"1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number call:" on Indy


Problem description

I have a web app that makes frequent TIdHTTP calls to the Google Analytics API (around 25,000-50,000 per day). Every so often calls to the API fail with the error message in the subject line (not often - less than 1 out of 1000 times). I have never been able to find a pattern to get it to happen. And retrying the failed call usually works. So it seems entirely random.

I have the latest version of openssl (1.0.2.1 - 03/20/2015). And the latest version of Indy (source code files dated 01/07/2015).

Below is the basic source code for making these calls.

Anyone have any ideas what it could be?

Would making two simultaneous calls to the API affect things (this is taking place in a multi-threaded Web App)?

IdSSLIOHandlerSocket1 := TIdSSLIOHandlerSocketOpenSSL.create(nil);
IdSSLIOHandlerSocket1.PassThrough := True;
IdHTTP := TIdHTTP.create(nil);
IdHTTP.reusesocket := rsTrue;
IdSSLIOHandlerSocket1.reusesocket := rsTrue;
idhttp.handleredirects := True;
with IdSSLIOHandlerSocket1 do begin
  SSLOptions.Method := sslvTLSv1_2;
  SSLOptions.SSLVersions := [sslvTLSv1_2];
  SSLOptions.VerifyMode := [];
  SSLOptions.VerifyDepth := 2;
end;
with IdHTTP do begin
  IOHandler := IdSSLIOHandlerSocket1;
  ProxyParams.BasicAuthentication := False;
  Request.UserAgent := 'EmbeddedAnalytics API Interface';
  Request.ContentType := 'text/html';
  request.connection := 'close';
  Request.Accept := 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
  Request.BasicAuthentication := False;
  Request.UserAgent := 'Mozilla/3.0 (compatible; Indy Library)';
  HTTPOptions := [hoForceEncodeParams];
  Request.AcceptEncoding := 'gzip,deflate';
  Request.CustomHeaders.Add('Accept-Language: en-us,en;q=0.5');
  idhttp.Request.CustomHeaders.Add('Authorization: Bearer '+FToken);
end;
idhttp.get('https://www.googleapis.com/analytics/v3/data/realtime?ids=..........');

Update 1: Updated some lines of code:

SSLOptions.Method := sslvSSLv3;
SSLOptions.SSLVersions := [sslvSSLv3];

It works. I will monitor and see if SSL errors go away.

Solution: Turns out making the changes to sslVSSLv3 fixed it. I no longer get the errors! This is somewhat surprising seeing that most all other services are adopting TLS instead.

Recommended answer


Problem solved by changing this:

SSLOptions.Method := sslvTLSv1_2;
SSLOptions.SSLVersions := [sslvTLSv1_2];

to this:

SSLOptions.Method := sslvSSLv3;
SSLOptions.SSLVersions := [sslvSSLv3];


You might want to try TLS 1.0 instead, to avoid SSLv3.

There are two things to be mindful of with Google and TLS 1.2. And some of this may have changed by now. (This discussion is very specific, and it only applies to Google servers and TLS 1.2).

First, you have to disable compression if using TLS 1.2 and ECDSA. This weird factoid showed up in a discussion on the OpenSSL mailing list under ECDHE-ECDSA Support. Here's a related support ticket it generated: Bug 3277: OpenSSL s_client doc missing option.

Second, if you are not using the ChaCha20/Poly1305 ciphers, then you have to be mindful of fallback cipher suites for TLS 1.2. I was never able to figure this one out (especially since all the ephemeral DH suites should be supported), but I know it used to be the case from testing. So be sure to include the following for fallback (this is also needed for Microsoft servers running IIS 8 (or maybe 7) and earlier):


  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
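
The advice above (avoid SSLv3, keep the listed fallback suites available), as an added example that is not code from the original posts: an Indy client handler restricted to TLS 1.0 through 1.2, with the four fallback suites written in the OpenSSL naming that `CipherList` expects. The preferred ECDHE suites, the `cacert.pem` path and the names `NewTlsHandler`, `FallbackSuites`, `PreferredSuites` and `RootCaBundle` are assumptions.

```delphi
program TlsOnlyClient;
{$APPTYPE CONSOLE}
uses
  SysUtils, Classes, IdHTTP, IdSSLOpenSSL;

const
  // Indy's CipherList takes OpenSSL suite names, not the IANA names in the answer:
  //   TLS_RSA_WITH_AES_256_CBC_SHA256 -> AES256-SHA256
  //   TLS_RSA_WITH_AES_256_CBC_SHA    -> AES256-SHA
  //   TLS_RSA_WITH_AES_128_CBC_SHA256 -> AES128-SHA256
  //   TLS_RSA_WITH_AES_128_CBC_SHA    -> AES128-SHA
  FallbackSuites = 'AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA';
  // Assumption (not from the page): forward-secret suites are offered first.
  PreferredSuites = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
  // Placeholder path to a PEM bundle of trusted root certificates.
  RootCaBundle = 'cacert.pem';

function NewTlsHandler(AOwner: TComponent): TIdSSLIOHandlerSocketOpenSSL;
begin
  Result := TIdSSLIOHandlerSocketOpenSSL.Create(AOwner);
  with Result.SSLOptions do begin
    Mode := sslmClient;
    // Setting from the page's accepted fix, shown only for contrast:
    //   Method := sslvSSLv3;  SSLVersions := [sslvSSLv3];
    // TLS only: OpenSSL negotiates the highest version both peers support.
    SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    CipherList := PreferredSuites + ':' + FallbackSuites;
    // The page's code sets VerifyMode := [], which skips certificate checks.
    VerifyMode := [sslvrfPeer];
    VerifyDepth := 5;
    RootCertFile := RootCaBundle;
  end;
end;

var
  Http: TIdHTTP;
begin
  if ParamCount < 1 then begin
    Writeln('usage: TlsOnlyClient <https-url>');
    Halt(2);
  end;
  Http := TIdHTTP.Create(nil);
  try
    Http.IOHandler := NewTlsHandler(Http); // handler is freed together with Http
    Writeln(Http.Get(ParamStr(1)));
  finally
    Http.Free;
  end;
end.
```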
