
Delphi with Indy and TLS, problems with https://testesmoleculares.com.br/ (Cloudflare)


I don't have expertise with Delphi and TLS using Indy. Maybe it's not a problem, just config, I need examples. I tried some questions on Stackoverflow too, all unsuccessful.

Page: https://testesmoleculares.com.br/

Errors:

---------------------------
Debugger Exception Notification
---------------------------
Project IntegradorApoiado.exe raised exception
 class EIdOSSLUnderlyingCryptoError with message 'Error connecting with SSL.
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'.
---------------------------
Break   Continue   Help   
---------------------------

Actual config:

LHandler.SSLOptions.Method := sslvSSLv2;
LHandler.SSLOptions.Mode := sslmClient;
LHandler.SSLOptions.SSLVersions := [sslvSSLv2];

Tried:

IdSSLIOHandlerSocketOpenSSL1.SSLOptions.Method := sslvTLSv1_2;
IdSSLIOHandlerSocketOpenSSL1.SSLOptions.SSLVersions := [sslvTLSv1_2];

Can someone help? Maybe by providing an example of a POST? I'm using Delphi XE4.

Thanks!

Github issue: https://github.com/IndySockets/Indy/issues/317

Solution

  • Without seeing the actual handshake data, it is difficult to say for sure why it is failing.

    However, I will mention that sslvSSLv2 is for SSL v2.0, which nobody uses anymore, as it is no longer secure. Same with sslvSSLv3 (SSL v3.0). So, never use sslvSSLv2 and sslvSSLv3 (unless you HAVE to, for legacy purposes).

    sslvTLSv1_2 is for TLS v1.2. A lot of servers are now migrating to this. But many servers haven't fully migrated yet. So, you should enable TLS v1.0 and v1.1 as well for wider acceptance, eg (do not use SSLOptions.Method at all, just use SSLOptions.SSLVersions):

    LHandler.SSLOptions.Mode := sslmClient;
    LHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    

    By specifying multiple TLS versions, that will allow OpenSSL to negotiate an available version that both peers support.

    Also, make sure you are using an up-to-date version of Indy (if you are not already) so that you have all of its fixes for TLS support, such as use of SNI (which many servers now require TLS clients to use).

    I can connect to https://testesmoleculares.com.br/ in a web browser using TLS 1.2, so it should be possible to connect to it using TLS 1.2 in Indy as well.


    UPDATE: based on additional comments you have posted for this same issue in Indy's issue tracker (#317: TLS - Problems with https://testesmoleculares.com.br/ on Cloudflare), you are using an outdated version of Indy (10.6.0.4975), which does not fully handle TLS 1.2. You need to upgrade to the latest version (10.6.2) in order to use TLS 1.2 properly.
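The following console program is an added example of the POST the question asked for, written for this page and not taken from the question, the answer or the Indy project. It applies the answer's advice (leave SSLOptions.Method alone, put only the TLS versions in SSLOptions.SSLVersions) and additionally turns on server certificate validation, which Indy's TIdSSLIOHandlerSocketOpenSSL leaves off unless VerifyMode is set. It assumes Indy 10.6.2 as recommended above, the OpenSSL DLLs reachable by the executable, and a PEM CA bundle at a placeholder path; the form field names and values are constructed sample data, and the class TTlsVerifier and function PostOverTLS are names chosen here.

```pascal
program IndyTlsPostExample;

{$APPTYPE CONSOLE}

uses
  SysUtils, Classes, IdHTTP, IdSSLOpenSSL;

type
  // Holds the OnVerifyPeer handler; Indy events are object methods, so a
  // console program needs a small object to own it. (Name chosen for this example.)
  TTlsVerifier = class
  public
    function VerifyPeer(Certificate: TIdX509; AOk: Boolean;
      ADepth, AError: Integer): Boolean;
  end;

function TTlsVerifier.VerifyPeer(Certificate: TIdX509; AOk: Boolean;
  ADepth, AError: Integer): Boolean;
begin
  // AOk is OpenSSL's chain-validation verdict for the certificate at ADepth.
  // Returning it unchanged makes a failed chain abort the handshake; when no
  // OnVerifyPeer handler is assigned, Indy accepts the peer regardless.
  if not AOk then
    Writeln(Format('Certificate rejected at depth %d (OpenSSL error %d): %s',
      [ADepth, AError, Certificate.Subject.OneLine]));
  Result := AOk;
end;

// POSTs the form fields in AFields to AURL over TLS 1.0/1.1/1.2 and returns the
// response body. ACaBundle is a PEM file of trusted root CAs.
function PostOverTLS(const AURL, ACaBundle: string; AFields: TStrings): string;
var
  LHTTP: TIdHTTP;
  LHandler: TIdSSLIOHandlerSocketOpenSSL;
  LVerifier: TTlsVerifier;
begin
  LVerifier := TTlsVerifier.Create;
  LHTTP := TIdHTTP.Create(nil);
  try
    LHandler := TIdSSLIOHandlerSocketOpenSSL.Create(LHTTP);
    // SSLOptions.Method is not set; SSLVersions lets OpenSSL negotiate the
    // highest version both peers support. SSLv2 and SSLv3 are deliberately absent.
    LHandler.SSLOptions.Mode := sslmClient;
    LHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
    // Certificate validation is off by default in Indy; enable it explicitly.
    LHandler.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    LHandler.SSLOptions.VerifyDepth := 9;
    LHandler.SSLOptions.RootCertFile := ACaBundle;
    LHandler.OnVerifyPeer := LVerifier.VerifyPeer;
    LHTTP.IOHandler := LHandler;
    LHTTP.HandleRedirects := True;
    // Post(URL, TStrings) sends the fields as application/x-www-form-urlencoded.
    Result := LHTTP.Post(AURL, AFields);
  finally
    LHTTP.Free;      // also frees LHandler, which LHTTP owns
    LVerifier.Free;
  end;
end;

var
  Fields: TStringList;
begin
  Fields := TStringList.Create;
  try
    // Constructed sample fields; the real endpoint path and field names depend
    // on the site's form. The CA bundle path is a placeholder.
    Fields.Add('campo1=valor1');
    Fields.Add('campo2=valor2');
    try
      Writeln(PostOverTLS('https://testesmoleculares.com.br/',
        'C:\PLACEHOLDER\cacert.pem', Fields));
    except
      on E: EIdHTTPProtocolException do
        Writeln(Format('HTTP %d: %s', [E.ErrorCode, E.ErrorMessage]));
      on E: EIdOSSLUnderlyingCryptoError do
        Writeln('TLS handshake failed: ' + E.Message);
    end;
  finally
    Fields.Free;
  end;
end.
```

The handler only honours OpenSSL's chain verdict; it does not compare the certificate's names against the host being contacted, so a caller that needs the connection fully authenticated must add that check (for a Cloudflare-fronted site the host name is typically found in the certificate's Subject Alternative Names rather than its CN). If the handshake still fails with the alert from the question after these settings, the Indy version is the first thing to confirm, as the answer's update notes.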