o815

Delphi Update 10.3.2 -> 11.3 -> no more TLS1.2 handshake


Hey there,

 

I recently updated our Delphi from 10.3.2 to 11.3. We are communicating as a TLS client to our hardware (TLS server) via TLS 1.2.

On Delphi 10.3.2 everything was working fine, but since the update I get a "bad hello message" at the handshake from my server.

 

We are using the OpenSSL libraries and Indy:

libeay32.dll
ssleay32.dll

 

uses
   IdTCPClient, IdSSLOpenSSL;

procedure myFoo;
var
   FIdTCPClient : TIdTCPClient;
   FIdSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL;
begin
   FIdTCPClient := TIdTCPClient.Create;
   FIdTCPClient.Host := '10.10.10.10';
   FIdTCPClient.Port := 10007;

   FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create;
   FIdSSLIOHandler.SSLOptions.Mode := sslmClient;
   FIdSSLIOHandler.SSLOptions.VerifyMode := [];
   FIdSSLIOHandler.SSLOptions.VerifyDepth := 0;
   FIdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
   FIdSSLIOHandler.SSLOptions.Method := sslvTLSv1_2;
   FIdTCPClient.IOHandler := FIdSSLIOHandler;

   FIdTCPClient.Connect;

   FIdTCPClient.Send([0,1,2,3]); // send test data -> server says "bad hello message" --> test data works on Delphi 10.3.2, not on Delphi 11.3
end;

 

So I tried the "ICS" component and did in my opinion the same thing, just advanced the demo "...\icsv870\Samples\Delphi\SslInternet\OverbyteIcsSimpleSslCli.dproj".

With this component, the communication is working! So it seems like an issue with indy.

 

procedure TForm1.Button1Click(Sender: TObject);
begin
    Sock.Addr := '10.10.10.10';
    Sock.Port := '10007';
    RecStream.Size := 0;
    Sock.SslEnable := TRUE;
    Sock.Connect; //-->

    sock.TimeoutIdle    := 60000;
    sock.TimeoutConnect := 60000;
    Sock.StartSslHandshake; // connected with server
end;

procedure TForm1.Button2Click(Sender: TObject);
begin
   Sock.SendTB([0,1,2,3,4,5,6,7,8,9]); // this data was received by server
end;

 

Embarcadero support couldn't help me, because Indy isn't a component developed by them.

So is anybody else having issues with TLS 1.2 after updating?

 

Did I miss setting another parameter in Indy?

 

Thanks in advance.

 

By the way, I am using the libeay32.dll and ssleay32.dll with the timestamp 2019-12-21. I am not able to use the current DLLs which are recommended by Embarcadero:

https://docwiki.embarcadero.com/RADStudio/Sydney/de/OpenSSL

 

If I use them, I get an error ("Could not open SSL library"), which I had already found here:

 

 

In the worst case I have to switch to "ICS"; I try to avoid 3rd-party tools and significant changes to the TLS communication....

 

 

Edited by o815

4 hours ago, o815 said:

      FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create;

The FIdSSLIOHandler.PassThrough property is True by default, so the connection is treated as a plain TCP connection.  You need to set the PassThrough property to False to initialize the TLS handshake. So, that is why you are getting the error on your 1st Send().  Your application data is the 1st thing being transmitted, so the server is mistaking that as the TLS handshake, hence the error.

 

You can set the PassThrough to False either before calling Connect() (ie, for implicit TLS, sending the handshake as soon as the TCP connection is established) or afterwards (ie, for explicit TLS, to allow for a protocol-level STARTTLS-style command before sending the handshake):

uses
  IdTCPClient, IdSSLOpenSSL;

procedure myFoo;
var
  FIdTCPClient : TIdTCPClient;
  FIdSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL;
begin
  FIdTCPClient := TIdTCPClient.Create;
  FIdTCPClient.Host := '10.10.10.10';
  FIdTCPClient.Port := 10007;

  FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create;
  FIdSSLIOHandler.SSLOptions.Mode := sslmClient;
  FIdSSLIOHandler.SSLOptions.VerifyMode := [];
  FIdSSLIOHandler.SSLOptions.VerifyDepth := 0;
  FIdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  FIdTCPClient.IOHandler := FIdSSLIOHandler;

  FIdSSLIOHandler.PassThrough := False; // <-- either here (implicit TLS)

  FIdTCPClient.Connect; // <-- will send the handshake if PassThrough is False

  FIdSSLIOHandler.PassThrough := False; // <-- or here, optionally after sending a STARTTLS command (explicit TLS)

  FIdTCPClient.Send([0,1,2,3]);
end;
Quote

So I tried the "ICS" component and did in my opinion the same thing ... With this component, the communication is working!

That is because you are explicitly setting Sock.SslEnable to True and then calling Sock.StartSslHandshake() after calling Sock.Connect().  You are not doing the equivalent with Indy.

Quote

So it seems like an issue with indy.

No, it is a bug in your code.  You are telling ICS to initiate the TLS handshake, but you are not telling Indy to do the same.

Quote

So is anybody else having issues with TLS 1.2 after updating?

This is not a new issue in 11.3.  This is how Indy has always behaved.

Quote

Did I miss setting another parameter in Indy?

Yes - the PassThrough property.

Quote

By the way, I am using the libeay32.dll and ssleay32.dll with the timestamp 2019-12-21. I am not able to use the current DLLs

OpenSSL DLLs that are known to work with Indy are available in Indy's GitHub repo:

 

https://github.com/IndySockets/OpenSSL-Binaries

 

 

Edited by Remy Lebeau

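What the poster's hardware actually saw in the two cases can be made concrete. The following is an added example, not code from this thread or from Indy: it reconstructs the first bytes a TLS server reads on a fresh connection, once with Indy's PassThrough left at True (the application bytes 00 01 02 03 arrive in the clear) and once with PassThrough set to False (the first record is a TLS ClientHello), and applies the record-layer and handshake-header checks a server makes before it can parse a hello. The ClientHello builder, the cipher-suite list and the result labels are this example's own assumptions; the poster's server reported the failure as "bad hello message". Standard library only, so it runs offline.

```python
"""Added example (not code from the thread): what a TLS server sees on the
wire when the client does or does not start a handshake.

The ClientHello below is constructed for the example (random and cipher-suite
list are placeholders); the classifier labels are this example's own.
"""
import os
import struct

CONTENT_HANDSHAKE = 0x16            # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01       # handshake message type: ClientHello
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Constructed cipher-suite list (real IANA code points, chosen for the example).
SAMPLE_SUITES = (0xC02F, 0xC02B, 0xC030)


def build_client_hello(version=0x0303, suites=SAMPLE_SUITES, random=None):
    """Build a minimal, single-record TLS ClientHello (RFC 5246 7.4.1.2) with
    an empty session_id, the null compression method and no extensions."""
    rnd = os.urandom(32) if random is None else random
    if len(rnd) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = struct.pack("!H", version) + rnd
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    body += b"\x00\x00"                               # extensions length 0
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is conventionally 0x0301 on a ClientHello for interop.
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_cipher_suites(hello_body):
    """Return the offered cipher suites from a ClientHello body (the bytes
    after the 4-byte handshake header)."""
    off = 2 + 32                                      # client_version + random
    off += 1 + hello_body[off]                        # session_id
    n = struct.unpack("!H", hello_body[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", hello_body[off + i:off + i + 2])[0] for i in range(0, n, 2)]


def classify_first_bytes(data):
    """Classify the first bytes a server reads on a new connection.

    'kind' is one of: 'empty', 'not-tls' (the client never started a
    handshake, e.g. Indy with PassThrough = True), 'truncated-record',
    'bad-hello' (a TLS record that is not a well-formed ClientHello) or
    'client-hello'.
    """
    if not data:
        return {"kind": "empty"}
    # A handshake record starts 0x16 0x03 xx; application bytes such as 00 01 02 03 do not.
    if data[0] != CONTENT_HANDSHAKE or (len(data) > 1 and data[1] != 0x03):
        return {"kind": "not-tls", "first_bytes": data[:4].hex()}
    if len(data) < 5:
        return {"kind": "truncated-record"}
    _ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if rec_len < 4 or len(data) < 5 + rec_len:
        return {"kind": "truncated-record"}
    hs = data[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    # Single-record ClientHello assumed: the handshake body must fill the record
    # and be at least as long as the fixed fields plus one cipher suite.
    if hs_type != HANDSHAKE_CLIENT_HELLO or hs_len != rec_len - 4 or hs_len < 41:
        return {"kind": "bad-hello", "handshake_type": hs_type}
    try:
        client_version = struct.unpack("!H", hs[4:6])[0]
        suites = parse_cipher_suites(hs[4:])
    except (IndexError, struct.error):
        return {"kind": "bad-hello", "handshake_type": hs_type}
    return {
        "kind": "client-hello",
        "client_version": TLS_VERSIONS.get(client_version, hex(client_version)),
        "cipher_suites": suites,
    }


# Constructed inputs: the poster's test data, and a proper ClientHello.
INDY_PASSTHROUGH_BYTES = bytes([0, 1, 2, 3])
CLIENT_HELLO = build_client_hello()

if __name__ == "__main__":
    for label, blob in (("PassThrough = True ", INDY_PASSTHROUGH_BYTES),
                        ("PassThrough = False", CLIENT_HELLO)):
        print(label, "->", classify_first_bytes(blob))
```

The first case comes back as not-tls: the server's handshake parser never gets a ClientHello, which is the whole content of the error the poster saw. One further caveat on both Delphi listings in this thread: SSLOptions.VerifyMode := [] disables peer certificate verification in Indy, so once the handshake works, enabling it (VerifyMode := [sslvrfPeer] with a trusted root in RootCertFile, or an OnVerifyPeer handler that checks the hardware's certificate) is what makes the TLS connection worth having against an on-path attacker.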

Hey man, thanks a lot!

PassThrough := False did the trick!

 

It seems this variable defaulted to False in 10.3.2 and now defaults to True in 11.3, but you are right: not setting this variable explicitly is my bad.

 

15 hours ago, o815 said:

It seems this variable defaulted to False in 10.3.2 and now defaults to True in 11.3

Ah, that issue, yes.  I keep forgetting about that.  Yes, that was originally a bug in Indy that was fixed in 2019 prior to the release of 10.4.

 
