For some time the communication with our server over HTTPS worked just fine.
Last week the provider changed something and since then I always get the 403 error.
I use the latest OpenSSL DLLs V0.9.8
I have changed the UserAgent to "Mozilla/5.0 (Windows NT 10.0)"
The SSL Method is "sslvSSLv23"
The SSL Mode is "sslmClient"
Nothing helps. :(
This is the log I get:
SSL Status: "Resolving hostname"
SSL Status: "Connecting to"
SSL StatusInfoEx: Type="Handshake Start", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv2/v3 write client hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server certificate A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server done A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write client key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write change cipher spec A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write finished A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 flush data"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read finished A"
SSL StatusInfoEx: Type="Handshake Done", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="Connect Exit", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="warning Read Alert", Msg="close notify"
SSL Status: "Disconnected."
ResponseText: HTTP/1.1 403 Forbidden
In the Wireshark log I see, after the "Client Key Exchange", the "Encrypted Alert" from the server to the client.
No.  Time      Source  Destination  Protocol  Length  Info
4    1.563661                       SSLv2     181     Client Hello
6    1.590865                       TLSv1     1514    Server Hello
10   1.605380                       TLSv1     1348    Certificate, Server Key Exchange, Server Hello Done
12   1.638612                       TLSv1     380     Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13   1.676523                       TLSv1     113     Change Cipher Spec, Encrypted Handshake Message
14   1.679066                       TLSv1     320     Application Data, Application Data
15   1.711226                       TLSv1     587     Application Data
16   1.711227                       TLSv1     91      Encrypted Alert
19   1.713426                       TLSv1     91      Encrypted Alert
What can I do to get the communication going again?
I found the reason for the "403 Forbidden" error.
In the Apache error.log I found the entry "No hostname was provided via SNI for a name based virtual host"
Which led me to the page NameBasedSSLVHostsWithSNI.
There the exact behavior is described:
Client doesn't support SNI.
If Apache has SNI support, and a request without the SNI hostname is received for a name-based virtual host over SSL, and SSLStrictSNIVHostCheck is on, it will be rejected (403) and this message logged:
[error] No hostname was provided via SNI for a name based virtual host
If SSLStrictSNIVHostCheck is off, then the request will be handled as if the server did not have SNI support.
As it seems, our provider has changed the configuration, so I have to update my Indy sources to support SNI and update my derived classes.
Thanks for the help.