
Author Topic: Synapse and Catalina SSL causing crash  (Read 1874 times)

josh

  • Hero Member
  • *****
  • Posts: 764
Synapse and Catalina SSL causing crash
« on: February 08, 2020, 01:07:52 pm »
Hi

Hope someone can help, and it's not too complicated.

I have an app that gets encrypted data from the company server. The app is working fine on everything up to Catalina, but when run on Catalina it crashes out on start-up. Error below. The app is a company app and as such is not through the App Store.

I am using Synapse for the HTTP and HTTPS routines, as I also have Windows clients of the app.

Is there a way around the new Apple security system, or maybe does anyone know of an alternative HTTP/HTTPS unit for OSX (that is native) to bypass Synapse for OSX deployment? If so, how can I configure a build option that does not add the lazsynapse requirement?

Quote
Application Specific Information:
/usr/lib/libcrypto.dylib
abort() called
Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib           0x00007fff65a3d7fa __pthread_kill + 10
1   libsystem_pthread.dylib          0x00007fff65affbc1 pthread_kill + 432
2   libsystem_c.dylib                0x00007fff659c4a1c abort + 120
3   libcrypto.dylib                  0x00007fff6333b804 __report_load + 352
4   dyld                             0x000000011602e15d ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 539
5   dyld                             0x000000011602e582 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 40
6   dyld                             0x0000000116028dc7 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, char const*, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 493
7   dyld                             0x0000000116026e58 ImageLoader::processInitializers(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&, ImageLoader::UninitedUpwards&) + 188
8   dyld                             0x0000000116026ef8 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 82
9   dyld                             0x0000000116018f87 dyld::runInitializers(ImageLoader*) + 82
10  dyld                             0x0000000116022ad7 dlopen_internal + 609
11  libdyld.dylib                    0x00007fff658e1a7f dlopen + 171
12  com.company.editor               0x000000010777935a 0x10764f000 + 1221466
13  com.company.editor               0x000000010765fc1f SYSTEM_$$_LOADLIBRARY$RAWBYTESTRING$$INT64 + 15
14  com.company.editor               0x0000000107ac2246 SYNAFPC_$$_LOADLIBRARY$PCHAR$$INT64 + 86 (synafpc.pas:109)
15  com.company.editor               0x0000000107acf849 0x10764f000 + 4720713
16  com.company.editor               0x0000000107acf919 SSL_OPENSSL_LIB_$$_INITSSLINTERFACE$$BOOLEAN + 175
17  com.company.editor               0x0000000107ac8067 INIT$_$SSL_OPENSSL + 10
18  com.company.editor               0x000000010765cdcc FPC_INITIALIZEUNITS + 60
19  com.company.editor               0x000000010765058d PASCALMAIN + 10

Regards

Josh
Development Installation Lazarus 1.3, FPC 2.7.1,Windows 7/8 32/64, OSX, *nix

Test Environment Lazarus & FPC Trunk on Windows and OSX (Cocoa Mainly on OSX). Testing also Crosscompile windows to OSX.. 
Any posts made from 2015 will be based on Lazarus Trunk.

Hansaplast

  • Hero Member
  • *****
  • Posts: 585
  • Tweaking4All.com
    • Tweaking4All
Re: Synapse and Catalina SSL causing crash
« Reply #1 on: February 08, 2020, 01:17:06 pm »
Catalina doesn't seem to like OpenSSL anymore.
Instead (depending on whether it fits your needs) use the macOS API.
See also my other post in the forum: here.

Short version:

Under more recent macOS versions (at least as of Mojave), fphttpclient will not work.
Apple does not seem to like the OpenSSL library (default macOS setup!):


As an alternative for macOS users, use the unit "ns_url_request" by Phil Hess (file can be found here - Phil's Mac related page).
This does not require any extra libraries (beyond what comes with macOS).


A quick (and sloppy) function pulling in HTTPS content as a string:



Code: Pascal
uses ... ns_url_request ... // Note: "ns_url_request" also uses Phil's "NSHelpers" unit.

...

function TForm1.GetURLContent(aURL: string): string;
var
  HTTP: TNSHTTPSendAndReceive;
begin
  Result := '';
  HTTP := TNSHTTPSendAndReceive.Create;
  try
    HTTP.Method  := 'GET';
    HTTP.Address := aURL;
    HTTP.SendAndReceive(Result);
  finally
    HTTP.Free;  // release the object even if the request raises
  end;
end;


Jonas Maebe

  • Hero Member
  • *****
  • Posts: 704
Re: Synapse and Catalina SSL causing crash
« Reply #2 on: February 08, 2020, 02:51:43 pm »
Quote
Catalina doesn't seem to like OpenSSL anymore.

Even if that is true, that has absolutely nothing to do with the error message.

The issue is that OpenSSL does not provide ABI compatibility between different versions. That means that if you load the unversioned libcrypto.dylib, you may get a version of the library that uses a different ABI than the one you expect. That can lead to bugs like buffer overflows, reading uninitialised memory, or other undefined behaviour. These are sources of security holes and hence things you definitely don't want to happen when using a crypto library.

The solution is to explicitly load either /usr/lib/libcrypto.0.9.7.dylib or /usr/lib/libcrypto.0.9.8.dylib, depending on which version of OpenSSL your (Synapse) interface uses. At first sight, this needs to be fixed in a unit called ssl_openssl_lib.
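
Added example (not part of the original post and not Synapse's own code): one way to apply the advice above, loading only a versioned libcrypto by absolute path and failing closed rather than falling back to the unversioned libcrypto.dylib. The helper names IsVersionedDylib and LoadVersionedLibrary are hypothetical; the candidate paths are the two named in the reply.

```pascal
program LoadVersionedCrypto;
{$mode objfpc}{$H+}
uses SysUtils, dynlibs;

const
  // Constructed candidate list: keep only versions your bindings target.
  CryptoCandidates: array[0..1] of string = (
    '/usr/lib/libcrypto.0.9.8.dylib', '/usr/lib/libcrypto.0.9.7.dylib');

// True only if a version sits between the library name and ".dylib",
// so 'libcrypto.0.9.8.dylib' passes and 'libcrypto.dylib' does not.
function IsVersionedDylib(const Path: string): Boolean;
var
  Stem, Ver: string;
begin
  Stem := ChangeFileExt(ExtractFileName(Path), '');  // drop '.dylib'
  Ver := ExtractFileExt(Stem);                       // '.8', '.35' or ''
  Result := (ExtractFileExt(Path) = '.dylib') and (Length(Ver) > 1)
            and (Ver[2] in ['0'..'9']);
end;

// Hypothetical helper: tries each candidate in order and never falls
// back to an unversioned name. Returns NilHandle if nothing loads.
function LoadVersionedLibrary(const Candidates: array of string;
  out LoadedFrom: string): TLibHandle;
var
  i: Integer;
begin
  Result := NilHandle;
  for i := Low(Candidates) to High(Candidates) do
    if IsVersionedDylib(Candidates[i]) then
    begin
      LoadedFrom := Candidates[i];
      Result := LoadLibrary(LoadedFrom);
      if Result <> NilHandle then Exit;
    end;
  LoadedFrom := '';
end;

var
  H: TLibHandle;
  Src: string;
begin
  H := LoadVersionedLibrary(CryptoCandidates, Src);
  if H = NilHandle then
    Halt(1);  // fail closed: no versioned libcrypto, so no TLS
  WriteLn('Loaded ', Src);
  UnloadLibrary(H);
end.
```

Logging the path that actually loaded (Src here) makes it possible to tell afterwards which library version a given installation is running against.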

Hansaplast

  • Hero Member
  • *****
  • Posts: 585
  • Tweaking4All.com
    • Tweaking4All
Re: Synapse and Catalina SSL causing crash
« Reply #3 on: February 08, 2020, 03:33:22 pm »
You're right, better explained than I did ...


My only concern with that, is that on another Mac, now or in the future, that particular library version may or may not be installed on their system?
So one may have to distribute that exact version of OpenSSL (and all that comes with it) with your application to avoid that?
Whereas the other approach would not only rely on Apple's API.


(please correct me if I'm wrong)

Jonas Maebe

  • Hero Member
  • *****
  • Posts: 704
Re: Synapse and Catalina SSL causing crash
« Reply #4 on: February 08, 2020, 03:42:37 pm »
Quote
You're right, better explained than I did ...
My only concern with that, is that on another Mac, now or in the future, that particular library version may or may not be installed on their system?
So one may have to distribute that exact version of OpenSSL (and all that comes with it) with your application to avoid that?
Whereas the other approach would not only rely on Apple's API.

Apple also merrily deprecates and removes its own APIs from time to time, so that's not really safer in general.

trev

  • Hero Member
  • *****
  • Posts: 665
  • Former Delphi 1-7 and 10.2 User
Re: Synapse and Catalina SSL causing crash
« Reply #5 on: February 08, 2020, 11:33:31 pm »
This is what I use - it works on macOS Mojave and Catalina, FreeBSD, Ubuntu Linux and Windows.

Code: Pascal
{$IFDEF UNIX}
// Needs fphttpclient in the uses clause (plus opensslsockets for HTTPS on FPC 3.2 and later).
function GetMicrochipPage(const URL: string): string;
var
  Client: TFPHttpClient;
  {$IFDEF DARWIN}
  MsgStr: String;
  {$ENDIF}
begin
  Result := '';
  Client := TFPHttpClient.Create(nil);
  try
    try
      Client.AllowRedirect := true;
      Client.AddHeader('User-Agent', 'Mozilla/5.0(compatible; fpweb)');
      Result := Client.Get(URL);
    except
      on E: Exception do
        {$IFDEF DARWIN}
        begin
          MsgStr := 'Retrieval of: ' + URL + LineEnding
                  + 'Failed with error: ' + E.Message + LineEnding
                  + 'HTTP code: ' + IntToStr(Client.ResponseStatusCode);

          ShowAlertSheet(Form1_Main.Handle, 'Alert', MsgStr);
        end;
        {$ENDIF}
        {$IFNDEF DARWIN}
        ShowMessage('Retrieval of: ' + URL + LineEnding
                    + 'Failed with error: ' + E.Message + LineEnding
                    + 'HTTP code: ' + IntToStr(Client.ResponseStatusCode));
        {$ENDIF}
    end;
  finally
    Client.Free;  // always release the client, on success and on failure
  end;
end;
{$ENDIF}

{$IFDEF WINDOWS}
// Need to use Windows WinInet to avoid issue with HTTPS
// needing two OpenSSL DLLs to be provided with application
// if using TFPHttpClient.
// The WinINet API also gets any connection and proxy settings
// set by Internet Explorer. Blessing or curse?
// Needs the WinInet unit in the uses clause.

function GetMicrochipPage(const Url: string): string;
var
  NetHandle: HINTERNET;
  UrlHandle: HINTERNET;
  Buffer: array[0..1023] of Byte;
  BytesRead: dWord;
  StrBuffer: UTF8String;
begin
  Result := '';
  NetHandle := InternetOpen('Mozilla/5.0(compatible; WinInet)', INTERNET_OPEN_TYPE_PRECONFIG, nil, nil, 0);

  // NetHandle valid?
  if Assigned(NetHandle) then
    try
      UrlHandle := InternetOpenUrl(NetHandle, PChar(Url), nil, 0, INTERNET_FLAG_RELOAD, 0);

      // UrlHandle valid?
      if Assigned(UrlHandle) then
        try
          repeat
            // Stop on a failed read so BytesRead is never used uninitialised
            if not InternetReadFile(UrlHandle, @Buffer, SizeOf(Buffer), BytesRead) then
              Break;
            SetString(StrBuffer, PAnsiChar(@Buffer[0]), BytesRead);
            Result := Result + StrBuffer;
          until BytesRead = 0;
        finally
          InternetCloseHandle(UrlHandle);
        end
      // o/w UrlHandle invalid
      else
        ShowMessage('Cannot open URL: ' + Url);
    finally
      InternetCloseHandle(NetHandle);
    end
  // NetHandle invalid
  else
    raise Exception.Create('Unable to initialize WinInet');
end;
{$ENDIF}

Note: I'm using FPC 3.3.1 (trunk).
o Lazarus v2.1.0 r63233, FPC v3.3.1 r45525, macOS 10.14.6 (with sup update), Xcode 11.3.1
o Lazarus v2.1.0 r61574, FPC v3.3.1 r42318, FreeBSD 12.1 (Parallels VM)
o FPC 3.0.4, FreeBSD 12-STABLE r358002
o Lazarus v2.1.0 r61574, FPC v3.0.4, Ubuntu 18.04 (Parallels VM)

MISV

  • Hero Member
  • *****
  • Posts: 683
Re: Synapse and Catalina SSL causing crash
« Reply #6 on: February 18, 2020, 12:03:09 pm »
Indy and the OpenSSL/LibreSSL libs included in macOS generally work for me.

MISV

  • Hero Member
  • *****
  • Posts: 683
Re: Synapse and Catalina SSL causing crash
« Reply #7 on: February 18, 2020, 12:04:32 pm »
Quote
The solution is to explicitly load either /usr/lib/libcrypto.0.9.7.dylib or /usr/lib/libcrypto.0.9.8.dylib, depending on which version of OpenSSL your (Synapse) interface uses. At first sight, this needs to be fixed in a unit called ssl_openssl_lib.

These are too old with regards to TLS support for many websites in my experience. But macOS has newer OpenSSL/LibreSSL which I believe works OK (at least with Indy).

Thaddy

  • Hero Member
  • *****
  • Posts: 10110
Re: Synapse and Catalina SSL causing crash
« Reply #8 on: February 18, 2020, 01:11:20 pm »
It also works on OSX, any version, as long as TLS 1.2 is *specifically* specified.
Modern browsers ignore anything less.
You can also try fcl-web. That is more resilient than Synapse (and IMHO now much better).
I am more like donkey than shrek

esvignolo

  • Full Member
  • ***
  • Posts: 157
  • Using FPC in Windows, Linux, Macos
Re: Synapse and Catalina SSL causing crash
« Reply #9 on: February 18, 2020, 04:15:12 pm »
Quote
Indy and the OpenSSL/LibreSSL libs included in macOS generally work for me.

Hi MISV, do you have a link to download the OpenSSL binaries?

Thanks!

MISV

  • Hero Member
  • *****
  • Posts: 683
Re: Synapse and Catalina SSL causing crash
« Reply #10 on: February 18, 2020, 06:14:37 pm »
You probably already have LibreSSL installed on your macOS system (and those versions overall seem compatible with regards to HTTPS usage. Newer versions of LibreSSL may differ).

https://github.com/IndySockets/Indy/issues/231#issuecomment-566542370

(0.9.7 / 0.9.8 will not work for many websites.) 
« Last Edit: February 19, 2020, 01:44:44 am by MISV »

Thaddy

  • Hero Member
  • *****
  • Posts: 10110
Re: Synapse and Catalina SSL causing crash
« Reply #11 on: February 18, 2020, 06:20:11 pm »
The latter doesn't mean too much for OSX, as long as you specify TLS 1.2 (although I just could connect with 1.1, which is also legacy, on my Apple iMac).
Old code with e.g. SSL2 or SSL3 or TLS 1.0 simply will not work. There is a reason for that...
If your code tries to use older encryption, you could have known that it will be refused and your code obviously does not handle that.
That is your fault, not the library. We have try except for that. And NEVER use deprecated protocols anywhere when it concerns encryption.
« Last Edit: February 18, 2020, 09:15:27 pm by Thaddy »
I am more like donkey than shrek

esvignolo

  • Full Member
  • ***
  • Posts: 157
  • Using FPC in Windows, Linux, Macos
Re: Synapse and Catalina SSL causing crash
« Reply #12 on: February 18, 2020, 10:22:50 pm »
Quote
You probably already have LibreSSL installed on your macOS system (and those versions overall seem compatible with regards to HTTPS usage. Newer versions of LibreSSL may differ).
https://github.com/IndySockets/Indy/issues/231#issuecomment-566542370

The problem is that fphttp is not working with HTTPS in trunk. I think maybe if I put the dylib in the binary directory it may work.

Thaddy

  • Hero Member
  • *****
  • Posts: 10110
Re: Synapse and Catalina SSL causing crash
« Reply #13 on: February 18, 2020, 10:34:45 pm »
I only test with FPC trunk or 3.20, do you mean Lazarus trunk 2.10?
FPC trunk works (although there are some general issues as is known)
I am more like donkey than shrek

MISV

  • Hero Member
  • *****
  • Posts: 683
Re: Synapse and Catalina SSL causing crash
« Reply #14 on: February 19, 2020, 10:16:24 am »
Quote
You probably already have LibreSSL installed on your macOS system (and those versions overall seem compatible with regards to HTTPS usage. Newer versions of LibreSSL may differ).
https://github.com/IndySockets/Indy/issues/231#issuecomment-566542370
The problem is that fphttp is not working with HTTPS in trunk. I think maybe if I put the dylib in the binary directory it may work.

Just dug up some comments I made in my source code concerning Mac LibreSSL fork of OpenSSL which appears compatible:

LibreSSL 2.2.7 - in /usr/lib 0.35
LibreSSL 2.8.3 - in /usr/lib 0.44

seems to work OK (but no guarantees)

On Windows you can find .dll files at
https://indy.fulgan.com/SSL/


 
