View Issue Details

ID: 0032789
Project: FPC
Category: Packages
View Status: public
Last Update: 2019-08-09 10:13
Reporter: BBaz
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Platform: amd64
OS: Fedora
OS Version: 27
Product Version: 3.0.2
Summary: 0032789: openssl is outdated leading to error when trying to create a SSL context

Description: The version strings in openssl.pas are outdated.
Latest version supported in linux is '1.1'.
Also even with this new version the code beyond raises an ESSL exception related to the context.

Steps To Reproduce: on a linux distribution with openssl 1.1.X setup (verified to fail with at least 1.1.0g), run this:

```
program Project1;
 
uses fphttpclient;
 
procedure test;
var
  cli: TFPHTTPClient = nil;
begin
  cli := TFPHTTPClient.Create(nil);
  try
    cli.AddHeader('User-Agent','Mozilla/5.0 (compatible; fpweb)');
    cli.SimpleGet('https://api.github.com/users/defunkt');
  finally
    cli.free;
  end;
end;
 
begin
  test();
end.
```
Tags: No tags attached.

Activities

Thaddy de Koning

2017-12-07 09:07

reporter   ~0104553

It also fails with 1.1.0f on debian stretch.
Funny thing is that wget --https-only also fails on that particular link.

BBaz

2017-12-07 09:34

reporter   ~0104556

wget may fail because of the User-Agent required by GH. But CURL as a command line tool works.

So for now I use CURL (fortunately the use case is a simple GH API query), but one thing I forgot to say is that if possible the fix should propose a way for the user to set custom versions and reload the libraries. Why? Because 2 years can elapse between two FPC point releases.

BBaz

2017-12-07 09:37

reporter   ~0104557

There's an error in the test case: replace "SimpleGet" by "Get"

Martok

2017-12-07 12:34

reporter   ~0104560

It would sure be useful if 0032367 hadn't been voted down, huh?

Openssl 1.0 and 1.1 have subtle and not-so-subtle API differences, linking to "whatever" will cause problems such as this here.
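
As an added illustration of the 1.0/1.1 API split mentioned in the note above (this is not code from FPC or from any participant in this issue): a small probe that reports which libssl the dynamic loader can find and which initialisation entry point it exports. The soname list is an assumption for a typical Linux system and differs between distributions.

```pascal
program probessl;

{$mode objfpc}{$H+}

uses
  dynlibs;

const
  // Assumed sonames; adjust for the distribution being checked.
  Candidates: array[0..2] of string =
    ('libssl.so.1.1', 'libssl.so.1.0.0', 'libssl.so');

  // Each name is a real exported function in only one API generation.
  Legacy10Symbol = 'SSL_library_init';  // exported by 1.0.x, only a macro in 1.1.x
  Modern11Symbol = 'OPENSSL_init_ssl';  // exported by 1.1.0 and later

// Loads the library, checks both entry points, and unloads it again.
function Describe(const LibName: string): string;
var
  H: TLibHandle;
  Has10, Has11: Boolean;
begin
  H := LoadLibrary(LibName);
  if H = NilHandle then
    Exit('not loadable');
  try
    Has10 := GetProcedureAddress(H, Legacy10Symbol) <> nil;
    Has11 := GetProcedureAddress(H, Modern11Symbol) <> nil;
  finally
    UnloadLibrary(H);
  end;
  if Has11 then
    Result := '1.1-style API (OPENSSL_init_ssl present)'
  else if Has10 then
    Result := '1.0-style API (SSL_library_init present)'
  else
    Result := 'loaded, but neither init entry point found';
end;

var
  I: Integer;
begin
  for I := Low(Candidates) to High(Candidates) do
    WriteLn(Candidates[I]:18, ': ', Describe(Candidates[I]));
end.
```

A binding that only looks up the 1.0 entry point will load a 1.1 library successfully and still fail at initialisation, which is why matching the soname alone is not enough.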

BBaz

2019-01-22 08:08

reporter   ~0113561

You need to rethink the API so that the user can overcome the issue (if it happens again). It's critical for a desktop application to get enhanced with web content nowadays. Don't cry if people get on using Electron.

As a workaround I wonder if loading the module manually would make the requests work (i.e. use the dll injection principle). Because if I have to fix it the regular way, then I need to put the whole fcl-web package in my project.

Thaddy de Koning

2019-01-22 09:03

reporter   ~0113563

The issue is not with FPC... It is an issue with old openssl libs that still allow ssl2,3 instead of tls. Modern browsers will not accept those anyway. It also means those servers are not up to date. It also means Curl still supports insecure protocols. I think this can be closed, unless the openssl interface can be adapted to drop insecure protocols. If you want, you can compile openssl yourself with the legacy protocols enabled (not easy, but doable).

Michael Van Canneyt

2019-01-27 09:36

administrator   ~0113657

I will look at the openssl issue.

Meanwhile, when using trunk you can use GnuTLS support, which has a more sensible and comprehensible API.

Richard S.

2019-06-27 20:30

reporter   ~0116976

I am also experiencing this issue with fphttpclient on Ubuntu 19.04 with fpc and lazarus installed through apt.

> It also means those servers are not up to date.

Interestingly enough I get it with every single major website I've tried: google, amazon, ebay, wikipedia, ddg, github, microsoft, etc.

This issue seems to have been fixed in trunk? I compiled and installed fpc and lazarus both from trunk and it solves the problem with my application that uses fphttpclient and I only needed to add the opensslsockets unit to my uses. It's still very unfortunate for anyone trying Lazarus and FreePascal for the first time on Ubuntu or possibly other distributions only to be hit by this nasty bug if they try to do anything web related.

Thaddy de Koning

2019-08-09 10:13

reporter   ~0117605

Last edited: 2019-08-09 10:13


I have no issues with trunk -r42590+
I have 1.1.1c as my openssl version (which is current and supported).

Issue History

Date Modified Username Field Change
2017-12-06 21:25 BBaz New Issue
2017-12-07 09:07 Thaddy de Koning Note Added: 0104553
2017-12-07 09:34 BBaz Note Added: 0104556
2017-12-07 09:37 BBaz Note Added: 0104557
2017-12-07 12:34 Martok Note Added: 0104560
2019-01-22 08:08 BBaz Note Added: 0113561
2019-01-22 09:03 Thaddy de Koning Note Added: 0113563
2019-01-27 09:33 Michael Van Canneyt Assigned To => Michael Van Canneyt
2019-01-27 09:33 Michael Van Canneyt Status new => assigned
2019-01-27 09:36 Michael Van Canneyt Note Added: 0113657
2019-06-27 20:30 Richard S. Note Added: 0116976
2019-08-09 10:13 Thaddy de Koning Note Added: 0117605
2019-08-09 10:13 Thaddy de Koning Note Edited: 0117605