
Author Topic: Cannot connect to https://api.1nce.com using TFPHTTPClient  (Read 10294 times)

trev

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 2020
  • Former Delphi 1-7, 10.2 user
Re: Cannot connect to https://api.1nce.com using TFPHTTPClient
« Reply #30 on: August 13, 2020, 01:11:08 am »
> @Trev: which units must the uses clause contain?

I've included the relevant details below.

Code: Pascal
  unit Unit1;

  {$mode objfpc}{$H+}
  {$modeswitch objectivec1}
  {$linkframework foundation}

  interface

  uses
    Classes, SysUtils, Forms, Controls, Graphics, Dialogs, StdCtrls, fphttpclient, OpenSSLSockets, CocoaAll, CocoaUtils;
  [...]

Don't forget you need to edit .../packages/cocoaint/src/foundation/NSString.inc as noted in my earlier post and then recompile FPC 3.2.0. I use the following script to recompile:

Code: Text
  #!/bin/sh
  make clean all FPC=/usr/local/lib/fpc/3.2.0/ppcx64 OS_TARGET=darwin CPU_TARGET=x86_64 OPT="-XR/Library/Developer/CommandLineTools//SDKs/MacOSX.sdk/"
  make install FPC=/usr/local/lib/fpc/3.2.0/ppcx64 OS_TARGET=darwin CPU_TARGET=x86_64

trev

« Reply #31 on: August 13, 2020, 01:38:24 am »
> According to the SSL Server Test even OpenSSL 1.0.1l can connect.

wittbo's problematic website is www.ariva.de (not api.1nce.com). That website only accepts TLSv1.2 and TLSv1.3 protocols.

The SSL libraries on macOS 10.14.6 are not OpenSSL but LibreSSL. The default unversioned /usr/lib/libssl.dylib is linked to /usr/lib/libssl.35.dylib (LibreSSL v2.2.7). There's also /usr/lib/libssl.43.dylib (LibreSSL v2.5.5) and /usr/lib/libssl.44.dylib (LibreSSL v2.6.5).

My protocol tests indicate that FPC 3.2.0/3.3.1 fails to connect to websites that only accept TLSv1.2 or above whereas FPC 3.0.4 does connect to websites that only accept TLSv1.2 and above. I'm not sure how much clearer I can make it.

wittbo

  • Full Member
  • ***
  • Posts: 150
« Reply #32 on: August 13, 2020, 11:54:54 am »
@Trev:
Just tested your solution for macOS (s.a.), edited the NSString.inc file; when updating the compiler, there are the following error messages:
make: *** No rule to make target `clean'.  Stop.
make: *** No rule to make target `install'.  Stop.
-wittbo-
MBAir with MacOS 10.14.6 / Lazarus 2.2.4
MacStudio with MacOS 13.0.1 / Lazarus 2.2.4

trev

« Reply #33 on: August 13, 2020, 03:00:21 pm »
You are doing this from the directory in which your FPC source is?
You will almost certainly need to use sudo as well.

wittbo

« Reply #34 on: August 13, 2020, 03:49:36 pm »
Sorry, Trev, I'm not very experienced in such operations; in fact I did it for the first time.

I did not change the path after having edited NSString.inc. That was it.
Being back to /usr/local/share/fpcsrc/3.2.0 everything was running perfectly.

Thank you very much for your help. Now I have a workaround for fpc 3.2.0 for MacOS, it's OK for me. Nevertheless I will open a bug report.
-wittbo-

trev

« Reply #35 on: August 13, 2020, 04:12:26 pm »
You're welcome!

Bi0T1N

  • Jr. Member
  • **
  • Posts: 85
« Reply #36 on: August 13, 2020, 09:12:01 pm »
> > According to the SSL Server Test even OpenSSL 1.0.1l can connect.
>
> wittbo's problematic website is www.ariva.de (not api.1nce.com). That website only accepts TLSv1.2 and TLSv1.3 protocols.

The first post uses the link I've used. However, both support TLSv1.2 and TLSv1.3 only.

> > According to the SSL Server Test even OpenSSL 1.0.1l can connect.
>
> The SSL libraries on macOS 10.14.6 are not OpenSSL but LibreSSL. The default unversioned /usr/lib/libssl.dylib is linked to /usr/lib/libssl.35.dylib (LibreSSL v2.2.7). There's also /usr/lib/libssl.43.dylib (LibreSSL v2.5.5) and /usr/lib/libssl.44.dylib (LibreSSL v2.6.5).
>
> My protocol tests indicate that FPC 3.2.0/3.3.1 fails to connect to websites that only accept TLSv1.2 or above whereas FPC 3.0.4 does connect to websites that only accept TLSv1.2 and above. I'm not sure how much clearer I can make it.

According to this it's no longer allowed to load the unversioned one but I also don't know which one is loaded then as the DLLVersions array doesn't contain any of your numbers.
So it would be good to add the code I've posted above to see which version really gets loaded - maybe an ancient version which doesn't support TLS1.2 or higher.

trev

« Reply #37 on: August 14, 2020, 03:39:00 am »
@Bi0T1N

FPC 3.2.0 reports using OpenSSL 0.9.8zh 14 January 2016

FPC 3.0.4 reports using LibreSSL 2.2.7 (the default unversioned /usr/lib/libssl.dylib or /usr/lib/libssl.35.dylib).

I found /usr/lib/libssl.0.9.7.dylib and /usr/lib/libssl.0.9.8.dylib which I somehow inexplicably missed the first time.

trev

« Reply #38 on: August 14, 2020, 03:54:52 am »
Reverting the "fix" for Bug ID 36484 fixes the issue on FPC 3.2.0.

Updated Bug ID 36484.
« Last Edit: August 14, 2020, 04:03:06 am by trev »

trev

« Reply #39 on: August 14, 2020, 11:06:48 am »
A better solution than reverting the original fix (tested on trunk):

Code: Pascal
  1. --- openssl.pas (revision 45778)
  2. +++ openssl.pas (working copy)
  3. @@ -111,7 +111,7 @@
  4.    { ADD NEW ONES WHEN THEY APPEAR!
  5.      Always make .so/dylib first, then versions, in descending order!
  6.      Add "." .before the version, first is always just "" }
  7. -  DLLVersions: array[1..19] of string = ('', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
  8. +  DLLVersions: array[1..26] of string = ('', '.48', '.47', '.46', '.45', '.44', '.43', '.35', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
  9.                                          '.1.0.2', '.1.0.1','.1.0.0','.0.9.8',
  10.                                          '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
  11.                                          '.0.9.3', '.0.9.2', '.0.9.1');
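
Review bot: The unchanged tail of the list, '.0.9.8' down to '.0.9.1', stays in place as a fallback behind the new '.48' to '.35' entries, so on a system that has none of the newer libraries the loader still settles silently on a 0.9.x library. Consider dropping or gating those entries, or at least logging which suffix was actually loaded. The comment above the array also gives no hint that the added two-digit suffixes follow a different numbering from the dotted ones; one line saying where they come from would help whoever next has to "ADD NEW ONES". The bound 1..26 does match the 26 entries.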

trev

« Reply #40 on: August 15, 2020, 10:36:14 am »
Updated because (at least on macOS) the libssl and libcrypto version numbers are out of sync:

Code: Pascal
  1. --- openssl.pas (revision 45778)
  2. +++ openssl.pas (working copy)
  3. @@ -111,7 +111,7 @@
  4.    { ADD NEW ONES WHEN THEY APPEAR!
  5.      Always make .so/dylib first, then versions, in descending order!
  6.      Add "." .before the version, first is always just "" }
  7. -  DLLVersions: array[1..19] of string = ('', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
  8. +  DLLVersions: array[1..29] of string = ('', '.48', '.47', '.46', '.45', '.44', '.43', '.42', '.41',
  9.                                             '.38', '.35', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5',
  10.                                             '.1.0.4', '.1.0.3', '.1.0.2', '.1.0.1', '.1.0.0', '.0.9.8',
  11.                                             '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4', '.0.9.3', '.0.9.2',
  12.                                             '.0.9.1');
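
Review bot: The four lines after the '+' line carry no '+' marker, so they read as unchanged context, yet they differ from the continuation lines that the same revision 45778 shows in the earlier patch ('.1.0.2', '.1.0.1','.1.0.0','.0.9.8', and so on), and the hunk now has eight new-side lines under a header that still says "+111,7". As posted it will not apply: the old continuation lines need '-' entries, the new ones '+', and the header counts need updating. The bound 1..29 matches the 29 entries listed.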

>> EDIT <<

This is no longer a good idea in light of further information - please see the Wiki article OpenSSL, LibreSSL, Secure Transport, Network Framework for why. 
« Last Edit: March 07, 2021, 10:59:32 pm by trev »
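
Added example (not part of any post in this thread, and not FPC's code): a Python model of a first-match search over DLLVersions, using the two lists from the patches above and the libssl file names trev lists for macOS 10.14.6. The function names, the skip_unversioned switch and the sample directory are assumptions made for illustration.

```python
import os
import tempfile

# Suffix lists copied from the patches in this thread (old: Reply #39, new: Reply #40).
OLD_VERSIONS = ['', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5', '.1.0.4', '.1.0.3',
                '.1.0.2', '.1.0.1', '.1.0.0', '.0.9.8',
                '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4',
                '.0.9.3', '.0.9.2', '.0.9.1']
NEW_VERSIONS = ['', '.48', '.47', '.46', '.45', '.44', '.43', '.42', '.41',
                '.38', '.35', '.1.1', '.11', '.10', '.1.0.6', '.1.0.5',
                '.1.0.4', '.1.0.3', '.1.0.2', '.1.0.1', '.1.0.0', '.0.9.8',
                '.0.9.7', '.0.9.6', '.0.9.5', '.0.9.4', '.0.9.3', '.0.9.2',
                '.0.9.1']
# Constructed sample: the libssl names trev reports finding in /usr/lib.
SAMPLE_FILES = ['libssl.dylib', 'libssl.35.dylib', 'libssl.43.dylib',
                'libssl.44.dylib', 'libssl.0.9.7.dylib', 'libssl.0.9.8.dylib']

def first_match(lib_dir, versions, skip_unversioned=True):
    """Return (file name, suffix) of the first candidate present, else None."""
    for suffix in versions:
        # Assumption: True models a loader that refuses the unversioned dylib.
        if suffix == '' and skip_unversioned:
            continue
        name = 'libssl' + suffix + '.dylib'
        if os.path.exists(os.path.join(lib_dir, name)):
            return name, suffix
    return None

def predates_tls12(suffix):
    """True for OpenSSL 0.9.x and 1.0.0 suffixes (TLS 1.2 arrived in 1.0.1)."""
    return suffix.startswith('.0.9.') or suffix == '.1.0.0'

def make_sample_dir():
    """Create a temp directory of empty files named as in SAMPLE_FILES."""
    lib_dir = tempfile.mkdtemp()
    for name in SAMPLE_FILES:
        open(os.path.join(lib_dir, name), 'w').close()
    return lib_dir

if __name__ == '__main__':
    d = make_sample_dir()
    for label, versions in (('old', OLD_VERSIONS), ('new', NEW_VERSIONS)):
        name, suffix = first_match(d, versions)
        print(label, name, 'predates TLS 1.2' if predates_tls12(suffix) else 'ok')
```

With the unversioned name skipped, the old list lands on libssl.0.9.8.dylib, in line with the OpenSSL 0.9.8zh that Reply #37 reports for FPC 3.2.0, while the patched list reaches libssl.44.dylib first.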

wittbo

« Reply #41 on: August 15, 2020, 11:59:02 am »
Would it work, if I modify openssl.pas on my mac (laz 2.0.10/ fpc 3.2.0) as you described?
Or has something more to be done? Recompile the compiler, ...?
-wittbo-

trev

« Reply #42 on: August 15, 2020, 12:36:19 pm »
You need to make the patch as described and then recompile FPC (like you did before). Should work fine with FPC 3.2.0.

wittbo

« Reply #43 on: August 16, 2020, 09:53:53 am »
Perfect. It's working as desired. Laz 2.0.10, fpc 3.2.0  MacOS Mojave
Thanks for help.
-wittbo-

trev

« Reply #44 on: August 16, 2020, 09:58:28 am »
Happy to have helped :)

 
