In earlier ICS versions, it was difficult to report the reason for SSL
handshake failures, which could lead to frustration for users. 

In the OnSslHandshakeDone event, ErrCode was effectively true or false for
success, and you had to enable the IcsLogger to get any OpenSSL error messages;
even then, there were also errors reported that were non-fatal, and often the
detailed OpenSSL error message was missing.

With the latest ICS V8 snapshot, ErrCode still returns 0 for a successful
handshake, but now returns an OpenSSL reason code for a handshaking error
(literals in OverbyteIcsLIBEAY.pas), except that 1 means the connection closed
unexpectedly without an OpenSSL error being reported (which usually happens
with clients, where the server reports the real error).

For better reporting, the new SslHandshakeErr property returns the last full
OpenSSL error, which is a DWORD with library, function and reason packed as
bits; the new functions Ics_Ssl_ERR_GET_LIB, Ics_Ssl_ERR_GET_FUNC and
Ics_Ssl_ERR_GET_REASON will extract each part.

But most applications should use the new property SslHandshakeRespMsg, which
contains either the last error or a successfully connected message including
the ciphers and methods negotiated, both of which can be reported in end-user
applications.

Examples of SslHandshakeRespMsg responses from my public web server include:

SSL Connected OK with TLSv1, cipher AES128-SHA, key exchange RSA, encryption
AES(128), message authentication SHA1

SSL Connected OK with TLSv1.1, cipher AES128-SHA, key exchange RSA, encryption
AES(128), message authentication SHA1

SSL Connected OK with TLSv1.2, cipher AES128-GCM-SHA256, key exchange RSA,
encryption AESGCM(128), message authentication AEAD

SSL Connected OK with TLSv1, cipher DES-CBC3-SHA, key exchange RSA, encryption
3DES(168), message authentication SHA1

Error, connection closed unexpectedly
Error, HTTP request, no SSL handshake
Error, HTTPS proxy request, no SSL handshake
Error, wrong SSL version
Error, unknown SSL protocol
error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number

The HTTP and HTTPS proxy errors mean that a non-SSL request was made to the
SSL server, which saw an HTTP command instead of the handshake request;
otherwise the errors appear to be mismatches of SSL versions, such as attempted
use of the SSLv2 or SSLv3 protocols instead of TLS, or maybe unsupported ciphers.

Note that OpenSSL has hundreds of reason codes and the component only translates
the four most common (as seen on my web server) to simple messages; otherwise
the full OpenSSL error is returned, which includes error code, library, function
and reason as mentioned above.

Also, there is a new property SslCipherDesc with the OpenSSL long cipher
description after a handshake, an example being:

AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

The first two arguments are already available in ICS; there are three new
properties, SslEncryption, SslKeyExchange and SslMessAuth, which are extracted
from SslCipherDesc and used to create the SSL Connected responses shown above.

The FTP and mail components and the web client and server samples have been
updated to use SslHandshakeRespMsg.

Angus

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

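The following is an added example, not code from the post or from ICS itself. It shows in Python what the post describes ICS doing: unpacking the OpenSSL 1.x error DWORD into library, function and reason (the same split Ics_Ssl_ERR_GET_LIB, Ics_Ssl_ERR_GET_FUNC and Ics_Ssl_ERR_GET_REASON perform), reducing it to either one of the short messages or the full "error:..." string that SslHandshakeRespMsg returns, and building the "SSL Connected OK" text from an SslCipherDesc-style line. The function and reason names and the short messages are taken from the error strings quoted in the post; the reason code for "unknown SSL protocol" is an assumption, and the function names (handshake_resp_msg, parse_cipher_desc, connected_msg) are this example's own.

```python
# Added example, not ICS code: decode an OpenSSL 1.x packed error code the way
# the post says Ics_Ssl_ERR_GET_LIB/FUNC/REASON do, reduce it to the short
# message or full "error:..." string that SslHandshakeRespMsg shows, and build
# the "SSL Connected OK ..." text from an SslCipherDesc-style line.
import re

# OpenSSL 1.x packing: 8-bit library, 12-bit function, 12-bit reason.
def err_get_lib(code):
    return (code >> 24) & 0xFF

def err_get_func(code):
    return (code >> 12) & 0xFFF

def err_get_reason(code):
    return code & 0xFFF

ERR_LIB_SSL = 0x14  # "SSL routines": the library byte of every error quoted in the post

# Function and reason names recovered from the error strings quoted in the post.
FUNC_NAMES = {
    0x09F: "SSL3_WRITE_PENDING",
    0x076: "SSL23_GET_CLIENT_HELLO",
    0x08A: "SSL3_GET_CLIENT_HELLO",
}
REASON_NAMES = {
    0x07F: "bad write retry",
    0x09B: "https proxy request",
    0x09C: "http request",
    0x10B: "wrong version number",
    0x0FC: "unknown protocol",  # assumed: SSL_R_UNKNOWN_PROTOCOL in OpenSSL 1.0.x
}

# The short messages the post shows for the most common handshake failures,
# keyed by OpenSSL reason code.
SIMPLE_MESSAGES = {
    0x09C: "Error, HTTP request, no SSL handshake",
    0x09B: "Error, HTTPS proxy request, no SSL handshake",
    0x10B: "Error, wrong SSL version",
    0x0FC: "Error, unknown SSL protocol",  # assumed mapping, see REASON_NAMES
}

def format_openssl_error(code):
    """Render a packed code in OpenSSL's error:XXXXXXXX:lib:func:reason form."""
    lib_no, func_no, reason_no = err_get_lib(code), err_get_func(code), err_get_reason(code)
    lib = "SSL routines" if lib_no == ERR_LIB_SSL else "lib(%d)" % lib_no
    func = FUNC_NAMES.get(func_no, "func(%d)" % func_no)
    reason = REASON_NAMES.get(reason_no, "reason(%d)" % reason_no)
    return "error:%08X:%s:%s:%s" % (code, lib, func, reason)

def handshake_resp_msg(err_code, ssl_handshake_err):
    """Mimic SslHandshakeRespMsg for a failed handshake.

    err_code is the OnSslHandshakeDone ErrCode (0 = OK, 1 = closed unexpectedly,
    otherwise an OpenSSL reason code); ssl_handshake_err is the packed DWORD
    from SslHandshakeErr. Returns None on success so the caller can use
    connected_msg() instead.
    """
    if err_code == 0:
        return None
    if err_code == 1:
        return "Error, connection closed unexpectedly"
    reason = err_get_reason(ssl_handshake_err)  # should equal err_code for OpenSSL errors
    return SIMPLE_MESSAGES.get(reason) or format_openssl_error(ssl_handshake_err)

# SslCipherDesc layout: name, protocol, Kx=, Au=, Enc=, Mac= separated by spaces.
CIPHER_DESC_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

def parse_cipher_desc(desc):
    """Split an SslCipherDesc line into the parts ICS exposes as properties
    (SslKeyExchange = kx, SslEncryption = enc, SslMessAuth = mac)."""
    m = CIPHER_DESC_RE.match(desc.strip())
    if not m:
        raise ValueError("unrecognised cipher description: %r" % desc)
    return m.groupdict()

def connected_msg(ssl_version, desc):
    """Build the success text; ssl_version is the protocol actually negotiated,
    which ICS already exposes, since the desc's version column describes the
    cipher rather than the connection."""
    p = parse_cipher_desc(desc)
    return ("SSL Connected OK with %s, cipher %s, key exchange %s, encryption %s, "
            "message authentication %s" % (ssl_version, p["name"], p["kx"], p["enc"], p["mac"]))

if __name__ == "__main__":
    # The four packed codes quoted in the post, fed through the decoder.
    for code in (0x1409F07F, 0x1407609B, 0x1407609C, 0x1408A10B):
        print(handshake_resp_msg(err_get_reason(code), code))
    print(handshake_resp_msg(1, 0))
    print(connected_msg("TLSv1.2",
          "AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD"))
```

The bit layout above is the OpenSSL 1.0.x/1.1.x one in which the post's codes were produced; OpenSSL 3.0 dropped function codes and widened the reason field, so a decoder for those builds must not reuse the 8/12/12 split. Note also that "bad write retry" falls through to the full OpenSSL string because it is not one of the four reasons given a short message, which is the behaviour the post describes.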