tidhttp: weird SSLv3_READ_BYTES error (with directly set up TLSv1_2 connection)


Question

Simple code:

procedure TForm1.Button1Click(Sender: TObject);
  // h and SSL are form-level fields, declared roughly like this:
  //var
  //h: TIdHTTP;
  //SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  h.IOHandler := SSL;
  SSL.SSLOptions.Method := sslvTLSv1_2;
  SSL.SSLOptions.SSLVersions := [sslvTLSv1_2]; // must be set automatically after SetMethod, but just to be sure
  h.Get('https://www.deviantart.com/users/login');
end;

That simple code gives me an error:

Error connecting with SSL.
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

I use Delphi XE3 and OpenSSL 1.0.2b libs. I can't figure it out; looking into the sources, there are lines in the connection initiation that disable the unused versions:

if not (sslvSSLv2 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv2);
end;
if not (sslvSSLv3 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv3);
end;
if not (sslvTLSv1 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1);
end;

But sslv3 operations are still getting in somehow. It doesn't look like a component bug. Something library-internal, or does Indy not consider something when setting up the parameters?

Or is it actually me who didn't notice something important? I really hope I don't need to go through the hell named "indy components update".

Test on (tried all methods including TLS1.2) https://www.deviantart.com/users/login

Resolving hostname www.deviantart.com.
Connecting to 54.230.96.81.
Handshake Start: before/connect initialization
Connect Loop: before/connect initialization
Connect Loop: SSLv3 write client hello A
fatal Read Alert: handshake failure
Connect Failed: SSLv3 read server hello A
ERROR: Error connecting with SSL.
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

  • for SSL3 and TLS1/1.1/1.2 the result is the same;

  • for SSLv23 the answer is SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure;

  • for SSLv2 it doesn't answer;

  • Test on similar resource (TLS1.2 ONLY) https://files.yande.re/image/da9afa6d9ca43a9f154fad69f76adb85.jpg

    Resolving hostname files.yande.re.
    Connecting to 5.39.10.56.
    Handshake Start: before/connect initialization
    Connect Loop: before/connect initialization
    Connect Loop: SSLv3 write client hello A
    Connect Loop: SSLv3 read server hello A
    Connect Loop: SSLv3 read server certificate A
    Connect Loop: SSLv3 read server key exchange A
    Connect Loop: SSLv3 read server done A
    Connect Loop: SSLv3 write client key exchange A
    Connect Loop: SSLv3 write change cipher spec A
    Connect Loop: SSLv3 write finished A
    Connect Loop: SSLv3 flush data
    Connect Loop: SSLv3 read server session ticket A
    Connect Loop: SSLv3 read finished A
    Handshake Done: SSL negotiation finished successfully
    Connect Exit: SSL negotiation finished successfully

My Wireshark tests:

  • Indy: http://imgur.com/BZ84Cl3 (response is handshake failure);

  • Firefox: http://imgur.com/pkYJvnO ;

  • Response to Firefox request: http://imgur.com/M9ni3TV ;

Accepted answer

I fixed a handshake problem this morning, comparing the Wireshark logs of Google Chrome (which worked fine) and my application (with handshake problems). It turned out I had to enable the "signature_algorithms" extension.

However, I use SecureBlackBox (and not Indy and OpenSSL) because I had to dynamically load a client certificate, but maybe this can help you (compare and debug it with Wireshark!).
