Indy odd/strang behavior with TLS version









up vote
2
down vote

favorite












I sometimes get TLSv1 even when I set the version explicit to TLSv1.2.



I get this exception:




First chance exception at $75D917D2. Exception class
EIdOSSLConnectError with message 'Error connecting with SSL. EOF was
observed that violates the protocol'.




My Delphi version:
Embarcadero® RAD Studio 10 Seattle Version 23.0.21418.4207



I am on Windows 10:
Microsoft Windows [Version 10.0.17134.345]



My Indy Version: 10.6.2.5311 - That's what's coming with Seattle



This is a trace when it works:
Working trace



This is a trace when it does NOT work:
Not working trace



As you can see it is TLSv1. Why?



I had a look at following questions:
Using Indy 10 IdHTTP with TLS 1.2
EIdOSSLConnectError Error connecting with SSL - EOF was observed



Here is my example code:



procedure TOpenWeatherFr.SetIcon(const IconCode: String);
var
HTTPS: TSSLHTTP;
MS : TMemoryStream;
PNG: TPngImage;
URL: string;
begin
HTTPS := TSSLHTTP.Create(nil);
MS := TMemoryStream.Create;
PNG := TPngImage.Create;
URL := 'https://openweathermap.org/img/w/' + IconCode + '.png';
try
(HTTPS.IOHandler as TIdSSLIOHandlerSocketOpenSSL).SSLOptions.SSLVersions := [sslvTLSv1_2];
HTTPS.Get(URL, MS);
MS.Seek(0, soFromBeginning);
PNG.LoadFromStream(MS);
Image1.Picture.Assign(PNG);
finally
HTTPS.Free;
PNG.Free;
MS.Free;
end;
Image1.Visible := true;
end;


For the sake of completeness here is the code of TSSLHTTP. The purpose is an old Indy version without SNI Support.



unit SSLHTTP;

interface

uses
Classes, IdHTTP, IdSSLOpenSSLHeaders, IdCTypes;

type
TSSLHTTP = class(TIdHTTP)
private
procedure OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
public
constructor Create(AOwner: TComponent);
end;

implementation

uses
IdSSLOpenSSL;

TSSLHTTP

constructor TSSLHTTP.Create(AOwner: TComponent);
begin
inherited Create(AOwner);
IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(self);
(IOHandler as TIdSSLIOHandlerSocketOpenSSL).OnStatusInfoEx := OnStatusInfoEx;
end;

procedure TSSLHTTP.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
SSL_set_tlsext_host_name(AsslSocket, Request.Host);
end;

end.


Where is my mistake? What am I doing wrong? This is the URL of the image I download:
https://openweathermap.org/img/w/04d.png



EDIT: Adding paylod as hex dumb



Working payload - Client Hello:



0000 16 03 01 01 49 01 00 01 45 03 03 8b 3d e5 54 59
0010 f8 59 44 82 f7 14 92 45 50 e1 a3 86 68 3a c2 94
0020 76 be ea 8b 54 98 f3 27 69 50 af 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01


Not working payload - Client hello:



0000 16 03 01 01 49 01 00 01 45 03 03 f6 7b de 81 5d
0010 76 74 a7 31 99 36 8d 17 4c 07 5e 73 5d f7 b8 a1
0020 4f 06 5e 91 e5 f0 4b 37 0d 65 e7 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01









share|improve this question























  • Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
    – Remy Lebeau
    2 days ago











  • You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
    – complete_stranger
    2 days ago






  • 1




    The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
    – Remy Lebeau
    2 days ago











  • Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
    – complete_stranger
    16 hours ago











  • 16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
    – complete_stranger
    16 hours ago















up vote
2
down vote

favorite












I sometimes get TLSv1 even when I set the version explicit to TLSv1.2.



I get this exception:




First chance exception at $75D917D2. Exception class
EIdOSSLConnectError with message 'Error connecting with SSL. EOF was
observed that violates the protocol'.




My Delphi version:
Embarcadero® RAD Studio 10 Seattle Version 23.0.21418.4207



I am on Windows 10:
Microsoft Windows [Version 10.0.17134.345]



My Indy Version: 10.6.2.5311 - That's what's coming with Seattle



This is a trace when it works:
Working trace



This is a trace when it does NOT work:
Not working trace



As you can see it is TLSv1. Why?



