
Del Murray

  1. Del Murray

    TLS Issues and TLS3 message coming from Indy

    I set up a simple GUI app instead of WebBroker doing the exact same thing you showed above. Failed. Error was:

        Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

    I'm using Delphi XE7. I'll bet you are on the newest version. Did you actually run the code you showed above in the example?

    I'm very puzzled about the reference to the SSL3_get error. Do you see anything here about SSL3??? Me either. I'm beginning to think it's on their end. I set no cipher string in the test. Just plain vanilla like has always worked. Problem is their tech support is terrible.

    This code in idSSLOpenSSL is never true ..

        if IsTLSv1_2Available then begin
          if not (sslvTLSv1_2 in SSLVersions) then begin
            SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_2);
          end;
        end;

    Which seems to indicate that the libeay32 and ssleay32 may not have TLSV1_2 available. I'm using libs just downloaded from GitHub.
  2. Del Murray

    TLS Issues and TLS3 message coming from Indy

    D12Athens, thanks. I got them. Didn't help. I can't seem to set the CipherList option as shown above. Keep getting the "setCipher failed" message. It would be a different issue if my cipher list for TLSV1.2 was not compatible with the API I'm trying to access, but I can't get my WebBroker app to accept a different set. I can't change the default list in the sslopenheader, it can't be written to AFAIK, so it might be interfering. Guess guessing ... I know what the error is but don't know how to fix it. After 45 years I'm beginning to hate this business.
  3. Del Murray

    TLS Issues and TLS3 message coming from Indy

    Actually, I think the easiest question to answer is .... where can I find the most current versions of SSLEAY32.DLL and LIBEAY32.dll that work with Indy10?

    Never mind. Got 'em. So now I get the following displayed from my app. I am using the events of the SSLhandler.

        OnStatus AStatusText=Resolving hostname simplifile.uat1.ice.com.
        OnStatus AStatusText=Connecting to 158.224.89.142.
        SetCipher failed.
  4. Del Murray

    TLS Issues and TLS3 message coming from Indy

    In debug tracing through the Indy10 code that comes with Delphi XE7 (Studio 15), it seems that the SSLIOHandler code is looking at the version of OpenSSL that I have installed and determines that it will not support TLSV1_2. Snippet from Indy .. the code in BOLD was not executed.

        {IMPORTANT!!! Do not set SSL_CTX_set_options SSL_OP_NO_TLSv1_1 and
        SSL_OP_NO_TLSv1_2 if that functionality is not available. OpenSSL 1.0 and
        earlier do not support those flags. Those flags would only cause
        an invalid MAC when doing SSL.}
        if IsTLSv1_1Available then begin
          if not (sslvTLSv1_1 in SSLVersions) then begin
            SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_1);
          end;
        end;
        if IsTLSv1_2Available then begin
          if not (sslvTLSv1_2 in SSLVersions) then begin
            SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_2);
          end;
        end;
        SSL_CTX_set_mode(fContext, SSL_MODE_AUTO_RETRY);
        // assign a password lookup routine
        // if PasswordRoutineOn then begin
        SSL_CTX_set_default_passwd_cb(fContext, @PasswordCallback);
        SSL_CTX_set_default_passwd_cb_userdata(fContext, Self);
        // end;

    So, the question would be ... what is the most recent version of OpenSSL that will work with Delphi7 and Indy10? And .. does anyone know if that would provide me TLSV1_2, which is apparently the minimum that I need to access this vendor's site? Right now I'm running SSL 1.0.2k.
  5. Running Windows 7, Delphi XE7, Indy10. SSL 1.0.2k, which may be the problem.

    I have a WebBroker app that has worked for years calling an API and exchanging XML with the provider (Simplifile) to file legal documents in court houses. They moved their application from being hosted on Google servers to their own servers at another data center. I'm not sure if these are real servers or virtual servers (which of course run on real servers). All of a sudden after the move, which required a change in the URL for the service (stupid), I am unable to use the service. I'm getting error messages which appear to be TLS errors. I believe they are coming from Indy. The following are some details ....

    If I set the SSLIO handler to TLS1.1 and TLS1.2 I get

        "Error connecting with SSL. error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol"

    If I set the SSLIO handler to TLS1.2 only I get

        "Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"

    Note the difference in the "SSL23_Get" and "SSL3_Get".

    Additionally .... I received this from the provider's initial tech support people ...

    With the migration that happened about a month ago you will want to start using https://simplifile.ice.com and I was given the following information that ciphers will need to be updated as well. I was given the list below as well.

    TLSv1.3:
    - 0x13,0x01 TLS13_AES_128_GCM_SHA256
    - 0x13,0x02 TLS13_AES_256_GCM_SHA384
    - 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256

    TLSv1.2:
    - 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
    - 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
    - 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
    - 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
    - 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
    - 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305

    I have never had to fool with ciphers before with any of the several APIs that my application interfaces with. I can interface with Stamps.Com, United States Post Office, Simplifile, and several other APIs out there that I have to have a paid subscription to. To make matters more interesting ... the USPS is changing their API to no longer use XML but use JSON instead and moved the testing to new test servers. I'm having the same problem with the new USPS URL and am getting the same errors as above. The client (my web app DLLs) has not been updated in many many months.

    I have tried adding these ciphers to the IOSSL handler by concatenating them together in a string with use of the plus (+) sign. Doing so results in "Error creating SSL context." Here is the exact code I use to do this ...

        try
          iSSLHandler.SSLOptions.CipherList :=
            // idSSLOpenSSLHeaders.SSL_DEFAULT_CIPHER_LIST + '+' +
            'ECDHE-ECDSA-AES128-GCM-SHA256+ECDHE-RSA-AES128-GCM-SHA256+' +
            'ECDHE-ECDSA-AES256-GCM-SHA384+CDHE-RSA-AES256-GCM-SHA384+' +
            'ECDHE-ECDSA-CHACHA20-POLY1305+ECDHE-RSA-CHACHA20-POLY1305';
        except
          on e:exception do begin
            gError.Add('Excption in ciphers');
          end;
        end;
        HTTP.Request.ContentType := 'application/xml';
        HTTP.Post(sfURL, gXMLRequest, gXMLResponse);

    I don't know what the hex numbers are in front of the info I was given, but I've never seen them in any cipher info. Ignoring that, I would like to know the following.

    1. Are the default ciphers for TLS1.1 and TLS1.2 somehow influencing my "custom" cipher set?
    2. Did I set the cipher list properly? (Not the commented out line .. that doesn't help doing it that way at all.)
    3. I know everyone wants Indy 10 to support TLS 3 but does it support TLS1.3?
    4. Is there a rational reason as to why a client would require all their users who pay them money to change their code at this level just because they moved to different servers? They did not change the API, only the location of where they are running from.
    5. Have I just been lucky for 10 years that I never had to fool around at this level?

    All suggestions will be appreciated. Let me know if you need more info or to see more code. Here is my entire function that is called from several places in the program.

        function TWebModule1.SimpliFileValidateXML() : boolean;
        var
          sfURL, s : string;
        begin
          result := true;
          gSimpliFileURL := GetCode('global', 'MasterControl', 'SFValidatePackage', 'MiscValue1');
          sfURL := gSimpliFileURL + gSimpliFileURLKey;
          if assigned(gXMLResponse) then
            gXMLResponse.Free;
          gXMLResponse := tStringStream.Create();
          if assigned(gXMLRequest) then
            gXMLRequest.Free;
          gXMLRequest := tStringStream.Create();
          xmlDoc.SaveToStream(gXMLRequest);
          gXMLRequest.SaveToFile('\ValidateSentToSimplifile.xml');
          try
            gSSLLibLocation := GetCode('global', 'MasterControl', 'SSLLIbLocation32', 'CodeValue');
            try
              IdOpenSSLSetLibPath(gSSLLibLocation);
            except
              on E:Exception do begin
                gError.Add(WhichFailedToLoad());
                gError.Add(e.Message);
                HTTP.Disconnect();
                result := false;
              end;
            end;
            // TFile.WriteAllText('\transfer\URL.txt', sfURL);
            // s := idsslopensslheaders.SSL_DEFAULT_CIPHER_LIST;
            // tfile.WriteAllText('cypherlist.txt',s);
            try
              iSSLHandler.SSLOptions.CipherList :=
                // idSSLOpenSSLHeaders.SSL_DEFAULT_CIPHER_LIST + '+' +
                'ECDHE-ECDSA-AES128-GCM-SHA256+ECDHE-RSA-AES128-GCM-SHA256+' +
                'ECDHE-ECDSA-AES256-GCM-SHA384+CDHE-RSA-AES256-GCM-SHA384+' +
                'ECDHE-ECDSA-CHACHA20-POLY1305+ECDHE-RSA-CHACHA20-POLY1305';
            except
              on e:exception do begin
                gError.Add('Excption in ciphers');
              end;
            end;
            HTTP.Request.ContentType := 'application/xml';
            HTTP.Post(sfURL, gXMLRequest, gXMLResponse);
          except
            on E:Exception do begin
              gError.Add(WhichFailedToLoad());
              gError.Add(e.Message);
              HTTP.Disconnect();
              result := false;
            end;
          end;
          gXMLResponse.Position := 0;
          gXMLResponse.SaveToFile('\ValidateXMLReceived.xml');
        end;
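
Added example, not part of the thread and not Indy code: a Python check of the cipher string from the post above against OpenSSL's cipher-string syntax, where `:` separates suites and `+` is a logical AND of selection criteria inside one rule. It also shows that the hex pairs in the vendor list are each suite's two-byte TLS code point. Assumption: it runs against whatever OpenSSL the local Python is linked to, not the poster's 1.0.2k, and the function names are made up for this example.

```python
import ssl

# Constructed sample: the TLS 1.2 lines of the vendor list quoted in the post.
VENDOR_LIST = """\
0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
"""


def parse_vendor_list(text):
    """Map OpenSSL suite name -> 16-bit TLS code point from 'hi,lo NAME' lines."""
    suites = {}
    for line in text.split("\n"):
        if line.strip():
            code, name = line.split()
            hi, lo = (int(byte, 16) for byte in code.split(","))
            suites[name] = (hi << 8) | lo
    return suites


def check_cipher_string(cipher_string):
    """Return (enabled, ignored) for a cipher string on the local OpenSSL.

    enabled maps each TLS 1.2-and-earlier suite that was switched on to its
    code point; ignored lists ':'-separated tokens that matched nothing.
    ssl.SSLError is raised when the string selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    enabled = {c["name"]: c["id"] & 0xFFFF
               for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}
    ignored = [tok for tok in cipher_string.split(":") if tok not in enabled]
    return enabled, ignored


def is_rejected(cipher_string):
    """True when OpenSSL refuses the string outright (no suite selected)."""
    try:
        check_cipher_string(cipher_string)
    except ssl.SSLError:
        return True
    return False


if __name__ == "__main__":
    names = list(parse_vendor_list(VENDOR_LIST))
    print(check_cipher_string(":".join(names)))
    print("'+'-joined rejected:", is_rejected("+".join(names)))
```

A misspelled name inside a `:`-separated list is dropped without an error, which is why the second return value is worth checking. On OpenSSL 1.0.2k the two CHACHA20-POLY1305 names would also land there, since those suites were added in OpenSSL 1.1.0.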