
delphi – TIdHTTP: strange SSLv3_READ_BYTES error (setting TLSv1_ directly

Published: 2020-12-15 09:45:44  Category: Big Data  Source: compiled from the web
Simple code:

procedure TForm1.Button1Click(Sender: TObject);
  //var
  //h: tIdHTTP;
  //SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  h.IOHandler := SSL;
  SSL.SSLOptions.Method := sslvTLSv1_2;
  SSL.SSLOptions.SSLVersions := [sslvTLSv1_2]; // must be set automatically after SetMethod, but just to be sure
  h.Get('https://www.deviantart.com/users/login');
end;

That simple code gives me an error:

Error connecting with SSL.
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

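I'm using Delphi XE3 and the OpenSSL 1.0.2b libraries.
I can't figure it out. Looking at the source, the connection start-up contains lines that disable the unused versions: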

if not (sslvSSLv2 in SSLVersions) then begin
  SSL_CTX_set_options(fContext,SSL_OP_NO_SSLv2);
end;
if not (sslvSSLv3 in SSLVersions) then begin
  SSL_CTX_set_options(fContext,SSL_OP_NO_SSLv3);
end;
if not (sslvTLSv1 in SSLVersions) then begin
  SSL_CTX_set_options(fContext,SSL_OP_NO_TLSv1);
end;

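But SSLv3 operations are still being performed somehow. It doesn't look like a bug in the component. Is it something inside the library, or does Indy fail to take something into account when setting the parameters?

Or is it actually me who has missed something important?
I really hope I don't need to go through the hell called "Indy components update".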

Test (tried all methods, including TLS 1.2): https://www.deviantart.com/users/login

Resolving hostname www.deviantart.com.
Connecting to 54.230.96.81.
Handshake Start: before/connect initialization
Connect Loop: before/connect initialization
Connect Loop: SSLv3 write client hello A
fatal Read Alert: handshake failure
Connect Failed: SSLv3 read server hello A
ERROR: Error connecting with SSL.
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

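- For SSL3 and TLS1 / 1.1 / 1.2 the result is the same;
- For SSLv23 the answer is SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure;
- For SSLv2 there is no answer;

Test against a similar resource (TLS 1.2 only): https://files.yande.re/image/da9afa6d9ca43a9f154fad69f76adb85.jpg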

Resolving hostname files.yande.re.
Connecting to 5.39.10.56.
Handshake Start: before/connect initialization
Connect Loop: before/connect initialization
Connect Loop: SSLv3 write client hello A
Connect Loop: SSLv3 read server hello A
Connect Loop: SSLv3 read server certificate A
Connect Loop: SSLv3 read server key exchange A
Connect Loop: SSLv3 read server done A
Connect Loop: SSLv3 write client key exchange A
Connect Loop: SSLv3 write change cipher spec A
Connect Loop: SSLv3 write finished A
Connect Loop: SSLv3 flush data
Connect Loop: SSLv3 read server session ticket A
Connect Loop: SSLv3 read finished A
Handshake Done: SSL negotiation finished successfully
Connect Exit: SSL negotiation finished successfully

My Wireshark tests:

- Indy: http://imgur.com/BZ84Cl3 (the response is a handshake failure);
- Firefox: http://imgur.com/pkYJvnO;
- Response to the Firefox request: http://imgur.com/M9ni3TV;

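Solution

The handshake failure alert means that the initial handshake failed on the server side, so the server sends an alert to notify your client before closing the connection. You probably did not set up a compatible certificate or cipher suite that the server expects. Or the server may not support TLS 1.2 at all. Try using TLS 1.0 or TLS 1.1. Also, you can try using OpenSSL's own s_client tool to debug the connection problem until you work out the right settings, then apply them to Indy as needed. Or use Wireshark to look at the actual handshake and see at which stage it fails.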
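
Decoding the error code and status trace from the question, as an added example that is not part of the original post. It assumes OpenSSL 1.0.x error packing (8-bit library, 12-bit function, 12-bit reason) and the offset of 1000 that OpenSSL adds to alerts received from the peer; the function names are hypothetical.

```python
import re

# Assumption: OpenSSL 1.0.x packs an error as lib(8 bits) | func(12 bits) | reason(12 bits).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 mean "alert N received from the peer"
ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

# Status lines and error string copied from the failing trace in the question.
TRACE = [
    "Handshake Start: before/connect initialization",
    "Connect Loop: before/connect initialization",
    "Connect Loop: SSLv3 write client hello A",
    "fatal Read Alert: handshake failure",
    "Connect Failed: SSLv3 read server hello A",
]
ERROR = "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure"


def decode_openssl_error(text):
    """Split an 'error:XXXXXXXX:...' string into lib, func and reason numbers."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", text)
    if not m:
        raise ValueError("no OpenSSL error code found")
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    from_peer = lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}


def failure_stage(status_lines):
    """Return (last state on a 'Connect Loop' line, state on the 'Connect Failed' line)."""
    last_loop, failed_in = None, None
    for line in status_lines:
        if line.startswith("Connect Loop: "):
            last_loop = line[len("Connect Loop: "):]
        elif line.startswith("Connect Failed: "):
            failed_in = line[len("Connect Failed: "):]
    return last_loop, failed_in


if __name__ == "__main__":
    print(decode_openssl_error(ERROR))
    print(failure_stage(TRACE))
```

Reason 1040 is alert 40 sent by the server, and the trace shows it arrived after the ClientHello was written and before any ServerHello was read, so the place to compare against Firefox is the ClientHello itself. The "SSLv3" in the state and function names does not indicate the protocol version in use: the successful TLS 1.2 trace in the question carries the same labels.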

(Editor: 李大同)
