Andriy

ERR_CONNECTION_CLOSED with SSL TSslHttpServer


Hi. I have used Delphi 7 + 8.58 for 2 years. Every year I just add new pem and key files (my program is old and it does not have a new version). This year my program doesn't work. My SSL was old and I created a new SSL. I bought 2 SSL - rapid and then cert. I changed the SSL version. It does not work. Test on site - https://www.sslshopper.com/ SSL is OK - with rapid and cert. OnGetDocument is not called - the browser gets an error - ERR_CONNECTION_CLOSED. There are working breakpoints in my program:

GetClientConnect
GetSslSetSessionIDContext
GetSslServerName
GetSslHandshakeDone
GetClientConnect
GetSslSetSessionIDContext
GetSslServerName
GetSslHandshakeDone
and then
ERR_CONNECTION_CLOSED

My project is now down. Can you help me? Where can I find that error? Because I don't know why ICS closes the SSL session. Today I created a new project - with ICS but SSL also doesn't work. If I load the program from a bad IP (IP<>domain name), SSL doesn't work and OnGetDocument works fine - but without SSL. I will appreciate your help.

ssltest.zip


Sorry, insufficient information to make any real diagnosis, you don't say what OpenSSL you are using, or which protocols, or what errors the client sees. The client may have closed the connection and the problem is not server related.

SslHandshakeDone is called for both success and failure, you are not logging what happened.

I suggest you try configuring the OverbyteIcsSslMultiFtpServ.dpr sample with your certificate and IP address and try to connect to that, it has better logging. Maybe use V8.66 as well. The latest versions of ICS will start without SSL certificate, it creates a self signed certificate to start-up, and will then order a free certificate from Let's Encrypt so you don't need to buy manually from RapidSSL.

Angus


Hi, thanks for the answer. The free Let's doesn't work 1 year without renewal and my service is official and works for hospitals. I don't want to use a self cert. OK, I will try to update to 8.66. Now I have added a logger to the demo project and now I get all logs. Maybe these lines?

16:25:09:465 AlpnCB> Protocols: h2,http/1.1
16:25:09:465 ProtoMsg: None, State: SSLv3/TLS read client hello, Send, DataLen: 5, Data= 1503030002
16:25:09:465 ProtoMsg: TLS 1.2 Alert, Fatal: , State: SSLv3/TLS read client hello, Send, DataLen: 2, Data= 0278
16:25:09:465 007428D8 ICB> SSL3 alert write fatal no application protocol
16:25:09:465 007428D8 ICB> SSL_accept: error 1 in error
16:25:09:465 007428D8 BIO_read(sslbio, 0x18FCF3, 0) = -1   [20]
16:25:09:465 007428D8 BIO_should_retry(sslbio) = 0   [21]
16:25:09:465 007428D8 HandleSslError handle=284  [22] error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
16:25:09:465 007428D8 TriggerEvent handle=sslFdClose 284
16:25:09:465 007428D8 NetworkError #10053

It's from any computer, from any browser. I have added the full log file.

1.log

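The two ProtoMsg lines in the log above carry the raw TLS record header and the alert body as hex. The following is an added example, not part of the thread or of ICS, that decodes them in Python; the log-line pattern is an assumption inferred only from the quoted lines, and the sample input is constructed from those lines.

```python
import re

# Constructed sample: the two ProtoMsg lines quoted in the post above.
SAMPLE_LOG = """\
16:25:09:465 ProtoMsg: None, State: SSLv3/TLS read client hello, Send, DataLen: 5, Data= 1503030002
16:25:09:465 ProtoMsg: TLS 1.2 Alert, Fatal: , State: SSLv3/TLS read client hello, Send, DataLen: 2, Data= 0278
"""

# Assumption: line layout inferred from the quoted lines, not from ICS documentation.
LINE_RE = re.compile(r"ProtoMsg:.*DataLen:\s*(\d+),\s*Data=\s*([0-9A-Fa-f]+)")

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions from the IANA TLS Alert registry (subset).
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 86: "inappropriate_fallback",
    112: "unrecognized_name", 120: "no_application_protocol",
}
ALERT_RECORD = 21  # TLS record content type 0x15


def decode_alerts(log_text):
    """Pair each 5-byte alert record header with the 2-byte plaintext alert after it."""
    alerts, header = [], None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or len(m.group(2)) != 2 * int(m.group(1)):
            continue  # not a ProtoMsg line, or hex dump shorter than DataLen
        data = bytes.fromhex(m.group(2))
        if len(data) == 5:  # record header: type(1) version(2) length(2)
            version = int.from_bytes(data[1:3], "big")
            length = int.from_bytes(data[3:5], "big")
            header = (version, length) if data[0] == ALERT_RECORD else None
        elif header and len(data) == 2 == header[1]:  # level(1) description(1)
            alerts.append({
                "record_version": VERSIONS.get(header[0], hex(header[0])),
                "level": LEVELS.get(data[0], str(data[0])),
                "code": data[1],
                "description": ALERTS.get(data[1], "unknown"),
            })
            header = None
        else:
            header = None
    return alerts
```

For the quoted lines this yields a fatal alert 120 (no_application_protocol), the ALPN alert defined in RFC 7301, which matches the "SSL3 alert write fatal no application protocol" line in the same log.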

ICS only creates a self signed certificate if there is no real certificate available, without which the server will not start.

As I said elsewhere today, the ICS logger is designed for internal component debugging, not application errors, nor SSL debugging.

What is your URL, email if necessary.

Angus


I can connect to your test server with the host name you sent, using the ICS browser component, get a 404 error no index page, uses a RapidSSL certificate:

SSL Connected OK with TLSv1.1, cipher ECDHE-RSA-AES256-SHA, key auth RSA, key exchange ECDH, encryption AES(256), message auth SHA1

TLSv1.1 and SHA1 are now obsolete and not supported by most browsers. Somehow you have configured the server not to support TLSv1.2, either by using very old OpenSSL DLLs or with options.

Angus


I updated 2 SSL files to OpenSSL v1.1.1k Win64 for ICS, http://www.overbyte.be. But it did not help. Is "TLSv1.1 and SHA1" a bad parameter in SslContext? Maybe you know new good working parameters?


You should really be configuring your server using IcsHosts so you can ignore the SslContext. But try these settings:

SslCtx.SslMinVersion := sslVerTLS1_2;
SslCtx.SslMaxVersion := sslVerTLS1_2;
SslCtx.SslCipherList := sslCiphersMozillaSrvTLS12;   { V8.66 was sslCiphersMozillaSrvInterFS }
SslCtx.SslSecLevel := sslSecLevel112bits;

Angus


So. I installed 8.66 on D7. I got an error - [Error] OverbyteIcsThreadTimer.pas(571): Undeclared identifier: 'AtomicIncrement'. I replaced it with InterlockedIncrement. Then I REM'd all calls to X509Log because it was also an undeclared identifier + copied the new SSL from the 8.66 folder and the ssltest demo is working. Then I started the old project with those new SSL files and it is working fine too. LOL :) Thank you very much for helping.


So your web server is accepting connections again?

Not many people still use Delphi 7 so don't test it very often, but I will fix V8.67 to work on it again next week.

Angus


Hi. Now it is working fine. And thx for SslContext1.SslCertX509.ValidNotAfter - now I use it with email notify in my projects.

And I still have one question. Which ICS component do you recommend for creating a secure FTP server and also secure FTP clients? Week's backup for 200+ users. And what is this ftpmulti1 :) thx

1 hour ago, Andriy said:

What do you recommend

It is better you open a new message thread for that other subject.

Just installed the overnight zip on Delphi 7, worked the second time after I deleted all the old units and packages and started fresh. A number of old units were removed in V8.66 which will no longer build. Having trouble building samples due to them having D2007 properties, long time since I tried to downgrade forms.

Angus

