
Thread: Indy 10.0.52 SSL problem




Replies: 3 - Last Post: Apr 25, 2016 10:51 AM - Last Post By: Ian Bainbridge
Ian Bainbridge

Posts: 3
Registered: 5/12/06
Indy 10.0.52 SSL problem  
  Posted: Apr 23, 2016 2:11 PM
Hi,

Having to support a D7 project that uses Indy10 and need to get SSL working, but having issues.

Using TidHTTP with TidSSLIOHandlerSocketOpenSSL and
libeay32.dll dated 6/17/2004 and ssleay32.dll with same date. Looking at the Fulgan site, the versions of these DLLs are endless! Could I have the wrong DLLs?

No problem connecting using http but https gives error 'Error connecting with SSL.'

Is there any specific setup for the IOHandler? I am using 'sslvSSLv3' and 'sslmUnassigned'

My test is trying to connect to 'https://api.ipify.org/'

I have Indy 10.0.52 installed

Thanks
Ian
Ian Bainbridge

Posts: 3
Registered: 5/12/06
Re: Indy 10.0.52 SSL problem  
  Posted: Apr 24, 2016 10:34 AM   in response to: Ian Bainbridge

Found that 'sslvSSLv23' works but 'sslvSSLv3' doesn't.

How is one to know what option works for a certain site? Is there no standard for SSL? Isn't v3 compatible with v23?

Thanks again for looking
Ian

Angus Robertson

Posts: 205
Registered: 3/17/00
Re: Indy 10.0.52 SSL problem  
  Posted: Apr 25, 2016 12:33 AM   in response to: Ian Bainbridge
> Found that 'sslvSSLv23' works but 'sslvSSLv3' doesn't.
>
> How is one to know what option works for a certain site? Is there
> no standard for SSL? Isn't v3 compatible with v23?

sslvSSLv23 was always badly named, it really means sslvSSLBest, and
that's what I renamed it in the ICS SSL implementation to avoid
confusion. It allows SSLv3, TLSv1, 1.1 or 1.2 to be negotiated,
provided there are ciphers supporting those protocols. SSLv2 is no
longer supported by new OpenSSL versions.

sslvSSLv3 means use only SSLv3 protocol, which very few sites will
support now, it's long obsolete.

OpenSSL is currently beta testing version 1.1.0 which corrects a lot of
these old issues, specifically sslvSSLv23 has disappeared, and there is
now the ability to set a lowest and highest TLS protocol instead, which
currently can only be done by using sslvSSLv23 and setting Options to
disable those protocols you don't want.

The bad news is OpenSSL 1.1.0 requires a lot of implementation effort,
the DLL names are different, lots of exports have gone, some are
renamed, and lots of other changes. I've just finished updating ICS
for OpenSSL 1.1.0, but it won't be released until the final OpenSSL
release in May.

Angus
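
The difference between the single-version method, the sslvSSLv23-style method with protocols masked by Options, and the OpenSSL 1.1.0 lowest/highest bounds can be seen in a small model of pre-TLS 1.3 version negotiation. This is an added example, not part of any post in this thread and not Indy, ICS or OpenSSL code; every name in it is hypothetical and the server behaviour is simplified.

```python
# Added illustration: simplified model of pre-TLS 1.3 version negotiation.
# All names are hypothetical; this is not Indy, ICS or OpenSSL code.
from enum import IntEnum


class Proto(IntEnum):
    SSLv3 = 0x0300
    TLSv1_0 = 0x0301
    TLSv1_1 = 0x0302
    TLSv1_2 = 0x0303


ALL = frozenset(Proto)


def fixed_method(version):
    """Single-version method such as sslvSSLv3: exactly one protocol enabled."""
    return frozenset({version})


def flexible_method(disabled=()):
    """sslvSSLv23-style method: everything, minus protocols masked by Options."""
    return ALL - frozenset(disabled)


def min_max(lowest, highest):
    """OpenSSL 1.1.0-style bounds: a contiguous range, so no holes are possible."""
    return frozenset(p for p in Proto if lowest <= p <= highest)


def negotiate(client, server):
    """Return the agreed protocol, or None if the handshake would fail.

    The client advertises only its highest enabled version; the server
    answers with its own highest version that is not above that; the
    client aborts if the answer is a version it has disabled.
    """
    if not client or not server:
        return None
    offered = max(client)
    candidates = [p for p in server if p <= offered]
    if not candidates:
        return None  # server has nothing at or below the client's offer
    chosen = max(candidates)
    return chosen if chosen in client else None
```

Masking a protocol in the middle of the range leaves a hole: a client with only TLS 1.1 disabled fails against a server whose highest version is TLS 1.1, even though both sides still have TLS 1.0 enabled.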
Ian Bainbridge

Posts: 3
Registered: 5/12/06
Re: Indy 10.0.52 SSL problem  
  Posted: Apr 25, 2016 10:51 AM   in response to: Angus Robertson
Thanks for the explanation, I will look to ICS when it is released.
