Solved

SSL/TLS INDY on Delphi Seattle - SSL load problem

Posted on 2016-10-20
Last Modified: 2016-11-01
Dear All

I hope someone can help as I can't fathom this one.

I believe, although have yet to admit it that our Web Store provider has changed something on the access to their API, I suspect they have done what a few people seem to be doing now and that is having a minimum access of TLS1.0 when connecting using HTTPS.

The background behind my reasoning is that about a week ago or so our software which accesses their API suddenly stopped working. I have been away and only noticed this yesterday. Nothing has changed here, I am the developer and no-one else would/could change it. So the only assumption therefore is that they have changed something their end. I am waiting to hear an explanation from them, but nothing forthcoming.

The software is developed in Delphi 2007 and Indy 9 (don't ask - legacy component reasons). I thought that Indy 9 supported TLS1.0. But I get a 'SSL connection' error when I now try to use any part of the API access code. So I suspect they may even be forcing higher 1.1/1.2.

I kind of proved this at home where I have Delphi Berlin/Indy 10 installed - I did manage to do a connect, turning off all SSL versions in the TIdSSLIOHandlerSocketOpenSSL. So my thought was I would just create a little 'request processor' using Delphi Berlin (at home) or Delphi Seattle (at work, which I have in addition to 2007) which I could just call from the main software instead of using the Indy 9 calls.

But I seem to have stumbled across an issue along the line somewhere. It is easier for me to do this at work, so thought I would use Seattle and Indy 10. I created a really basic program, linked the TIdSSLIOHandlerSocketOpenSSL to the HTTP component. And tried a simple 'Get' to the API. But it came back with an error saying it couldn't load the SSL. I then realised I probably needed the 2 OpenSSL DLLs in the program directory. I decided to download the latest versions (1.0.2 of OpenSSL). I wasn't sure if I needed the 32bit libraries as it is a 32 bit programme or the 64bit libraries as it is a 64bit PC. I tried the 32 bit libraries first. No joy, same error. Then the 64 bit libraries - same. So now I am stumped. Other than coding this 'processor' at home which is not really convenient.

So anyone have any thoughts on this error I am getting when I try a call?

SSL error message
Hope someone can throw some light on this.

Many thanks,

Trevor
Question by:trevorb

Assisted Solution

by:Geert Gruwez
ID: 41853350
if you compile 32bit, which you normally do, then you need the 32bit dll's
this is regardless of the machine being 64bit or not

that 4430 looks like a locale it can't find
0
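The bitness rule in the answer above can be checked directly on the files. This is an added example, not part of the original thread: it reads the Machine field of each PE header and reports DLLs that do not match the executable. The sample headers are constructed, and the file names `processor.exe`, `ssleay32.dll` and `libeay32.dll` are assumptions for illustration.

```python
import struct
import sys
from pathlib import Path

# IMAGE_FILE_HEADER.Machine values defined by the PE/COFF format
MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}

def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04X})")

def mismatched(exe: bytes, dlls: dict) -> list:
    """Names of DLLs whose architecture differs from the executable's."""
    want = pe_machine(exe)
    return sorted(n for n, blob in dlls.items() if pe_machine(blob) != want)

def fake_pe(machine: int) -> bytes:
    """Constructed sample: minimal DOS header + PE signature + COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Real files: first argument is the executable, the rest are DLLs
        exe = Path(sys.argv[1]).read_bytes()
        dlls = {p: Path(p).read_bytes() for p in sys.argv[2:]}
    else:
        # Constructed case: 32-bit program with one 64-bit DLL beside it
        exe = fake_pe(0x014C)  # hypothetical processor.exe
        dlls = {"ssleay32.dll": fake_pe(0x014C),
                "libeay32.dll": fake_pe(0x8664)}
    print("executable:", pe_machine(exe))
    for name, blob in dlls.items():
        print(f"{name}: {pe_machine(blob)}")
    print("mismatched:", mismatched(exe, dlls) or "none")
```

A match here only rules out the 32/64-bit mix-up; a DLL of the right architecture can still fail to load if it is a build the Indy version in use does not support.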
 

Author Comment

by:trevorb
ID: 41853381
Hi Geert

Thanks for the reply and explanation. I suspected I needed the 32bit which is what I tend to use. But you know how you begin to doubt yourself when these things happen. You get bogged down in the problem and then start to doubt if it is something else. So thought I would check.

This problem is so infuriating. The original problem with the SSL connection in INDY 9 to the API is definitely an issue caused by our shop platform supplier. We proved it last night. I kept asking and asking what had changed that day when the software stopped. Eventually they conceded they had made a change:

"found out that there was a change on our side on October 11th regarding DES cipher algorithms according to a report we got from our customer"

They reenabled the "unsafe cipher" method and I tried and it worked. But they said they could not leave it enabled, turned it off and it failed again. So them turning off that cipher has broken the SSL link from Indy.

I thought I might try a later OpenSSL library in case that would fix it but they either won't load or they load but exhibit the same problem.

It would be better if I could fix this somehow. If not, then I will have to try to go down the route I mentioned, creating a 'processor' program in Seattle/Berlin and Indy 10, if I can get that to load which is proving tricky!

Assisted Solution

by:Geert Gruwez
ID: 41853394
well this happens when you start doubting:
when they are out to get you, paranoia is just good thinking

i would post a question on the indy project forums
http://www.indyproject.org/Support.EN.aspx

there are experts there with way more knowledge about indy

Author Comment

by:trevorb
ID: 41853483
Thanks Geert. Seems a lot of the forums are closed. But one chat place seemed to have a little activity, so I posted there.

Assisted Solution

by:gheist
ID: 41854570
SSLEAY32.DLL is component of Windows OpenSSL
Probably file has version tag, and you can replace it in place with official later supported OpenSSL DLL (to support legacy crap^h^h^homponents)

Assisted Solution

by:Sinisa Vuk
ID: 41856778
Your problem is incorrect version of ssl dlls...Take a newer from here... One should be good...
 

Author Comment

by:trevorb
ID: 41856813
Gheist/Sinisa, thanks for the suggestion. Yes, I am pretty sure it is an incorrect version of the SSL DLLs. Problem I have is that I have Indy 9 installed in D2007 which is where the web shop software resides. I have tried each version of the SSL libraries in turn and those that load with Indy 9 won't connect after they turned off this particular cipher. I can't use later SSLs as they won't load in Indy 9. I could use Indy 10, yes. But I get the error above anyway. Plus I don't want to have to go back and recode everything in Indy 10, the Indy components I use seemed to have changed. It looked like it was going to involve some recoding when I tried to install and use it before, hence I went back to stick with Indy 9. When I get time, I need to upgrade to Indy 10 and do the convert. But one of the things I need to sort first is why I get the ordinal error in Indy 10 (which I have installed in Seattle). I have some other suggestions people have made too which I might look at. For example, creating a library in Seattle/Indy 10 that I can use in D2007. For now, as there appears no easy solution, I think I will have to use the Synapse libraries to get this working - which don't seem to have any SSL problems.

Assisted Solution

by:Sinisa Vuk
ID: 41856853
Try look in Archive folder (starting with indy_OpenSSL096m.zip). Put both files in .exe folder...
 

Author Comment

by:trevorb
ID: 41856918
Thanks Sinisa. Thanks for link. I have already tried the SSL libraries there. I went through each version as far as I could that would load in Indy 9 and the problem is that these will not connect after they removed the cipher. Then I reach versions that won't load in Indy 9. Having said that, I assumed they would load in Indy 10 but I get the ordinal error described above.

Assisted Solution

by:Sinisa Vuk
ID: 41856932
I was fighting with this a long time ago (when our government introduced fiscal receipts...) with no luck (on a long distance). So, I use windows wininet api to accomplish this...(with a transparent use of tls/ssl in behind similar to that example). Note: XP doesn't support > tls 1.0.

Assisted Solution

by:gheist
ID: 41857255
Note: XP supports TLS 1.0 only with 3DES that is not secure as of today....
 

Author Comment

by:trevorb
ID: 41858115
Thanks for the updates. That's fine as the majority of PCs here are Windows 7, the rest are Windows 10. Nothing less.
 

Accepted Solution

by:trevorb
ID: 41862097
Thanks everyone for your input on this. In the end, I wrote some libraries using Synapse to replace the Indy code. I couldn't get Indy 9 to connect and Indy 10 just throws the error above. I had to think quickly to restore functionality to our web shop software, so the answer was to sadly abandon Indy in this instance and use the Synapse HTTP functions which would connect without any issues.

So any ECWID (web platform) users out there who need some code to access the ECWID API, I'm happy to share what I have.
 

Author Closing Comment

by:trevorb
ID: 41868080
In the end everyone helped focus my mind, but came up with my own solution when no other solutions came up.