Delphi - TIdHTTP: weird SSLv3_READ_BYTES error (with directly set up TLSv1_2 connection)
Simple code:
procedure TForm1.Button1Click(Sender: TObject);
var
  h: TIdHTTP;
  ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  h := TIdHTTP.Create(nil);
  try
    ssl := TIdSSLIOHandlerSocketOpenSSL.Create(h);
    h.IOHandler := ssl;
    ssl.SSLOptions.Method := sslvTLSv1_2;
    ssl.SSLOptions.SSLVersions := [sslvTLSv1_2]; // must be set automatically after setting Method, surely
    h.Get('https://www.deviantart.com/users/login');
  finally
    h.Free;
  end;
end;
That simple code gives me this error:
Error connecting with SSL.
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
I use Delphi XE3 and the OpenSSL 1.0.2b libs. I can't figure it out. Looking at the sources, there are lines in the connection initiation that disable the versions that are not used:
if not (sslvSSLv2 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv2);
end;
if not (sslvSSLv3 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv3);
end;
if not (sslvTLSv1 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1);
end;
But SSLv3 operations are still getting in somehow. Isn't this the component's bug? Is it library-internal, or does Indy not take it into account when setting the parameters?
Or is it me, and I didn't notice something important? I hope I don't need to go through the hell named "Indy components update".
Test on (tried all methods, including TLS 1.2) https://www.deviantart.com/users/login
resolving hostname www.deviantart.com.
connecting 54.230.96.81.
handshake start: before/connect initialization
connect loop: before/connect initialization
connect loop: sslv3 write client hello
fatal read alert: handshake failure
connect failed: sslv3 read server hello
error: error connecting ssl.
error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure
- for SSL3 and TLS1/1.1/1.2 the result is identical;
- for SSLv23 it answers ssl23_get_server_hello:sslv3 alert handshake failure;
- for SSLv2 it doesn't answer.
Test on a similar resource (TLS 1.2 only) https://files.yande.re/image/da9afa6d9ca43a9f154fad69f76adb85.jpg
resolving hostname files.yande.re.
connecting 5.39.10.56.
handshake start: before/connect initialization
connect loop: before/connect initialization
connect loop: sslv3 write client hello
connect loop: sslv3 read server hello
connect loop: sslv3 read server certificate
connect loop: sslv3 read server key exchange
connect loop: sslv3 read server done
connect loop: sslv3 write client key exchange
connect loop: sslv3 write change cipher spec
connect loop: sslv3 write finished
connect loop: sslv3 flush data
connect loop: sslv3 read server session ticket
connect loop: sslv3 read finished
handshake done: ssl negotiation finished
connect exit: ssl negotiation finished
My Wireshark tests:
- Indy: http://imgur.com/bz84cl3 (response: handshake failure);
- Firefox: http://imgur.com/pkyjvno;
- response to the Firefox request: http://imgur.com/m9ni3tv.
An alert handshake failure means the initial handshake is failing on the server side, and it sends an alert to notify the client before closing the connection. You did not set up a compatible certificate or cipher suite that the server is expecting. Or maybe the server does not support TLS 1.2. Try using TLS 1.0 or TLS 1.1 instead. Also, you can try using OpenSSL's own s_client
tool to debug the connection problems until you figure out the correct settings, and then apply them to Indy as needed. Or, use Wireshark to look at the actual handshake and see at which stage it is failing.
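As an added example (Python; not code from the question, the answer, or Indy), the following parses the status traces quoted in the question and reports at which handshake stage the connection stopped and whether the server sent an alert. It assumes the line prefixes visible in those traces ("connect loop:", "fatal read alert:", "connect failed:", "handshake done:") and treats the two traces, copied from the question, as constructed sample input. It also makes one point explicit: OpenSSL 1.0.x uses the same "SSLv3 ..." state names and the same ssl3_read_bytes / "sslv3 alert" error strings for TLS 1.0 through 1.2, so the "SSLv3" wording in the error is not evidence that SSLv3 was negotiated; the parser strips that label.

```python
"""Locate where an Indy/OpenSSL handshake trace stopped.

Added example, not code from the question or from Indy. The trace format is
assumed from the status lines quoted in the question.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two status traces quoted in the question,
# one status message per line.
FAILING_TRACE = """\
resolving hostname www.deviantart.com.
connecting 54.230.96.81.
handshake start: before/connect initialization
connect loop: before/connect initialization
connect loop: sslv3 write client hello
fatal read alert: handshake failure
connect failed: sslv3 read server hello
error: error connecting ssl.
error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure
"""

SUCCESS_TRACE = """\
resolving hostname files.yande.re.
connecting 5.39.10.56.
handshake start: before/connect initialization
connect loop: before/connect initialization
connect loop: sslv3 write client hello
connect loop: sslv3 read server hello
connect loop: sslv3 read server certificate
connect loop: sslv3 read server key exchange
connect loop: sslv3 read server done
connect loop: sslv3 write client key exchange
connect loop: sslv3 write change cipher spec
connect loop: sslv3 write finished
connect loop: sslv3 flush data
connect loop: sslv3 read server session ticket
connect loop: sslv3 read finished
handshake done: ssl negotiation finished
connect exit: ssl negotiation finished
"""

# OpenSSL 1.0.x prefixes every TLS handshake state with "SSLv3", whatever
# version was negotiated, so the label carries no version information.
_PROTO_PREFIX = re.compile(r"^(sslv[23]|tlsv1(?:\.[0-9])?)\s+", re.IGNORECASE)


def _strip_protocol_label(stage: str) -> str:
    return _PROTO_PREFIX.sub("", stage.strip())


@dataclass
class HandshakeSummary:
    stages: List[str] = field(default_factory=list)  # stages reached, in order
    alert_from_server: Optional[str] = None          # "fatal read alert: ..."
    alert_from_client: Optional[str] = None          # "fatal write alert: ..."
    failed_at: Optional[str] = None                  # stage named in "connect failed:"
    openssl_error: Optional[str] = None              # "error:<hex>:..." line
    completed: bool = False

    def diagnosis(self) -> str:
        if self.completed:
            return "handshake completed; last stage '%s'" % self.stages[-1]
        last = self.stages[-1] if self.stages else "unknown"
        if self.alert_from_server and last == "write client hello":
            return ("server answered the ClientHello with a fatal '%s' alert and never "
                    "sent a ServerHello: it rejected what the client offered (protocol "
                    "version, cipher suites, or extensions such as the SNI host name); "
                    "the server certificate was never reached" % self.alert_from_server)
        if self.alert_from_server:
            return "server sent a fatal '%s' alert after stage '%s'" % (self.alert_from_server, last)
        if self.failed_at:
            return "connection failed at stage '%s' without a TLS alert" % self.failed_at
        return "trace incomplete"


def parse_handshake_trace(trace: str) -> HandshakeSummary:
    """Walk the status lines and record stages, alerts and the failure point."""
    summary = HandshakeSummary()
    for raw in trace.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        rest = line.split(":", 1)[1] if ":" in line else ""
        if line.startswith("connect loop:"):
            summary.stages.append(_strip_protocol_label(rest))
        elif line.startswith("fatal read alert:"):
            summary.alert_from_server = rest.strip()
        elif line.startswith("fatal write alert:"):
            summary.alert_from_client = rest.strip()
        elif line.startswith("connect failed:"):
            summary.failed_at = _strip_protocol_label(rest)
        elif line.startswith("handshake done:"):
            summary.completed = True
        elif re.match(r"error:[0-9a-f]+:", line):
            summary.openssl_error = line
    return summary


if __name__ == "__main__":
    for name, trace in (("deviantart", FAILING_TRACE), ("yande.re", SUCCESS_TRACE)):
        print(name, "->", parse_handshake_trace(trace).diagnosis())
```

A fatal alert read immediately after "write client hello", with the failure reported at "read server hello", means the server refused the ClientHello itself and never presented a certificate, which narrows the search to what the client offered rather than to certificate validation. The numeric code in the last line can be decoded with `openssl errstr 14094410`.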