I had a look at following questions:
Using Indy 10 IdHTTP with TLS 1.2
EIdOSSLConnectError Error connecting with SSL - EOF was observed



Here is my example code:



procedure TOpenWeatherFr.SetIcon(const IconCode: String);
var
HTTPS: TSSLHTTP;
MS : TMemoryStream;
PNG: TPngImage;
URL: string;
begin
HTTPS := TSSLHTTP.Create(nil);
MS := TMemoryStream.Create;
PNG := TPngImage.Create;
URL := 'https://openweathermap.org/img/w/' + IconCode + '.png';
try
(HTTPS.IOHandler as TIdSSLIOHandlerSocketOpenSSL).SSLOptions.SSLVersions := [sslvTLSv1_2];
HTTPS.Get(URL, MS);
MS.Seek(0, soFromBeginning);
PNG.LoadFromStream(MS);
Image1.Picture.Assign(PNG);
finally
HTTPS.Free;
PNG.Free;
MS.Free;
end;
Image1.Visible := true;
end;


For the sake of completeness here is the code of TSSLHTTP. The purpose is an old Indy version without SNI Support.



unit SSLHTTP;

interface

uses
Classes, IdHTTP, IdSSLOpenSSLHeaders, IdCTypes;

type
TSSLHTTP = class(TIdHTTP)
private
procedure OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
public
constructor Create(AOwner: TComponent);
end;

implementation

uses
IdSSLOpenSSL;

TSSLHTTP

constructor TSSLHTTP.Create(AOwner: TComponent);
begin
inherited Create(AOwner);
IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(self);
(IOHandler as TIdSSLIOHandlerSocketOpenSSL).OnStatusInfoEx := OnStatusInfoEx;
end;

procedure TSSLHTTP.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
SSL_set_tlsext_host_name(AsslSocket, Request.Host);
end;

end.


Where is my mistake? What am I doing wrong? This is the URL of the image I download:
https://openweathermap.org/img/w/04d.png



EDIT: Adding paylod as hex dumb



Working payload - Client Hello:



0000 16 03 01 01 49 01 00 01 45 03 03 8b 3d e5 54 59
0010 f8 59 44 82 f7 14 92 45 50 e1 a3 86 68 3a c2 94
0020 76 be ea 8b 54 98 f3 27 69 50 af 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01


Not working payload - Client hello:



0000 16 03 01 01 49 01 00 01 45 03 03 f6 7b de 81 5d
0010 76 74 a7 31 99 36 8d 17 4c 07 5e 73 5d f7 b8 a1
0020 4f 06 5e 91 e5 f0 4b 37 0d 65 e7 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01









share|improve this question























  • Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
    – Remy Lebeau
    2 days ago











  • You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
    – complete_stranger
    2 days ago






  • 1




    The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
    – Remy Lebeau
    2 days ago











  • Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
    – complete_stranger
    16 hours ago











  • 16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
    – complete_stranger
    16 hours ago













up vote
2
down vote

favorite









up vote
2
down vote

favorite











I sometimes get TLSv1 even when I set the version explicit to TLSv1.2.



I get this exception:




First chance exception at $75D917D2. Exception class
EIdOSSLConnectError with message 'Error connecting with SSL. EOF was
observed that violates the protocol'.




My Delphi version:
Embarcadero® RAD Studio 10 Seattle Version 23.0.21418.4207



I am on Windows 10:
Microsoft Windows [Version 10.0.17134.345]



My Indy Version: 10.6.2.5311 - That's what's coming with Seattle



This is a trace when it works:
Working trace



This is a trace when it does NOT work:
Not working trace



As you can see it is TLSv1. Why?



I had a look at following questions:
Using Indy 10 IdHTTP with TLS 1.2
EIdOSSLConnectError Error connecting with SSL - EOF was observed



Here is my example code:



procedure TOpenWeatherFr.SetIcon(const IconCode: String);
var
HTTPS: TSSLHTTP;
MS : TMemoryStream;
PNG: TPngImage;
URL: string;
begin
HTTPS := TSSLHTTP.Create(nil);
MS := TMemoryStream.Create;
PNG := TPngImage.Create;
URL := 'https://openweathermap.org/img/w/' + IconCode + '.png';
try
(HTTPS.IOHandler as TIdSSLIOHandlerSocketOpenSSL).SSLOptions.SSLVersions := [sslvTLSv1_2];
HTTPS.Get(URL, MS);
MS.Seek(0, soFromBeginning);
PNG.LoadFromStream(MS);
Image1.Picture.Assign(PNG);
finally
HTTPS.Free;
PNG.Free;
MS.Free;
end;
Image1.Visible := true;
end;


