4
votes

I'm working on an old Delphi 7 app that uses Indy 10 to download websites. I'm having difficulty with some, not all, SSL pages.

Version data:

Indy 10

"libeay32.dll": 1.0.2.19 @ 31-May-19

"ssleay32.dll": 1.0.2.19 @ 31-May-19

When trying to download some pages using SSL (e.g. "https://davisashura.com/"), in the IdSSLOpenSSLHeaders unit, which is Rev. 1.8, the following procedure raises the indicated error:

class procedure EIdOpenSSLAPISSLError.RaiseExceptionCode(const AErrCode, ARetCode: TIdC_INT; const AMsg: String);

Initialization code:

  HTTP := TIdHTTP.Create;

  with HTTP do begin
    Request.UserAgent := 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
    HandleRedirects := True;
    RedirectMaximum := 5;
    ReadTimeout := 20400;
  //Request.AcceptEncoding := 'text/html, deflate, gzip';  // some websites don't download with this set
    Compressor := TIdCompressorZLib.Create;
    IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
    HTTPOptions := HTTPOptions + [hoForceEncodeParams, hoInProcessAuth];
  end;

Does anyone know how to resolve this?

1
Off the top of my head (i.e. a wild guess) - Which version of SSL does the site support/require? Is that/those version/versions enabled by default in Indy's OpenSSL implementation? - HeartWare
I have no idea on either. Since Indy's DLL is May this year, I assume it's up-to-date. - IamIC

1 Answer

3
votes

The EOF error simply means the server is closing its end of the socket connection during the TLS handshake, without sending back a TLS alert first. Which means the server doesn't like something in the handshake and is bailing out. The most likely culprit is the TLS version.

By default, TIdSSLIOHandlerSocketOpenSSL enables only TLS 1.0, but many sites nowadays require TLS 1.1 or 1.2 instead. You can use the TIdSSLIOHandlerSocketOpenSSL.SSLOptions.SSLVersions property to enable TLS 1.1 and 1.2.

HTTP := TIdHTTP.Create;
HTTP.Request.UserAgent := 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';
HTTP.HandleRedirects := True;
HTTP.RedirectMaximum := 5;
HTTP.ReadTimeout := 20400;
//HTTP.Request.AcceptEncoding := 'text/html, deflate, gzip'; // some websites don't download with this set
HTTP.Compressor := TIdCompressorZLib.Create(HTTP);
HTTP.HTTPOptions := HTTP.HTTPOptions + [hoForceEncodeParams, hoInProcessAuth];

SSL := TIdSSLIOHandlerSocketOpenSSL.Create(HTTP);
SSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // <-- ADD THIS!
HTTP.IOHandler := SSL;

There is a TODO item in Indy's issue tracker about this issue:

#181: Update TIdSSLIOHandlerSocketOpenSSL to enable TLS 1.1 and 1.2 by default