6

I am using Delphi 10.2 Tokyo, trying to download some information from a web server.

I pass the command URL https://poloniex.com/public?command=returnCurrencies through this function using Indy 10.6.2.5366 (the command works if I paste it in a browser):

```delphi
function ReadHTTPS(const url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  IdHTTP := TIdHTTP.Create;
  try
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    IdHTTP.IOHandler := IdSSL;
    result := IdHTTP.Get(url);
    if IdHTTP.ResponseText <> '' then
      OutputDebugString(PWideChar('ReadHTTPS: ' + IdHTTP.ResponseText));
  finally
    IdHTTP.Free;
  end;
end{ ReadHTTPS};
```

That gives the following error:

Error connecting with SSL. error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

I have tried installing the latest DLLs for OpenSSL in the same directory as the exe, but that didn't solve it.

Any ideas?

Remy Lebeau
MarkAurelius
  • Try enabling TLS v1.1 and v1.2 in the SSLIOHandler's `SSLOptions.SSLVersions` property. [By default, only TLS v1.0 is enabled](https://github.com/IndySockets/Indy/issues/181). – Remy Lebeau Feb 26 '18 at 15:44
  • @Remy, that doesn't help. – Victoria Feb 26 '18 at 23:49
  • @Victoria: Works fine for me when I try it using Indy 10.6.2.5448. Setting `IdSSL.SSLOptions.SSLVersions` to either `[sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]` or `[sslvTLSv1_2]` works, the connection succeeds and I get an HTTP `200 OK` response. The trick is `sslvTLSv1_2` must be enabled, it won't work with `sslvTLSv1` or `sslvTLSv1_1`, so clearly the server does not allow TLS versions prior to 1.2. – Remy Lebeau Feb 27 '18 at 00:05
  • @Remy, doesn't for me with Indy 10.6.2.5366 (shipped with Delphi 10.2 without updates) and OpenSSL 0.9.8r-i386-win32-rev2 (yes, 32-bit). I just replaced posted code by `IdSSL.SSLOptions.SSLVersions := IdSSL.SSLOptions.SSLVersions + [sslvTLSv1_1, sslvTLSv1_2];` by your advice and got `error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'.`. Well, one _step forward_, but still no connection. You were able to connect with which configuration? – Victoria Feb 27 '18 at 00:06
  • @Victoria: you are using a VERY outdated version of OpenSSL (0.9.8r) that is no longer supported by the OpenSSL authors, and [doesn't support TLS 1.2 at all](https://stackoverflow.com/questions/48178052/), which would explain the error you are seeing, as Indy would fall back to TLS 1.1 (which the server in question apparently doesn't allow). You need to upgrade to a modern OpenSSL version. [The latest OpenSSL version that Indy currently supports is 1.0.2n](http://indy.fulgan.com/SSL/openssl-1.0.2n-i386-win32.zip), and that is the version I used to test with. – Remy Lebeau Feb 27 '18 at 00:16
  • @Remy, I've just followed [more current, recommended step](http://www.indyproject.org/Sockets/SSL.en.aspx) for this test (newest 32-bit library from [this page](http://indy.fulgan.com/SSL/)). Which may happen to many people. Well, the answer is yours now - _update OpenSSL_. – Victoria Feb 27 '18 at 00:20
  • @Victoria: That "Indy SSL" page is EXTREMELY old, and isn't even linked to by the main site anymore. But even so, once you went to the Fulgan server, you should have been able to just look at the ZIP filenames and seen that what you were originally using was very old. – Remy Lebeau Feb 27 '18 at 00:26
  • @Remy, sorry, it's sorted from oldest to newest.. Taking back.. My fault. Yes, it works after _update_. Just if we're at, do you have a repository where each Indy version has supported OpenSSL precompiled library? I know, it's evil, and should not be asked here, but as a question here it might get deleted. But that would be really useful (even as a linked repository). So as information for other developers.. – Victoria Feb 27 '18 at 00:41
  • @Victoria: there is no repository or documentation linking specific Indy versions to specific OpenSSL versions. – Remy Lebeau Feb 27 '18 at 00:45
  • @Remy, thank you for the info! (of course I was thinking latest supported OpenSSL library a certain version of Indy can support). – Victoria Feb 27 '18 at 00:49

1 Answer

15

Make sure you are using an up-to-date version of the OpenSSL DLLs that support TLS v1.2 (the latest version that Indy currently supports is 1.0.2u), and then you need to enable the `sslvTLSv1_2` flag in the SSLIOHandler's `SSLOptions.SSLVersions` property:

```delphi
IdSSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
```

Or:

```delphi
IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
```

Indy enables only TLS v1.0 by default, and apparently https://poloniex.com does not allow TLS versions prior to TLS v1.2.

Remy Lebeau
  • I have same problem even when I used this SSL version **1.0.2u** you provided, I still get this Error `First chance exception at $7600AAF2. Exception class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL. error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version'. Process Project1.exe (5280)` – halocedark Nov 05 '20 at 09:07
  • @halocedark Which website? Which version of Indy? What does your setup look like? You need to provide specifics. – Remy Lebeau Nov 05 '20 at 15:41
  • Thank you for your reply @Remy Lebeau, I already asked a question [link](https://stackoverflow.com/questions/64695597/how-to-download-file-using-tidhttp-indy-component), contains all the details. – halocedark Nov 05 '20 at 16:32
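
The two conditions from this thread (a TLS v1.2-capable OpenSSL build must be the one actually loaded, and `sslvTLSv1_2` must be enabled) combined into one console program. This is an added example, not code from the original posts or from the Indy project; the program name `TlsCheck` is hypothetical, and it assumes the OpenSSL DLLs sit next to the executable.

```delphi
program TlsCheck; // hypothetical name, added example

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  IdHTTP, IdSSLOpenSSL, IdSSLOpenSSLHeaders;

function ReadHTTPS(const url: string): string;
var
  IdHTTP: TIdHTTP;
  IdSSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  // Load the OpenSSL DLLs up front so a missing or incompatible library is
  // reported by name instead of surfacing later as a generic connect error.
  if not LoadOpenSSLLibrary then
    raise Exception.Create('OpenSSL failed to load: ' + WhichFailedToLoad);

  // Print the version that was really loaded. An old DLL picked up from the
  // search path (0.9.8r in the comments above) cannot negotiate TLS v1.2,
  // no matter which SSLVersions flags are set.
  Writeln('OpenSSL in use: ', OpenSSLVersion);

  IdHTTP := TIdHTTP.Create;
  try
    IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(IdHTTP);
    // Offer TLS v1.2 only; Indy's default offers TLS v1.0 only.
    IdSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
    IdHTTP.IOHandler := IdSSL;
    try
      Result := IdHTTP.Get(url);
    except
      on E: EIdOSSLUnderlyingCryptoError do
      begin
        // "tlsv1 alert protocol version" arrives here: the server rejected
        // every protocol version this client offered.
        Writeln('TLS handshake failed: ', E.Message);
        raise;
      end;
    end;
  finally
    IdHTTP.Free; // also frees IdSSL, which is owned by IdHTTP
  end;
end;

begin
  Writeln(ReadHTTPS('https://poloniex.com/public?command=returnCurrencies'));
end.
```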