How can we connect with a website? Getting SSL error 1409442E

1

7

I am using Delphi 10.2 Tokyo, trying to download some information from a web server.

I pass the command URL https://poloniex.com/public?command=returnCurrencies through this function using Indy 10.6.2.5366 (the command works if I paste it in a browser):

function ReadHTTPS(const url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  IdHTTP := TIdHTTP.Create;
  try
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    IdHTTP.IOHandler := IdSSL;
    result := IdHTTP.Get(url);
    if IdHTTP.ResponseText <> '' then
      OutputDebugString(PWideChar('ReadHTTPS: ' + IdHTTP.ResponseText));
  finally
    IdHTTP.Free;
  end;
end{ ReadHTTPS};

That gives the following error:

Error connecting with SSL. error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

I have tried installing the latest DLLs for OpenSSL in the same directory as the exe, but that didn't solve it.

Any ideas?

Francisco answered 26/2, 2018 at 8:50 Comment(10)
Try enabling TLS v1.1 and v1.2 in the SSLIOHandler's SSLOptions.SSLVersions property. By default, only TLS v1.0 is enabled. - Hotshot
@Remy, that doesn't help. - Cash
@Victoria: Works fine for me when I try it using Indy 10.6.2.5448. Setting IdSSL.SSLOptions.SSLVersions to either [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2] or [sslvTLSv1_2] works, the connection succeeds and I get an HTTP 200 OK response. The trick is sslvTLSv1_2 must be enabled, it won't work with sslvTLSv1 or sslvTLSv1_1, so clearly the server does not allow TLS versions prior to 1.2. - Hotshot
@Remy, doesn't for me with Indy 10.6.2.5366 (shipped with Delphi 10.2 without updates) and OpenSSL 0.9.8r-i386-win32-rev2 (yes, 32-bit). I just replaced posted code by IdSSL.SSLOptions.SSLVersions := IdSSL.SSLOptions.SSLVersions + [sslvTLSv1_1, sslvTLSv1_2]; by your advice and got error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version. Well, one step forward, but still no connection. You were able to connect with which configuration? - Cash
@Victoria: you are using a VERY outdated version of OpenSSL (0.9.8r) that is no longer supported by the OpenSSL authors, and doesn't support TLS 1.2 at all, which would explain the error you are seeing, as Indy would fall back to TLS 1.1 (which the server in question apparently doesn't allow). You need to upgrade to a modern OpenSSL version. The latest OpenSSL version that Indy currently supports is 1.0.2n, and that is the version I used to test with. - Hotshot
@Remy, I've just followed more current, recommended step for this test (newest 32-bit library from this page). Which may happen to many people. Well, the answer is yours now - update OpenSSL. - Cash
@Victoria: That "Indy SSL" page is EXTREMELY old, and isn't even linked to by the main site anymore. But even so, once you went to the Fulgan server, you should have been able to just look at the ZIP filenames and seen that what you were originally using was very old. - Hotshot
@Remy, sorry, it's sorted from oldest to newest.. Taking back.. My fault. Yes, it works after update. Just if we're at, do you have a repository where each Indy version has supported OpenSSL precompiled library? I know, it's evil, and should not be asked here, but as a question here it might get deleted. But that would be really useful (even as a linked repository). So as information for other developers.. - Cash
@Victoria: there is no repository or documentation linking specific Indy versions to specific OpenSSL versions. - Hotshot
@Remy, thank you for the info! (of course I was thinking latest supported OpenSSL library a certain version of Indy can support). - Cash
16

Make sure you are using an up-to-date version of the OpenSSL DLLs that support TLS v1.2 (the latest version that Indy currently supports is 1.0.2u), and then you need to enable the sslvTLSv1_2 flag in the SSLIOHandler's SSLOptions.SSLVersions property:

IdSSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

Or:

IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];

Indy enables only TLS v1.0 by default, and apparently https://poloniex.com does not allow TLS versions prior to TLS v1.2.

Hotshot answered 27/2, 2018 at 0:29 Comment(3)
I have the same problem even when I used this SSL version 1.0.2u you provided, I still get this error: First chance exception at $7600AAF2. Exception class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL. error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'. Process Project1.exe (5280) - Multicolor
@Multicolor Which website? Which version of Indy? What does your setup look like? You need to provide specifics. - Hotshot
Thank you for your reply @Remy Lebeau, I already asked a question [link] (#64696097), contains all the details. - Multicolor
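
The two points from this thread (enable sslvTLSv1_2, and check which OpenSSL DLLs Indy actually loaded) combined in one console program. This is an added example, not code from the question, the answer, or the Indy project; the program name and ReadHTTPSTls12 are hypothetical, and it assumes the Indy units shipped with Delphi plus OpenSSL DLLs next to the exe.

```delphi
program Tls12Fetch;
{$APPTYPE CONSOLE}

uses
  System.SysUtils, IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

// Hypothetical helper (not from the thread): fetch a URL offering TLS 1.2 only,
// and on a handshake failure report which OpenSSL build Indy loaded.
function ReadHTTPSTls12(const url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  // Load the DLLs up front so a missing library is reported separately
  // from a protocol-version rejection by the server.
  if not LoadOpenSSLLibrary then
    raise Exception.Create('OpenSSL DLLs not loaded: ' + WhichFailedToLoad);

  IdHTTP := TIdHTTP.Create(nil);
  try
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    // Indy's default is TLS 1.0 only; offer TLS 1.2 and nothing older.
    IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
    IdHTTP.IOHandler := IdSSL;
    try
      Result := IdHTTP.Get(url);
    except
      on E: EIdOSSLUnderlyingCryptoError do
        // In the thread, 'tlsv1 alert protocol version' with sslvTLSv1_2 set
        // came from a 0.9.8 DLL without TLS 1.2; show the loaded version.
        raise Exception.CreateFmt('%s (loaded: %s)',
          [E.Message, OpenSSLVersion]);
    end;
  finally
    IdHTTP.Free;
  end;
end;

begin
  try
    Writeln(ReadHTTPSTls12('https://poloniex.com/public?command=returnCurrencies'));
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

If the reported version string is older than the 1.0.x series, the DLL being picked up is not the one you installed; check for stale copies earlier in the DLL search path.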
