"1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number call:" on Indy


Problem description

I have a web app that makes frequent TIdHTTP calls to the Google Analytics API (around 25,000-50,000 per day). Every so often calls to the API fail with the error message in the subject line (not often - less than 1 out of 1000 times). I have never been able to find a pattern to get it to happen. And retrying the failed call usually works. So it seems entirely random.

I have the latest version of openssl (1.0.2.1 - 03/20/2015). And the latest version of Indy (source code files dated 01/07/2015).

Below is the basic source code for making these calls.

Anyone have any ideas what it could be?

Would making two simultaneous calls to the API affect things (this is taking place in a multi-threaded Web App)?

IdSSLIOHandlerSocket1 := TIdSSLIOHandlerSocketOpenSSL.create(nil);
IdSSLIOHandlerSocket1.PassThrough := True;
IdHTTP := TIdHTTP.create(nil);
IdHTTP.reusesocket := rsTrue;
IdSSLIOHandlerSocket1.reusesocket := rsTrue;
idhttp.handleredirects := True;
with IdSSLIOHandlerSocket1 do begin
  SSLOptions.Method := sslvTLSv1_2;
  SSLOptions.SSLVersions := [sslvTLSv1_2];
  SSLOptions.VerifyMode := [];
  SSLOptions.VerifyDepth := 2;
end;
with IdHTTP do begin
  IOHandler := IdSSLIOHandlerSocket1;
  ProxyParams.BasicAuthentication := False;
  Request.UserAgent := 'EmbeddedAnalytics API Interface';
  Request.ContentType := 'text/html';
  request.connection := 'close';
  Request.Accept := 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
  Request.BasicAuthentication := False;
  Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
  HTTPOptions := [hoForceEncodeParams];
  Request.AcceptEncoding := 'gzip,deflate';
  Request.CustomHeaders.Add('Accept-Language: en-us,en;q=0.5');
  idhttp.Request.CustomHeaders.Add('Authorization: Bearer '+FToken);
end;
idhttp.get('https://www.googleapis.com/analytics/v3/data/realtime?ids=..........');

Update 1: updated some lines of code to:

SSLOptions.Method := sslvSSLv3;
SSLOptions.SSLVersions := [sslvSSLv3];

It works. I will monitor and see if SSL errors go away.

Solution: Turns out making the changes to sslVSSLv3 fixed it. I no longer get the errors! This is somewhat surprising seeing that most all other services are adopting TLS instead.

Recommended answer

Problem solved by changing this:

SSLOptions.Method := sslvTLSv1_2;
SSLOptions.SSLVersions := [sslvTLSv1_2];

to this:

SSLOptions.Method := sslvSSLv3;
SSLOptions.SSLVersions := [sslvSSLv3];

You might want to try TLS 1.0 instead, to avoid SSLv3.

There are two things to be mindful of with Google and TLS 1.2. And some of this may have changed by now. (This discussion is very specific, and it only applies to Google servers and TLS 1.2).

First, you have to disable compression if using TLS 1.2 and ECDSA. This weird factoid showed up in a discussion on the OpenSSL mailing list under ECDHE-ECDSA Support. Here's a related support ticket it generated: Bug 3277: OpenSSL s_client doc missing option.

Second, if you are not using the ChaCha20/Poly1305 ciphers, then you have to be mindful of fallback cipher suites for TLS 1.2. I was never able to figure this one out (especially since all the ephemeral DH suites should be supported), but I know it used to be the case from testing. So be sure to include the following for fallback (this is also needed for Microsoft servers running IIS 8 (or maybe 7) and earlier):

  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
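
For anyone chasing an intermittent "wrong version number", it helps to log the first five bytes of the record that triggered it. The following is an added example, not code from the question, the answer, Indy or OpenSSL: a simplified Python model of the version check applied to a record header, run over constructed sample headers. The function name and the samples are assumptions made for illustration.

```python
# Added example: simplified model of the record-header version check.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def diagnose_record_header(header, negotiated=None):
    """Classify a 5-byte record header and return (ok, explanation).

    negotiated is the (major, minor) version agreed in the handshake, or
    None for the first record of a connection, when only the major
    version byte can be checked.
    """
    if len(header) < 5:
        return False, "short read: fewer than 5 header bytes"
    ctype, major, minor = header[0], header[1], header[2]
    length = int.from_bytes(header[3:5], "big")
    if major != 3:
        # Printable ASCII here usually means the peer answered in plaintext.
        if header.isascii() and header.decode("ascii").isprintable():
            return False, ("wrong version number: plaintext %r, not a TLS record"
                           % header.decode("ascii"))
        return False, "wrong version number: major byte 0x%02x is not 3" % major
    name = VERSIONS.get((major, minor), "unknown 3.%d" % minor)
    if negotiated is not None and (major, minor) != negotiated:
        return False, ("wrong version number: record says %s, session negotiated %s"
                       % (name, VERSIONS.get(negotiated, "unknown")))
    kind = CONTENT_TYPES.get(ctype, "unknown type %d" % ctype)
    return True, "%s record, %s, %d bytes" % (kind, name, length)


# Constructed sample headers (not captured from the asker's traffic).
SAMPLES = [
    (bytes.fromhex("1603030050"), (3, 3)),  # TLS 1.2 handshake record
    (bytes.fromhex("1703000020"), (3, 3)),  # SSLv3 record on a TLS 1.2 session
    (b"HTTP/", None),                       # plain HTTP reply on the TLS socket
    (bytes.fromhex("15030100"), (3, 1)),    # truncated header
]

if __name__ == "__main__":
    for hdr, ver in SAMPLES:
        print(hdr.hex(), "->", diagnose_record_header(hdr, ver))
```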
