Delphi: IdHTTP+SSL does not work. No errors!
I use TidHTTP + TIdSSLIOHandlerSocketOpenSSL + 2 DLLs: ssleay32.dll and libeay32.dll from http://indy.fulgan.com/SSL.

But I can see all the work of my program in HTTP Analyzer! It works as HTTP, not as HTTPS. If I use Opera I cannot see the download from the same site (https://esta.cbp.dhs.gov/esta).

I did not set any special parameters for TidHTTP and TIdSSLIOHandlerSocketOpenSSL (maybe I must, but I do not know what exactly).

Must I use TIdSSLVersion(sslvSSLv23) + the location of an SSL certificate? Where can I get this certificate? Or only RootCertFile?

How do I change the port of idHttp to 443 (must I do it?)?

I use:

procedure TForm1.FormCreate(Sender: TObject);
var
  mem: TMemoryStream;
begin
  // Create the stream before the outer try so mem.Free never runs on an unassigned variable
  mem := TMemoryStream.Create;
  try
    try
      // idhttp1 is the TIdHTTP component dropped on the form; download the page into the stream
      idhttp1.Get('https://esta.cbp.dhs.gov/esta/', mem);
    except
      on E: Exception do
        ShowMessage(E.Message);
    end;
  finally
    mem.Free;
    idhttp1.Free;
  end;
end;

Please see my video: http://liga-installer.realservers.info/ssl.mp4

Screen shots: [three screenshots not reproduced]

Thanks, thanks, thanks for the help!!!

Tuppence answered 14/7, 2011 at 8:3 Comment(5)
-1. If you cannot see the download with Internet Explorer or Opera, then the problem obviously isn't with your application. You're barking up the wrong tree. Go figure out what's wrong with the server instead. – Thermoscope
esta.cbp.dhs.gov/esta works here - so what do you mean by "If I use IE, Opera I can not see downloading with the same site"? Have you checked your proxy / firewall settings? – Albers
I missed that part of the question. I can access the site without any problems. – Farmland
Please see my video: liga-installer.realservers.info/ssl.mp4 – Tuppence
Rob Kennedy, please try to access 10 web sites with HTTPS using Opera (HTTP Analyzer can see IE) -> no traffic will be in HTTP Analyzer. Then try these sites in your program -> there will be traffic. – Tuppence

This simple example works in Delphi XE out of the box, so you don't need to change ports or use a certificate on the client side. It's based on an example from RosettaCode:

uses
  IdHTTP, IdSSLOpenSSL;

...

procedure TForm2.Button1Click(Sender: TObject);
var
  s: string;
  lHTTP: TIdHTTP;
begin
  lHTTP := TIdHTTP.Create(nil);
  try
    lHTTP.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(lHTTP);
    lHTTP.HandleRedirects := True;
    s := lHTTP.Get('https://esta.cbp.dhs.gov/esta/');
    RichEdit1.Text := s;
  finally
    lHTTP.Free;
  end;
end;

The problem is probably the version of the DLLs you need to deploy. Since recent versions fix security issues, I recommend upgrading your version of Indy to the latest and using the most recent OpenSSL libraries from the fulgan site.

Update: Did you mean that you can't see the site using a web browser, or that when you do you can't see the traffic in your HTTP analyser? As Rob mentioned, if the site isn't visible using a regular web browser, then the problem likely isn't your application.

Farmland answered 14/7, 2011 at 13:8 Comment(3)
@maxfax: with Opera or IE, the page is loaded without traffic? ;-) – Eucalyptus
Exactly: it does not show Opera; IE - yes. I tried travelregistration.state.gov/ibrs/ui – Tuppence
@Bruce McGee. When I connect to that site with Opera there is no traffic in HTTP Analyzer, but the site is loaded in the web browser. When I do the same (idHTTP1.Get) -> I see the traffic -> please see the screen shots -> HTTP is used, not HTTPS (Request-line: "GET /esta/ HTTP/1.1"!!!!). I have tried your example -> the same results, it does not work. Did you try that code example with e.g. HTTP Analyzer? Can you see traffic if you use your example? P.S. HTTP Analyzer can see IE, FireFox. – Tuppence
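The question asks which client-side settings matter (TIdSSLVersion, RootCertFile, the port) and the answer above shows that none are required just to make the request work. The following is an added console example, not code from the question, the answers or the Indy project, showing the settings a client should set when it wants to do more than merely connect: restrict the TLS versions, turn on server certificate verification against a CA bundle, and log what OpenSSL verifies. It assumes a current Indy 10.6 (the sslvTLSv1_1/sslvTLSv1_2 values and the four-parameter OnVerifyPeer signature; older Indy releases lack AError) and a CA bundle file path, here the placeholder 'cacert.pem'. The port is still taken from the URL scheme (443 for https), so nothing has to be set for it.

```delphi
program SecureGetDemo;  // hypothetical program name, constructed for this example

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdHTTP, IdSSLOpenSSL;

type
  // Holds the OnVerifyPeer handler (Indy events are object methods)
  TVerifyLogger = class
    function OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

function TVerifyLogger.OnVerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // OpenSSL calls this once per certificate in the chain; depth 0 is the server certificate.
  // AError is the OpenSSL X509 verify error code (0 when the certificate checked out).
  Writeln(Format('depth=%d ok=%s error=%d subject=%s issuer=%s',
    [ADepth, BoolToStr(AOk, True), AError,
     Certificate.Subject.OneLine, Certificate.Issuer.OneLine]));
  // Keep OpenSSL's verdict. Returning True unconditionally here would silently
  // accept any certificate, which is the classic way verification gets disabled.
  Result := AOk;
end;

// Fetches AUrl over TLS, failing if the server chain does not verify against ARootCertFile.
function SecureGet(const AUrl, ARootCertFile: string): string;
var
  Http: TIdHTTP;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
  Logger: TVerifyLogger;
begin
  Logger := TVerifyLogger.Create;
  Http := TIdHTTP.Create(nil);
  try
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Http);  // owned and freed by Http
    // Only offer TLS 1.1/1.2; SSLv2/SSLv3 and the sslvSSLv23 catch-all are left out
    Ssl.SSLOptions.SSLVersions := [sslvTLSv1_1, sslvTLSv1_2];
    // Require a server certificate and verify its chain; no handler override below
    Ssl.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    Ssl.SSLOptions.VerifyDepth := 9;
    // PEM bundle of trusted CAs (assumed path). With no bundle every chain fails,
    // which is the intended fail-closed behaviour rather than a silent downgrade.
    Ssl.SSLOptions.RootCertFile := ARootCertFile;
    Ssl.OnVerifyPeer := Logger.OnVerifyPeer;
    Http.IOHandler := Ssl;
    Http.HandleRedirects := True;
    Result := Http.Get(AUrl);  // port 443 comes from the https:// scheme
  finally
    Http.Free;
    Logger.Free;
  end;
end;

begin
  try
    Writeln(SecureGet('https://esta.cbp.dhs.gov/esta/', 'cacert.pem'));
  except
    // A failed verification surfaces here as an EIdOSSLUnderlyingCryptoError from the handshake
    on E: Exception do
      Writeln('Request failed: ', E.ClassName, ': ', E.Message);
  end;
end.
```

Run with the two OpenSSL DLLs beside the executable, as in the question. The point of the handler is that it returns AOk: verification stays with OpenSSL and the handler only records the chain, so a mismatched or expired certificate aborts the request instead of being accepted. If you need to pin to one issuer or check the subject against the host you intended, do it inside the handler at depth 0 and return False on mismatch.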

You are using the wrong tool to check the communication. Your observation only shows the protocol used, which is HTTP 1.0 or 1.1 even when using SSL/TLS.

Try a tool like SmartSniff or Wireshark to check the real network traffic. You will see that the entire traffic is using port 443 with encrypted data.

The HTTP/1.1 (or 1.0) response header is absolutely correct for HTTPS traffic; the SSL/TLS encryption does not change the transferred data but is a transport layer on top of HTTP traffic.

Regarding HTTP Analyzer (from their website at http://www.ieinspector.com/httpanalyzer/): "Main Features: Support HTTPS, show you unencrypted data sent over HTTPS / SSL connections as the same level of detail as HTTP."

So, as I said, it decodes the SSL and shows you the HTTP-based, unencrypted traffic.

Regards, Arvid

Piccaninny answered 14/7, 2011 at 15:38 Comment(6)
HTTP Analyzer shows HTTPS... Why does it not show anything if I use Opera, IE...? What about security... Everyone can see what my program transfers. Is that the sense of SSL? I did not know that SSL was developed so that everybody can see everything. On their web site: "HTTPS is available if the application uses the Microsoft WININET API (ex. ie, outlook), Mozilla NSS API (ex. firefox, thunderbird) or OpenSSL." It even shows me nothing if I use IE. – Tuppence
A fact is a fact: I use Opera and my program to download from esta.cbp.dhs.gov/esta. HTTP Analyzer does not show Opera, but my program - yes. The site is the same! – Tuppence
Sorry maxfax, but you don't understand the concept of SSL/TLS. It does not matter if your local client can decode the communication, e.g. by hooking WinInet, NSS or OpenSSL. The whole communication is protected when it is outside of your machine. What you can do to protect your local client is part of user and application space restrictions. Creating a known and secured environment is not part of SSL/TLS. Edit: HTTP Analyzer doesn't decode Opera, likely because it's unsupported. Every browser you mentioned will show encoded traffic when looking with something appropriate like Wireshark. – Piccaninny
OK, I agree. But why does HTTP Analyzer not decode Opera, but my program, IE - yes? Lack! Do you want to say that it is normal that SSL can be decoded on the side of a client? – Tuppence
Yes, exactly. HTTP Analyzer provides the decoding as a benefit for their users, who usually want to analyze the decoded data itself, not any encoded garbage. The lack of support for Opera irritates but would IMO be easy to add if they like. And again yes: it is absolutely normal that you can hook the used libraries (OpenSSL and others) if you have access to the client itself (and you have the appropriate user rights). – Piccaninny
@Arvid Winkelsdorf, thanks! I think that I need to encrypt the data to prevent this "lack". – Tuppence
