
is it possible for indy10 https to work on port not 443?


Thaddy:
When I use localhost (instead of a qualified IP) the debugger stops. Tested on a RPi3 /trunk/trunk both from today.

Michael Collier:
Good to know it works, thanks :)

I just tried localhost but no luck..

I dug deeper into OpenSSL..

Executed this on RPI3

--- Code: Pascal ---
openssl s_client -connect localhost:9443 -msg
--- End code ---
Got this output, note "wrong version number":

--- Code: Pascal ---
1996326384:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
--- End code ---
Also, from firefox browser, got this message: ssl_error_rx_record_too_long

Thaddy:
Why SSL 3? It is insecure and deprecated. Use TLS 1.1 at a minimum! The browser is right. All modern browsers won't allow SSL 3 / TLS 1.0.
Did you select SSL 3 yourself? Or did the fall-back inside the Pascal code do that?

Michael Collier:
I'm not sure why it refers to SSL3, here are the settings I use (I've tried loads of variations)


--- Code: Pascal ---
    HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    HTTPIOHandler.SSLOptions.Method := sslvTLSv1_2;
--- End code ---
I'm not sure why openssl said ssl3_get_record? I noticed further down it says:
    Protocol  : TLSv1.2
Here is a more complete message:


--- Code: Pascal ---
1995470320:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1566333269
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
--- End code ---

Remy Lebeau:

--- Quote from: Michael Collier on August 20, 2019, 10:42:57 am ---But when I try binding different port numbers my browser won't connect.

--- End quote ---

Are you specifying the alternate port number in the URL you give the browser? Eg: "https://host:port/"


--- Quote from: Michael Collier on August 20, 2019, 10:42:57 am ---I don't get any errors when running in the debugger.. If I remove HTTPS and just use HTTP then my browser will connect so it seems that things are running under the hood.

--- End quote ---

Indy servers, and particularly TIdHTTPServer, handle non-standard ports just fine.  So if you are having a problem, especially when standard ports work fine, it is likely something outside of Indy.


--- Quote from: Michael Collier on August 20, 2019, 10:42:57 am ---I'm not sure if I'm doing something wrong in my code

--- End quote ---

What you have shown looks fine to me.


--- Quote from: Michael Collier on August 20, 2019, 10:42:57 am ---or if I need to do something different when creating certificates?

--- End quote ---

I wouldn't know.


--- Quote from: Michael Collier on August 20, 2019, 10:44:14 pm ---I'm not sure why it refers to SSL3, here are the settings I use (I've tried loads of variations)


--- Code: Pascal ---
    HTTPIOHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    HTTPIOHandler.SSLOptions.Method := sslvTLSv1_2;
--- End code ---
--- End quote ---

You should NOT be using the SSLVersions and Method properties together like that.  The two properties are mutually exclusive: setting one updates the other, so setting the Method property to sslvTLSv1_2 discards sslvTLSv1 and sslvTLSv1_1 from the SSLVersions.  So, in the above case, your server will only talk with TLS 1.2 and nothing else.

Use ONE OR THE OTHER, not BOTH.  In fact, it is best to just ignore the Method property altogether, pretend it does not exist.  It is an old property that needs to be deprecated and removed.  Just use the SSLVersions property only.


--- Quote from: Michael Collier on August 20, 2019, 10:44:14 pm ---I'm not sure why openssl said ssl3_get_record?

--- End quote ---

Because TLS 1.x is an extension of SSL 3.0, and internally OpenSSL implements TLS using SSL3 APIs.
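
Added example, not part of the thread and not Indy or OpenSSL code: s_client above stopped after reading 5 bytes, which is the size of one TLS record header, so this sketch parses such a header and applies simplified versions of the checks behind "wrong version number" and Firefox's ssl_error_rx_record_too_long. The function name and the sample byte strings are constructed for illustration; the page does not show what the server actually sent.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record TLS 1.2 allows


def classify_record_header(first5: bytes) -> dict:
    """Parse type(1) | version(2) | length(2) and list what fails to validate."""
    if len(first5) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", first5[:5])
    problems = []
    if major != 3:  # SSL 3.0 and every TLS version use major version 3
        problems.append("wrong version number")
    if ctype not in CONTENT_TYPES:
        problems.append("unknown content type")
    if length > MAX_RECORD_LEN:
        problems.append("record too long")
    return {"type": CONTENT_TYPES.get(ctype, hex(ctype)),
            "version": (major, minor), "length": length, "problems": problems}


# Constructed sample inputs (not captured from the thread's server).
TLS_ALERT_HEADER = bytes.fromhex("1503030002")       # alert, TLS 1.2, 2 bytes
TLS_HANDSHAKE_HEADER = bytes.fromhex("160303004a")   # handshake, TLS 1.2
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\n"    # a non-TLS answer

if __name__ == "__main__":
    for name, data in [("alert", TLS_ALERT_HEADER),
                       ("handshake", TLS_HANDSHAKE_HEADER),
                       ("plaintext", PLAINTEXT_REPLY)]:
        print(name, classify_record_header(data))
```

Both valid headers carry major version 3 even for TLS 1.2, which matches the explanation that TLS is handled by the SSL3 record code; bytes that start with ASCII text fail the version check and decode to an oversized length.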
