tidhttp:奇怪的SSLv3_READ_BYTES错误(直接设置TLSv1_2连接)

Question

简单代码:

procedure TForm1.Button1Click(Sender: TObject);
  //var
  //h: tIdHTTP;
  //SSL: TIdSSLIOHandlerSocketOpenSSL;
begin
  h.IOHandler := SSL;
  SSL.SSLOptions.Method := sslvTLSv1_2;
  SSL.SLLOptions.SSLVersion := [sslvTLSv1_2]; //must be set automatically after SetMethod, but just to be sure
  h.Get('https://www.deviantart.com/users/login');
end;

那个简单的代码给了我一个错误:

连接SSL时出错.
错误:14094410:SSL例程:ssl3_read_bytes:sslv3警报握手失败

我使用Delphi XE3和OpenSSL 1.0.2b库.我无法弄明白,在查看消息来源时,连接启动中存在禁用未使用版本的字符串:

if not (sslvSSLv2 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv2);
end;
if not (sslvSSLv3 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_SSLv3);
end;
if not (sslvTLSv1 in SSLVersions) then begin
  SSL_CTX_set_options(fContext, SSL_OP_NO_TLSv1);
end;

但sslv3的操作仍然以某种方式进行.看起来不像组件的bug.某个库内部,或者indy在设置参数时没有考虑到什么？

或者实际上是我,谁没有注意到重要的事情？我真的希望我不需要经历一个名为"indy components update"的地狱.

测试(尝试所有方法,包括TLS1.2) https://www.deviantart.com/users/login

Resolving hostname www.deviantart.com.
Connecting to 54.230.96.81.
Handshake Start: before/connect initialization
Connect Loop: before/connect initialization
Connect Loop: SSLv3 write client hello A
fatal Read Alert: handshake failure
Connect Failed: SSLv3 read server hello A
ERROR: Error connecting with SSL.
error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

• 对于SSL3和TLS1/1.1/1.2的结果是相同的;
• 对于SSLv23的答案SSL23_GET_SERVER_HELLO:sslv3警报握手失败;
• 对于SSLv2没有回答;

对类似资源进行测试(仅限TLS1.2) https://files.yande.re/image/da9afa6d9ca43a9f154fad69f76adb85.jpg

Resolving hostname files.yande.re.
Connecting to 5.39.10.56.
Handshake Start: before/connect initialization
Connect Loop: before/connect initialization
Connect Loop: SSLv3 write client hello A
Connect Loop: SSLv3 read server hello A
Connect Loop: SSLv3 read server certificate A
Connect Loop: SSLv3 read server key exchange A
Connect Loop: SSLv3 read server done A
Connect Loop: SSLv3 write client key exchange A
Connect Loop: SSLv3 write change cipher spec A
Connect Loop: SSLv3 write finished A
Connect Loop: SSLv3 flush data
Connect Loop: SSLv3 read server session ticket A
Connect Loop: SSLv3 read finished A
Handshake Done: SSL negotiation finished successfully
Connect Exit: SSL negotiation finished successfully

我的WireShark测试:

• Indy :( http://imgur.com/BZ84Cl3响应是握手失败);
• Firefox : http://imgur.com/pkYJvnO;
• 对Firefox请求的响应:http://imgur.com/M9ni3TV;

Answer 1

警报握手失败意味着服务器端的初始握手失败，因此它会在关闭连接之前发送警报以通知您的客户端。您可能没有设置服务器期望的兼容证书或密码套件。或者服务器可能根本不支持 TLS 1.2。请尝试改用 TLS 1.0 或 TLS 1.1。另外，您可以尝试使用 OpenSSL 自己的s_client工具来调试连接问题，直到找出正确的设置，然后根据需要将它们应用到 Indy。或者，使用 Wireshark 查看实际握手并查看在哪个阶段失败。