Print Page - Indy > Could not load SSL library

Programming => Networking and Web Programming => Topic started by: RDL on March 31, 2018, 03:33:57 pm

Title: Indy > Could not load SSL library
Post by: RDL on March 31, 2018, 03:33:57 pm

Hi.
On my (manjaro linux) does not work SSL in Indy

var
HTTP: TIdHTTP;
SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
SSL:=TIdSSLIOHandlerSocketOpenSSL.Create(); 
HTTP:=TIdHTTP.Create();
HTTP.IOHandler:=SSL;
HTTP.Get(URL,IndyTextEncoding_UTF8);

I get an error:
Could not load SSL library.

Code: Pascal [Select][+]

ls -l /lib64/libcrypto*
lrwxrwxrwx 1 root root            16 dec  3 01:20 /lib64/libcrypto.so -> libcrypto.so.1.1
-r-xr-xr-x 1 root root    2850616 dec  9 21:23 /lib64/libcrypto.so.1.0.0
-rwxr-xr-x 1 root root   2594952 dec  3 01:21 /lib64/libcrypto.so.1.1

Why is this happening?

PS: Indy version: svn rev.5444 (from OPM)

Title: Re: Indy > Could not load SSL library
Post by: Phil on March 31, 2018, 03:52:48 pm

Quote from: RDL on March 31, 2018, 03:33:57 pm

I get an error:
Could not load SSL library.

On Windows, that error typically means the correct bitness OpenSSL libraries are not on the path. But on Linux you should already have these installed by default.

Make sure you also have the libssl .so in addition to the libcrypto .so.

Look in Indy code for what triggers that exception. You're probably looking for places where it throws EIdOSSLCouldNotLoadSSLLibrary.

Also, maybe test with Synapse or with FPC's HTTP client to help narrow down whether it's Indy, the SSL libs, or something else.

Title: Re: Indy > Could not load SSL library
Post by: RDL on March 31, 2018, 04:21:28 pm

Quote

Also, maybe test with Synapse or with FPC's HTTP client to help narrow down whether it's Indy, the SSL libs, or something else.

checked, in synapse ssl working

Quote

Make sure you also have the libssl .so in addition to the libcrypto .so.

Code: Pascal [Select][+]

ls -l /lib64/libssl*
-rwxr-xr-x 1 root root 385952 mar 10 08:54 /lib64/libssl3.so
lrwxrwxrwx 1 root root     13 dec  3 01:20 /lib64/libssl.so -> libssl.so.1.1
-r-xr-xr-x 1 root root 498544 dec  9 21:23 /lib64/libssl.so.1.0.0
-rwxr-xr-x 1 root root 434176 mar  3 01:21 /lib64/libssl.so.1.1

Update:

Apparently indy does not support libcrypto.so.1.1
If the symbolic link libcryto.so refers to libcrypto.so.1.1, then the Could not load SSL library error occurs.

If you edit IdSSLOpenSSLHeaders.pas like this:
Row: 19483

Code: Pascal [Select][+]

SSLDLLVers: array [0..8] of string = ('', '.10', '. 1.0.2', '. 1.0.1', '. 1.0.0', '0.9.9', '. 0.9.8 ','. 0.9.7 ',' 0.9.6 ');

Replace with:

Code: Pascal [Select][+]

SSLDLLVers: array [0..8] of string = ('.0', '.10', '. 1.0.2', '. 1.0.1', '. 1.0.0', '0.9.9', '.0.9.8', '. 0.9.7', '0.9.6');

Loading libcrypto.so.1.0.0 runs currectly and SSL works!

Update:

Because of this editing, loading .so will not be possible and problems can arise on other systems.

Title: Re: Indy > Could not load SSL library
Post by: balazsszekely on March 31, 2018, 04:37:29 pm

What is the message returned by function WhichFailedToLoad(IdSSLOpenSSLHeaders.pas)?

Title: Re: Indy > Could not load SSL library
Post by: RDL on March 31, 2018, 04:46:09 pm

I edited my post above.

