
Author Topic: [SOLVED] Dreaded 443 Error  (Read 533 times)

lar

[SOLVED] Dreaded 443 Error
« on: May 22, 2025, 06:23:45 pm »
I'm trying to execute an HTTP GET request to an https URL, first using TFPHTTPClient and then the Indy components (I'm on Windows 10 / Lazarus 3.2 / FPC 3.2.2, version 1.0.2u of the SSL DLLs). In both cases the request fails with a 443 code. The status messages from the Indy code are as follows:
Code: Text
  before/connect initialization
  before/connect initialization
  SSLv2/v3 write client hello A
  handshake failure
  SSLv2/v3 read server hello A
  Error: Error connecting with SSL.
  error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I believe this indicates there is a TLS/SSL issue.

When I run the URL through cURL, the retrieval is successful with the following line of cURL output appearing:
Code: Text
  Server: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2
Does that mean that the server I'm trying to connect to is using v3.2 of OpenSSL while TFPHTTPClient and Indy only support an earlier version, and I'm therefore out of luck in trying to use those packages?
« Last Edit: May 25, 2025, 03:42:06 pm by lar »

Thaddy

Re: Dreaded 443 Error
« Reply #1 on: May 22, 2025, 07:00:08 pm »
Your OpenSSL version is too old. You need a version that supports TLS 1.2 as a MINIMUM. (Which is what is indicated by the server, so your client is not up to date.)

Basically your analysis is otherwise correct.
« Last Edit: May 22, 2025, 07:09:15 pm by Thaddy »
Due to censorship, I changed this to "Nelly the Elephant". Keeps the message clear.

lar

Re: Dreaded 443 Error
« Reply #2 on: May 25, 2025, 03:41:39 pm »
The OpenSSL version I was using with both TFPHTTPClient and Indy (OPM version) to connect to an https server was 1.0.2, which supports TLS 1.0 through 1.2. The server, however, uses TLS 1.3 and requires OpenSSL 3, which is not supported by the aforementioned libraries. I found that Synapse 40.1 does support OpenSSL 3. After installing the OpenSSL 3 libraries (libssl-3-x64.dll and libcrypto-3-x64.dll), I was able to successfully make my HTTP connection using Synapse.

Thaddy

Re: [SOLVED] Dreaded 443 Error
« Reply #3 on: May 25, 2025, 04:14:44 pm »
OpenSSL on its own has very little to do with that. The server simply gives you the minimum supported TLS version if you want to connect. That is called a handshake. BTW, the OpenSSL 1.1.1.x version (which is long time support) also supports TLS 1.3. Furthermore, OpenSSL 3 can also be used with the trunk version of fcl-net/fcl-web (and will probably be, or already is, back-ported to 3.2.3/4 because it is a real security concern).
OpenSSL as such is not even a requirement: there are a lot more crypto libraries that support TLS 1.3 or higher, like Windows bcrypt together with their usual networking APIs. And these also work with FPC.

« Last Edit: May 25, 2025, 04:26:25 pm by Thaddy »
Due to censorship, I changed this to "Nelly the Elephant". Keeps the message clear.
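
The error line in the first post can be decoded field by field. This is an added example, not code from any of the posters or from FPC, Indy or Synapse; it assumes the error-code packing used by OpenSSL 1.0.x/1.1.x (8-bit library, 12-bit function, 12-bit reason), and the second sample line is a constructed comparison, not from the thread.

```python
import re

# Assumption: OpenSSL 1.0.x/1.1.x packing. OpenSSL 3 packs error codes differently.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this carry a TLS alert number

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446 numbering).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 112: "unrecognized_name",
}

ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Split an OpenSSL 1.0.x error line into lib/func/reason and any TLS alert."""
    m = ERR_LINE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    info = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "func_name": m.group(3),
        "text": m.group(4).strip(),
        "alert": None,
        "alert_name": None,
    }
    # An SSL-library reason above the offset means the handshake was ended
    # by a TLS alert record, and the remainder is the alert number.
    if info["lib"] == ERR_LIB_SSL and info["reason"] > SSL_AD_REASON_OFFSET:
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
        info["alert_name"] = TLS_ALERTS.get(info["alert"], "unknown")
    return info


if __name__ == "__main__":
    samples = [
        # From the first post in this thread.
        "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
        # Constructed comparison: an error raised locally, with no alert involved.
        "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    ]
    for s in samples:
        print(decode_openssl_error(s))
```

For the thread's error this yields library 20 (SSL), reason 1040, alert 40 (handshake_failure): the client received a fatal alert in reply to its ClientHello.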

 
