I'm attempting to connect to an online API using Indy HTTP client. The error I'm getting is "Authorisation failed (that's our message) EIdOSSLUnderlyingcryptoerror Error connecting with SSL, error:14094410: ssl ROUTINES:SSL3_READ_BYTES:SSLV3 alert handshake failure."

The idSSLIOHandler is set with the mode as sslmClient.

```delphi
procedure TOnLineSettingsForm.Button5Click(Sender : TObject);
var
  S: TStringStream;
  R : TStringStream;
  sTest : String;
  sResponse : String;
  sAuthCode : AnsiString;
begin
  //S := TStringList.Create;
  R := TStringStream.Create;
  if Length(edCert.Text) <> 0 then
  begin
    try
      try
        sAuthCode := 'AUTHORISATION:' + edCert.Text;
        S := TStringStream.Create('AUTHORISATION:' + edCert.Text, TEncoding.UTF8);
        S.Position := 0;
        with IdHTTP1 do
        begin
          IOHandler := IdSSLIOHandlerSocketOpenSSL1;
          Post('https://api.cloudwaitress.com/V1/...', S); //  sAuthCode);
          sResponse := ResponseText;
        end;
        sTest := R.DataString;
      except
        on e:exception do
        begin
          Showmessage('Authorisation failed....' + e.ClassName + ' ' + e.Message);
          sTest := R.DataString;
        end;
      end;
    finally
      s.Free;
      R.Free;
    end;
  end else
  begin
    Beep;
    Beep;
    ShowMessage('Please enter the id code.');
  end;
end;
```

The documentation says the following is required for authentication:

```
curl https://api.cloudwaitress.com/v1/... -H "Authorization: YOUR_API_KEY"
```

I was concerned that the "..." at the end of the url would be invalid, so I left it out. Got the error so put it back. Same error. So, I suspect, the problem is with something else. I note the authorisation doesn't include anything about content type. Although other requests for this API do and require "application/json".

Is it possible a handshake failure simply means the API connection isn't valid?

Sorry - should have said - the Indy version is 10.6.1.5182. I note that the same error can be triggered if TLS is required on the server. And that Indy 10.6.2 fixed that problem. Could it be I need to get a more recent version of Indy?

Thanks

Alan

Remy Lebeau

1 Answer


> The error I'm getting is "Authorisation failed (that's our message) EIdOSSLUnderlyingcryptoerror Error connecting with SSL, error:14094410: ssl ROUTINES:SSL3_READ_BYTES:SSLV3 alert handshake failure."

EIdOSSLUnderlyingCryptoError has nothing to do with HTTP itself, it is an encryption library error. In this case, it is saying the SSL/TLS handshake is failing, before the HTTP request can be sent over the connection. For instance, that could happen if the API requires TLS v1.1+, as TIdSSLIOHandlerSocketOpenSSL defaults to TLS v1.0 only, but you can manually enable TLS v1.1 and v1.2 in the SSLIOHandler's SSLOptions.SSLVersions property.

Also, the post stream is the wrong place to send an HTTP Authorization header.

Try this:

```delphi
procedure TOnLineSettingsForm.Button5Click(Sender : TObject);
var
  S: TStringStream;
  sResponse : String;
begin
  if edCert.GetTextLen > 0 then
  begin
    try
      S := TStringStream.Create('...', TEncoding.UTF8);
      try
        IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
        IdHTTP1.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
        IdHTTP1.Request.CustomHeaders.Values['Authorization'] := edCert.Text;
        sResponse := IdHTTP1.Post('https://api.cloudwaitress.com/V1/...', S);
      finally
        S.Free;
      end;
    except
      on E: Exception do
      begin
        ShowMessage('Error.... ' + e.ClassName + ' ' + e.Message);
      end;
    end;
  end else
  begin
    Beep;
    Beep;
    ShowMessage('Please enter the id code.');
  end;
end;
```

> the Indy version is 10.6.1.5182... Indy 10.6.2 fixed that problem. Could it be I need to get a more recent version of Indy?

Whether it fixes the problem or not, 10.6.1 is very old, so you should upgrade anyway. At the time of this writing, the current version is 10.6.2.5518.

Remy Lebeau
  • Remy - thanks for that. I looked up what is involved in updating Indy on XE7. Unfortunately, and as you said on another thread - it breaks the Live Tile components. Which, unfortunately, I had to use for a couple of crucial forms. I have XE10.2 and will be migrating everything to that in the next while. I tried your code. I now get a similar error - only it now reads "SSL23_GET_SERVER_HELLO" – Alan Jeffery Oct 01 '19 at 01:44
  • I checked the SSL status using this https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=api.cloudwaitress.com. For some reason all attempts timed out. Even though pinging the URL results in replies. However the responses indicated that TLS 1.1 and 1.2 were enabled – Alan Jeffery Oct 01 '19 at 02:40
  • I've noticed the IOHandler.SSLOptions.Method keeps defaulting to sslvSSLv23. Should I override that? – Alan Jeffery Oct 01 '19 at 02:47
  • @AlanJeffery "*I've noticed the IOHandler.SSLOptions.Method keeps defaulting to sslvSSLv23. Should I override that?*" - no, that is expected behavior. SSLv23 is a wildcard that enables dynamic negotiation of multiple SSL/TLS versions – Remy Lebeau Oct 01 '19 at 02:54
  • Remy. Any idea why that error would occur? It appears to be attempting to negotiate a connection. But failing. – Alan Jeffery Oct 01 '19 at 04:12
  • @AlanJeffery not without seeing the complete error message – Remy Lebeau Oct 01 '19 at 04:26
  • Remy. The full error message is in the first post. The only difference is the SSL23_GET_SERVER_HELLO – Alan Jeffery Oct 02 '19 at 06:36
  • Remy. Sorry. The error has changed. It is now "EIDOSSUnderlyingcryptoerror with message "Error with SSL error>14077410:SSL23_GET_SERVER_HELLO:sslv3 alert handshale failure" I see the reference to sslv3. Does that mean we need to use that? – Alan Jeffery Oct 03 '19 at 02:10
  • I tried to use sslv3 - no different. I've tried to contact the developer of the website in question. But I'm getting no answers. – Alan Jeffery Oct 03 '19 at 03:23
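
Added example (not from the original posts, and not Indy or OpenSSL code): a small Delphi console program that unpacks the two OpenSSL 1.0.x error codes quoted in this thread into library, function and reason. Reason 1040 is 1000 plus TLS alert 40, so "sslv3 alert handshake failure" is OpenSSL's fixed name for a handshake_failure alert sent by the server and does not indicate which protocol version was in use. `AlertName` and `DescribeError` are names made up for this example.

```delphi
program DecodeOpenSSLError;
{$APPTYPE CONSOLE}
// Added example, not part of the original thread.
uses
  System.SysUtils;

const
  ERR_LIB_SSL = 20;             // OpenSSL library number for libssl
  SSL_AD_REASON_OFFSET = 1000;  // SSL reasons above this are alerts from the peer

// Names for TLS alert numbers commonly seen during the handshake (RFC 5246).
function AlertName(Alert: Integer): string;
begin
  case Alert of
    40: Result := 'handshake_failure';
    42: Result := 'bad_certificate';
    48: Result := 'unknown_ca';
    70: Result := 'protocol_version';
    71: Result := 'insufficient_security';
    80: Result := 'internal_error';
    112: Result := 'unrecognized_name';
  else
    Result := 'alert ' + IntToStr(Alert);
  end;
end;

// Splits a packed OpenSSL 1.0.x error code (the hex digits after "error:")
// into library, function and reason, and says which side reported the failure.
function DescribeError(const HexCode: string): string;
var
  Code: Cardinal;
  Lib, Func, Reason: Integer;
begin
  Code := Cardinal(StrToInt64('$' + HexCode));
  Lib := (Code shr 24) and $FF;     // ERR_GET_LIB
  Func := (Code shr 12) and $FFF;   // ERR_GET_FUNC
  Reason := Code and $FFF;          // ERR_GET_REASON
  Result := Format('lib=%d func=%d reason=%d', [Lib, Func, Reason]);
  if (Lib = ERR_LIB_SSL) and (Reason > SSL_AD_REASON_OFFSET) then
    Result := Result + ': peer sent TLS alert ' +
      AlertName(Reason - SSL_AD_REASON_OFFSET)
  else
    Result := Result + ': raised locally, no alert from the peer';
end;

begin
  // The two codes quoted in this thread.
  Writeln(DescribeError('14094410'));
  Writeln(DescribeError('14077410'));
end.
```

Both codes decode to the same reason and differ only in the function field (148 for SSL3_READ_BYTES, 119 for SSL23_GET_SERVER_HELLO), which is the client routine that was reading when the server's alert arrived.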