Kudzu
@czhower
yes... I found the issue... its old source from the IDE install... trying to resolve it now...
removing these should fix it:
image.png
Remy Lebeau
@rlebeau
@czhower I always backup and remove the IDE's shipped copy and then point the IDE to my local copy.
Kudzu
@czhower
afraid to remove the files.. every time I touch files the installer wants to repair.... maybe it will ignore the source dir? Tried modifying global path but something still pulling it in.. normally I use the aliased IntraWeb version of Indy but need normal units this time.
just had to do a clean first after changing paths...
offhand what unit is TIdSSLIOHandlerSocketOpenSSL in if you know?
Kudzu
@czhower
found it
ok its connecting... any easy way to verify its using SSL? the server doesnt seem to show me either in this case.. want to ensure its using SSL.
Kudzu
@czhower
The SSL area of Indy was the one area that I never really touched.... I think I have the basic steps but its failing on connect now.... Are you available for some basic assistance to enable the SSL for FTP?
Ive read your stack overflow posts etc.. I think its some property Im still missing regarding the SSL and the server config.
Kudzu
@czhower
When you have a chance.. if I disable SSL its ok.. but Im trying to make it secure... this shows the settings from an FTP client I have that works ok.
image.png
Remy Lebeau
@rlebeau
@czhower that setup looks OK to me, as far as SSL/TLS on the command connection is concerned (though you are leaking the xSSL object on non-ARC systems). The socket error has nothing to do with SSL/TLS though, unless maybe you are getting that error on List() and not on Connect()? Be sure to set xFTP.DataPortProtection := ftpdpsPrivate to use SSL/TLS on the file transfer connections.
Kudzu
@czhower
yes I know its leaking... for this I dont care yet just want it to work and its a util that runs and exits anyway after a short xfer.
let me add that and see where it dies...
Its the connect.. it dies here:
image.png
Kudzu
@czhower
image.png
specifically here...
Remy Lebeau
@rlebeau
@czhower OK, well the exception has more details about the failure, but the first thing to check is whether the FTP server allows TLS 1.0, since that is the only version enabled by default in a plain vanilla TIdSSLIOHandlerSocketOpenSSL object. Try enabling TLS 1.1 and 1.2 in the xSSL.SSLOptions.SSLVersions property
Kudzu
@czhower
thats the property I was digging for now.. let me connect with ftp client and check its log output
image.png
Remy Lebeau
@rlebeau
@czhower try adding this: xSSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
Kudzu
@czhower
yeah trying that now... I put in 1_2
the default in code is 1 it seems?
Remy Lebeau
@rlebeau
@czhower yes, the default is v1 only (IndySockets/Indy#181). If you leave v1 enabled, you have to enable v1_1 in order to use v1_2, you can't have a discontiguous range. Otherwise just enable v1_2 by itself.
Kudzu
@czhower
I added this and now its connecting:
xSSL.SSLOptions.SSLVersions := [sslvTLSv1_2];
I didnt include 1 or 1_1
Remy Lebeau
@rlebeau
@czhower ok
Kudzu
@czhower
So that was the issue. Its too bad we cant detect that and throw a better error, but i understand its probably not something simple. SSL was an area I'm happy to leave to others. :)
Thanks for the help.. stupid little utility I dont have time to write anyway but need it so....
Remy Lebeau
@rlebeau
@czhower Well, we do kinda detect it. We detect the SSL_connect() failure and check OpenSSL's error code for the reason, and if it reports that the underlying socket errored then we raise a socket exception like EIdSocketError with the socket error code. Which makes sense in this case as that is what really happened. The server did not like the handshake so it just closed the connection outright without sending an SSL/TLS alert first to indicate why it was closing the connection.
Kudzu
@czhower
yes I meant though that we could better detect why... not just fail. But I understand that it might not be possible or if so not easy.... ie query the server etc... filezilla queried the server somehow and knew as did my other FTP client.
that screenshot I found TLS1.2 was from Filezilla
Im connected so Im happy.. and I can write easy to code Indy code instead of async node crap.
Its just a simple internal util to sync some stuff in a way that I cant do with any commercial client Ive found as there are many separate things to sync and they can be synced one by one or all at once.
Remy Lebeau
@rlebeau
@czhower well, can't really detect WHY better, that is the only error actually being reported to Indy. I suppose we could raise the EIdSocketError first, catch it, and re-raise it as the InnerException of a higher level OpenSSL exception instead. But that is not really going to report anything better to users, other than OpenSSL failed due to an OS error, the OpenSSL error code is just SSL_ERROR_SYSCALL in this case meaning an OS call failed (because the socket was disconnected).
Kudzu
@czhower
yep.. as I said I suspect its not easy.. but there appears to be a way.. but its not something super important and Im sure we have more urgent things on Indy to do.
Remy Lebeau
@rlebeau
@czhower we have a bajillion things to do, like updating OpenSSL support for 1.1.x before the end of the year, and getting the Indy 11 maintenance release finalized (it is the "Restructure Lib" branch in SVN).
Kudzu
@czhower
Yep. Exactly :)
Remy Lebeau
@rlebeau
@czhower :-p
Kudzu
@czhower
Wish I could help.. but still buried here between work, health, legal... and SSL was never my area :)
When was the last time anyone heard from JP? Years ago I assume?
he has an FB account and posted in April this year.. will ping him..
Remy Lebeau
@rlebeau
@czhower Indy-wise, it has been a couple of years, yeah.
Kudzu
@czhower
He accepted me so we are chatting now. :)
JP interested in helping on SSL... will PM you details....
sqlitey
@sqlitey
@rlebeau Please leave your contact. i want to request paid consultation in indy idhttpserver ssl handling if you can
Remy Lebeau
@rlebeau