4
votes

I am using Delphi 10.2 Tokyo, trying to download some information from a web server.

I pass the command URL https://poloniex.com/public?command=returnCurrencies through this function using Indy 10.6.2.5366 (the command works if I paste it in a browser):

function ReadHTTPS(const url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  IdHTTP := TIdHTTP.Create;
  try
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    IdHTTP.IOHandler := IdSSL;
    result := IdHTTP.Get(url);
    if IdHTTP.ResponseText <> '' then
      OutputDebugString(PWideChar('ReadHTTPS: ' + IdHTTP.ResponseText));
  finally
    IdHTTP.Free;
  end;
end{ ReadHTTPS};

That gives the following error:

Error connecting with SSL. error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

I have tried installing the latest DLLs for OpenSSL in the same directory as the exe, but that didn't solve it.

Any ideas?

1
Try enabling TLS v1.1 and v1.2 in the SSLIOHandler's SSLOptions.SSLVersions property. By default, only TLS v1.0 is enabled. - Remy Lebeau
@Remy, that doesn't help. - Victoria
@Victoria: Works fine for me when I try it using Indy 10.6.2.5448. Setting IdSSL.SSLOptions.SSLVersions to either [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] or [sslvTLSv1_2] works, the connection succeeds and I get an HTTP 200 OK response. The trick is sslvTLSv1_2 must be enabled, it won't work with sslvTLSv1 or sslvTLSv1_1, so clearly the server does not allow TLS versions prior to 1.2. - Remy Lebeau
@Remy, doesn't for me with Indy 10.6.2.5366 (shipped with Delphi 10.2 without updates) and OpenSSL 0.9.8r-i386-win32-rev2 (yes, 32-bit). I just replaced posted code by IdSSL.SSLOptions.SSLVersions := IdSSL.SSLOptions.SSLVersions + [sslvTLSv1_1, sslvTLSv1_2]; by your advice and got error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Well, one step forward, but still no connection. You were able to connect with which configuration? - Victoria
@Victoria: you are using a VERY outdated version of OpenSSL (0.9.8r) that is no longer supported by the OpenSSL authors, and doesn't support TLS 1.2 at all, which would explain the error you are seeing, as Indy would fall back to TLS 1.1 (which the server in question apparently doesn't allow). You need to upgrade to a modern OpenSSL version. The latest OpenSSL version that Indy currently supports is 1.0.2n, and that is the version I used to test with. - Remy Lebeau

1 Answer

10
votes

Make sure you are using an up-to-date version of the OpenSSL DLLs that support TLS v1.2 (the latest version that Indy currently supports is 1.0.2u), and then you need to enable the sslvTLSv1_2 flag in the SSLIOHandler's SSLOptions.SSLVersions property:

IdSSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

Or:

IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];

Indy enables only TLS v1.0 by default, and apparently https://poloniex.com does not allow TLS versions prior to TLS v1.2.
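
The following is an added example, not code from the question or the answer: it combines the answer's fix with a check of which OpenSSL DLLs Indy actually loaded, since the comments show that a stale 0.9.8 build produces the same alert even with sslvTLSv1_2 set. It assumes the Indy functions LoadOpenSSLLibrary, OpenSSLVersion and WhichFailedToLoad, which are not mentioned on the page; the program name is made up for illustration.

```delphi
program TlsVersionCheck; // hypothetical name, added example

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

// Fetch a URL over HTTPS with only TLS 1.2 enabled.
function ReadHTTPS(const Url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  IdHTTP := TIdHTTP.Create(nil);
  try
    // The IOHandler is owned by IdHTTP and freed together with it.
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    // Indy enables only TLS 1.0 by default; this server requires 1.2.
    IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
    IdHTTP.IOHandler := IdSSL;
    Result := IdHTTP.Get(Url);
  finally
    IdHTTP.Free;
  end;
end;

begin
  try
    // Load the DLLs explicitly so a missing or mismatched library is
    // reported here instead of as a generic SSL connection error.
    if not LoadOpenSSLLibrary then
    begin
      Writeln('OpenSSL failed to load: ', WhichFailedToLoad);
      Halt(1);
    end;
    // Shows the build that was really picked up from the search path.
    // A 0.9.8 build has no TLS 1.2, so the handshake would still fail
    // with "tlsv1 alert protocol version".
    Writeln('Loaded OpenSSL: ', OpenSSLVersion);
    Writeln(ReadHTTPS('https://poloniex.com/public?command=returnCurrencies'));
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

If the printed version is older than expected, another copy of the DLLs earlier in the search path is being loaded instead of the ones placed next to the exe.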