For the sake of completeness here is the code of TSSLHTTP. The purpose is an old Indy version without SNI Support.



unit SSLHTTP;

interface

uses
Classes, IdHTTP, IdSSLOpenSSLHeaders, IdCTypes;

type
TSSLHTTP = class(TIdHTTP)
private
procedure OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
public
constructor Create(AOwner: TComponent);
end;

implementation

uses
IdSSLOpenSSL;

TSSLHTTP

constructor TSSLHTTP.Create(AOwner: TComponent);
begin
inherited Create(AOwner);
IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(self);
(IOHandler as TIdSSLIOHandlerSocketOpenSSL).OnStatusInfoEx := OnStatusInfoEx;
end;

procedure TSSLHTTP.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
SSL_set_tlsext_host_name(AsslSocket, Request.Host);
end;

end.


Where is my mistake? What am I doing wrong? This is the URL of the image I download:
https://openweathermap.org/img/w/04d.png



EDIT: Adding paylod as hex dumb



Working payload - Client Hello:



0000 16 03 01 01 49 01 00 01 45 03 03 8b 3d e5 54 59
0010 f8 59 44 82 f7 14 92 45 50 e1 a3 86 68 3a c2 94
0020 76 be ea 8b 54 98 f3 27 69 50 af 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01


Not working payload - Client hello:



0000 16 03 01 01 49 01 00 01 45 03 03 f6 7b de 81 5d
0010 76 74 a7 31 99 36 8d 17 4c 07 5e 73 5d f7 b8 a1
0020 4f 06 5e 91 e5 f0 4b 37 0d 65 e7 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01









share|improve this question















I sometimes get TLSv1 even when I set the version explicit to TLSv1.2.



I get this exception:




First chance exception at $75D917D2. Exception class
EIdOSSLConnectError with message 'Error connecting with SSL. EOF was
observed that violates the protocol'.




My Delphi version:
Embarcadero® RAD Studio 10 Seattle Version 23.0.21418.4207



I am on Windows 10:
Microsoft Windows [Version 10.0.17134.345]



My Indy Version: 10.6.2.5311 - That's what's coming with Seattle



This is a trace when it works:
Working trace



This is a trace when it does NOT work:
Not working trace



As you can see it is TLSv1. Why?



I had a look at following questions:
Using Indy 10 IdHTTP with TLS 1.2
EIdOSSLConnectError Error connecting with SSL - EOF was observed



Here is my example code:



procedure TOpenWeatherFr.SetIcon(const IconCode: String);
var
HTTPS: TSSLHTTP;
MS : TMemoryStream;
PNG: TPngImage;
URL: string;
begin
HTTPS := TSSLHTTP.Create(nil);
MS := TMemoryStream.Create;
PNG := TPngImage.Create;
URL := 'https://openweathermap.org/img/w/' + IconCode + '.png';
try
(HTTPS.IOHandler as TIdSSLIOHandlerSocketOpenSSL).SSLOptions.SSLVersions := [sslvTLSv1_2];
HTTPS.Get(URL, MS);
MS.Seek(0, soFromBeginning);
PNG.LoadFromStream(MS);
Image1.Picture.Assign(PNG);
finally
HTTPS.Free;
PNG.Free;
MS.Free;
end;
Image1.Visible := true;
end;


For the sake of completeness here is the code of TSSLHTTP. The purpose is an old Indy version without SNI Support.



unit SSLHTTP;

interface

uses
Classes, IdHTTP, IdSSLOpenSSLHeaders, IdCTypes;

type
TSSLHTTP = class(TIdHTTP)
private
procedure OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL; const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
public
constructor Create(AOwner: TComponent);
end;

implementation

uses
IdSSLOpenSSL;

TSSLHTTP

constructor TSSLHTTP.Create(AOwner: TComponent);
begin
inherited Create(AOwner);
IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(self);
(IOHandler as TIdSSLIOHandlerSocketOpenSSL).OnStatusInfoEx := OnStatusInfoEx;
end;

procedure TSSLHTTP.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
SSL_set_tlsext_host_name(AsslSocket, Request.Host);
end;

end.