Title: Re: Indy > Could not load SSL library
Post by: balazsszekely on March 31, 2018, 04:53:07 pm

@RDL

Quote

I edited my post above.

Ok. I'm glad it's working. @Remy regularly visits this forum, maybe he can incorporate your changes in Indy trunk, then I can update in OPM.

Title: Re: Indy > Could not load SSL library
Post by: RDL on March 31, 2018, 05:01:42 pm

@GetMem
Let's wait for a response from @Remy
Thank.

Title: Re: Indy > Could not load SSL library
Post by: RDL on April 01, 2018, 02:46:10 am

I attach corrected IdSSLOpenSSLHeaders.pas (last svn rev. 5451) which correctly looks for:
libcrypto.so.1.0.0
libcrypto.so.1.0.0a
libcrypto.so.1.0.0b
libcrypto.so.1.0.0c
...
libcrypto.so.1.0.1
libcrypto.so.1.0.1a
libcrypto.so.1.0.1b
libcrypto.so.1.0.1c
....
libcrypto.so.1.0.2
libcrypto.so.1.0.2a
libcrypto.so.1.0.2b
libcrypto.so.1.0.2c
and so on.

Title: Re: Indy > Could not load SSL library
Post by: Remy Lebeau on May 04, 2018, 04:47:53 am

Quote from: RDL on March 31, 2018, 04:21:28 pm

Apparently indy does not support libcrypto.so.1.1

That is because Indy doesn't support OpenSSL 1.1.0+ yet, only 1.0.2 and earlier. Because there have been major API changes in 1.1.0 that break backwards compatibility, and Indy hasn't been updated to handle that yet (see #183: Support OpenSSL 1.1.0 (https://github.com/IndySockets/Indy/issues/183) in Indy's issue tracker).

Quote from: RDL on March 31, 2018, 04:21:28 pm

If the symbolic link libcryto.so refers to libcrypto.so.1.1, then the Could not load SSL library error occurs.

Makes sense. See above.

Quote from: RDL on March 31, 2018, 04:21:28 pm

If you edit IdSSLOpenSSLHeaders.pas like this:
Row: 19483
Code: Pascal [Select][+][-]
SSLDLLVers: array [0..8] of string = ('', '.10', '. 1.0.2', '. 1.0.1', '. 1.0.0', '0.9.9', '. 0.9.8 ','. 0.9.7 ',' 0.9.6 ');
Replace with:
Code: Pascal [Select][+][-]
SSLDLLVers: array [0..8] of string = ('.0', '.10', '. 1.0.2', '. 1.0.1', '. 1.0.0', '0.9.9', '.0.9.8', '. 0.9.7', '0.9.6');
Loading libcrypto.so.1.0.0 runs currectly and SSL works!

Because of this editing, loading .so will not be possible and problems can arise on other systems.

By changing the first string from '' to '.0', Indy will no longer attempt to load the unversioned libcrypto.so or libssl.so symbolic links at all. You are making it so it will skip them and find (in your case) libcrypto.so.1.0.0 and libssl.so.1.0.0 instead. That could hurt other systems, where loading the the symbolic links is preferred.

Quote from: RDL on April 01, 2018, 02:46:10 am

I attach corrected IdSSLOpenSSLHeaders.pas (last svn rev. 5451) which correctly looks for:

I have glanced at the patch and see that I need to make some tweaks to it before I incorporate it. I will report back when it is checked in to Indy's SVN.

Title: Re: Indy > Could not load SSL library
Post by: Remy Lebeau on May 04, 2018, 08:44:27 pm

Quote from: Remy Lebeau on May 04, 2018, 04:47:53 am

I have glanced at the patch and see that I need to make some tweaks to it before I incorporate it. I will report back when it is checked in to Indy's SVN.

I have just now checked in the patch. I tweaked the code to apply the lettering logic to both the KYLIXCOMPAT and BASEUNIX/VCL_POSIX branches, and to add a new IdOpenSSLSetLoadSymLinksFirst() function so users can specify whether Indy should load the symlinks before or after checking for specific versions (the default is before, to preserve existing behavior).

