Thread: REST: TRESTRequest with TLS 1.1 or 1.2

Replies: 3 - Last Post: Sep 26, 2017 4:05 AM, by Christoph Schwe...

Christoph Schwe...

Posts: 2
Registered: 5/2/08
REST: TRESTRequest with TLS 1.1 or 1.2  
  Posted: Sep 18, 2017 7:34 AM
We have a REST Server with the following configuration:

  LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FServer);
  LIOHandleSSL.SSLOptions.CertFile := ACertFile;
  LIOHandleSSL.SSLOptions.RootCertFile := ARootCertFile;
  LIOHandleSSL.SSLOptions.KeyFile := AKeyFile;
  LIOHandleSSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
  // Note: in Indy's TIdSSLOptions, assigning Method afterwards replaces
  // SSLVersions with that single version, so the set above only survives
  // when ATLSModus leaves Method untouched.
  case ATLSModus of
    hrtmTLSv1:
      LIOHandleSSL.SSLOptions.Method := sslvTLSv1;
    hrtmTLSv1_1:
      LIOHandleSSL.SSLOptions.Method := sslvTLSv1_1;
    hrtmTLSv1_2:
      LIOHandleSSL.SSLOptions.Method := sslvTLSv1_2;
  end;
  LIOHandleSSL.SSLOptions.Mode := sslmServer;
  LIOHandleSSL.OnGetPassword := OnGetSSLPassword;
  FServer.IOHandler := LIOHandleSSL;


On the client side we're doing the following:

  FRESTClient := TRESTClient.Create('https://<server>:<port>/');
  FRESTRequest := TRESTRequest.Create(nil);
  FRESTRequest.Client := FRESTClient;
  FRESTRequest.Response := FRESTResponse;
 
  FRESTResponse.ResetToDefaults;
  FRESTRequest.ResetToDefaults;
 
  FRESTRequest.Timeout := 600000;
 
  FRESTRequest.Resource := '<ENDPOINT>';
 
  FRESTRequest.Method := TRESTRequestMethod.rmGET;
  FRESTRequest.Execute;


This works fine if we set the TLS method to sslvTLSv1, but when we're using sslvTLSv1_1 or sslvTLSv1_2 we're getting a certificate error (TWinHTTPClient.DoExecuteRequest returns TWinHTTPClient.TExecutionResult.ServerCertificateInvalid).
Firefox tells us (under the technical details of the security information): "TLS_RSA_WITH_AES_128_CBC_SHA, 128-Bit-Key, TLS 1.2" with a valid certificate.

Connecting to an IIS with TLS 1.2 enabled doesn't work either, so it looks like our client is missing something.

We're using Delphi 10.1 Berlin Update 2 and the OpenSSL.dll is 1.0.2l from https://indy.fulgan.com/SSL/.

Thanks in advance!
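For comparison, here is an added example (not code from the thread or from Embarcadero) of a server-side handler that accepts TLS 1.2 only. It sets SSLVersions and deliberately never assigns Method, because Indy's TIdSSLOptions.SetMethod overwrites SSLVersions with the single version it is given. File names, the cipher list and the assumption that the PEM certificate file may carry the intermediate chain are this example's own choices, not taken from the original post.

```delphi
uses
  System.SysUtils, IdHTTPServer, IdSSLOpenSSL;

// Added example, not from the thread: configure a TIdHTTPServer so that it
// only negotiates TLS 1.2. ACertFile/AKeyFile/ACAFile are placeholders.
procedure ConfigureTls12OnlyServer(AServer: TIdHTTPServer;
  const ACertFile, AKeyFile, ACAFile: string);
var
  LIOHandler: TIdServerIOHandlerSSLOpenSSL;
begin
  LIOHandler := TIdServerIOHandlerSSLOpenSSL.Create(AServer);
  LIOHandler.SSLOptions.Mode := sslmServer;

  // Server certificate (PEM). Assumption for this example: the intermediate
  // CA certificates are appended to this file, leaf first, so that clients
  // receive the complete chain; a missing intermediate is a frequent cause
  // of "server certificate invalid" on strict clients such as WinHTTP.
  LIOHandler.SSLOptions.CertFile := ACertFile;
  LIOHandler.SSLOptions.KeyFile := AKeyFile;
  // CA store used by the server for verification (only relevant if client
  // certificates are ever requested).
  LIOHandler.SSLOptions.RootCertFile := ACAFile;

  // Restrict protocol versions through SSLVersions only. Do NOT assign
  // Method afterwards: SetMethod resets SSLVersions to [Method].
  LIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];

  // Prefer forward-secret AEAD suites; this string is an example choice.
  LIOHandler.SSLOptions.CipherList := 'ECDHE+AESGCM:!aNULL:!MD5:!RC4';

  AServer.IOHandler := LIOHandler;
end;
```

With a single version in SSLVersions, Indy sets Method to that version itself, so the case statement from the original post becomes unnecessary; to allow several versions, put all of them into SSLVersions and leave Method alone.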
Eli M

Posts: 1,346
Registered: 11/9/13
Re: REST: TRESTRequest with TLS 1.1 or 1.2  
  Posted: Sep 18, 2017 8:56 PM   in response to: Christoph Schwe...
Is it a self signed cert? Does it work with TNetHTTPClient?
Kai Espe

Posts: 1
Registered: 4/3/11
Re: REST: TRESTRequest with TLS 1.1 or 1.2  
  Posted: Sep 19, 2017 12:10 AM   in response to: Eli M
Eli M wrote:
Is it a self signed cert? Does it work with TNetHTTPClient?

The certificate is from GlobalSign, so not a self signed cert and from a trusted authority.
It also doesn't work with TNetHTTPClient, the Get() raises the following exception: "Serverzertifikat ungültig oder nicht vorhanden." ("Server certificate invalid or not present.", ENetHTTPClientException)

If we set the server SSL-method to sslvTLSv1 it works as expected, but 1_1 and 1_2 yield the above exception.
The same applies if we try to connect to the TLS 1.2 enabled IIS.
Christoph Schwe...

Posts: 2
Registered: 5/2/08
Re: REST: TRESTRequest with TLS 1.1 or 1.2  
  Posted: Sep 26, 2017 4:05 AM   in response to: Christoph Schwe...
Looks like a bug in the implementation as neither TNetHTTPClient nor TRESTRequest are working. TIdHTTP however works flawlessly with the OpenSSL-IO-Handler.
We opened a bug report: https://quality.embarcadero.com/browse/RSP-19135
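One caveat worth checking before switching to TIdHTTP: the Indy OpenSSL client handler defaults to VerifyMode = [], meaning it does not validate the server certificate at all, which is one reason it can "work" where WinHTTP reports ServerCertificateInvalid. The following added example (not code from the thread or from the Indy project) shows a TIdHTTP client pinned to TLS 1.2 with peer verification turned on. Assumptions of this example: the CA bundle path and expected host name are caller-supplied placeholders, the Berlin-era Indy handler leaves host-name matching to the application, and the host check here looks only at the subject CN (no SAN parsing) to keep the demo short.

```delphi
uses
  System.SysUtils, IdHTTP, IdSSLOpenSSL;

type
  // Added example: TIdHTTP over TIdSSLIOHandlerSocketOpenSSL with TLS 1.2 and
  // server-certificate verification enabled (Indy's default is no verification).
  TVerifyingRestClient = class
  private
    FHTTP: TIdHTTP;
    FIOHandler: TIdSSLIOHandlerSocketOpenSSL;
    FExpectedHost: string;
    function DoVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  public
    constructor Create(const ACABundleFile, AExpectedHost: string);
    destructor Destroy; override;
    function Get(const AURL: string): string;
  end;

// Pulls the CN out of an OpenSSL one-line subject such as "/C=DE/O=x/CN=host".
function ExtractCN(const AOneLine: string): string;
var
  P, E: Integer;
begin
  Result := '';
  P := Pos('/CN=', AOneLine);
  if P = 0 then
    Exit;
  Inc(P, Length('/CN='));
  E := P;
  while (E <= Length(AOneLine)) and (AOneLine[E] <> '/') do
    Inc(E);
  Result := Copy(AOneLine, P, E - P);
end;

constructor TVerifyingRestClient.Create(const ACABundleFile, AExpectedHost: string);
begin
  inherited Create;
  FExpectedHost := AExpectedHost;
  FHTTP := TIdHTTP.Create(nil);
  FIOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(FHTTP);
  FIOHandler.SSLOptions.Mode := sslmClient;
  FIOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // Without sslvrfPeer the handshake succeeds against ANY certificate.
  FIOHandler.SSLOptions.VerifyMode := [sslvrfPeer];
  FIOHandler.SSLOptions.VerifyDepth := 3;
  // Trusted CA bundle in PEM form (placeholder path supplied by the caller).
  FIOHandler.SSLOptions.RootCertFile := ACABundleFile;
  FIOHandler.OnVerifyPeer := DoVerifyPeer;
  FHTTP.IOHandler := FIOHandler;
  FHTTP.ConnectTimeout := 10000;
  FHTTP.ReadTimeout := 600000;
end;

destructor TVerifyingRestClient.Destroy;
begin
  FHTTP.Free; // FHTTP owns FIOHandler
  inherited;
end;

function TVerifyingRestClient.DoVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for the certificate at this chain depth
  // (0 = leaf). Returning True for a failed check would disable validation,
  // so only the diagnostic is added here and the verdict is passed through.
  Result := AOk;
  if not AOk then
  begin
    Writeln(Format('TLS verify failed at depth %d (error %d): %s',
      [ADepth, AError, Certificate.Subject.OneLine]));
    Exit;
  end;
  // Host-name matching is left to the application by this handler; simplified
  // CN-only comparison for the leaf certificate (SANs are not examined here).
  if ADepth = 0 then
    Result := SameText(ExtractCN(Certificate.Subject.OneLine), FExpectedHost);
end;

function TVerifyingRestClient.Get(const AURL: string): string;
begin
  Result := FHTTP.Get(AURL);
end;
```

A failed verification surfaces as an EIdOSSLUnderlyingCryptoError (or a related Indy SSL exception) from Get, which is the behaviour wanted: a client that quietly accepts an unverifiable chain is not a fix for the WinHTTP error, it just hides it.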