Where is my mistake? What am I doing wrong? This is the URL of the image I download:
https://openweathermap.org/img/w/04d.png



EDIT: Adding paylod as hex dumb



Working payload - Client Hello:



0000 16 03 01 01 49 01 00 01 45 03 03 8b 3d e5 54 59
0010 f8 59 44 82 f7 14 92 45 50 e1 a3 86 68 3a c2 94
0020 76 be ea 8b 54 98 f3 27 69 50 af 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01


Not working payload - Client hello:



0000 16 03 01 01 49 01 00 01 45 03 03 f6 7b de 81 5d
0010 76 74 a7 31 99 36 8d 17 4c 07 5e 73 5d f7 b8 a1
0020 4f 06 5e 91 e5 f0 4b 37 0d 65 e7 00 00 94 c0 30
0030 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a3 00 9f 00 6b
0040 00 6a 00 39 00 38 c0 32 c0 2e c0 2a c0 26 c0 0f
0050 c0 05 00 9d 00 3d 00 35 00 88 00 87 00 84 c0 2f
0060 c0 2b c0 27 c0 23 c0 13 c0 09 00 a2 00 9e 00 67
0070 00 40 00 33 00 32 c0 31 c0 2d c0 29 c0 25 c0 0e
0080 c0 04 00 9c 00 3c 00 2f 00 9a 00 99 00 45 00 44
0090 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05
00a0 00 04 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a
00b0 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03
00c0 00 ff 01 00 00 88 00 00 00 17 00 15 00 00 12 6f
00d0 70 65 6e 77 65 61 74 68 65 72 6d 61 70 2e 6f 72
00e0 67 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00
00f0 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00
0100 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 00
0110 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00
0120 11 00 23 00 00 00 0d 00 20 00 1e 06 01 06 02 06
0130 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03
0140 02 03 03 02 01 02 02 02 03 00 0f 00 01 01






delphi indy






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 16 hours ago

























asked 2 days ago









complete_stranger

16210




16210











  • Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
    – Remy Lebeau
    2 days ago











  • You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
    – complete_stranger
    2 days ago






  • 1




    The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
    – Remy Lebeau
    2 days ago











  • Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
    – complete_stranger
    16 hours ago











  • 16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
    – complete_stranger
    16 hours ago

















  • Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
    – Remy Lebeau
    2 days ago











  • You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
    – complete_stranger
    2 days ago






  • 1




    The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
    – Remy Lebeau
    2 days ago











  • Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
    – complete_stranger
    16 hours ago











  • 16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
    – complete_stranger
    16 hours ago
















Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
– Remy Lebeau
2 days ago





Look again more closely, both screenshots you provided show TLS v1.2 client requests, not TLS v1.0 (look at the Version inside the Handshake Protocol, not in the Record Layer). And you should upgrade to the latest Indy 10 version (currently 10.6.2.5485), it supports SNI on the client side (and has for almost 3 years now), so you don't need your TSSLHTTP class anymore
– Remy Lebeau
2 days ago













You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
– complete_stranger
2 days ago




You are right. If an upgrade would be that simple in our selfmade framework. Back to topic: Why do I get the exception in 2 or 3 out of 10 of the requests?
– complete_stranger
2 days ago




1




1




The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
– Remy Lebeau
2 days ago





The code you showed is fine. You will just have to analyze the TLS client hellos more deeply (your screenshots don't expand everything) for differences between working and non-working cases. "EOF was observed" means the server closed the connection on its end before the TLS handshake was finished, which means the server most likely didn't like something in the hellos, and chose not to send a TLS alert explaining why before closing the connection. If you can't find any differences, then there is likely a problem on the server side that you won't be able to do anything about on your client side.
– Remy Lebeau
2 days ago













Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
– complete_stranger
16 hours ago





Thank you for confirming my code is fine. I can not find any non-obvious changes at all except the 32 random bytes. I am curious as to why wireshark misinterprets the protocol. If wiresharks shows TLSv1 I have the issue. I added the payload to my question.
– complete_stranger
16 hours ago













16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
– complete_stranger
16 hours ago





16 03 01 01 49 01 00 01 45 03 03 || > 16 = Dont know > 03 01 = TLS v1.0 > 01 49 = Length = 329 > 00 = Dont know > 01 45 = Length = 325 > 03 03 = TLS v1.2 || It's the same on both as you can see on the screenshots
– complete_stranger
16 hours ago


















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53225315%2findy-odd-strang-behavior-with-tls-version%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53225315%2findy-odd-strang-behavior-with-tls-version%23new-answer', 'question_page');

);

Post as a guest














































































Popular posts from this blog

Use pre created SQLite database for Android project in kotlin

Darth Vader #20

Ondo