11
votes

I'm using Delphi XE2 with Indy 10.5.8.0.

Currently I need to change a connection to one of our servers to use only TLS 1.2; at the moment we are using TLS 1.0.

As the handler for IdHTTP, IdSSLIOHandlerSocketOpenSSL is being used.

I tried changing the Method to sslvTLSv1_2 and it does not work, as the connection gives the following error: "Error connecting with SSL. error:1409442E:SSL routine:SSL3_READ_BYTES:tlsv 1 alert protocol version"

I'm using the default cipher list, not sure if I need any specific cipher (currently asking the server provider which cipher they use).

This is the configuration of the handler:

[Screenshot: SSLIOHandler Config]

I'm not used to SSL connections, as before this it was working with the default settings and all was OK.

I tried to check Wireshark, and in both cases (when the method is sslvTLSv1_2 or sslvTLSv1) I get the same error pointing to TLS version 1.0.

Method sslvTLSv1:

[Screenshot: Method sslvTLSv1]

Method sslvTLSv1_2:


Please point me in the right direction if I'm missing something.

Thank you in advance for all the help provided.

P.S.: Just got a response from the server provider and they are using AES_128_GCM as their cipher. Is it in the default cipher list?

Wireshark > Client Hello packet:


1
Your screenshots are showing the fatal TLS alerts, but what do the ClientHello packets look like? The server is rejecting the TLS version that the ClientHello is requesting. As for ciphers, the default cipher list is defined in the SSL_DEFAULT_CIPHER_LIST constant in the IdSSLOpenSSLHeaders unit. – Remy Lebeau

In any case, 10.5.8 is an outdated version of Indy. The current version is 10.6.2 (rev 5361 at the time of this writing). You should seriously consider upgrading, especially if you plan on using up-to-date versions of OpenSSL, which 10.5.8 cannot use anymore due to recent OpenSSL API breaking changes that should cause 10.5.8 to fail to load the OpenSSL DLLs. Also, newer versions of Indy have better TLS 1.1 and 1.2 support anyway. – Remy Lebeau

@RemyLebeau Thank you for the reply. I have added the Client Hello packet, and will consider upgrading Indy to see if that helps out in any way. Thanks again for the hint. – vexen

1 Answer

11
votes

Just in case someone comes by a similar error: in my case it was the SSL library (libeay32, ssleay32) that was being used; it was outdated (year 2010). Once I updated the SSL library, it worked correctly without any error.

Thank you @RemyLebeau for pointing out that it was an update issue =)
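
Following up on the comment asking what the ClientHello looks like: this is an added example, not code from the original posts or from Indy, that parses a ClientHello record (for instance bytes exported from Wireshark) and reports the TLS version the client offers and whether any AES_128_GCM suite is in its list. The function names are hypothetical and both sample records are constructed, not taken from the question's capture; extensions are not parsed.

```python
import struct

# AES_128_GCM cipher suites by IANA code point
AES_128_GCM = {0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
               0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
               0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raise ValueError if malformed."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or len(body) < 4 or body[0] != 1:
        raise ValueError("not a complete ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_ver = int.from_bytes(hello[:2], "big")
    pos = 35 + hello[34]               # version(2) + random(32) + session_id
    raw_len = hello[pos:pos + 2]
    if len(raw_len) != 2:
        raise ValueError("missing cipher_suites length")
    cs_len = int.from_bytes(raw_len, "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]
    return {
        "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": VERSIONS.get(client_ver, hex(client_ver)),
        "offers_tls12": client_ver >= 0x0303,
        "aes_128_gcm": [AES_128_GCM[s] for s in suites if s in AES_128_GCM],
    }

def build_sample(client_ver: int, suites: list) -> bytes:
    """Build a constructed ClientHello record (zero random, empty session id)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (struct.pack("!H", client_ver) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

OLD_CLIENT = build_sample(0x0301, [0x0039, 0x0035, 0x002F, 0x000A])  # constructed
NEW_CLIENT = build_sample(0x0303, [0xC02F, 0x009C, 0x0035])          # constructed
```

A client linked against an OpenSSL build older than 1.0.1 cannot offer TLS 1.2 or GCM suites, so its ClientHello looks like `OLD_CLIENT` regardless of the Method set in Indy.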