Indy TIdhttp.Get is not loading proper version of SSL

Question

I am trying to make an interface to FreshDesk API

Here is my source code for the call:

procedure TForm1.Button1Click(Sender: TObject);
var
  IdSSLIOHandlerSocket1: TIdSSLIOHandlerSocketOpenSSL;
  idhttp:  TIdHttp;
begin
  idhttp := TIdHttp.Create(self);
  idhttp.Request.ContentType := 'application/json';
  IdHTTP.Request.BasicAuthentication:= True;
  IdHTTP.Request.Username := 'marks@mytestcompany.com';
  IdHTTP.Request.Password := 'XYZ';
  idhttp.Request.Connection:='keep-alive';
  IdSSLIOHandlerSocket1 := TIdSSLIOHandlerSocketOpenSSL.create(nil);
  with IdSSLIOHandlerSocket1 do begin
    SSLOptions.Method := sslvTLSv1_2;
    SSLOptions.SSLVersions := [sslvTLSv1_2];
    SSLOptions.VerifyMode := [];
    SSLOptions.VerifyDepth := 2;
  end;
  idhttp.IOHandler := IdSSLIOHandlerSocket1;
  idhttp.Request.Accept := '*/*';

  idhttp.HandleRedirects := True;
  if usefiddler.checked then begin
    idhttp.ProxyParams.ProxyServer := '127.0.0.1';
    idhttp.ProxyParams.ProxyPort := 8888 ;
  end;
  showMessage(idhttp.get('https://mytestcompany.freshdesk.com/api/v2/contacts'));
end;

When I run using Fiddler it shows it is using Version: 3.1 (TLS/1.0):

Here is successful curl call (it seems to be using Version: 3.3 (TLS/1.2):

curl -v -u marks@mytestcompnay:XYZ -H "Content-Type: application/json" -X GET "https://mytestcompany.freshdesk.com/api/v2/contacts"

Here is Fiddler results when using curl:

Is my problem that I am using the wrong version of TLS?

Aside from the memory leak of `IdSSLIOHandlerSocket1`, the rest of the code is fine. Make sure that 1) you are using an up-to-date version of Indy that handles TLS1.2 (and in particular, handles the SNI extension), and 2) you are using OpenSSL DLLs that support TLS1.2. If Indy can't load the TLS1.2 DLL functions, it will silently fallback to TLS1.0. The current version of Indy is 10.6.2.5494 and the latest version of OpenSSL supported is 1.0.2q — Remy Lebeau, Feb 18 '19 at 16:17
Thanks... regarding memory leak, thanks.. This is just dev code. Is there a way to get versions of Indy and OpenSSL? via some call? — M Schenkel, Feb 18 '19 at 16:28
To get the Indy version, you can right-click on any Indy component in the Form Designer at designtime, or you can read their public `Version` property at runtime. To get the OpenSSL version, you can call the `OpenSSLVersion()` function in the `IdSSLOpenSSL` unit at runtime. — Remy Lebeau, Feb 18 '19 at 16:35
Thanks... OpenSSL version is 1.0.0q Jan 2015. Downloading latest version of OpenSSL. — M Schenkel, Feb 18 '19 at 16:44
i am getting latest version of OpenSSL. But does Curl use OpenSSL? If curl works does that mean it is not a versioning issue? — M Schenkel, Feb 18 '19 at 16:57
download Win64OpenSSL_Light-1_0_2q.exe and ran the installer... opted to install to the "windows" folder. I will try installing to the openssl folder. — M Schenkel, Feb 18 '19 at 17:03
[TLS 1.2 was added to OpenSSL in 1.0.1](https://stackoverflow.com/questions/48178052/). And yes, CURL *can* use OpenSSL, amongst others, depending on how it is compiled. IIRC, I think it uses the static lib version of OpenSSL though, not the DLL version, but I may be wrong. As for the DLL install location, stay away from the Windows folder, and if you install to a folder other than your app folder, make sure that folder is on the system `PATH`, otherwise you will have to tell Indy at runtime where the DLLs are located via its `IdOpenSSLSetLibPath()` function in the `IdSSLOpenSSLHeaders` unit — Remy Lebeau, Feb 18 '19 at 18:31
libeay32.dll and libssl32.dll are in c:\windows\system32 are dated 11/21/2018.... but I am still showing it has the earlier version... will continue to search where they are... Is there similar call to OpenSSLVersion that displays the location where the files are? — M Schenkel, Feb 18 '19 at 19:15
Not in Indy, no. But, you can use Indy's `GetCryptLibHandle()` function to get Indy's handle to `libeay32.dll` (if you want a handle to `ssleay32.dll`, use the Win32 API `GetModuleHandle()` function for that), and then use the Win32 API `GetModuleFileName()` function to get the DLL's full path. But, like I said, you can use Indy's `IdOpenSSLSetLibPath()` function to tell Indy which folder to load the desired DLLs from. Call it at program startup before doing any OpenSSL related work. — Remy Lebeau, Feb 18 '19 at 19:26
ok - I will use the IdOpenSSLSetLibPath() function.....FYI... I just tried the application on a different machine that has newer version of OpenSSL and it works. As always I thank you for your effort. If you could make an "Answer" saying to update OpenSSL I will accept. — M Schenkel, Feb 18 '19 at 19:31

score 2 · Accepted Answer · answered Feb 19 '19 at 01:09

You are using an outdated version of OpenSSL.

Per comments, you say that you are using OpenSSL 1.0.0q. That version is several years old and does not support TLS v1.2 (which was added to OpenSSL in 1.0.1, which is still an old version). Indy silently falls back to TLS v1.0 when it cannot use TLS v1.1 or v1.2.

You need to update your OpenSSL. The latest version of OpenSSL that Indy currently supports is 1.0.2.

Indy TIdhttp.Get is not loading proper version of SSL

1 Answers1

You are using an outdated version of OpenSSL.