See Changes for how OpenSSL is loaded on *Nix platforms (http://www.indyproject.org/Sockets/Blogs/ChangeLog/20180504.aspx) on Indy's Changelog blog.

Title: Re: Indy > Could not load SSL library
Post by: RDL on May 05, 2018, 09:07:56 am

@Remy Lebeau
Why is this part of the code inactive in Linux?

Checked on linux manjaro.
Does not work. Could not load SSL library.

Update:
I replaced IdSSLOpenSSLHeaders.pas with my own, it worked.

Is it an indy error or am I doing something wrong?

Title: Re: Indy > Could not load SSL library
Post by: Remy Lebeau on May 07, 2018, 11:11:40 pm

Quote from: RDL on May 05, 2018, 09:07:56 am

Why is this part of the code inactive in Linux?

Looking at my previous checkin, it looks like I made a mistake in a new {$DEFINE} I had added:

Code: [Select]

  {$UNDEF USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT}
  {$IFDEF USE_BASEUNIX_OR_VCL_POSIX}
    {$UNDEF USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT} // <--
  {$ENDIF}
  {$IFDEF KYLIXCOMPAT}
    {$UNDEF USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT} // <--
  {$ENDIF}

Should be this instead:

Code: [Select]

  {$UNDEF USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT}
  {$IFDEF USE_BASEUNIX_OR_VCL_POSIX}
    {$DEFINE USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT} // <--
  {$ENDIF}
  {$IFDEF KYLIXCOMPAT}
    {$DEFINE USE_BASEUNIX_OR_VCL_POSIX_OR_KYLIXCOMPAT} // <--
  {$ENDIF}

I have checked in that fix now (rev 5457).

Title: Re: Indy > Could not load SSL library
Post by: RDL on May 08, 2018, 09:46:21 am

@Remy Lebeau
I checked, it works!
Good job, thank you! :)

Title: Re: Indy > Could not load SSL library
Post by: hsvandrew88 on March 31, 2019, 08:11:06 am

I know this is a Lazarus thread, but for those viewing it relating to Delphi, or perhaps FPC as well, using the Indy source from March 2019 I had to change

{$IFDEF UNIX}
var
GIdLoadSymLinksFirst: Boolean = false;

in IdSSLOpenSSLHeaders.pas to make it work with OpenSSL 1.0.2k on Centos 7

This then didn't require the change to the SSLVers string

Title: Re: Indy > Could not load SSL library
Post by: Remy Lebeau on April 02, 2019, 09:27:26 pm

Quote from: hsvandrew88 on March 31, 2019, 08:11:06 am

I know this is a Lazarus thread, but for those viewing it relating to Delphi, or perhaps FPC as well, using the Indy source from March 2019 I had to change

{$IFDEF UNIX}
var
GIdLoadSymLinksFirst: Boolean = false;

in IdSSLOpenSSLHeaders.pas to make it work with OpenSSL 1.0.2k on Centos 7

If you read my earlier messages in this thread, you will see that GIdLoadSymLinksFirst is set to True by default on purpose for backwards compatible, and that there is a new IdOpenSSLSetLoadSymLinksFirst() function added if you want to change the default at runtime, eg in your app startup code:

Code: [Select]

IdOpenSSLSetLoadSymLinksFirst(False);

Title: Re: Indy > Could not load SSL library
Post by: AndroidCat on July 13, 2019, 10:21:37 pm

This thread was helpful in solving two problems I had with Raspbian Buster:

The first was a Pi updated to Buster. It had libssl and libcrypto files for 1.1 and 1.0.2, as well as a symbolic link from libcrypto.so to 1.1. Renaming the link out of the way solved that problem. (Hopefully without breaking anything else.)

The second, with a fresh install of Buster, only had the 1.1 libs. sudo apt-get install libssl1.0.2 fixed that.

Title: Re: Indy > Could not load SSL library
Post by: Remy Lebeau on July 17, 2019, 12:10:24 am

FYI, I have just now added a new IdOpenSSLSetCanLoadSymLinks() function if you want to tell Indy to not load the symbolic links at all, eg:

Code: [Select]

IdOpenSSLSetCanLoadSymLinks(False);