In earlier ICS versions, it was difficult to report the reason for SSL
handshake failures, which could lead to frustration for users. 

In the OnSslHandshakeDone event, ErrCode was effectively true or false for
success, and you had to enable the IcsLogger to get any OpenSSL error messages,
even then there were also errors reported that were non-fatal and often the
detailed OpenSSL error message was missing.  

With the latest ICS V8 snapshot, ErrCode still returns 0 for successful
handshake, but now an OpenSSL reason code for a handshaking error (literals in
OverbyteIcsLIBEAY.pas), except 1 means 
connection closed unexpectedly without an OpenSSL error being reported (which
usually happens with clients, where the server reports the real error).  

For better reporting, the new SslHandshakeErr property returns the last full
OpenSSL error which is a DWORD with library, function and reason packed as bits,
new functions Ics_Ssl_ERR_GET_LIB, Ics_Ssl_ERR_GET_FUNC and
Ics_Ssl_ERR_GET_REASON will extract each part.

But most applications should use the new property SslHandshakeRespMsg which
contains either the last error or a successfully connected message including
the ciphers and methods negotiated, both of which can be reported in end user

Example of SslHandshakeRespMsg responses from my public web server include: 

SSL Connected OK with TLSv1, cipher AES128-SHA, key exchange RSA, encryption
AES(128), message authentication SHA1

SSL Connected OK with TLSv1.1, cipher AES128-SHA, key exchange RSA, encryption
AES(128), message authentication SHA1

SSL Connected OK with TLSv1.2, cipher AES128-GCM-SHA256, key exchange RSA,
encryption AESGCM(128), message authentication AEAD

SSL Connected OK with TLSv1, cipher DES-CBC3-SHA, key exchange RSA, encryption
3DES(168), message authentication SHA1

Error, connection closed unexpectedly
Error, HTTP request, no SSL handshake
Error, HTTPS proxy request, no SSL handshake
Error, wrong SSL version
Error, unknown SSL protocol
error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number

The HTTP and HTTPS proxy errors means that a non-SSL request was made to the
SSL server which saw an HTTP command instead of the handshake request,
otherwise the errors appear to be mismatches of SSL versions such as attempted
use of SSLv2 or SSLv3 protocols instead of TLS, or maybe unsupported ciphers.  

Note OpenSSL has hundreds of reason codes and the component only translates the
four most common (as seen on my web server) to simple messages, otherwise the
full OpenSSL error is returned which includes error code, library, function and
reason as mentioned above.  

Also, there is a new property SslCipherDesc with OpenSSL long cipher
description after a handshake, an example being:

AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

The first two arguments are already available in ICS, there are three new
properties SslEncryption, SslKeyExchange and SslMessAuth which are extracted
from SslCipherDesc, and use to create the SSL Connected 
responses shown above. 

The FTP and mail components and the web client and server samples  have been
updated to use SslHandshakeRespMsg. 


To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to