Reputation: 4827
ssl v3 poodle and move to tls with indy
As you know the new poodle is in town, Witch barks got Twitter, Cloudflare to drop support to SSL3.
The Indy(TidHttp) 10.6.0.0 revives this nice exception:
EidOsslUnerlayingCryptoError message 'Error connecting with SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
My question is what is the definition required to handle TLS?
update: here is a code that throw the exception: full working code.
var
parameters:TStringList;
keySecretBase64:string;
stream:TStringStream;
IdEncoderMIME1 : TIdEncoderMIME;
idHttp1 : TIdHTTP;
IdSSLIOHandlerSocketOpenSSL1:TIdSSLIOHandlerSocketOpenSSL;//assume on Form
begin
stream:=TStringStream.create;
parameters:=TStringList.Create;
IdEncoderMIME1 := TIdEncoderMIME.Create(nil);
idHttp1 := TIdHTTP.Create(nil);
IdSSLIOHandlerSocketOpenSSL1:=TIdSSLIOHandlerSocketOpenSSL.Create(nil);
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
with IdSSLIOHandlerSocketOpenSSL1 do begin
SSLOptions.Method := sslvSSLv3;
SSLOptions.Mode := sslmUnassigned;
SSLOptions.VerifyMode := [];
SSLOptions.VerifyDepth := 2;
end;
with idHttp1 do begin
IOHandler := IdSSLIOHandlerSocketOpenSSL1;
ReadTimeout := 0;
AllowCookies := True;
ProxyParams.BasicAuthentication := False;
ProxyParams.ProxyPort := 0;
Request.ContentLength := -1;
Request.ContentRangeEnd := 0;
Request.ContentRangeStart := 0;
Request.ContentType := 'application/x-www-form-urlencoded';
Request.Accept := 'text/html, */*';
Request.BasicAuthentication := False;
Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
HTTPOptions := [hoForceEncodeParams];
end;
parameters.Clear;
idHttp1.Request.CustomHeaders.Clear;
IdEncoderMIME1.FillChar:='=';
try
keySecretBase64 := TIdEncoderMIME.EncodeString(key+ ':' + secret, IndyTextEncoding_UTF8);// this is twitter provided key and secret
parameters.Add('grant_type=client_credentials');
idHttp1.Request.CustomHeaders.AddValue('Authorization','Basic '+keySecretBase64);
idHttp1.post(URL,parameters,stream);
finally
stream.Free;
parameters.Free;
parameters.Free;
IdSSLIOHandlerSocketOpenSSL1.Free;
end;
end;
Upvotes: 4
Views: 5483
Answers (2)
Reputation: 36654
Your code selects TLS 1.2 in the SSLOptions property Method:
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
However, two lines later this value is overwritten with SSL 3:
with IdSSLIOHandlerSocketOpenSSL1 do begin
SSLOptions.Method := sslvSSLv3;
...
end;
So the client will not connect with the newer TLS 1.2 protocol but with SSL 3, which is no longer supported by the server.
This explains the error message, which says that the SSL 3 handshake (which the client tried) failed:
SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'
If you remove the second assignment, the IdHTTP client will use TLS 1.2 for the connect.
Upvotes: 3
Reputation: 96
SSL2, SSL3 and TLS1.0 are all vulnerable for man-in-th-middle attacks. You should use TLS 1.1 and upper for secure connection. Unfortunately, Indy 9 does not support TLS 1.1 and upper.
This answer reports that there is an option TLSv1_2 for TLS 1.2 in Indy 10, but it is not presented in Indy 10 online documentation.
Upvotes: 1
Related Questions
- TLSv1_1 and TLSv1_2 upgrade for Indy with Delphi XE2
- Dynamically making indy use TLSv1.2
- Error connecting with SSL using Indy and Delphi 10
- I can not fix error routines:SSL3_GET_RECORD:wrong version number
- indy ssl delphi server
- Indy 10 and sslvTLSv1_2
- Delphi w Indy 10: Unable to connect via TLS 1.2 w SSL "Best Practices" in place on web server
- Indy 9 with Delphi: How to enable TLS 1.0?
- Indy 10 and OpenSSL
- Delphi and Indy with SSL