For some time the communication with our server over HTTPS worked just fine.

Last week the provider changed something, and since then I always get a 403 error.

I use the latest OpenSSL DLLs V0.9.8
I have changed the UserAgent to "Mozilla/5.0 (Windows NT 10.0)"
The SSL Method is "sslvSSLv23"
The SSL Mode is "sslmClient"

Nothing helps. :(

This is the log I get:

    SSL Status: "Resolving hostname msselektronik.at."
    SSL Status: "Connecting to 85.158.181.20."
    SSL StatusInfoEx: Type="Handshake Start", Msg="before/connect initialization"
    SSL StatusInfoEx: Type="Connect Loop", Msg="before/connect initialization"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv2/v3 write client hello A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server hello A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server certificate A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server key exchange A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server done A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write client key exchange A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write change cipher spec A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write finished A"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 flush data"
    SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read finished A"
    SSL StatusInfoEx: Type="Handshake Done", Msg="SSL negotiation finished successfully"
    SSL StatusInfoEx: Type="Connect Exit", Msg="SSL negotiation finished successfully"
    SSL StatusInfoEx: Type="warning Read Alert", Msg="close notify"
    SSL Status: "Disconnected."
    ResponseText: HTTP/1.1 403 Forbidden

In the Wireshark log I see, after the "Client Key Exchange", the "Encrypted Alert" from the server to the client.

    No.  Time      Source         Destination    Protocol Length Info
      4  1.563661  192.168.0.30   85.158.181.20  SSLv2       181 Client Hello
      6  1.590865  85.158.181.20  192.168.0.30   TLSv1      1514 Server Hello
     10  1.605380  85.158.181.20  192.168.0.30   TLSv1      1348 Certificate, Server Key Exchange, Server Hello Done
     12  1.638612  192.168.0.30   85.158.181.20  TLSv1       380 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
     13  1.676523  85.158.181.20  192.168.0.30   TLSv1       113 Change Cipher Spec, Encrypted Handshake Message
     14  1.679066  192.168.0.30   85.158.181.20  TLSv1       320 Application Data, Application Data
     15  1.711226  85.158.181.20  192.168.0.30   TLSv1       587 Application Data
     16  1.711227  85.158.181.20  192.168.0.30   TLSv1        91 Encrypted Alert
     19  1.713426  192.168.0.30   85.158.181.20  TLSv1        91 Encrypted Alert

What can I do to get the communication going again?

This problem has nothing to do with SSL. The fact that you are even getting an HTTP error at all means the SSL is working fine, and that is proven in the log trace you have shown. The SSL handshake is successful, then HTTP data is exchanged back and forth. So something else is wrong with your HTTP requests that is not related to SSL. You need to talk to the Provider about what they changed and have them help you troubleshoot your HTTP requests on their end. – Remy Lebeau

And BTW, 0.9.8 is not even remotely close to being the latest version of OpenSSL. The latest version of OpenSSL that Indy 10 supports is 1.0.2n. You need to update your OpenSSL DLLs, and possibly also your Indy install to support them. – Remy Lebeau

1 Answer

I found the reason for the "403 Forbidden" error.

In the Apache error.log I found the entry "No hostname was provided via SNI for a name based virtual host"

Which led me to the page NameBasedSSLVHostsWithSNI.

There the exact behavior is described:

Client doesn't support SNI.

If Apache has SNI support, and a request without the SNI hostname is received for a name-based virtual host over SSL, and SSLStrictSNIVHostCheck is on, it will be rejected (403) and this message logged:

    [error] No hostname was provided via SNI for a name based virtual host

If SSLStrictSNIVHostCheck is off, then the request will be handled as if the server did not have SNI support.

As it seems our provider has changed the configuration, I have to update my Indy sources to support SNI and update my derived classes.

Thanks for the help.
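The failure mode described in this answer (a ClientHello that carries no server_name extension, which a name-based Apache vhost with SSLStrictSNIVHostCheck on rejects with 403) can be verified on the client side from a captured ClientHello. The following Python is an added example, not code from the question, the answer or Indy; it constructs its own sample hellos, including an SSLv2-format hello like the "SSLv2 Client Hello" in the Wireshark capture above, which cannot carry TLS extensions at all.

```python
import struct

# Constructed SSLv2-format ClientHello header: top bit of the first byte set, no extensions possible.
SSLV2_HELLO = bytes([0x80, 0x2e, 0x01, 0x03, 0x01]) + bytes(43)

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.0 ClientHello record with one cipher suite,
    optionally carrying a server_name (SNI) extension."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"           # one cipher suite, null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(data):
    """Return the SNI hostname in a ClientHello, or None when the hello carries none.
    An SSLv2-format hello (top bit of the first byte set, as Wireshark shows in the
    capture above) has no extension block, so it can never include SNI."""
    if data[0] & 0x80:
        return None
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + hello[pos]                          # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                          # compression methods
    if pos >= len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0:                          # server_name extension
            p = pos + 2                            # skip server_name_list length
            while p < pos + ext_len:
                name_type, name_len = hello[p], struct.unpack("!H", hello[p + 1:p + 3])[0]
                if name_type == 0:                 # host_name
                    return hello[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None
```

Feed the raw bytes of the first record of a captured ClientHello to sni_from_client_hello: None on a hello the client actually sent means the 403 is expected from a strict-SNI vhost, and the fix is on the client (a TLS-format hello with the hostname set), not in the HTTP request.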