o815 0 Posted April 18, 2023 (edited) Hey there, I recently updated out Delphi from 10.3.2 to 11.3. We are communicating as a TLS-Client to our hardware (TLS-Server) via TLS 1.2. On Delphi 10.3.2 everything was working fine, but since the updated Version, I get a "bad hello message" at the handshake of my server. We are using the OpenSSL librariers and Indy libeay32.dll ssleay32.dll procedure myFoo; var FIdTCPClient : TIdTCPClient; FIdSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL; begin FIdTCPClient := TIdTCPClient.Create; FIdTCPClient.Host := '10.10.10.10'; FIdTCPClient.Port := 10007; FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create; FIdSSLIOHandler.SSLOptions.Mode := sslmClient; FIdSSLIOHandler.SSLOptions.VerifyMode := []; FIdSSLIOHandler.SSLOptions.VerifyDepth := 0; FIdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2]; FIdSSLIOHandler.SSLOptions.Method := sslvTLSv1_2; FIdTCPClient.IOHandler := FIdSSLIOHandler; FIdTCPClient.Connect; FIdTCPclient.Send([0,1,2,3]); // send testdata -> server says "bad hello message" --> testdata is working @ Delphi 10.3.2; Delphi 11.3 not end; So I tried the "ICS" component and did in my opinion the same thing, just advanced the demo "...\icsv870\Samples\Delphi\SslInternet\OverbyteIcsSimpleSslCli.dproj". With this component, the communication is working! So it seems like an issue with indy. procedure TForm1.Button1Click(Sender: TObject); begin Sock.Addr := '10.10.10.10'; Sock.Port := '10007'; RecStream.Size := 0; Sock.SslEnable := TRUE; Sock.Connect; //--> sock.TimeoutIdle := 60000; sock.TimeoutConnect := 60000; Sock.StartSslHandshake; // connected with server end; procedure TForm1.Button2Click(Sender: TObject); begin Sock.SendTB([0,1,2,3,4,5,6,7,8,9]); // this data was received by server end; Embarcadero support could't help me, because indy isn't a component developed by them. So anybody else having issues wiht TLS1.2 after updating? Did I miss something to set another parameter in indy? Thanks in advance. By the way, I am using the libeay32.dll, ssleay32.dll with the timestamp of (2019-12-21). I am not able to use the current DLLs which are recommended by embarcadero: https://docwiki.embarcadero.com/RADStudio/Sydney/de/OpenSSL If I use them, I get an error (" Could not open SSL library "), which I found already there: On worst case, I have to switch to "ICS", I try to avoid 3rd party tools and significant changed on TLS communication.... Edited April 18, 2023 by o815 Share this post Link to post
Remy Lebeau 1392 Posted April 18, 2023 (edited) 4 hours ago, o815 said: FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create; The FIdSSLIOHandler.PassThrough property is True by default, so the connection is treated as a plain TCP connection. You need to set the PassThrough property to False to initialize the TLS handshake. So, that is why you are getting the error on your 1st Send(). Your application data is the 1st thing being transmitted, so the server is mistaking that as the TLS handshake, hence the error. You can set the PassThrough to False either before calling Connect() (ie, for implicit TLS, sending the handshake as soon as the TCP connection is established) or afterwards (ie, for explicit TLS, to allow for a protocol-level STARTTLS-style command before sending the handshake): procedure myFoo; var FIdTCPClient : TIdTCPClient; FIdSSLIOHandler : TIdSSLIOHandlerSocketOpenSSL; begin FIdTCPClient := TIdTCPClient.Create; FIdTCPClient.Host := '10.10.10.10'; FIdTCPClient.Port := 10007; FIdSSLIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create; FIdSSLIOHandler.SSLOptions.Mode := sslmClient; FIdSSLIOHandler.SSLOptions.VerifyMode := []; FIdSSLIOHandler.SSLOptions.VerifyDepth := 0; FIdSSLIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2]; FIdTCPClient.IOHandler := FIdSSLIOHandler; FIdSSLIOHandler.PassThrough := False; // <-- either here FIdTCPClient.Connect; // <-- will send the handshake if PassThrough is False FIdSSLIOHandler.PassThrough := False; // <-- or here, optionally after sending a STARTTLS command FIdTCPClient.Send([0,1,2,3]); end; Quote So I tried the "ICS" component and did in my opinion the same thing ... With this component, the communication is working! That is because you are explicitly setting Sock.SslEnable to True and then calling Sock.StartSslHandshake() after calling Sock.Connect(). You are not doing the equivalent with Indy. Quote So it seems like an issue with indy. No, it is a bug in your code. You are telling ICS to initiate the TLS handshake, but you are not telling Indy to do the same. Quote So anybody else having issues wiht TLS1.2 after updating? This is not a new issue in 11.3. This is how Indy has always behaved. Quote Did I miss something to set another parameter in indy? Yes - the PassThrough property. Quote By the way, I am using the libeay32.dll, ssleay32.dll with the timestamp of (2019-12-21). I am not able to use the current DLLs OpenSSL DLLs that are known to work with Indy are available in Indy's GitHub repo: https://github.com/IndySockets/OpenSSL-Binaries Edited April 18, 2023 by Remy Lebeau 1 1 Share this post Link to post
o815 0 Posted April 19, 2023 Hey man, thanks a lot! passthrough := false did the trick! Seems this variable was set default false at 10.3.2 and now is default true in 11.3, but you are right: not setting this variable explicit is my bad. Share this post Link to post
Remy Lebeau 1392 Posted April 19, 2023 15 hours ago, o815 said: Seems this variable was set default false at 10.3.2 and now is default true in 11.3 Ah, that issue, yes. I keep forgetting about that. Yes, that was originally a bug in Indy that was fixed in 2019 prior to the release of 10.4. Share this post Link to post