
Delphi: IdHTTP+SSL does not work. No errors!

Tags: ssl, delphi, idhttp

I use TIdHTTP + TIdSSLIOHandlerSocketOpenSSL + 2 DLLs: ssleay32.dll and libeay32.dll from http://indy.fulgan.com/SSL.

But I can see all the work of my program in HTTP Analyzer! It works as HTTP, not as HTTPS. If I use Opera, I cannot see the download from the same site (https://esta.cbp.dhs.gov/esta).

I did not set any special parameters for TIdHTTP and TIdSSLIOHandlerSocketOpenSSL (maybe I must, but I do not know what exactly).

Must I use TIdSSLVersion(sslvSSLv23) + the location of an SSL certificate? Where can I get this certificate? Or only RootCertFile?

How do I change the port of IdHTTP to 443 (must I do it?)?

I use:

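procedure TForm1.FormCreate(Sender: TObject);
var
  mem: TMemoryStream;
begin
  // Create the stream before entering try..finally so that Free is never
  // called on an uninitialized reference if the constructor raises.
  mem := TMemoryStream.Create;
  try
    try
      idhttp1.Get('https://esta.cbp.dhs.gov/esta/', mem);
    except
      on E: Exception do
        ShowMessage(E.Message);
    end;
  finally
    mem.Free;
    idhttp1.Free;
  end;
end;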

Please see my video: http://liga-installer.realservers.info/ssl.mp4


Thanks Thanks Thanks for help!!!

maxfax asked Jul 14 '11 08:07


2 Answers

This simple example works in Delphi XE out of the box, so you don't need to change ports or use a certificate on the client side. It's based on an example from RosettaCode:

uses
  IdHTTP, IdSSLOpenSSL;

...

procedure TForm2.Button1Click(Sender: TObject);
var
  s: string;
  lHTTP: TIdHTTP;
begin
  lHTTP := TIdHTTP.Create(nil);
  try
    lHTTP.IOHandler := TIdSSLIOHandlerSocketOpenSSL.Create(lHTTP);
    lHTTP.HandleRedirects := True;
    s := lHTTP.Get('https://esta.cbp.dhs.gov/esta/');
    RichEdit1.Text := s;
  finally
    lHTTP.Free;
  end;
end;

The problem is probably the version of the DLLs you need to deploy. Since recent versions fix security issues, I recommend upgrading your version of Indy to the latest and using the most recent OpenSSL libraries from the fulgan site.

Update: Did you mean that you can't see the site using a web browser, or that when you do you can't see the traffic in your HTTP analyser? As Rob mentioned, if the site isn't visible using a regular web browser, then the problem likely isn't your application.

Bruce McGee answered Oct 06 '22 09:10


You are using the wrong tool to check the communication. Your observation only shows the used protocol - which is HTTP 1.0 or 1.1 even if using SSL/TLS.

Try a tool like SmartSniff or Wireshark to check the real network traffic. You will see that the entire traffic is using port 443 with encrypted data.

The header response of HTTP/1.1 (or 1.0) is absolutely correct for HTTPS traffic; the SSL/TLS encryption does not change the transferred data but is a transport layer on top of HTTP traffic.

Regarding HTTP Analyzer (from their website at http://www.ieinspector.com/httpanalyzer/): "Main Features: Support HTTPS, show you unencrypted data sent over HTTPS / SSL connections as the same level of detail as HTTP."

So, as I said, it decodes the SSL and shows you the HTTP-based, unencrypted traffic.

Regards, Arvid

Frederik Winkelsdorf answered Oct 06 '22 11:10
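
The difference between a wire capture and a decrypting analyzer's view, shown at the byte level (an added example, not code from the question or either answer): the classifier below labels the first bytes of a TCP payload as a TLS record or as readable HTTP. The function names and the sample byte strings are constructed for illustration and are not captured traffic.

```python
import struct

# TLS record content types (RFC 8446 section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLS 1.2 ciphertext fragment


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes of one captured TCP payload."""
    # Readable request or status line: HTTP is visible in the clear.
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "plaintext-http"
    if len(payload) < 5:
        return "unknown"
    # TLS record header: type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "unknown"


# Constructed samples (not captured from the site in the question).
SAMPLES = {
    # Start of a ClientHello as a sniffer sees it on port 443.
    "wire: first client packet": bytes.fromhex("16030100c8010000c40303"),
    # An encrypted record; the 48 body bytes are placeholder ciphertext.
    "wire: later client packet": bytes.fromhex("1703030030") + bytes(48),
    # The same request as a decrypting analyzer displays it.
    "analyzer view": b"GET /esta/ HTTP/1.1\r\nHost: esta.cbp.dhs.gov\r\n\r\n",
}


def classify_all(samples: dict) -> dict:
    return {name: classify_payload(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLES).items():
        print(f"{name:28} -> {verdict}")
```

Payload bytes exported from a Wireshark capture of the application's connection can be passed to `classify_payload` in the same way; a "plaintext-http" verdict on traffic to port 443 would mean the request really left the machine unencrypted.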