Andriy, posted May 6, 2021 (edited):

Hi. I have used Delphi 7 + 8.58 for 2 years. Every year I just add new pem and key files (my program is old and it does not have a new version). This year my program doesn't work. My SSL was old and I created a new SSL. I bought 2 SSL - rapid and then cert. I changed the SSL version. It doesn't work. Test on site - https://www.sslshopper.com/ - SSL is OK, with rapid and cert.

OnGetDocument is not called - the browser gets an error - ERR_CONNECTION_CLOSED. These are the breakpoints that work in my program:

    GetClientConnect
    GetSslSetSessionIDContext
    GetSslServerName
    GetSslHandshakeDone
    GetClientConnect
    GetSslSetSessionIDContext
    GetSslServerName
    GetSslHandshakeDone

and then ERR_CONNECTION_CLOSED.

My project is now down. Can you help me? Where can I find that error? Because I don't know why ICS closes the SSL session. Today I created a new project with ICS, but SSL also doesn't work. If I load the program from a bad IP (IP<>domain name), SSL doesn't work and OnGetDocument works fine - but without SSL. I will appreciate your help.

ssltest.zip

Angus Robertson, posted May 7, 2021:

Sorry, insufficient information to make any real diagnosis; you don't say what OpenSSL you are using, or which protocols, or what errors the client sees. The client may have closed the connection and the problem is not server related. SslHandshakeDone is called for both success and failure; you are not logging what happened.

I suggest you try configuring the OverbyteIcsSslMultiFtpServ.dpr sample with your certificate and IP address and try to connect to that; it has better logging. Maybe use V8.66 as well.

The latest versions of ICS will start without an SSL certificate: it creates a self-signed certificate to start up, and will then order a free certificate from Let's Encrypt, so you don't need to buy manually from RapidSSL.

Angus

Andriy, posted May 7, 2021:

Hi, thanks for the answer. The free Let's Encrypt doesn't work for 1 year without renewal, and my service is official and works for hospitals. I don't want to use a self-signed cert. OK, I will try to update to 8.66. Now I have added a logger to the demo project and I got all the logs. Maybe these lines?

    16:25:09:465 AlpnCB> Protocols: h2,http/1.1
    16:25:09:465 ProtoMsg: None, State: SSLv3/TLS read client hello, Send, DataLen: 5, Data= 1503030002
    16:25:09:465 ProtoMsg: TLS 1.2 Alert, Fatal: , State: SSLv3/TLS read client hello, Send, DataLen: 2, Data= 0278
    16:25:09:465 007428D8 ICB> SSL3 alert write fatal no application protocol
    16:25:09:465 007428D8 ICB> SSL_accept: error 1 in error
    16:25:09:465 007428D8 BIO_read(sslbio, 0x18FCF3, 0) = -1 [20]
    16:25:09:465 007428D8 BIO_should_retry(sslbio) = 0 [21]
    16:25:09:465 007428D8 HandleSslError handle=284 [22] error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
    16:25:09:465 007428D8 TriggerEvent handle=sslFdClose 284
    16:25:09:465 007428D8 NetworkError #10053

It's from any computer, from any browser. I have added the full log file: 1.log

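Added example (not part of the thread and not ICS code): the `Data=` hex dumps in the `ProtoMsg` lines above are raw TLS record bytes, so the alert the server sent can be decoded directly from the log. `SAMPLE_LOG` holds lines copied from the post above; `decode_alerts` and the lookup tables are names chosen for this example.

```python
import re

# Subset of the IANA TLS alert registry (RFC 5246 / RFC 7301 / RFC 8446).
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error",
          112: "unrecognized_name", 120: "no_application_protocol"}
LEVELS = {1: "warning", 2: "fatal"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_RECORD = 21  # TLS record content type for alerts

DUMP_RE = re.compile(r"DataLen:\s*(\d+),\s*Data=\s*((?:[0-9A-Fa-f]{2})+)")

# Lines copied from the log in the post above.
SAMPLE_LOG = """\
16:25:09:465 AlpnCB> Protocols: h2,http/1.1
16:25:09:465 ProtoMsg: None, State: SSLv3/TLS read client hello, Send, DataLen: 5, Data= 1503030002
16:25:09:465 ProtoMsg: TLS 1.2 Alert, Fatal: , State: SSLv3/TLS read client hello, Send, DataLen: 2, Data= 0278
16:25:09:465 007428D8 ICB> SSL3 alert write fatal no application protocol
"""

def decode_alerts(log_text):
    """Pair each 5-byte alert record header with the 2-byte body that follows."""
    alerts, header = [], None
    for line in log_text.splitlines():
        m = DUMP_RE.search(line)
        if not m:
            continue
        data = bytes.fromhex(m.group(2))
        if len(data) != int(m.group(1)):
            header = None          # dump truncated in the log, do not trust it
        elif len(data) == 5 and data[0] == ALERT_RECORD:
            header = data          # type(1) | record version(2) | length(2)
        elif header and len(data) == int.from_bytes(header[3:5], "big") == 2:
            ver = int.from_bytes(header[1:3], "big")
            alerts.append({"record_version": VERSIONS.get(ver, hex(ver)),
                           "level": LEVELS.get(data[0], f"unknown({data[0]})"),
                           "description": ALERTS.get(data[1], f"unknown({data[1]})")})
            header = None
        else:
            header = None
    return alerts

if __name__ == "__main__":
    for alert in decode_alerts(SAMPLE_LOG):
        print(alert)
```

For the lines above this yields a fatal `no_application_protocol` alert (bytes `02 78`) carried in a record with version bytes `03 03`, which matches the `SSL3 alert write fatal no application protocol` line in the same log.
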
Angus Robertson, posted May 7, 2021:

ICS only creates a self-signed certificate if there is no real certificate available, without which the server will not start.

As I said elsewhere today, the ICS logger is designed for internal component debugging, not application errors, nor SSL debugging.

What is your URL, email if necessary.

Angus

Angus Robertson, posted May 7, 2021:

I can connect to your test server with the host name you sent, using the ICS browser component, get a 404 error no index page, uses a RapidSSL certificate:

    SSL Connected OK with TLSv1.1, cipher ECDHE-RSA-AES256-SHA, key auth RSA, key exchange ECDH, encryption AES(256), message auth SHA1

TLSv1.1 and SHA1 are now obsolete and not supported by most browsers. Somehow you have configured the server not to support TLSv1.2, either by using very old OpenSSL DLLs or with options.

Angus

Andriy, posted May 7, 2021:

I updated 2 SSL files to OpenSSL v1.1.1k Win64 for ICS, http://www.overbyte.be. But it doesn't help. Is "TLSv1.1 and SHA1" a bad parameter in SslContext? Maybe you know new, good working parameters?

Angus Robertson, posted May 7, 2021:

You should really be configuring your server using IcsHosts so you can ignore the SslContext. But try these settings:

    SslCtx.SslMinVersion := sslVerTLS1_2;
    SslCtx.SslMaxVersion := sslVerTLS1_2;
    SslCtx.SslCipherList := sslCiphersMozillaSrvTLS12; { V8.66 was sslCiphersMozillaSrvInterFS }
    SslCtx.SslSecLevel := sslSecLevel112bits;

Angus

Andriy, posted May 7, 2021:

So. I installed 8.66 on D7. I got an error:

    [Error] OverbyteIcsThreadTimer.pas(571): Undeclared identifier: 'AtomicIncrement'.

I replaced it with InterlockedIncrement. Then I REMed out all calls to X509Log because it was also an undeclared identifier, copied the new SSL files from the 8.66 folder, and the ssltest demo is working. Then I started the old project with those new SSL files and it is working fine too. LOL :)

Thank you very much for helping.

Angus Robertson, posted May 8, 2021:

So your web server is accepting connections again?

Not many people still use Delphi 7 so I don't test it very often, but I will fix V8.67 to work on it again next week.

Angus

Andriy, posted May 10, 2021:

Hi. Now it's working fine. And thanks for SslContext1.SslCertX509.ValidNotAfter - now I use it with email notification in my projects.

And I still have one question. Which ICS component do you recommend for creating a secure FTP server and also secure FTP clients? Week's backup for 200+ users. And what is this ftpmulti1 :)

Thanks.

FPiette, posted May 10, 2021:

1 hour ago, Andriy said: "What do you recommend"

It is better you open a new message thread for that other subject.

Angus Robertson, posted May 13, 2021:

Just installed the overnight zip on Delphi 7; it worked the second time after I deleted all the old units and packages and started fresh. A number of old units were removed in V8.66 which will no longer build.

Having trouble building samples due to them having D2007 properties; it is a long time since I tried to downgrade forms.

Angus

Kyle_Katarn31, posted May 17, 2021:

I still use ICS exclusively on D7 and... So far so good with official builds.