Atozed Forums

Full Version: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
I am unable to consume a third-party API that is hosted on Amazon; I tried several OpenSSL DLLs but without success. I am attaching a small test project with the error example. I would be very grateful if anyone can help me. I am using Delphi XE8.
(09-16-2020, 04:11 PM)ronaldobim Wrote: I am unable to consume a third-party API that is hosted on Amazon; I tried several OpenSSL DLLs but without success.

Which DLLs exactly did you try?  What does Indy's IdSSLOpenSSL.OpenSSLVersion() function report when the error occurs?

(09-16-2020, 04:11 PM)ronaldobim Wrote: I am attaching a small test project with the error example.

You are not configuring the TIdSSLIOHandlerSocketOpenSSL at all.  In particular, it defaults to TLS 1.0 only, but most servers nowadays require TLS 1.1+, so try setting its SSLOptions.SSLVersions property accordingly, eg:

Code:
FHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
FHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // <-- ADD THIS! (SSLOptions belongs to the IOHandler, not to TIdHTTP)
...

Also, you are leaking the TIdSSLIOHandlerSocketOpenSSL object, as you are not Free()'ing it, or assigning an Owner to it.  Assigning the TIdHTTP.IOHandler property will not take ownership for you.  I suggest assigning the TIdHTTP object as the Owner, eg:

Code:
FIdHTTP := TIdHTTP.Create(nil); // <-- DO THIS FIRST!
FHandler := TIdSSLIOHandlerSocketOpenSSL.Create(FIdHTTP);

Also, on a side note, you don't need the TStringStream at all, as TIdHTTP.Get() has an overload that returns a String, eg:

Code:
Memo1.Text := FIdHTTP.Get('https://james-assortment-orders-stg.james.delivery/orders/consume-pre-orders/0583266930008a57838f5141aae0ea5138ec43aebd5465465');
Hello, I'm using the following DLLs:

1.0.2.21: libeay32.dll, ssleay32.dll
1.1.1.7: libcrypto-1_1.dll, libssl-1_1.dll

After changing to the code below, the error changed to:

Error connecting with SSL.
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


I made several attempts with the FHandler.SSLOptions.SSLVersions property and all failed.

Code:
FHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
FHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // <-- ADD THIS!
...
(09-17-2020, 12:16 PM)ronaldobim Wrote: 1.0.2.21: libeay32.dll, ssleay32.dll

That version of the DLLs should work fine. If you are still getting errors with that version after setting the SSLIOHandler's SSLVersions property, then there is something else going on. You are going to have to dig deeper into the details of the TLS handshake to figure out what is actually failing.

(09-17-2020, 12:16 PM)ronaldobim Wrote: 1.1.1.7: libcrypto-1_1.dll, libssl-1_1.dll

TIdSSLIOHandlerSocketOpenSSL does not support OpenSSL 1.1.x. However, there is currently a pull request in Indy's GitHub repo for a new SSLIOHandler that does. You can download that source code and try it, if you want.

(09-17-2020, 12:16 PM)ronaldobim Wrote: After changing to the code below, the error changed to:

Error connecting with SSL.
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

That is basically the same error you showed earlier, just being raised from a different area of OpenSSL's code. But without DETAILS, there is really no way to diagnose it for you. "sslv3 alert handshake failure" is a very generic error message, all it means is that the peer sent an alert packet to you, indicating the handshake failed on the peer's end and the peer is going to be closing the connection after the alert. There are MANY things which can cause that to happen.

(09-17-2020, 12:16 PM)ronaldobim Wrote: I made several attempts with the FHandler.SSLOptions.SSLVersions property and all failed.

Then the problem is not related just to the SSLVersions alone. Something else must be going on.
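The point made above, that 14094410 and 14077410 are the same failure surfacing from two different OpenSSL routines, can be checked directly from the hex code, because OpenSSL 1.0.x/1.1.x packs library, function and reason into those 32 bits and encodes a TLS alert received from the peer as reason 1000 + alert number. The decoder below is an added example written for this thread; it is not code from the thread, from Indy or from OpenSSL. The only function-code names it knows are the two taken from the error strings quoted above (0x094 = ssl3_read_bytes, 0x077 = SSL23_GET_SERVER_HELLO), which is an assumption made for illustration; any other function code is printed numerically.

```python
"""
Decode OpenSSL 1.0.x/1.1.x packed error codes such as the "14094410" and
"14077410" quoted in this thread.

ERR_PACK(lib, func, reason) lays the 32-bit code out as:
    bits 31..24  library   (ERR_LIB_SSL = 20 = 0x14, printed as "SSL routines")
    bits 23..12  function  (which OpenSSL routine raised the error)
    bits 11..0   reason    (what actually went wrong)
Reason codes 1000 + n (SSL_AD_REASON_OFFSET) mean "the peer sent a TLS alert
with description n": the handshake was rejected on the peer's side, and the
function field only says where the local library noticed it.

Caveat: OpenSSL 3.x changed the packing (library in bits 30..23, a 23-bit
reason, no function field), so its codes (e.g. 0A000410) are NOT handled here.
"""
import re

ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions from RFC 5246 section 7.2 and RFC 8446 section 6.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 115: "unknown_psk_identity",
    116: "certificate_required", 120: "no_application_protocol",
}

# Function codes for the two routines named in this thread's error strings.
# ASSUMPTION: taken from those strings only (0x094 -> ssl3_read_bytes,
# 0x077 -> SSL23_GET_SERVER_HELLO); any other code is reported numerically.
SSL_FUNCS = {0x094: "ssl3_read_bytes", 0x077: "SSL23_GET_SERVER_HELLO"}

_CODE_RE = re.compile(r"(?:error:)?([0-9A-Fa-f]{8})\b")


def _code_from(text):
    """Pull the 8-hex-digit code out of a bare code or a full error string."""
    m = _CODE_RE.search(text)
    if not m:
        raise ValueError("no 8-hex-digit OpenSSL error code in %r" % text)
    return int(m.group(1), 16)


def unpack(code):
    """Split a packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode(text):
    """Decode a bare hex code or a full 'error:XXXXXXXX:...' string into a dict."""
    code = _code_from(text)
    lib, func, reason = unpack(code)
    info = {
        "code": "%08X" % code,
        "lib": lib,
        "lib_name": "SSL routines" if lib == ERR_LIB_SSL else "lib %d" % lib,
        "func": func,
        "func_name": SSL_FUNCS.get(func, "func 0x%03X" % func),
        "reason": reason,
        "peer_alert": None,  # set only when the reason encodes an alert from the peer
        "alert_name": None,
    }
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = alert
        info["alert_name"] = TLS_ALERTS.get(alert, "alert %d" % alert)
    return info


def same_failure(a, b):
    """True when two codes carry the same library and reason, i.e. the same
    underlying failure reported from different OpenSSL routines."""
    la, _, ra = unpack(_code_from(a))
    lb, _, rb = unpack(_code_from(b))
    return (la, ra) == (lb, rb)


def describe(text):
    """One-line summary suitable for a log line or a bug report."""
    d = decode(text)
    where = "%s/%s" % (d["lib_name"], d["func_name"])
    if d["peer_alert"] is not None:
        return "%s: peer sent TLS alert %d (%s), noticed in %s" % (
            d["code"], d["peer_alert"], d["alert_name"], where)
    return "%s: local reason %d in %s" % (d["code"], d["reason"], where)


# The two error strings quoted in this thread.
THREAD_ERRORS = [
    "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",
    "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
]

if __name__ == "__main__":
    for e in THREAD_ERRORS:
        print(describe(e))
    print("same underlying failure:", same_failure(*THREAD_ERRORS))
```

Both thread codes decode to reason 1040, i.e. the server sent alert 40 (handshake_failure) and closed the connection; only the function field differs. That confirms the diagnosis above that changing SSLVersions merely moved where the client noticed the rejection, and that the next step is on the wire (a packet capture or an openssl s_client run against the host) rather than more permutations of the Indy properties.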