I have a Windows desktop application developed in XE2 that pulls data from a remote server in JSON format. I use Indy 10 to manage this.
The application was working fine until I received an email from the server provider people:
"...the only protocol for securing the communication will be TLS 1.2. Older versions (TLS.1.0, TLS.1.1 or SSLv3) will no longer work." They advise using TLS 1.2 or superior.
Since then I have the following runtime error:
First chance exception at $7518845D. Exception class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL. Error connecting with SSL. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'.
I found out the error is triggered when I call FidHTTP.Post (FidHTTP is an instance of TidHTTP).
I have amended the method that creates the classes in the following way:
    constructor TMyClass.Create;
    begin
      FidHTTP := TidHTTP.Create(nil);
      FidHTTP.HTTPOptions := FidHTTP.HTTPOptions - [hoForceEncodeParams];
      FidHTTP.Intercept := TIdLogFile.Create(FidHTTP);
      TIdLogFile(FidHTTP.Intercept).Filename := 'c:\'+s+'.log';
      TIdLogFile(FidHTTP.Intercept).Active := true;
      {$IFDEF VER230}
      FIdSSL := TIdSSLIOHandlerSocketOpenSSL.Create;
      FIdSSL.SSLOptions.Method:=sslvTLSv1; // I have added this line
      {$ENDIF}
    end;
but now I have another error:
First chance exception at $7518845D. Exception class EIdSocketError with message 'Socket Error # 10054 Connection reset by peer.'.
I have googled this but I have found information regarding FTP only, which is not my case.
What am I doing wrong? Is it because I have an old version of Indy without sslvTLSv1_2 option or?
sslvTLSv1 is for TLS v1.0 only. To use TLS v1.2, you need to use sslvTLSv1_2 instead:
FIdSSL.SSLOptions.Method := sslvTLSv1_2;
Or:
FIdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
If your version of Indy does not have sslvTLSv1_2 then you will have to upgrade. The current version of Indy is v10.6.2.5494.
Also, make sure you are using at least OpenSSL v1.0.1, which is the version that first added support for TLS v1.2. The latest version of OpenSSL that Indy 10 supports is v1.0.2.
Also, you need to remove the {$IFDEF VER230} from your code. That is limiting your code to creating the TIdSSLIOHandlerSocketOpenSSL only when compiling for XE2 specifically. By default, TIdSSLIOHandlerSocketOpenSSL enables TLS v1.0 only, so you will have to change the code to always create the TIdSSLIOHandlerSocketOpenSSL unconditionally in order to enable TLS v1.2 regardless of the compiler version used (at least until this ticket is implemented).
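The changes described in the answer above, put together as an added example (not code from the original question or answer). It assumes an Indy 10 build that defines sslvTLSv1_2 and OpenSSL DLLs the application can load; the unit name MyClassUnit and the helper LoadedOpenSSLVersion are hypothetical.

```delphi
unit MyClassUnit; // hypothetical unit name

interface

uses
  SysUtils, IdHTTP, IdSSLOpenSSL;

type
  TMyClass = class
  private
    FIdHTTP: TIdHTTP;
    FIdSSL: TIdSSLIOHandlerSocketOpenSSL;
  public
    constructor Create;
    destructor Destroy; override;
    function LoadedOpenSSLVersion: string; // hypothetical helper
  end;

implementation

constructor TMyClass.Create;
begin
  inherited Create;
  FIdHTTP := TIdHTTP.Create(nil);
  FIdHTTP.HTTPOptions := FIdHTTP.HTTPOptions - [hoForceEncodeParams];
  // Created unconditionally (no {$IFDEF VER230}) and owned by FIdHTTP.
  FIdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(FIdHTTP);
  // Offer TLS 1.2 only; sslvTLSv1 would offer TLS 1.0 only.
  FIdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
  // TIdHTTP only uses the configured handler once it is assigned.
  FIdHTTP.IOHandler := FIdSSL;
  // Fail at construction, not on the first Post, if the DLLs are missing.
  if not LoadOpenSSLLibrary then
    raise Exception.Create('OpenSSL libraries could not be loaded');
end;

destructor TMyClass.Destroy;
begin
  FIdHTTP.Free; // also frees FIdSSL, which FIdHTTP owns
  inherited;
end;

function TMyClass.LoadedOpenSSLVersion: string;
begin
  // Log this value and compare it with the 1.0.1 minimum needed for TLS 1.2.
  Result := OpenSSLVersion;
end;

end.
```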