4
votes

I have been using:

  • Delphi XE8

  • Indy version 10.6.2.5263

  • precompiled OpenSSL DLL files (Win 32bit) v1.0.2.l

  • TIdSSLIOHandlerSocketOpenSSL with Method set to sslvSSLv23

to submit a POST request against a server. It worked like a charm for many months.

All of a sudden, a wild error popped up:

14094410 sslv3 alert handshake failure.

A colleague is using SOAP UI to submit requests against the same server by forcing TLS 1.2 and it works. I tried to set the TIdSSLIOHandlerSocketOpenSSL1 Method to sslvTLSv1_2, and changed the Mode to sslmClient, but the result is always the same.

I thought by setting the Method to sslvTLSv1_2, it is impossible to receive an error related to SSLv3.

I have checked these Stack Overflow posts:

and some other threads, but I am not able to find the root cause of this issue.

Maybe I am missing something. Could you please give me a hint?

3
TLS is an extension of SSL 3.0, and OpenSSL uses SSLv3 functionality to implement TLS, that is why the alert says SSLv3. But without specific details about what the alert actually says, especially the alert number, there is no way to know why OpenSSL is failing. Also, your Indy is a little old, the current version is 10.6.2.5432, you should consider upgrading so you have the latest OpenSSL support code. - Remy Lebeau
Hello Remy, the exact error is: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. I will try to get the latest Indy version and try again. - Mr. Ajin
Hi, I have updated the Indy components, but now the displayed version is 10.6.2.0. - Mr. Ajin
Did you download directly from SVN, or did you download the nightly zip from Fulgan? The Zip has the correct version number. - Remy Lebeau
Hello Remy, I have downloaded my first Indy upgrade via SVN directly. It showed version 10.6.2.0. After your comment, I have downloaded the latest Fulgan zip (Indy10_5432.zip). De-installed the SVN Indy and did a clean install of the Fulgan zip Indy. The version is also showing 10.6.2.0 and the error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure still remains. - Mr. Ajin
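
The error code quoted in the question and comments can be unpacked to see what OpenSSL is actually reporting. The following is an added example, not part of the original thread: it assumes the error-code layout of OpenSSL 1.0.x/1.1.x (8-bit library, 12-bit function, 12-bit reason), and `decode_openssl_error` is a hypothetical helper name.

```python
import re

# Assumption: packed error layout of OpenSSL 1.0.x/1.1.x (ERR_PACK):
# bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + N means "the peer sent fatal alert N".
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246 section 7.2, RFC 6066).
TLS_ALERTS = {
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    112: "unrecognized_name",
}

# Eight hex digits, with or without the "error:" prefix and text fields.
ERR_RE = re.compile(r"\b([0-9A-Fa-f]{8})\b")


def decode_openssl_error(text):
    """Split an OpenSSL error line into library, function, reason and peer alert."""
    match = ERR_RE.search(text)
    if match is None:
        raise ValueError("no 8-digit hex error code found")
    code = int(match.group(1), 16)
    result = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "peer_alert": None,
        "alert_name": None,
    }
    alert = result["reason"] - SSL_AD_REASON_OFFSET
    # Alert descriptions are one byte, so only 0..255 is a valid alert number.
    if result["lib"] == ERR_LIB_SSL and 0 <= alert <= 255:
        result["peer_alert"] = alert
        result["alert_name"] = TLS_ALERTS.get(alert, "unknown")
    return result


if __name__ == "__main__":
    line = "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure"
    print(decode_openssl_error(line))
```

For the code in this thread the reason field is 1040, that is, alert 40 (`handshake_failure`) received from the server, whichever protocol version the client requested.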

3 Answers

5
votes

Had the same problem and the source code below worked like a charm. I copied this code from this site but I can't find the link to credit the original answer. Note that the source code is not mine.

// Units needed in the uses clause:
//   Classes, IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders, IdCTypes
type
  TCustomIdHTTP = class(TIdHTTP)
  public
    constructor Create(AOwner: TComponent); override;
  private
    procedure OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
  end;

constructor TCustomIdHTTP.Create(AOwner: TComponent);
begin
  IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  with IOHandler as TIdSSLIOHandlerSocketOpenSSL do
  begin
    // Hook the OpenSSL status callback so the host name can be set on the SSL object.
    OnStatusInfoEx := Self.OnStatusInfoEx;
    // Negotiate the protocol version, but only offer TLS 1.0 to TLS 1.2.
    SSLOptions.Method := sslvSSLv23;
    SSLOptions.SSLVersions := [sslvTLSv1_2, sslvTLSv1_1, sslvTLSv1];
  end;
  inherited Create(AOwner);
end;

procedure TCustomIdHTTP.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
  // Send the requested host in the TLS Server Name Indication (SNI) extension.
  SSL_set_tlsext_host_name(AsslSocket, Request.Host);
end;
2
votes

Make sure you have the latest libeay32.dll and ssleay32.dll in your application folder.

0
votes

I've had this same problem myself with some website. I've worked around it by using the TRESTClient instead of the TIdHTTP and OpenSSL.

  • TRESTClient
  • TRESTRequest
  • TRESTResponse

You can set up the URL, authentication and parameters in the REST Debugger in the Tools menu of the Delphi IDE and copy the components to clipboard to give you a head start.