IndySockets / Indy

Indy - Internet Direct
https://www.indyproject.org

TidHttp ssl3_read_bytes : tlsv1 alert internal error #489

Closed luccburopro closed 1 year ago

luccburopro commented 1 year ago

Hi, I'm using Indy on Delphi XE7 to make a TIdHTTP request (TLS 1.2) to the Bank of Canada API to get rates (https://www.banqueducanada.ca/valet/observations/group/FX_RATES_DAILY/json).

This has worked for many years, and since last week I'm getting this error instead: 14094438:SSL routine:ssl3_read_bytes: tlsv1 alert internal error (EIdOSSLUnderlyingCryptoError).

I tried using postman to make the request and it's working, I'm getting a json result as expected. From there I would guess that it's some kind of problem with SSL certificate even though I'm using the latest (1.0.2u).

Do you have some suggestion about what I can do from there?

EvgenyLevitskiy commented 1 year ago

I got a JSON answer from the bank without any errors.

    Content-Type: application/json; charset=utf-8
    content-disposition: attachment; filename=FX_RATES_DAILY.json
    x-valet-mode: l
    x-generated: 2023-07-03 15:40:02
    Access-Control-Allow-Origin: *
    x-content-digest: enb8c8f40f2cd833ba348262901bd60a918b409ab431694e8334676f92b0a704a1
    Content-Encoding: gzip
    X-C60BE: ci2748-k
    RP: k1
    Cache-Control: public, max-age=0
    Expires: Mon, 03 Jul 2023 20:33:47 GMT
    Date: Mon, 03 Jul 2023 20:33:47 GMT
    Content-Length: 148872
    Connection: keep-alive
    Vary: Accept-Encoding
    Server: BoC

rlebeau commented 1 year ago

What does your actual code look like? How are you configuring TIdHTTP and TIdSSLIOHandlerSocketOpenSSL?

Note that XE7 was released almost a decade ago. If you are using the version of Indy that shipped with XE7, then that is a very old version and I suggest you upgrade to the latest version of Indy and see if the problem still occurs or not.

If it does, then you might also consider contacting the server admin to see if perhaps something changed on their side last week that could start causing this problem. Maybe they can debug your connections to see what is going wrong on their side. Perhaps they have changed their configuration, or updated their requirements, who knows.

luccburopro commented 1 year ago

Thank you so much for the quick reply. I will upgrade Indy, I didn't know that I could upgrade it without upgrading Delphi XE7. Seeing as how it worked for you I would think that this would be the problem.

I was indeed using TIdHTTP and TIdSSLIOHandlerSocketOpenSSL as follows:

    LHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
    LHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];
    vIdHttp.IOHandler := LHandler;

And then I set the content type:

    vIdHttp.Request.ContentType := 'text/html; charset=UTF-8';
    vIdHttp.Request.ContentEncoding := 'gzip';
    vIdHttp.Request.ContentType := 'application/json';  // overwrites the ContentType assigned two lines above

EvgenyLevitskiy commented 1 year ago

> Thank you so much for the quick reply. I will upgrade Indy, I didn't know that I could upgrade it without upgrading Delphi XE7. Seeing as how it worked for you I would think that this would be the problem.
>
> I was indeed using TIdHTTP and TIdSSLIOHandlerSocketOpenSSL as follows: LHandler := TIdSSLIOHandlerSocketOpenSSL.create(nil); LHandler.ssloptions.sslversions := [sslvTLSv1_2]; vIdHttp.IOHandler := LHandler;
>
> And then I set the content type: vIdHttp.Request.ContentType := 'text/html; charset=UTF-8'; vIdHttp.Request.ContentEncoding := 'gzip'; vIdHttp.Request.ContentType := 'application/json'

Here is working code:

    // units used: IdHTTP, IdSSLOpenSSL, IdCompressorZLib, IdCookieManager
    // variables: idHttpC: TIdHTTP; idCookieC: TIdCookieManager;
    //            lIOHandlerC: TIdSSLIOHandlerSocketOpenSSL
    idHttpC := TIdHTTP.Create(nil);
    idHttpC.ConnectTimeout := 80000;
    idHttpC.ReadTimeout := 80000;
    idHttpC.AllowCookies := true;

    // config redirects
    idHttpC.RedirectMaximum := 35;
    idHttpC.HandleRedirects := true;
    idHttpC.HTTPOptions := [hoTreat302Like303, hoKeepOrigProtocol];
    idHttpC.OnRedirect := IdHTTP1Redirect;  // the poster's own OnRedirect handler, defined elsewhere

    // create cookie manager (owned by idHttpC, freed with it)
    idCookieC := TIdCookieManager.Create(idHttpC);
    idHttpC.CookieManager := idCookieC;

    // create gzip compressor: Indy negotiates and decodes gzip/deflate itself,
    // so Request.ContentEncoding is not set by hand
    idHttpC.Compressor := TIdCompressorZLib.Create(idHttpC);

    // create OpenSSL IOHandler (owned by idHttpC so it is freed with it)
    lIOHandlerC := TIdSSLIOHandlerSocketOpenSSL.Create(idHttpC);
    lIOHandlerC.SSLOptions.Mode := sslmClient;
    // TLS 1.0 and 1.1 are deprecated; [sslvTLSv1_2] alone is enough for this server
    lIOHandlerC.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    idHttpC.IOHandler := lIOHandlerC;

    // config request headers
    idHttpC.Request.Accept := 'text/html, application/xhtml+xml, */*';
    idHttpC.Request.AcceptLanguage := 'de-DE';
    idHttpC.Request.UserAgent := 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
    idHttpC.Request.Connection := 'keep-alive';
    idHttpC.Request.CustomHeaders.Values['DNT'] := '1';

EvgenyLevitskiy commented 1 year ago

Don't set ContentEncoding := 'gzip'; Indy will handle it for you. Did you use Compressor in your code?
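
A complete, compilable version of the configuration discussed in this thread, added here as an example (it is not the Indy project's code and not either poster's): TLS 1.2 only, the gzip compressor instead of a hand-set ContentEncoding, and, the part neither snippet in this thread turns on, verification of the server certificate. The CA bundle path, the TPeerVerifier helper and the program name are assumptions; it also assumes a current Indy 10 (four-argument OnVerifyPeer) with the OpenSSL 1.0.2 DLLs on the path.

```delphi
// Added example (not Indy project code, not from the thread): fetch the
// Bank of Canada rates URL with TIdHTTP over TLS 1.2 only, with the server
// certificate actually verified. Indy's OpenSSL handler verifies nothing
// unless SSLOptions.VerifyMode is set, which is easy to forget.
program FetchRatesTls12;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  IdHTTP, IdSSLOpenSSL, IdCompressorZLib;

const
  RATES_URL = 'https://www.banqueducanada.ca/valet/observations/group/FX_RATES_DAILY/json';
  CA_BUNDLE_PATH = 'C:\certs\ca-bundle.pem';  // assumed: PEM file holding the trusted root CAs

type
  // Hypothetical helper: Delphi event handlers must be methods, so the
  // OnVerifyPeer callback lives on a small object.
  TPeerVerifier = class
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
  end;

function TPeerVerifier.VerifyPeer(Certificate: TIdX509; AOk: Boolean; ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's verdict for this certificate of the chain. Returning
  // True regardless of AOk would silently switch verification back off.
  if not AOk then
    Writeln(Format('certificate rejected at depth %d (OpenSSL error %d): %s',
      [ADepth, AError, Certificate.Subject.OneLine]));
  Result := AOk;
end;

function FetchJson(const AUrl: string): string;
var
  Http: TIdHTTP;
  IOHandler: TIdSSLIOHandlerSocketOpenSSL;
  Verifier: TPeerVerifier;
begin
  Verifier := TPeerVerifier.Create;
  Http := TIdHTTP.Create(nil);
  try
    Http.ConnectTimeout := 15000;
    Http.ReadTimeout := 15000;
    Http.HandleRedirects := True;
    Http.RedirectMaximum := 5;
    // Let Indy negotiate and decode gzip itself; Request.ContentEncoding stays unset.
    Http.Compressor := TIdCompressorZLib.Create(Http);
    // Accept, not ContentType, tells the server what representation we want
    // (ContentType describes a request body, and a GET has none).
    Http.Request.Accept := 'application/json';
    Http.Request.UserAgent := 'FetchRatesTls12/1.0';

    // Owned by Http so it is freed together with it.
    IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
    IOHandler.SSLOptions.Mode := sslmClient;
    IOHandler.SSLOptions.SSLVersions := [sslvTLSv1_2];  // no TLS 1.0/1.1 fallback
    IOHandler.SSLOptions.VerifyMode := [sslvrfPeer];    // default is [] = no verification at all
    IOHandler.SSLOptions.VerifyDepth := 5;
    IOHandler.SSLOptions.RootCertFile := CA_BUNDLE_PATH;
    IOHandler.OnVerifyPeer := Verifier.VerifyPeer;
    Http.IOHandler := IOHandler;

    Result := Http.Get(AUrl);
  finally
    Http.Free;
    Verifier.Free;
  end;
end;

begin
  try
    Writeln(Copy(FetchJson(RATES_URL), 1, 200), '...');
  except
    on E: EIdOSSLUnderlyingCryptoError do
      Writeln('TLS failure: ', E.Message);  // where the ssl3_read_bytes alert from the report would surface
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

Without the VerifyMode, RootCertFile and OnVerifyPeer lines the connection is encrypted but the server's identity is never checked, which is the default for this IOHandler. If the handshake still fails with this setup, the negotiated TLS version and the OpenSSL error number logged by VerifyPeer narrow the cause down faster than the generic "tlsv1 alert internal error" text.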

luccburopro commented 1 year ago

I did not use Compressor. I have tried the code sample you gave me and the error is slightly different: ssl3_read_bytes is now replaced by SSL23_GET_SERVER_HELLO.

I have tried to upgrade my Indy version as suggested, but it seems that I have failed even though I have followed the instructions. I have installed the Indy210 project (Delphi XE7), but I have TIdFTP saying that the ConnectTimeout property does not exist at run time. I would have thought that TLS 1.3 would have been there since it's a more recent version, but maybe it's normal.

luccburopro commented 1 year ago

I have tried again installing the upgrade and, good news, I don't have the TIdFTP error anymore and the connection to the bank is working fine with either my code or the new one you sent me. I still don't have TLS 1.3 in my options, but this is not important as TLS 1.2 is still used today.

Thank you very much for the help provided by the both of you, very fast and precise and so greatly appreciated.

rlebeau commented 1 year ago

> I still don't have TLS 1.3 in my options, but this is not important as TLS 1.2 is still used today.

Support for TLS 1.3 is still work-in-progress via a new set of SSLIOHandler components.