GabrielMoraru

"SSL routines:ssl3_read_bytes:tlsv1 alert internal" error when CDN active

Posted (edited)

I have massive issues with this code when the CDN (Cloudflare) is on. The error is:

Exception class EIdOSSLUnderlyingCryptoError with message
  'Error connecting with SSL.
  error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error'.

If I change to [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] I get:

  error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'.

I use "openssl-1.0.2u-i386-win32.zip".
Delphi 11.3 (with its current Indy version 10.6.2).

If I deactivate CDN, it works.

I see a similar BUT different thread here: 

The difference:

1. My code works (without CDN)

2. That thread does not mention the CDN.

// Units the fragment relies on (not shown in the post): System.SysUtils, System.Classes,
// System.JSON, IdHTTP, IdSSLOpenSSL and IdSSLOpenSSLHeaders (for IdOpenSSLSetLibPath).
// The method header is omitted in the post; the body is that of a Boolean method.
var
  Response: string;
  HTTPClient: TIdHTTP;
  JsonResponse: TJSONObject;
  DataObject: TJSONObject;
  JsonRequest: TStringStream;
  SSLHandler: TIdSSLIOHandlerSocketOpenSSL;
begin
  ServerResp.LicenseActive:= FALSE;
  CheckedToday:= TRUE;
  Result      := FALSE;
  HTTPClient  := NIL;
  SSLHandler  := NIL;
  JsonRequest := NIL;

  TRY
    // Configure SSL/TLS
    IdOpenSSLSetLibPath(AppData.SysDir);  // the folder where libeay32.dll (and ssleay32.dll) can be found
    SSLHandler                        := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
    SSLHandler.OnStatusInfo           := StatusInfo;
    SSLHandler.SSLOptions.Method      := sslvTLSv1_2;
    SSLHandler.SSLOptions.SSLVersions := [sslvTLSv1_2]; // [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // Can I add sslvTLSv1_3 here?  No. Not supported by Indy.
  //SSLHandler.SSLOptions.CipherList := 'DEFAULT';   // Optionally, set a cipher list to ensure compatibility with Cloudflare
    SSLHandler.SSLOptions.CipherList := 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'; // Or use specific modern ciphers
    // Note: both suites above authenticate with an RSA certificate only; a server that
    // presents an ECDSA certificate cannot negotiate either of them.
    SSLHandler.SSLOptions.Mode        := sslmClient;
    SSLHandler.SSLOptions.VerifyDepth := 2;

    // !!!!!!!! // Temporary, for testing only: an empty VerifyMode disables validation of the server certificate
    SSLHandler.SSLOptions.VerifyMode  := [];

    HTTPClient                        := TIdHTTP.Create(nil);
    HTTPClient.IOHandler              := SSLHandler;
    HTTPClient.Request.ContentType    := 'application/json';
    HTTPClient.Request.Accept         := 'application/json';

    // Prepare JSON request
    JsonRequest := TStringStream.Create(Format('{"activation_token": "%s", "user_id": "%s"}', [aKey, UserID]), TEncoding.UTF8);

    if Assigned(FStatusChanged)
    then FStatusChanged(Self, 'SSL versions: ' + LogSSLVersion(SSLHandler.SSLOptions.SSLVersions));

    try
      // Send POST request
      Assert(URL <> '');
      Response := HTTPClient.Post(URL, JsonRequest);
    except
      on E: Exception do
      begin
        if Assigned(FStatusChanged)
        then FStatusChanged(Self, 'Error during server request: ' + E.Message);
        Exit;
      end;
    end;

    // Parse JSON response
    JsonResponse := TJSONObject.ParseJSONValue(Response) as TJSONObject;
    if not Assigned(JsonResponse) then
      begin
        if Assigned(FStatusChanged)
        then FStatusChanged(Self, 'Invalid server response format. Unable to parse JSON.');
        Exit;
      end;
    try
      if not JsonResponse.GetValue<Boolean>('success', False) then
        begin
          VAR s:= JsonResponse.GetValue<string>('message', '?');
          if Assigned(FStatusChanged)
          then FStatusChanged(Self, s); // User not found
          Exit;
        end;

      // Extract data object from response
      DataObject := JsonResponse.GetValue<TJSONObject>('data');
      if not Assigned(DataObject) then
        begin
          if Assigned(FStatusChanged)
          then FStatusChanged(Self, 'No data object found in server response.');
          Exit;
        end;

      // ... handling of DataObject continues here; the rest of the method was cut off in the post
    finally
      JsonResponse.Free;   // closing blocks below are assumed from the NIL-initialise-then-free pattern above
    end;
  FINALLY
    JsonRequest.Free;
    HTTPClient.Free;
    SSLHandler.Free;
  END;
end;
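To read the two OpenSSL messages quoted above, here is an added example (not from the thread, Indy or OpenSSL) that unpacks an OpenSSL 1.0.x error code into library, function and reason and, for reason values at or above SSL_AD_REASON_OFFSET, recovers the TLS alert the peer sent. Both messages from the post decode to alert 80 (internal_error) sent by the server; the sample strings are the ones quoted in the thread and the alert table is a subset of the IANA registry.

```python
import re

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
# An alert received from the peer is reported with reason = 1000 + alert number
# (SSL_AD_REASON_OFFSET), so the alert the server sent can be recovered from it.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000

# AlertDescription values from the TLS alert registry (RFC 5246 / RFC 8446), subset.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name", 120: "no_application_protocol",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:'\n]*)")

def decode_openssl_error(text):
    """Decode an 'error:XXXXXXXX:lib:func:reason' string; None if no code is present."""
    m = ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "func_name": m.group(3), "reason": reason,
            "reason_text": m.group(4).strip(), "peer_alert": None, "alert_name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        info["peer_alert"] = reason - SSL_AD_REASON_OFFSET
        info["alert_name"] = TLS_ALERTS.get(info["peer_alert"], "unassigned")
    return info

def explain(text):
    """One-line reading of the error, suitable for a connection log."""
    info = decode_openssl_error(text)
    if info is None:
        return "no OpenSSL error code found"
    if info["peer_alert"] is None:
        return f"local OpenSSL error in {info['func_name']}: {info['reason_text']}"
    where = ("in response to ClientHello" if "server_hello" in info["func_name"].lower()
             else f"while reading in {info['func_name']}")
    # An alert that arrives during the handshake precedes any HTTP header (User-Agent
    # included), so only what the ClientHello offered can have triggered it.
    return (f"server sent fatal alert {info['peer_alert']} ({info['alert_name']}) {where}; "
            "review the protocol versions, cipher list and server name the client offers")

# Constructed sample lines: the two messages quoted in the thread above.
SAMPLES = [
    "error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error",
    "error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error'.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(explain(sample))
```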

3 hours ago, GabrielMoraru said:

Delphi 11.3 (with its current Indy version).

Does that mean you are using the "current" Indy version that shipped with 11.3, or you are using the "current" version from Indy's GitHub? 11.3 was released 2 years ago.

I've seen problems with Cloudflare and ICS, it can be sensitive to the User-Agent or strange request headers, it tries to be too clever and fails. Using a real browser User-Agent might help. 

Angus

Posted (edited)

For the moment it works with TNetHTTPClient.
But I still have both versions of the code.
I will also try Indy with a proper "User-Agent" string.

____
Update:
Nope. Still does not work.
