Fulgan OpenSSL libraries : prohibited access
#1
Hello

I updated my Delphi 2009 from Indy 10.2.5 to Indy 10.6.2.0
I am using OpenSSL libraries version 1.0.2o.
I have tried to access https://indy.fulgan.com/SSL/Archive/ and I get this error:
You don't have permission to access /SSL/Archive/ on this server.
Are the DLLs available on any other site?

My initial problem:
I have been using these libraries to connect to several servers.
Now I am trying to connect to a new https site which gives me "Connection reset by peer" when the SSL Client Hello packet is sent.
I forced TLSv1.2 and CipherList only with the Cipher Postman uses, but it still does not work.

Thanks and good health 
Reply
#2
Hello 

Initial problem solved. It was the lack of SNI:  https://security.stackexchange.com/quest...ng-tls-1-2

Solved in this way:

Code:
procedure TForm.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
    SSL_set_tlsext_host_name(AsslSocket, 'api.server.com');
end;

Code:
TheHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
TheHandler.OnStatusInfoEx := OnStatusInfoEx;

However, I have no access to https://indy.fulgan.com/SSL/ yet. Any news?

Thanks and good health
Reply
#3
(06-13-2020, 03:11 PM)controlhorus Wrote: Solved in this way:

Code:
procedure TForm.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
    SSL_set_tlsext_host_name(AsslSocket, 'api.server.com');
end;

Indy calls SSL_set_tlsext_host_name() for you, you do not need to call it manually. Make sure you are using an up-to-date version of Indy.

(06-13-2020, 03:11 PM)controlhorus Wrote: However, I have no access to https://indy.fulgan.com/SSL/ yet. Any news?

Last time I checked, https://indy.fulgan.com/SSL/ was still working fine. So either this is a temporary outage, or Fulgan has finally taken the mirror off-line for good. I'll ask about it.

Reply
#4
(06-13-2020, 08:12 PM)rlebeau Wrote:
(06-13-2020, 03:11 PM)controlhorus Wrote: Solved in this way:

Code:
procedure TForm.OnStatusInfoEx(ASender: TObject; const AsslSocket: PSSL;
  const AWhere, Aret: TIdC_INT; const AType, AMsg: String);
begin
    SSL_set_tlsext_host_name(AsslSocket, 'api.server.com');
end;

Indy calls SSL_set_tlsext_host_name() for you, you do not need to call it manually.  Make sure you are using an up-to-date version of Indy.

I downloaded from SVN and updated it yesterday trying to solve the problem. It is 10.6.2.0 I think. 
Code:
ShowMessage('Indy version: ' + IdHTTP1.Version);
Shows 10.6.2.0 on run.

Thank you

Hi

I fear I did not see the Git change.

I downloaded SVN and I used tag Indy 10.6.2 - XE8 RTM for update. It does not have that line:

Code:
IdSSLOpenSSL.pas

error := SSL_set_tlsext_host_name(fSSL, fHostName);

Tag Indy 10.6.2 - Tokyo RTM had it. Bad luck.

I just downloaded GIT version and used Lib folders to update again. Now it is working without the added lines.

Thank you
Reply
#5
(06-13-2020, 08:25 PM)controlhorus Wrote: I downloaded from SVN

Indy is not hosted on SVN anymore, it is now hosted on GitHub:

https://github.com/IndySockets/Indy/

Indy SVN retiring, long live GitHub

(06-13-2020, 08:25 PM)controlhorus Wrote: and updated it yesterday trying to solve the problem. It is 10.6.2.0 I think. 
Code:
ShowMessage('Indy version: ' + IdHTTP1.Version);
Shows 10.6.2.0 on run.

Indy does not include a build number in its source code by default. It has always been the case that when Fulgan (or other 3rd parties) pulled Indy snapshots from SVN, a script would have to be run afterwards to inject the latest SVN revision number as the build number before the source code was then compiled (see Indy's StoreRevNum.bat and StoreRevNumHooks.bat files). However, that is no longer the case now that Indy has moved to GitHub:

#292: Actual Build Version is missing in IdVers.inc

This hasn't been fixed yet.

(06-13-2020, 08:25 PM)controlhorus Wrote: I downloaded SVN and I used tag Indy 10.6.2 - XE8 RTM for update.

It does not have that line:

Code:
IdSSLOpenSSL.pas

error := SSL_set_tlsext_host_name(fSSL, fHostName);

XE8 was released in April 2015.  The call to SSL_set_tlsext_host_name() was added to Indy in January 2016, so it would not have been included in Delphi's shipped copy of Indy until either 10.1 Berlin (April 2016) or 10.2 Tokyo (March 2017), depending on when Embarcadero actually pulled a new copy of Indy for themselves.

Reply
#6
Hello Remy,

Folders ZIP and LinkLibs at https://indy.fulgan.com are empty for a few days already...
Where can we get updated DLLs?

Thank you!
Reply
#7
Please disregard my message.
Found this:
All of the OpenSSL binaries that were hosted on Indy’s Fulgan mirror @ https://indy.fulgan.com/SSL/ have now been migrated to a new repository on Indy’s GitHub page: https://github.com/IndySockets/OpenSSL-Binaries For the past few days, Indy’s Fulgan mirror has been down, reporting “403 Forbidden” errors, due to connectivity issues on the server side. This outage is being looked […]
Reply
#8
(06-23-2020, 01:37 PM)podoroges Wrote: Please disregard my message.
Found this:
All of the OpenSSL binaries that were hosted on Indy’s Fulgan mirror @ https://indy.fulgan.com/SSL/ have now been migrated to a new repository on Indy’s GitHub page: https://github.com/IndySockets/OpenSSL-Binaries For the past few days, Indy’s Fulgan mirror has been down, reporting “403 Forbidden” errors, due to connectivity issues on the server side.  This outage is being looked […]

For others who had not seen it yet, that quote is from Indy's blog:

OpenSSL binaries moved to GitHub

Reply