mezen / indy Goto Github PK

In certain situations, my web server has encountered socket error # 5. I tracked down the cause to this line in TIdOpenSSLIOHandlerClientBase.CheckForError:

  Result := FTLSSocket.GetErrorCode(ALastResult);
  case Result of
    SSL_ERROR_SYSCALL:
      inherited CheckForError(ALastResult);

The result of CheckForError needs to be assigned to Result:

  Result := FTLSSocket.GetErrorCode(ALastResult);
  case Result of
    SSL_ERROR_SYSCALL:
      Result := inherited CheckForError(ALastResult);

I'am useing your new OpenSSL IOHandler with a TidHTTP instance.
The TIdHTTP Object ist created inside unit initialization including IOHandler and destroyed in finalization.
After the use of TidHTTP and wait some time I get an EIdOpenSSLShutdownError durring appliction shutdown / finalization.
So I think it has todo with keep alive handling? and the connection ist silently dropped by the server - but if the code don't use the TidHTTP component again until shutdown it crashes?

After debugging I found the following callstack:

TIdCustomHTTP.Destroy()
-> TIdTCPConnection.Destroy()
-> LIOHandler.Close()
-> TIdOpenSSLIOHandlerClientBase.Close()
-> TIdOpenSSLSocket.Close()
SSL_shutdown() --> -1
SSL_get_error() --> 5
-> raise EIdOpenSSLShutdownError.Create(...)

my current workaround is to call IoHandler.DiscardAll(); before destruction - that solves the problem, but is this the right way?

Any ideas?

A few years ago, a zip file with updates was attached to a comment on the open PR in Indy's repo:

https://github.com/IndySockets/Indy/files/5029069/OpenSSL.zip

That code doesn't appear to have been merged into this repo, and so doesn't appear in the code for the open PR.

For example, IdOpenSSLConsts.pas has much more code in it than what is in the repo right now. A user posted at https://en.delphipraxis.net/topic/9118-delphi-113-indy-openssl-31/ making some changes to the zip code, not this repo code, so I just want to make sure this repo is up-to-date.

I am using "IOpenSslLoader" and "OpenSslPath" to specify the path to the OpenSSL libraries (dll or so). When the libraries are located in the same folder as the application and I want to set a relative path (OpenSslPath := ''), it is not working. Because of "IncludeTrailingPathDelimiter" adds a delimiter in "SetOpenSSLPath". I changed the code and now it seems to work correct.

procedure TOpenSSLLoader.SetOpenSSLPath(const Value: string);
begin
if Value = '' then Exit; // <- new
FOpenSSLPath := IncludeTrailingPathDelimiter(Value);
end;

This issue applies to branch NewOpenSSL_PR

Line 164 is:
NCONF_dump_bio: function(const conf: PCONf; out: PBIO): TIdC_INT cdecl = nil;

FPC complains about the ':' after the reserved word "out". Either the ':' is wrong (this is an "out" argument) or "out" needs to changed to a non-reserved word.

In the original .h file, the declaration is

int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out);

Hence it looks "out" was simply copied as the argument name from the 'C' header file. It is proposed to fix the compile time issue by changing line 164 to

NCONF_dump_bio: function(const conf: PCONf; out_: PBIO): TIdC_INT cdecl = nil;

I am testing OpenSSL with a simple TIdHTTPServer. It delivers only the index.htm and the favicon.ico. I am running two servers in the internet (windows and linux), without special firewalls. So there are a lot of attacks every day. Windows works fine, but sometimes linux crashses with an EIdOpenSSLShutdownError (Failed to shutdown the TLS connection.error:0A000197:SSL routines::shutdown while in init). Maybe because of an attack. This happens in "TIdOpenSSLSocket.Close". I changed the code. Now it seems to run without problems. Is this the correct way?

{ TIdOpenSSLSocket }

procedure TIdOpenSSLSocket.Close;
var
LReturnCode: TIdC_INT;
LSSLErrorCode: TIdC_INT;
begin
if not FDoNotCallShutdown then
begin
LReturnCode := SSL_shutdown(FSSL);
if LReturnCode < 0 then
begin
LSSLErrorCode := SSL_get_error(FSSL, LReturnCode);
if LSSLErrorCode <> SSL_ERROR_ZERO_RETURN then
SSL_set_shutdown(FSSL, SSL_SENT_SHUTDOWN or SSL_RECEIVED_SHUTDOWN); // <- new
// raise EIdOpenSSLShutdownError.Create(FSSL, LReturnCode, RIdOpenSSLShutdownError); // <- old
end;
end
else
SSL_set_shutdown(FSSL, SSL_SENT_SHUTDOWN or SSL_RECEIVED_SHUTDOWN);
end;