Re: [twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-06 Thread Angus Robertson - Magenta Systems Ltd
> A minor error in overbyteicshttpprot.2581, the logger skips the user 
> added header lines:

Thanks, will look into that.

Angus

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-06 Thread MGoeb

Hello Angus,
you are right, with the latest version from svn the negotiation is working.
Thank you.

A minor error in overbyteicshttpprot.2581, the logger skips the user 
added header lines:


TriggerBeforeHeaderSend(Method, Headers);
for N := 0 to Headers.Count - 1 do
    SendCommand(Headers[N]);
TriggerRequestHeaderEnd;
{$IFNDEF NO_DEBUG_LOG}  << this has to be moved
if CheckLogOptions(loProtSpecInfo) then  { V1.91 } { replaces $IFDEF DEBUG_OUTPUT }
    DebugLog(loProtSpecInfo, IntToStr(Headers.Count) +
             ' header lines to send'#13#10 + Headers.Text);
{$ENDIF}

mgoeb


Re: [twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-06 Thread Angus Robertson - Magenta Systems Ltd
> * Tested with  default OverbyteIcsSimpleSslCli1, nothing changed 
> (ciphers,ssloptions)

Please retest with the latest OverbyteIcsHttpsTst sample as I mentioned before,
this is kept up to date.

If you think there is a problem with the ICS OpenSSL implementation, you are
welcome to investigate it further and propose changes.

But trying to force an old protocol in a component that is designed to use the
best and latest protocols is very low priority for testing.  I'd rather add new
features instead.

The commercial email server I use is written in .NET2 and stuck with old
protocols and connects perfectly with ICS:

SSL Connected OK with TLSv1, cipher ECDHE-RSA-AES256-SHA, key exchange ECDH,
encryption AES(256), message authentication SHA1

Note I need a new SSL certificate, since SHA1 is being killed next month. 

You can try and connect to it, mail.magsys.co.uk port 995 and you should get
TLSv1.


Angus



Re: [twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-05 Thread MGoeb

Hello Angus,

thank you very much for your answer.

To be more precise:

* I used
  * v8.16
  * openssl 1.0.2d
* Tested with default OverbyteIcsSimpleSslCli1, nothing changed
  (ciphers, ssloptions)
* As server I used the command line tool of openssl,
  "openssl s_server -tls1 -accept 443", to force only tls1

An automatic connection with "sslBestVer" aka "sslv23" could *not* be made.

To get it to work I have to change the settings of ssloptions (which is set to
[] by default) to [sslOpt_NO_SSLv2].


I am not a ssl expert (!).
But is that the behaviour which has to be expected?
Is there an option which uses sslv2, v3, tls etc. to negotiate an
appropriate protocol, so I do not have to negotiate it "manually"?


Thank you in advance once more
mgoeb


--
Martin Goebel - Prisma Computersysteme GmbH



Re: [twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-04 Thread Angus Robertson - Magenta Systems Ltd
> The introduced version method  "sslBestVer" does not support tls (cause 
> it means sslv23). Would it be "nice", to support TLS too automatically ?

sslBestVer and sslv23 do support TLS, I use them for all my applications.

I added sslBestVer in an attempt to break the misconception that it only meant
v2 and v3.

According to the release notes for changes between 1.0.2 and 1.1.0: 

"Version negotiation has been rewritten. In particular SSLv23_method(),
SSLv23_client_method() and SSLv23_server_method() have been deprecated,
and turned into macros which simply call the new preferred function names
TLS_method(), TLS_client_method() and TLS_server_method(). All new code
should use the new names instead."

Note that OpenSSL 1.1.0 has not yet been released, this is a future change, to
use TLS_method instead which is documented as:

"A TLS/SSL connection established with these methods may understand the SSLv3,
TLSv1, TLSv1.1 and TLSv1.2 protocols."

> The destination server accepts only connection with the option "sslTLS_V1"

Maybe your SslOptions includes sslOpt_NO_TLSv1 or your cipher suite does not
include old TLSv1 ciphers (very hard to tell).

The latest OverbyteIcsHttpsTst sample includes GUI options for all the different
methods and options, but does need an OpenSSL reset when you change them to
ensure the correct settings are used.

Angus






[twsocket] SSL - handshake failure caused by a ssltls_v1 server

2015-12-04 Thread MGoeb

Hello,

The connect via SSL produces the following message:
Error:10053 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The destination server accepts only connection with the option "sslTLS_V1"

To connect to the same server the openssl command line tool "finds" the 
right protocol, as well as the components of "Delphi XE"

but twsocket works with the default SslVersionMethod=sslV23.

The introduced version method  "sslBestVer" does not support tls (cause 
it means sslv23).

Would it be "nice", to support TLS too automatically ?

sincerely

Martin





