AndreL

OverbyteIcsSslHttpRest : StatCode <> 0 frequently


Hi,

 

StatCode := HttpRest1.RestRequest(Req, ReqURL, Async, Json);

 

After the call, StatCode is very frequently <> 0 when Req := httpPost

Typically after a get call, even with a 200 response.

NB: HttpRest1.State = httpReady

 

'Request failed: Error: No Status Code - 0  HTTP no status code (connection closed prematurely)'

 

What could be the reason for that?

 

any help is welcome ...

 

André


How the request is made depends on the value of the Async parameter. 

 

If Async is false, the function is blocking and waits for the request to complete, so the return code will be accurate. True means async, so it will return immediately the request starts, and the OnRestRequestDone event is called when the request completes, from where you check various properties to see what happened.

 

Angus

 


Thanks for the reply.

 

I'm replacing my old rest framework by ICS one.

I started in blocking mode and am just recoding to async mode for test purposes.

 

In both cases the application runs into errors after some calls, typically when changing the reqType: from get to post or post to put.

Is there something to "clear or reset" in the TSslHttpRest?

 

Some errors in the SSL log:

Error unable to get local issuer certificate

09:19:04:015 04A5C9D0 SslHandshakeDone(0) Handle=396. SSL Connected OK with TLSv1.2, cipher ECDHE-RSA-AES256-GCM-SHA384, key auth RSA, key exchange ECDH, encryption AESGCM(256), message auth AEAD, VerifyResult=unknown certificate verification error

TLS 1.2 Alert, Warning: Close Notify, State: SSL negotiation finished successfully, Recv, DataLen: 2, Data= 0100

 

André.


Very rarely should you need to use SSL DebugLevel logging DebugSslLow; generally DebugSsl gives all the information you need.

 

In this case, also set SslReportChain true and it will log the certificates in the chain, allowing you to see why verification failed: either the server is misconfigured and did not send an intermediate, or the intermediate is signed by a root CA that is not in the store you specified. ICS has different CA stores with varying numbers of certificates; there are hundreds of CAs, but only a few dozen are common.

 

Angus
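
The two causes of "unable to get local issuer certificate" named in the reply above can be reproduced with the openssl command line. This is an added example, not part of the original posts and not ICS code; the CA names, file names and helper functions are made up, and it assumes an openssl 1.1.1 or later binary on the PATH.

```shell
#!/usr/bin/env bash
# Constructed test PKI (all names made up): root -> intermediate -> leaf, plus an
# unrelated root standing in for a CA bundle that does not contain the right root.
new_key() {   # new_key <dir> <CN> <name> <extra "openssl req" args...>
  d=$1; cn=$2; n=$3; shift 3
  openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" "$@" 2>/dev/null
}
sign() {      # sign <dir> <name> <issuer name> <extra "openssl x509" args...>
  d=$1; n=$2; ca=$3; shift 3
  openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}
build_pki() { # build_pki <dir>
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ca' \
    '[dn]' 'CN=unused' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/pki.cnf"
  new_key "$d" "Demo Root CA" root -x509 -days 2 -out "$d/root.pem" &&
  new_key "$d" "Other Root CA" other -x509 -days 2 -out "$d/other.pem" &&
  new_key "$d" "Demo Intermediate CA" int -new -out "$d/int.csr" &&
  sign "$d" int root -extfile "$d/pki.cnf" -extensions ca &&
  new_key "$d" "api.example.test" leaf -new -out "$d/leaf.csr" &&
  sign "$d" leaf int
}
# Prints "ok", or the chain depth at which OpenSSL reports
# "unable to get local issuer certificate" (verify error 20).
# Depth 0: nothing available that issued the leaf (intermediate not sent).
# Depth 1: intermediate was supplied, but its root is not in the trust store.
issuer_error_depth() {  # <trust store> <leaf> [intermediate sent by the server]
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" | sed -n 's/^error 20 at \([0-9]*\) depth lookup.*/\1/p' ;;
  esac
}

PKI=$(mktemp -d) && build_pki "$PKI"
echo "server sent no intermediate:      $(issuer_error_depth "$PKI/root.pem" "$PKI/leaf.pem")"
echo "intermediate sent, root in store: $(issuer_error_depth "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/int.pem")"
echo "intermediate sent, wrong store:   $(issuer_error_depth "$PKI/other.pem" "$PKI/leaf.pem" "$PKI/int.pem")"
```

The error text is identical in both failing cases; only the depth differs, which is why seeing the certificates in the chain is what separates a misconfigured server from an incomplete CA store.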

 


Temporary fix:

- adding a ca-bundle.trust.pem file (Chain Verification Succeeded)

- redoing the call in case of 'connection closed prematurely' <-- why is still to be clarified -->

 

Socket error 10053 is also popping up.

 

To be continued.

 

Thanks for your support.


Next status:

 

Handle Background Exception, source: TCustomWSocket.WndProc, Msg=1030:   Access violation at address 6F71F1E4  module 'libssl-3.dll'. read of address 00000040

 

openssl version 3.1.1 or 3.1.0

 

7:09:59:840 ResetSslSession SetShutDown FSsl handle=0
17:09:59:840 ResetSslSession FSslBio handle=0
17:09:59:840 ResetSslSession FNBio handle=0
17:09:59:850 ResetSslSession Fibio handle=0
17:09:59:852 ResetSslSession Close FSsl handle=0
17:09:59:852 0530C9D0 ResetSslSession Done
17:09:59:900 0530C9D0 Socket handle created handle=1464
17:09:59:900 TWSocket will connect to 81.240.65.4:443
17:10:01:646 Handle Background Exception, source: TCustomWSocket.WndProc, Msg=1030 - Violation d'accès à l'adresse 6F71F1E4 dans le module 'libssl-3.dll'. Lecture de l'adresse 00000040
17:10:01:650 0530C9D0 TCustomWSocket.Shutdown 1 handle=1464
17:10:01:661 0530C9D0 ResetSslSession starting handle=-1
17:10:01:670 ResetSslSession SetShutDown FSsl handle=0
17:10:01:677 ResetSslSession FSslBio handle=0
17:10:01:677 ResetSslSession FNBio handle=0
17:10:01:680 ResetSslSession Fibio handle=0
17:10:01:680 ResetSslSession Close FSsl handle=0
17:10:01:680 0530C9D0 ResetSslSession Done
17:10:01:680 0530C9D0 ResetSslSession starting handle=-1


Exceptions in OpenSSL are almost impossible to trace, but incredibly rare. Nothing in the logs will be useful. Does it happen to several different servers or just one specific server?

 

In server applications, OpenSSL errors are common when hackers attempt to access them using invalid protocols; I get dozens a day on my public servers, but rarely do they cause an exception. I assume this is the REST client?

 

Before looking at the ICS code, always check the server actually works properly using https://www.ssllabs.com/ssltest/

 

Angus

 


Hi Angus,

 

Yes, this is a REST client application (JSON) that has been running for years on top of "fabricio colombo rest client" and Indy stacks with the latest OpenSSL version (3.1.1).

 

My goal was to replace those 2 with your stack, which is quite well updated.

 

But those intermittent low-level errors are very difficult to fix:

- error linking to  "libssl-3.dll"  (~10% of the requests )

- Request failed: Error: No Status Code - 0  HTTP no status code (connection closed prematurely)'

...

Servers are apache with Openssl 3.1.1 on Windows or Rocky linux  with OpenSSL 1.1.1.

(Server Version: Apache/2.4.57 (Win64) OpenSSL/3.1.1) -( Server Version: Apache/2.4.37 (rocky) OpenSSL/1.1.1k)

 

In the end there are a lot of request retries, slowing down the application.

 

I also use https://www.ssllabs.com/ssltest/ to keep my servers safe: score A+

 

To be continued.


<error linking to  "libssl-3.dll">  is not an ICS error message, we load the DLL once, not for each request.  So there is something else happening here...

 

<connection closed prematurely>  is usually the server saying go away for some reason, perhaps busy, might not like the SSL options offered. 

 

Angus

 


Solved !

 

A wait loop with application.handleprocess was killing the message-based ICS logic.

Replacing it with application.processmessages solved the case, and we are back to speed.

 

Thank you for your time on this case and quick support.

 

André.
