Del Murray 0 Posted Tuesday at 07:12 PM

Running Windows 7, DelphiXE7, Indy10. SSL 1.0.2k, which may be the problem.

I have a WebBroker app that has worked for years calling an API and exchanging XML with the provider (Simplifile) to file legal documents in court houses. They moved their application from being hosted on Google servers to their own servers at another data center. I'm not sure if these are real servers or virtual servers (which of course run on real servers). All of a sudden after the move, which required a change in the URL for the service (stupid), I am unable to use the service. I'm getting error messages which appear to be TLS errors. I believe they are coming from Indy. The following are some details ....

If I set the SSLIOHandler to TLS1.1 and TLS1.2 I get:

    Error connecting with SSL. error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

If I set the SSLIOHandler to TLS1.2 only I get:

    Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note the difference in the "SSL23_GET" and "SSL3_GET".

Additionally .... I received this from the provider's initial tech support people ...

    With the migration that happened about a month ago you will want to start using https://simplifile.ice.com and I was given the following information that ciphers will need to be updated as well. I was given the list below as well.

    TLSv1.3:
    - 0x13,0x01 TLS13_AES_128_GCM_SHA256
    - 0x13,0x02 TLS13_AES_256_GCM_SHA384
    - 0x13,0x03 TLS13_CHACHA20_POLY1305_SHA256

    TLSv1.2:
    - 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
    - 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
    - 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
    - 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
    - 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
    - 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305

I have never had to fool with ciphers before with any of the several APIs that my application interfaces with.
I can interface with Stamps.Com, United States Post Office, Simplifile, and several other APIs out there that I have to have a paid subscription to. To make matters more interesting ... the USPS is changing their API to no longer use XML but use JSON instead and moved the testing to new test servers. I'm having the same problem with the new USPS URL and am getting the same errors as above. The client (my web app DLLs) has not been updated in many, many months.

I have tried adding these ciphers to the IOSSL handler by concatenating them together in a string with use of the plus (+) sign. Doing so results in "Error creating SSL context." Here is the exact code I use to do this ...

    try
      iSSLHandler.SSLOptions.CipherList :=
        // idSSLOpenSSLHeaders.SSL_DEFAULT_CIPHER_LIST + '+' +
        'ECDHE-ECDSA-AES128-GCM-SHA256+ECDHE-RSA-AES128-GCM-SHA256+' +
        'ECDHE-ECDSA-AES256-GCM-SHA384+CDHE-RSA-AES256-GCM-SHA384+' +
        'ECDHE-ECDSA-CHACHA20-POLY1305+ECDHE-RSA-CHACHA20-POLY1305';
    except
      on e: Exception do
      begin
        gError.Add('Exception in ciphers');
      end;
    end;
    HTTP.Request.ContentType := 'application/xml';
    HTTP.Post(sfURL, gXMLRequest, gXMLResponse);

I don't know what the hex numbers are in front of the info I was given, but I've never seen them in any cipher info. Ignoring that, I would like to know the following.

1. Are the default ciphers for TLS1.1 and TLS1.2 somehow influencing my "custom" cipher set?
2. Did I set the cipher list properly? (Not the commented-out line .. that doesn't help doing it that way at all.)
3. I know everyone wants Indy 10 to support TLS 3, but does it support TLS1.3?
4. Is there a rational reason as to why a client would require all their users who pay them money to change their code at this level just because they moved to different servers? They did not change the API, only the location of where they are running from.
5. Have I just been lucky for 10 years that I never had to fool around at this level?

All suggestions will be appreciated.
Let me know if you need more info or see more code. Here is my entire function that is called from several places in the program.

    function TWebModule1.SimpliFileValidateXML(): boolean;
    var
      sfURL, s: string;
    begin
      result := true;
      gSimpliFileURL := GetCode('global', 'MasterControl', 'SFValidatePackage', 'MiscValue1');
      sfURL := gSimpliFileURL + gSimpliFileURLKey;
      if assigned(gXMLResponse) then
        gXMLResponse.Free;
      gXMLResponse := TStringStream.Create();
      if assigned(gXMLRequest) then
        gXMLRequest.Free;
      gXMLRequest := TStringStream.Create();
      xmlDoc.SaveToStream(gXMLRequest);
      gXMLRequest.SaveToFile('\ValidateSentToSimplifile.xml');
      try
        gSSLLibLocation := GetCode('global', 'MasterControl', 'SSLLIbLocation32', 'CodeValue');
        try
          IdOpenSSLSetLibPath(gSSLLibLocation);
        except
          on E: Exception do
          begin
            gError.Add(WhichFailedToLoad());
            gError.Add(e.Message);
            HTTP.Disconnect();
            result := false;
          end;
        end;
        // TFile.WriteAllText('\transfer\URL.txt', sfURL);
        // s := idsslopensslheaders.SSL_DEFAULT_CIPHER_LIST;
        // tfile.WriteAllText('cypherlist.txt', s);
        try
          iSSLHandler.SSLOptions.CipherList :=
            // idSSLOpenSSLHeaders.SSL_DEFAULT_CIPHER_LIST + '+' +
            'ECDHE-ECDSA-AES128-GCM-SHA256+ECDHE-RSA-AES128-GCM-SHA256+' +
            'ECDHE-ECDSA-AES256-GCM-SHA384+CDHE-RSA-AES256-GCM-SHA384+' +
            'ECDHE-ECDSA-CHACHA20-POLY1305+ECDHE-RSA-CHACHA20-POLY1305';
        except
          on e: Exception do
          begin
            gError.Add('Exception in ciphers');
          end;
        end;
        HTTP.Request.ContentType := 'application/xml';
        HTTP.Post(sfURL, gXMLRequest, gXMLResponse);
      except
        on E: Exception do
        begin
          gError.Add(WhichFailedToLoad());
          gError.Add(e.Message);
          HTTP.Disconnect();
          result := false;
        end;
      end;
      gXMLResponse.Position := 0;
      gXMLResponse.SaveToFile('\ValidateXMLReceived.xml');
    end;
DelphiUdIT 244 Posted Tuesday at 08:43 PM (edited)

Maybe the CipherList should be constructed like this:

    CipherList := '!EXPORT:!LOW:!aNULL:!eNULL:!RC4:!ADK:!3DES:!DES:!MD5:!PSK:!SRP:!CAMELLIA' +
      ':ECDHE-RSA-AES128-GCM-SHA256' +
      ':ECDHE-RSA-AES256-GCM-SHA384' +
      ':ECDHE-RSA-CHACHA20-POLY1305' +
      ':ECDHE-ARIA256-GCM-SHA384' +
      ':ECDHE-ARIA128-GCM-SHA256' +
      // Weak, but good with old products
      ':ECDHE-RSA-AES256-SHA384';

And take care that, scanning the site you indicate, there is mandatory support for SNI. I don't know if Indy supports SNI.

EDIT: with the Indy bundle (Delphi 12.3) and TLSv1_2 (OpenSSL ver. 1.0.2u) X64, the connection with that host is working.

Edited Tuesday at 09:15 PM by DelphiUdIT
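The two points the thread turns on here, what the hex pairs in the vendor's list mean and why a '+'-joined CipherList is rejected while a ':'-joined one is accepted, can be checked without Indy at all. The following is an added example, not code from this thread or from Indy; it is Python using only the standard-library ssl module, which calls the same SSL_CTX_set_cipher_list that Indy's SSLIOHandler calls. The function names and the VENDOR_TLS12_CODES tuple are this example's own; the codes are copied from the list quoted in the first post.

```python
"""Decode IANA cipher-suite codes to OpenSSL names and validate a cipher list
the way SSL_CTX_set_cipher_list reads it. Added example, not thread/Indy code."""
import ssl

# Constructed from the TLSv1.2 lines quoted in the first post. The two hex bytes
# (0xC0,0x2B ...) are the IANA cipher-suite codes that travel on the wire;
# OpenSSL's cipher-list syntax wants textual names instead.
VENDOR_TLS12_CODES = (0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8)


def openssl_cipher_table():
    """Return {iana_code: (openssl_name, protocol)} for every cipher this OpenSSL build knows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # widest TLS<=1.2 selection; TLS 1.3 suites are listed regardless
    table = {}
    for c in ctx.get_ciphers():
        # get_ciphers() reports OpenSSL's 4-byte id (0x0300xxxx);
        # the low 16 bits are the IANA code from the vendor's list.
        table[c["id"] & 0xFFFF] = (c["name"], c["protocol"])
    return table


def openssl_name_for(code):
    """OpenSSL name for an IANA code such as 0xC02B, or None if this build lacks it."""
    entry = openssl_cipher_table().get(code)
    return entry[0] if entry else None


def build_cipher_list(codes):
    """Join the OpenSSL names for `codes` with ':' (preference order); unknown codes are skipped."""
    table = openssl_cipher_table()
    return ":".join(table[c][0] for c in codes if c in table)


def tls12_ciphers_selected(spec):
    """Apply `spec` via set_ciphers and return the TLS<=1.2 ciphers it leaves enabled.

    An empty list means the string is unusable for a TLS 1.2 handshake. Two
    library behaviours are folded together: OpenSSL 1.0.2 rejects an empty
    result outright (SSL_CTX_set_cipher_list fails, which Indy surfaces as
    'SetCipher failed'), while 1.1.1+ accepts it silently because the TLS 1.3
    suites, which are configured separately, are still present.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    names = [n for n in (openssl_name_for(c) for c in VENDOR_TLS12_CODES) if n]
    print("vendor codes ->", names)
    # '+' inside a rule is logical AND: one cipher would have to match every
    # name at once, so joining distinct suites with '+' selects nothing.
    print("'+'-joined selects:", tls12_ciphers_selected("+".join(names)))
    print("':'-joined selects:", tls12_ciphers_selected(build_cipher_list(VENDOR_TLS12_CODES)))
```

In OpenSSL's cipher-list grammar ':' separates rules (each adds matches, in preference order) and '+' inside one rule means all of the joined names must match the same cipher, so the '+' string from the first post matches nothing. The check runs against the local OpenSSL build only; whether the server accepts any of the selected suites is decided in the handshake. TLS 1.3 suites (the 0x13,0x0x entries) are not set through this string at all: OpenSSL 1.1.1+ takes them via SSL_CTX_set_ciphersuites, and 1.0.2 does not speak TLS 1.3, so with that library only the TLS 1.2 names matter.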
Remy Lebeau 1605 Posted yesterday at 02:26 AM

7 hours ago, Del Murray said:
    I know everyone wants Indy 10 to support TLS 3, but does it support TLS1.3?

No, it does not support OpenSSL 3.x or TLS 1.3 at this time. But you can use a 3rd-party SSLIOHandler that does, such as TaurusTLS (https://github.com/JPeterMugaas/taurustls).

7 hours ago, Del Murray said:
    Is there a rational reason as to why a client would require all their users who pay them money to change their code at this level just because they moved to different servers?

Security requirements change all the time. They have to update their systems every so often to keep up.

7 hours ago, Del Murray said:
    They did not change the API, only the location of where they are running from.

There is much more to HTTP/S than just URLs.

7 hours ago, Del Murray said:
    Have I just been lucky for 10 years that I never had to fool around at this level?

Yes.

5 hours ago, DelphiUdIT said:
    there is mandatory support for SNI. I don't know if Indy supports SNI.

Yes, it does, at least on the client side, and has for 8 years now.
Del Murray 0 Posted 7 hours ago

In debug tracing through the Indy10 code that comes with DelphiXE7 (Studio 15), it seems that the SSLIOHandler code is looking at the version of OpenSSL that I have installed and determines that it will not support TLSV1_2. Snippet from Indy .. the code in BOLD was not executed.

    {IMPORTANT!!! Do not set SSL_CTX_set_options SSL_OP_NO_TLSv1_1 and
     SSL_OP_NO_TLSv1_2 if that functionality is not available. OpenSSL 1.0
     and earlier do not support those flags. Those flags would only cause
     an invalid MAC when doing SSL.}
    if IsTLSv1_1Available then begin
      if not (sslvTLSv1_1 in SSLVersions) then begin
        SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_1);
      end;
    end;
    if IsTLSv1_2Available then begin
      if not (sslvTLSv1_2 in SSLVersions) then begin
        SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_2);
      end;
    end;
    SSL_CTX_set_mode(fContext, SSL_MODE_AUTO_RETRY);
    // assign a password lookup routine
    // if PasswordRoutineOn then begin
    SSL_CTX_set_default_passwd_cb(fContext, @PasswordCallback);
    SSL_CTX_set_default_passwd_cb_userdata(fContext, Self);
    // end;

So, the question would be ... what is the most recent version of OpenSSL that will work with Delphi7 and Indy10? And .. does anyone know if that would provide me TLSV1_2, which is apparently the minimum that I need to access this vendor's site? Right now I'm running SSL 1.0.2k.
Del Murray 0 Posted 7 hours ago (edited)

Actually, I think the easiest question to answer is .... where can I find the most current versions of SSLEAY32.DLL and LIBEAY32.dll that work with Indy10?

Never mind. Got 'em. So now I get the following displayed from my app. I am using the events of the SSLHandler.

    OnStatus AStatusText=Resolving hostname simplifile.uat1.ice.com.
    OnStatus AStatusText=Connecting to 158.224.89.142.
    SetCipher failed.

Edited 6 hours ago by Del Murray
DelphiUdIT 244 Posted 6 hours ago

42 minutes ago, Del Murray said:
    Actually, I think the easiest question to answer is .... where can I find the most current versions of SSLEAY32.DLL and LIBEAY32.dll that work with Indy10? Never mind. Got 'em.

This is the Indy binaries repo for SSL; the bundle version of Indy ('till now) works with 1.0.2u: https://github.com/IndySockets/OpenSSL-Binaries
Del Murray 0 Posted 6 hours ago (edited)

D12Athens, thanks. I got them. Didn't help. I can't seem to set the CipherList option as shown above. Keep getting the "SetCipher failed" message. It would be a different issue if my cipher list for TLSV1.2 was not compatible with the API I'm trying to access, but I can't get my WebBroker app to accept a different set. I can't change the default list in the SSL OpenSSL headers; it can't be written to AFAIK, so it might be interfering. Just guessing ... I know what the error is but don't know how to fix it. After 45 years I'm beginning to hate this business.

Edited 6 hours ago by Del Murray
DelphiUdIT 244 Posted 5 hours ago (edited)

I tried now (like I tried Tuesday) with the host that you gave us, and it works for me. And I tried with and without setting the CipherList: since the host uses TLSv1_2 and TLSv1_3 and has an A+ evaluation, you don't need to set up a CipherList. Normally the connection between client and server uses the cipher chosen by the server, and setting up a CipherList in your client is for your security. The CipherLists of server and client must match on at least one element.

To try, I simply put a TIdHTTP and an SSLIOHandler on a form and set up only two properties on IdHTTP1 (HandleRedirects and IOHandler), and one on the SSLIOHandler (Method -> sslvTLSv1_2 in SSLOptions). Try to do a GET from HTTP like this:

If you don't have any errors, it is OK.

Edited 5 hours ago by DelphiUdIT
DelphiUdIT 244 Posted 5 hours ago

58 minutes ago, Del Murray said:
    It would be a different issue if my cipher list for TLSV1.2 was not compatible with the API I'm trying to access, but I can't get my WebBroker app to accept a different set. I can't change the default list in the SSL OpenSSL headers; it can't be written to AFAIK, so it might be interfering. Just guessing ... I know what the error is but don't know how to fix it. After 45 years I'm beginning to hate this business.

WebBroker should use only the communication channel; it doesn't mind what crypto protocol is used or how it is used. That is how the stack should work. So, if you set the SSLIOHandler correctly, all should work.
Del Murray 0 Posted 3 hours ago

1 hour ago, DelphiUdIT said:
    WebBroker should use only the communication channel; it doesn't mind what crypto protocol is used or how it is used. That is how the stack should work. So, if you set the SSLIOHandler correctly, all should work.

I set up a simple GUI app instead of WebBroker doing the exact same thing you showed above. Failed. Error was:

    Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I'm using DelphiXE7. I'll bet you are on the newest version. Did you actually run the code you showed above in the example? I'm very puzzled about the reference to the SSL3_GET error. Do you see anything here about SSL3??? Me either. I'm beginning to think it's on their end. I set no cipher string in the test. Just plain vanilla like has always worked. Problem is their tech support is terrible.

This code in IdSSLOpenSSL is never true ..

    if IsTLSv1_2Available then begin
      if not (sslvTLSv1_2 in SSLVersions) then begin
        SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1_2);
      end;
    end;

Which seems to indicate that the libeay32 and ssleay32 may not have TLSV1_2 available. I'm using libs just downloaded from GitHub.
DelphiUdIT 244 Posted 2 hours ago

1 hour ago, Del Murray said:
    Do you see anything here about SSL3??? Me either

I think the SSL3 is only a symbol to identify the SSL security protocol in a general way, not really about the SSL3 protocol. But really I don't know why the client doesn't respond to TLS ... I'll try with a VM ... stay tuned ...
DelphiUdIT 244 Posted 1 hour ago (edited)

It doesn't work with Windows 7 in a VM. OpenSSL 1.0.2u X64. Rad Studio 12.3. Indy bundle.

UPDATE: It works if the CipherList is in use ...

Edited 1 hour ago by DelphiUdIT
DelphiUdIT 244 Posted 45 minutes ago (edited)

Uhmm, this is a topic about your error, and they solved it using an updated version of Indy and Delphi (from Seattle to Berlin): https://en.delphipraxis.net/topic/2950-indy-http-error1408f10bssl3_get_recordwrong-version-number/

I don't know if it is the same trouble ...

EDIT: try this old thing: set the PassThrough of the SSLIOHandler to false. After setting the CipherList, insert this line:

    IdSSLIOHandlerSocketOpenSSL1.PassThrough := false;

Edited 39 minutes ago by DelphiUdIT