Author Topic: SSL handshake error  (Read 708 times)

nagylzs

  • New Member
  • *
  • Posts: 20
SSL handshake error
« on: October 27, 2019, 07:56:23 pm »
Using FPC 3.0.4 and Lazarus 2.0.4. I'm having trouble connecting with TIdHTTP to https. The server itself supports TLS 1.2 and TLS 1.3. I get this exception from my program:

Error connecting with SSL.
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

Exception class is  'EIdOSSLUnderlyingCryptoError', the debugger says it was raised in '.\Protocols\IdSSLOpenSSLHeaders.pas' line 19477.

For reference, I'm posting the SSL Lab reports below for both IPv4 and IPv6:

https://www.ssllabs.com/ssltest/analyze.html?d=dropzone.mess.hu&s=164.68.125.74
https://www.ssllabs.com/ssltest/analyze.html?d=dropzone.mess.hu&s=2a02%3ac207%3a2029%3a5995%3a0%3a0%3a0%3a1

The report states that this server should work with OpenSSL 1.0.1 and up:

OpenSSL 1.0.1l  R  RSA 2048 (SHA256)  TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDH secp256r1  FS
OpenSSL 1.0.2s  R  RSA 2048 (SHA256)  TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDH secp256r1  FS
OpenSSL 1.1.0k  R  RSA 2048 (SHA256)  TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  ECDH x25519     FS
OpenSSL 1.1.1c  R  -                  TLS 1.3  TLS_AES_256_GCM_SHA384                 ECDH x25519     FS


So what is wrong? Do I need to compile Indy against a newer OpenSSL version? (How?)

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #1 on: October 27, 2019, 08:37:23 pm »
I have tried to downgrade the connection on the server side. TLS v1.0 does work with Indy. But TLSv1.1, TLSv1.2 and TLSv1.3 are not working. TLSv1.0 was accepted in 1999, 20 years ago.  :'(

Would it be possible to make Indy compatible with TLSv1.2 at least? Can somebody tell me what OpenSSL version is linked with Indy?

Thaddy

  • Hero Member
  • *****
  • Posts: 9303
Re: SSL handshake error
« Reply #2 on: October 27, 2019, 10:05:00 pm »
I have tried to downgrade the connection
Never, ever do that. Simply refuse server-side connections with anything below tls 1.1. Serious major software (google, ms, facebook etc...) do the same and for good reason.
Never take loopholes or shortcuts when security is at stake, never, ever.
If you feel the need to do that there is something seriously wrong with either client or server software. Stronger: refuse to do that!
« Last Edit: October 27, 2019, 10:11:49 pm by Thaddy »
also related to equus asinus.

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #3 on: October 27, 2019, 10:21:33 pm »
I have tried to downgrade the connection
Never, ever do that.

Well, I suspected that the problem was with TLS 1.2 support, and I have downgraded the server to test my theory. It was only a test. TLS 1.0 was enabled for about 10 minutes, and I got what I needed. I can be sure that the problem is with Indy not supporting TLS 1.2. So I think the "never ever" is a bit strong. :-)

The question remains open: if I cannot use at least TLS 1.2 with Indy, then I cannot use Lazarus/FPC for any serious project that involves HTTPS connections. Practically making it useless.

Is it a known problem with Indy and Lazarus? Should I use a different version? Is there a chance that it will work with TLS 1.2 in the near future?

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #4 on: October 27, 2019, 10:28:02 pm »
By the way, my Indy version is 10.6.2.5494. It was installed some days ago, and it seems to be up to date. I'm not sure about the OpenSSL version, but I guess it does not load libeay32 from a dll. OpenSSL should be linked statically, am I right?

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #5 on: November 01, 2019, 10:07:22 am »
End note. I think FPC and Lazarus are mature and have high potential. Sadly, there are not enough developers and not enough community support. I would fix this problem myself but I don't have the knowledge to fix/rewrite Indy components and link them to an up-to-date version of OpenSSL. This cannot be used in production. There is no other choice left, I have to implement this in a different language that is more popular and has better support.

Thaddy

  • Hero Member
  • *****
  • Posts: 9303
Re: SSL handshake error
« Reply #6 on: November 01, 2019, 10:19:23 am »
fpc 3.2.0 can be used....  Regarding ssl quite a lot of work has been done.
E.g. I use OpenSSL 1.1.1d  10 Sep 2019 without problems. (and no need to downgrade the protocol)
also related to equus asinus.

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #7 on: November 01, 2019, 10:38:40 am »
fpc 3.2.0 can be used....  Regarding ssl quite a lot of work has been done.
E.g. I use OpenSSL 1.1.1d  10 Sep 2019 without problems. (and no need to downgrade the protocol)

Can you please tell me how? I could only install the latest Indy from Lazarus package manager, and it was not good. I could not find any instructions about this anywhere. I also could not find related forum posts on this site, and I could not get help here (maybe until now).

Also, you mention fpc 3.2.0. But the latest downloadable stable lazarus comes with FPC 3.0.4. (At least it was that way some weeks ago.) Do I have to upgrade to 3.2.0 before I can use OpenSSL 1.1.1d?

PascalDragon

  • Hero Member
  • *****
  • Posts: 745
  • Compiler Developer
Re: SSL handshake error
« Reply #8 on: November 01, 2019, 01:58:18 pm »
Can you please tell me how? I could only install the latest Indy from Lazarus package manager, and it was not good. I could not find any instructions about this anywhere. I also could not find related forum posts on this site, and I could not get help here (maybe until now).
Indy is a third party package, so it's up to them to implement OpenSSL support correctly. FPC itself provides TFPHTTPClient which does indeed support current OpenSSL versions in 3.2.0 and newer.

Also, you mention fpc 3.2.0. But the latest downloadable stable lazarus comes with FPC 3.0.4. (At least it was that way some weeks ago.) Do I have to upgrade to 3.2.0 before I can use OpenSSL 1.1.1d?
It should be possible to pick the corresponding units from 3.2.0 or trunk and compile them with 3.0.4. They are those in packages/openssl though you'll probably also have to recompile packages/fcl-net/src/{sslbase,sslsockets,ssockets}. I have not tested it however. 3.2.0 itself is currently in "release candidate" phase (so for your purpose it should be stable enough) and we hope to release it this year.

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #9 on: November 01, 2019, 09:09:53 pm »
Indy is a third party package, so it's up to them to implement OpenSSL support correctly. FPC itself provides TFPHTTPClient which does indeed support current OpenSSL versions in 3.2.0 and newer.

In the beginning, I was trying to use TFPHTTPClient but I realized that it is broken in a different way. TFPHTTPClient can only be used to post things that fit into memory easily. For my actual programming task, that is not the case. A detailed explanation is here: https://forum.lazarus.freepascal.org/index.php/topic,47220.0.html

That was the point when I switched to Indy. I almost finished the programming with a test server (using simple http). Then I did my first tests with a real HTTPS server and I got this SSL handshake error.


It should be possible to pick the corresponding units from 3.2.0 or trunk and compile them with 3.0.4. They are those in packages/openssl though you'll probably also have to recompile packages/fcl-net/src/{sslbase,sslsockets,ssockets}. I have not tested it however. 3.2.0 itself is currently in "release candidate" phase (so for your purpose it should be stable enough) and we hope to release it this year.

You are right, I also think that it would be possible. This is why I wrote that FPC/lazarus has the potential. You are also right in that Indy is a third party component. But try to look at it from my viewpoint. I already spent days on this task, and it seems that I have three options:

  • Try to understand, tweak and recompile Indy with a different version of OpenSSL. This seems to be a lot of time and effort, with a great possibility of total failure.
  • Try to understand and refactor the code of TFPHTTPClient. It seems to be difficult, because that code was not written in a way that would make streaming possible. Even if I could do this, there should be days (possibly weeks) of testing by me and by others before it could be an accepted change and merged into the master branch of lazarus and be used in production.
  • Use a different language that already has multipart form-data streaming and TLS 1.2 support. In this case, I need to rewrite my (otherwise very simple) application in a different language.

I'm not a programming language or network library developer. I'm a simple application developer, who wants to send a big file to an HTTPS server. I think it is obvious that only the last option is viable. (Unless there is a fourth option for lazarus?)

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 681
    • Lebeau Software
Re: SSL handshake error
« Reply #10 on: November 01, 2019, 11:51:35 pm »
TLS v1.0 does work with Indy. But TLSv1.1, TLSv1.2 and TLSv1.3 are not working.

Would it be possible to make Indy compatible with TLSv1.2 at least?

Indy supports TLS v1.1 and TLS v1.2, but it enables only TLS v1.0 by default.  You can manually enable TLS v1.1 and TLS v1.2 by setting the sslvTLSv1_1 and sslvTLSv1_2 flags in the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property.

There is no sslvTLSv1_3 flag yet, as TLS v1.3 requires OpenSSL v1.1.x, which Indy does not currently support (work is in progress on that).

Can somebody tell me what OpenSSL version is linked with Indy?

Indy is not linked to any specific version of OpenSSL.  It supports multiple versions up to OpenSSL v1.0.2.  OpenSSL DLLs that are compatible with Indy are available at https://indy.fulgan.com/SSL/.
« Last Edit: November 01, 2019, 11:54:34 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #11 on: November 02, 2019, 09:37:11 am »
TLS v1.0 does work with Indy. But TLSv1.1, TLSv1.2 and TLSv1.3 are not working.

Would it be possible to make Indy compatible with TLSv1.2 at least?

Indy supports TLS v1.1 and TLS v1.2, but it enables only TLS v1.0 by default.  You can manually enable TLS v1.1 and TLS v1.2 by setting the sslvTLSv1_1 and sslvTLSv1_2 flags in the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property.

There is no sslvTLSv1_3 flag yet, as TLS v1.3 requires OpenSSL v1.1.x, which Indy does not currently support (work is in progress on that).

That was the fourth option I was looking for! :-) I'm sorry, I did not know about the TIdSSLIOHandlerSocketOpenSSL class and its options. I'm a recommencing greenhorn. I was a Delphi programmer once, about 10 years ago. Delphi shortcuts are still in my muscle memory, but lots of things have changed since then. I also started on this project in C# but I did not like that I have to choose a .NET framework that might not be available everywhere. I like the way lazarus compiles a standalone native exe file that is portable. I just could not use it until now. But I'm a happy camper now!

Interestingly, .net 4.5 has the very same problem - they have disabled TLS 1.1 by default, and you have to enable it manually.

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #12 on: November 02, 2019, 09:40:08 am »
Can somebody tell me what OpenSSL version is linked with Indy?

Indy is not linked to any specific version of OpenSSL.  It supports multiple versions up to OpenSSL v1.0.2.  OpenSSL DLLs that are compatible with Indy are available at https://indy.fulgan.com/SSL/.

Does it mean that Indy will load libeay32.dll and ssleay32.dll dynamically? Does it load the dll with a specific search path? I need to create a portable program that runs from a flash drive. Would it be enough to copy the good OpenSSL DLL files into the same directory, or do I need to do something specific to load those exact DLL files?

Sorry for asking so much.

Thaddy

  • Hero Member
  • *****
  • Posts: 9303
Re: SSL handshake error
« Reply #13 on: November 02, 2019, 09:53:02 am »
You can put them in the same directory as the application, or a subdirectory, although I would recommend building in a check whether a version is already available in the official Windows library directories, and if not, putting them there.
also related to equus asinus.

nagylzs

  • New Member
  • *
  • Posts: 20
Re: SSL handshake error
« Reply #14 on: November 02, 2019, 12:26:37 pm »
You can put them in the same directory as the application, or a subdirectory, although I would recommend building in a check whether a version is already available in the official Windows library directories, and if not, putting them there.

That would require administrative rights, and I would like to create a portable program that can be started from a flash drive, without installation.

After the last Windows 10 upgrade (2019 Q4) I noticed that Windows Defender is being overprotective. For example, I could not start the Lazarus installer easily because of a SmartScreen warning. Then the installer could not create a shortcut on my own desktop. Defender did this protection without asking if I want to allow it or not, and I could only look it up in the logs afterwards. I suspect that writing into the windows system32 dir would banish my program completely. :-)
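A client put together the way Remy's reply (enable TLS 1.2 via SSLVersions) and the DLL-location discussion describe, written as an added example rather than code from the thread or from Indy itself: it restricts the handshake to TLS 1.2, loads the OpenSSL DLLs from the program's own directory for a portable layout, and additionally switches on server certificate verification, which Indy leaves off by default. Unit, class and property names are Indy 10's; the CA bundle file name cacert.pem and the URL are assumptions of this example.

```pascal
program TlsClientDemo;
{$mode objfpc}{$H+}
uses
  SysUtils, IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders;
type
  // Indy events must be methods of an object, so the handler lives here.
  TPeerVerifier = class
    function OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

function TPeerVerifier.OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // Pass OpenSSL's own verdict through; returning True unconditionally
  // would accept any certificate, chain errors included.
  Result := AOk;
end;

function FetchOverTls12(const AUrl: String): String;
var
  Http: TIdHTTP;
  IoHandler: TIdSSLIOHandlerSocketOpenSSL;
  Verifier: TPeerVerifier;
  ExeDir: String;
begin
  ExeDir := ExtractFilePath(ParamStr(0));
  // Portable layout: load libeay32.dll / ssleay32.dll from the program's
  // own directory instead of whatever happens to be on the system path.
  IdOpenSSLSetLibPath(ExeDir);
  Http := TIdHTTP.Create(nil);
  IoHandler := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
  Verifier := TPeerVerifier.Create;
  try
    // Indy's default SSLVersions is [sslvTLSv1]; a server that requires
    // TLS 1.2 answers that ClientHello with a "protocol version" alert.
    IoHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
    // Verify the server chain against a CA bundle shipped beside the exe
    // (the file name cacert.pem is an assumption of this example).
    IoHandler.SSLOptions.VerifyMode := [sslvrfPeer];
    IoHandler.SSLOptions.VerifyDepth := 4;
    IoHandler.SSLOptions.RootCertFile := ExeDir + 'cacert.pem';
    IoHandler.OnVerifyPeer := @Verifier.OnVerifyPeer;
    Http.IOHandler := IoHandler;
    Result := Http.Get(AUrl);
  finally
    Verifier.Free;
    Http.Free; // Http owns IoHandler and frees it
  end;
end;

begin
  WriteLn(Copy(FetchOverTls12('https://example.com/'), 1, 200));
end.
```

Add sslvTLSv1_1 to the SSLVersions set only if a server you must talk to offers nothing newer; the verification failure that OnVerifyPeer propagates surfaces as an EIdOSSLUnderlyingCryptoError, the same exception class as the protocol-version alert in the first post.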