
I am encountering some problems using some code that worked for ages involving Indy and the download of a web page. I use RAD Studio 10.2 Tokyo.

The web page is as follows:

https://donet.rfi.it/RFIPlatform/showDoc.do?compartimentoHidden=AN&docTypeHidden=CC

The code I am using is part of an application which has had the same code since 2011, and it has always worked well. The code is as follows:

IDHTTP1.Get('https://donet.rfi.it/RFIPlatform/showDoc.do?compartimentoHidden=AN&docTypeHidden=CC');

I am getting a "Connection Reset by Peer 10054" error since the website went down, some days ago, and when it came up again, the code did not work anymore.

The aforementioned web page can be called from the browser, can even be downloaded with WGET, but Indy is failing.

I tried to play with various options (Cookie Handling, Handle Redirects, HTTPOptions, etc...) and I also updated the SSL libraries to 1.0.2q (Indy cannot use OpenSSL 1.1.0 yet), but the whole thing just doesn't want to work.

Can someone help me figure out what is going on? It surely has to be something on the website, since the code I use has been the same since 2011 and it has always worked. And before that, the same code worked in a similar application since 2008.

Remy Lebeau
GabryJ84

1 Answer


Indy's TIdSSLIOHandlerSocketOpenSSL component enables only TLS 1.0 by default. The website in question (https://donet.rfi.it) does not accept TLS 1.0 anymore (probably why it went offline, to update its software); it will accept only TLS 1.1+ now.

TIdHTTP is able to successfully establish a TCP/IP connection to donet.rfi.it:443, but as soon as TIdSSLIOHandlerSocketOpenSSL sends a TLS 1.0 handshake request, the server forcibly closes the TCP connection. You are getting the "connection reset by peer" error while TIdSSLIOHandlerSocketOpenSSL is trying to read the server's handshake response.

You need to configure TIdSSLIOHandlerSocketOpenSSL to enable TLS 1.1 and/or 1.2. You can do that via its SSLOptions.SSLVersions property. Then TIdHTTP.Get() will work again (I tested it).

Remy Lebeau
  • On a side-note, TLS 1.0 has been officially deemed unsafe, and many industries are practically forced to update to at least TLS 1.1 to stay secure. For example, payment processing, in order to be PCI compliant, is no longer permitted to use TLS 1.0 for this reason. By March 2020, TLS 1.0 will basically no longer be supported by all the big players in the web. – Jerry Dodge Dec 04 '18 at 01:15
  • Yup, and Indy already has [a TODO item](https://github.com/IndySockets/Indy/issues/181) to enable TLS 1.1 and 1.2 by default in the future. – Remy Lebeau Dec 04 '18 at 01:18
  • Reading more into it, it seems TLS 1.1 is also on its deathbed at this point, on that same timeline... – Jerry Dodge Dec 04 '18 at 01:33
  • I had to use as well as IdHTTP.IOHandler:=IdSSLIOHandlerSocketOpenSSL1; Adding a component to the form was not enough... – Vladimír Klaus Aug 15 '20 at 05:59
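
The configuration described in the answer and in the last comment, as an added example that is not code from the answer's author or from the Indy project. `TryGet` and the program name are hypothetical; the sketch assumes Indy 10 with the OpenSSL 1.0.2 DLLs next to the executable, and it fetches the question's URL once with only TLS 1.0 enabled and once with TLS 1.1 and 1.2 enabled, so the handshake failure and the fix can be compared side by side.

```delphi
program TlsVersionCheck;

{$APPTYPE CONSOLE}

uses
  System.SysUtils, IdHTTP, IdStack, IdSSLOpenSSL;

const
  // URL taken from the question.
  TargetUrl = 'https://donet.rfi.it/RFIPlatform/showDoc.do?compartimentoHidden=AN&docTypeHidden=CC';

// Hypothetical helper: fetch AUrl with only the given TLS versions enabled.
procedure TryGet(const ALabel, AUrl: string; AVersions: TIdSSLVersions);
var
  Http: TIdHTTP;
  Ssl: TIdSSLIOHandlerSocketOpenSSL;
  Body: string;
begin
  Http := TIdHTTP.Create(nil);
  try
    // Owned by Http, so it is freed together with it.
    Ssl := TIdSSLIOHandlerSocketOpenSSL.Create(Http);
    Ssl.SSLOptions.SSLVersions := AVersions;
    // Creating the handler is not enough; TIdHTTP must be told to use it.
    Http.IOHandler := Ssl;
    try
      Body := Http.Get(AUrl);
      Writeln(Format('%s: OK, %d characters received', [ALabel, Length(Body)]));
    except
      on E: EIdSocketError do
        // 10054 (connection reset by peer) here means the server dropped the handshake.
        Writeln(Format('%s: socket error %d: %s', [ALabel, E.LastError, E.Message]));
      on E: Exception do
        Writeln(Format('%s: %s: %s', [ALabel, E.ClassName, E.Message]));
    end;
  finally
    Http.Free;
  end;
end;

begin
  TryGet('TLS 1.0 only (old default)', TargetUrl, [sslvTLSv1]);
  TryGet('TLS 1.1 + 1.2', TargetUrl, [sslvTLSv1_1, sslvTLSv1_2]);
end.
```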