketOpenSSL;
5. begin
6.   SSL_org := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
7.   SSL_org.IPVersion := Id_IPv4;
8.   SSL_org.MaxLineAction := maException;
9.   SSL_org.MaxLineLength := 16384;
10.   SSL_org.Port := 0;
11.   SSL_org.ReadTimeout := -1;
12.   SSL_org.ReuseSocket := rsOSDependent;
13.   SSL_org.SendBufferSize := 32768;
14.   SSL_org.SSLOptions.Method := sslvTLSv1_2;
15.   SSL_org.SSLOptions.Mode := sslmUnassigned;
16.   SSL_org.SSLOPtions.SSLVersions := [sslvTLSv1_2];
17.   SSL_org.SSLOptions.VerifyDepth := 0;
18.   SSL_org.UseNagle := True;
19.   CreateSSLHandler := SSL_org;
20. end;
21.  
22. function CreateHTTP: TIdHTTP;
23. var
24.   HTTP_org: TIdHTTP;
25. begin
26.   HTTP_org := TIdHTTP.Create(nil);
27.   HTTP_org.IOHandler := CreateSSLHandler;
28.   HTTP_org.Request.ContentType := 'text/html';
29.   HTTP_org.AllowCookies := True;
30.   HTTP_org.ProxyParams.BasicAuthentication := False;
31.   HTTP_org.ProxyParams.ProxyPort := 0;
32.   HTTP_org.Request.ContentLength := -1;
33.   HTTP_org.Request.ContentRangeEnd := -1;
34.   HTTP_org.Request.ContentRangeStart := -1;
35.   HTTP_org.Request.ContentRangeInstanceLength := -1;
36.   HTTP_org.Request.Date := 0;
37.   HTTP_org.Request.Expires := 0;
38.   HTTP_org.Request.LastModified := 0;
39.   HTTP_org.Request.Accept := 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
40.   HTTP_org.Request.BasicAuthentication := False;
41.   HTTP_org.Request.UserAgent := 'My Custom UserAgent';
42.   HTTP_org.Request.Ranges.Units := 'bytes';
43.   HTTP_org.HTTPOptions := [hoForceEncodeParams];
44.   HTTP_org.ProtocolVersion := pv1_1;
45.   CreateHTTP := HTTP_org;
46. end;        
47.  

It's exactly the same settings as in the EXE file .. which works 


I am getting desperate ....

[Cyrax]

Which site you are trying to access?
Can you show to us your application main source code?

[DanishMale]

this site with this url:

https://web-api.horizon.tv/oesp/api/CH/fra/web/programschedules/20170225/1

[Cyrax]

Which version of Indy you are using?

[GetMem]

If I create this app an run it directly as an EXE with only this changed in the SSLOptions.Method := sslvTLSv1_2 and SSLOptions.Versions := [sslvTLSv1_2] to the IdSSLIOHandlerSocketOpenSSL  it works perfectly but as DLL NOT:

Ok and how exactly fails? What is the error message? I see in your description Lazarus 1.6 x64, are you creating 64bit application/dll? Make sure libeay32.dll and ssleay32.dll match your binary format so you don't mix 32 with 64 and vice versa. Of course this is just guessing...the problem may be something completely different.

[DanishMale]

The error looks like this:

Error connecting with SSL.
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


I have used the  libeay32.dll and ssleay32.dll in previous x64 DLL / Apps

[Phil]

Error connecting with SSL.
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

I feel your pain.

I would spend the day searching that error message. I solved a recent Indy problem by trying various suggestions given here:

https://stackoverflow.com/questions/35987485/eidosslconnecterror-error-connecting-with-ssl-eof-was-observed#

Interestingly, FPC's HTTP client did not have this EOF problem at all. You could try FPC's just to see if there's any difference.

I've had a lot of problems keeping code that retrieves data from Web sites running, as they transition from http to https, change APIs, change handshake policies, change WSDL, etc. No two http clients in my experience work the same and they all have problems if you're hitting against enough different sites. I work with 4: Indy, FPC, Synapse and Foundation (Mac).

Also, who's responsible for freeing the TIdSSLIOHandlerSocketOpenSSL object? It looks like you're assuming that Indy is.

Edit: I've never seen a problem where it works in an executable and not in a dynamic library. In my experience, if it works in one, it will work in the other and vice versa. Make sure both the executable and the library are using the same SSL libraries.

[Remy Lebeau]

I am going NUTS... over Indy and their OpenSSL....

It is not OUR OpenSSL.  OpenSSL is a 3rd party open source library independent of Indy.

To use TLS 1.2 in Indy, make sure you are using up-to-date versions of Indy and OpenSSL 1.0.2 (Indy does not support OpenSSL 1.1.0 yet).

If I create this app an run it directly as an EXE with only this changed in the SSLOptions.Method := sslvTLSv1_2 and SSLOptions.Versions := [sslvTLSv1_2] to the IdSSLIOHandlerSocketOpenSSL  it works perfectly

but as DLL NOT

Neither Indy nor OpenSSL behave differently whether used in an EXE or a DLL.  So something else is going on.

It's exactly the same settings as in the EXE file .. which works 

Have you tried using a packet sniffer, like Wireshark, to look at the actual TLS handshake to see if anything is different between the EXE and DLL handshakes?

Error connecting with SSL.
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

A TLS alert comes from the peer.  So, in this case, it means the HTTP server is rejecting the TLS handshake.  Now you need to figure out why.  And that is where Wireshark comes into play.