ssl v3 poodle and move to tls with indy


Question

As you know, the new POODLE is in town, whose bark got Twitter and Cloudflare to drop support for SSL3.

Indy (TIdHTTP) 10.6.0.0 raises this nice exception:


EIdOSSLUnderlyingCryptoError message 'Error connecting with SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'

What is my problem?

Update: here is the code that throws the exception (full working code):

var
  parameters: TStringList;
  keySecretBase64: string;
  stream: TStringStream;
  IdEncoderMIME1: TIdEncoderMIME;
  idHttp1: TIdHTTP;
  IdSSLIOHandlerSocketOpenSSL1: TIdSSLIOHandlerSocketOpenSSL; // assume on Form
begin
  stream := TStringStream.Create;
  parameters := TStringList.Create;
  IdEncoderMIME1 := TIdEncoderMIME.Create(nil);
  idHttp1 := TIdHTTP.Create(nil);
  IdSSLIOHandlerSocketOpenSSL1 := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
  IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];
  with IdSSLIOHandlerSocketOpenSSL1 do begin
    SSLOptions.Method := sslvSSLv3; // Method is assigned a second time here, after the TLS 1.2 settings above
    SSLOptions.Mode := sslmUnassigned;
    SSLOptions.VerifyMode := [];    // no peer certificate verification
    SSLOptions.VerifyDepth := 2;
  end;
  with idHttp1 do begin
    IOHandler := IdSSLIOHandlerSocketOpenSSL1;
    ReadTimeout := 0;
    AllowCookies := True;
    ProxyParams.BasicAuthentication := False;
    ProxyParams.ProxyPort := 0;
    Request.ContentLength := -1;
    Request.ContentRangeEnd := 0;
    Request.ContentRangeStart := 0;
    Request.ContentType := 'application/x-www-form-urlencoded';
    Request.Accept := 'text/html, */*';
    Request.BasicAuthentication := False;
    Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
    HTTPOptions := [hoForceEncodeParams];
  end;
  parameters.Clear;
  idHttp1.Request.CustomHeaders.Clear;
  IdEncoderMIME1.FillChar := '=';

  try
    // key and secret are the Twitter-provided credentials; URL is the token endpoint
    keySecretBase64 := TIdEncoderMIME.EncodeString(key + ':' + secret, IndyTextEncoding_UTF8);
    parameters.Add('grant_type=client_credentials');
    idHttp1.Request.CustomHeaders.AddValue('Authorization', 'Basic ' + keySecretBase64);
    idHttp1.Post(URL, parameters, stream);
  finally
    stream.Free;
    parameters.Free;
    idHttp1.Free;
    IdSSLIOHandlerSocketOpenSSL1.Free;
    IdEncoderMIME1.Free;
  end;
end;


Answer

Your code selects TLS 1.2 in the SSLOptions property Method:

IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];

However, two lines later this value is overwritten with SSL 3:

with IdSSLIOHandlerSocketOpenSSL1 do begin
  SSLOptions.Method := sslvSSLv3;
  ...
end;

So the client will not connect with the newer TLS 1.2 protocol but with SSL 3, which is no longer supported by the server.

This explains the error message, which says that the SSL 3 handshake (which the client tried) failed:


SSL. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure'

If you remove the second assignment, the IdHTTP client will use TLS 1.2 for the connection.
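Added example, not part of the question or the answer above: the same client-credentials POST with the SSL handler configured the way I would ship it. In Indy 10.6, assigning SSLOptions.Method resets SSLOptions.SSLVersions to that single version (and assigning SSLVersions sets Method), so the protocol set is pinned exactly once here and Method is never touched afterwards, which is the mistake the answer points out. The example also replaces the question's VerifyMode := [] (SSL_VERIFY_NONE, which accepts any certificate, including one presented by a man in the middle) with chain verification against a PEM CA bundle. The class name TTokenClient, the CA bundle path passed to its constructor, and the endpoint URL are my assumptions; TLS 1.2 in Indy requires OpenSSL 1.0.1 or later DLLs next to the executable.

```delphi
uses
  SysUtils, Classes, IdGlobal, IdHTTP, IdSSLOpenSSL, IdCoderMIME;

type
  // Hypothetical wrapper, not an Indy class.
  TTokenClient = class
  private
    FHttp: TIdHTTP;
    FIO: TIdSSLIOHandlerSocketOpenSSL;
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  public
    constructor Create(const ACABundle: string);
    destructor Destroy; override;
    function GetBearerToken(const AURL, AKey, ASecret: string): string;
  end;

constructor TTokenClient.Create(const ACABundle: string);
begin
  inherited Create;
  FIO := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  // Pin the protocol set once. A later "SSLOptions.Method := ..." would reset
  // SSLVersions to that one version, which is how the question ended up on SSL 3.
  FIO.SSLOptions.SSLVersions := [sslvTLSv1_2];
  FIO.SSLOptions.Mode := sslmClient;
  // VerifyMode := [] is SSL_VERIFY_NONE. Ask OpenSSL to verify the server chain
  // against the CA bundle (assumed PEM file) and fail the handshake if it does not check out.
  FIO.SSLOptions.VerifyMode := [sslvrfPeer];
  FIO.SSLOptions.VerifyDepth := 4;
  FIO.SSLOptions.RootCertFile := ACABundle;
  FIO.OnVerifyPeer := VerifyPeer;

  FHttp := TIdHTTP.Create(nil);
  FHttp.IOHandler := FIO;
  FHttp.Request.ContentType := 'application/x-www-form-urlencoded';
  FHttp.Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
  FHttp.HTTPOptions := [hoForceEncodeParams];
end;

destructor TTokenClient.Destroy;
begin
  FHttp.Free;
  FIO.Free;
  inherited;
end;

function TTokenClient.VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for the certificate at this depth. Returning True
  // when AOk is False would silently re-open the hole, so just pass it through.
  Result := AOk;
end;

function TTokenClient.GetBearerToken(const AURL, AKey, ASecret: string): string;
var
  Params: TStringList;
  Body: TStringStream;
begin
  Params := TStringList.Create;
  Body := TStringStream.Create;
  try
    // HTTP Basic with the consumer key and secret, same as the question's request.
    FHttp.Request.CustomHeaders.Values['Authorization'] :=
      'Basic ' + TIdEncoderMIME.EncodeString(AKey + ':' + ASecret, IndyTextEncoding_UTF8);
    Params.Add('grant_type=client_credentials');
    // A verification failure or an unsupported protocol surfaces here as
    // EIdOSSLUnderlyingCryptoError; let it propagate rather than swallowing it.
    FHttp.Post(AURL, Params, Body);
    Result := Body.DataString; // JSON body containing the access token
  finally
    Body.Free;
    Params.Free;
  end;
end;
```

Usage: `Token := TTokenClient.Create('cacert.pem')` then `GetBearerToken('https://api.example.invalid/oauth2/token', Key, Secret)` and free the client afterwards. If a server still needs TLS 1.0 or 1.1, widen the set to `[sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]`; Indy then sets Method to sslvSSLv23 itself and OpenSSL negotiates the highest version both sides support, without SSL 3 ever being offered.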
