Delphi: idHttp+SSL 从服务器获取 403 禁止
Delphi: idHttp+SSL Get 403 Forbidden from Server
一段时间以来,通过 HTTPS 与我们的服务器通信工作正常。
上周供应商改变了一些东西,从现在开始我总是得到 403 错误。
我使用最新的 OpenSSL DLLs V0.9.8
我已将 UserAgent 更改为 "Mozilla/5.0 (Windows NT 10.0)"
SSL 方法是 "sslvSSLv23"
SSL 模式是 "sslmClient"
没有任何帮助。 :(
这是我得到的日志:
SSL Status: "Resolving hostname msselektronik.at."
SSL Status: "Connecting to 85.158.181.20."
SSL StatusInfoEx: Type="Handshake Start", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv2/v3 write client hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server certificate A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server done A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write client key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write change cipher spec A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write finished A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 flush data"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read finished A"
SSL StatusInfoEx: Type="Handshake Done", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="Connect Exit", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="warning Read Alert", Msg="close notify"
SSL Status: "Disconnected."
ResponseText: HTTP/1.1 403 Forbidden
在 Wireshark 日志中,我在 "Client Key Exchange" 之后看到从服务器到客户端的 "Encripted Alert"。
No. Time Source Destination Protocol Length Info
4 1.563661 192.168.0.30 85.158.181.20 SSLv2 181 Client Hello
6 1.590865 85.158.181.20 192.168.0.30 TLSv1 1514 Server Hello
10 1.605380 85.158.181.20 192.168.0.30 TLSv1 1348 Certificate, Server Key Exchange, Server Hello Done
12 1.638612 192.168.0.30 85.158.181.20 TLSv1 380 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 1.676523 85.158.181.20 192.168.0.30 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
14 1.679066 192.168.0.30 85.158.181.20 TLSv1 320 Application Data, Application Data
15 1.711226 85.158.181.20 192.168.0.30 TLSv1 587 Application Data
16 1.711227 85.158.181.20 192.168.0.30 TLSv1 91 Encrypted Alert
19 1.713426 192.168.0.30 85.158.181.20 TLSv1 91 Encrypted Alert
我该怎么做才能使通信恢复正常?
我找到了“403 Forbidden”错误的原因。
在 Apache error.log 中我找到了条目 "No hostname was provided via SNI for a name based virtual host"
这让我进入了页面 NameBasedSSLVHostsWithSNI。
那里描述了确切的行为:
Client doesn't support SNI.
If Apache has SNI support, and a request without the SNI hostname is received for a name-based virtual host over SSL, and SSLStrictSNIVHostCheck is on, it will be rejected (403) and this message logged:
[error] No hostname was provided via SNI for a name based virtual host
If SSLStrictSNIVHostCheck is off, then the request will be handled as if the server did not have SNI support.
我们的提供商似乎更改了配置,因此我必须更新我的 Indy 源以支持 SNI 并更新我的派生 类。
感谢您的帮助。
一段时间以来,通过 HTTPS 与我们的服务器通信工作正常。
上周供应商改变了一些东西,从现在开始我总是得到 403 错误。
我使用最新的 OpenSSL DLLs V0.9.8
我已将 UserAgent 更改为 "Mozilla/5.0 (Windows NT 10.0)"
SSL 方法是 "sslvSSLv23"
SSL 模式是 "sslmClient"
没有任何帮助。 :(
这是我得到的日志:
SSL Status: "Resolving hostname msselektronik.at."
SSL Status: "Connecting to 85.158.181.20."
SSL StatusInfoEx: Type="Handshake Start", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="before/connect initialization"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv2/v3 write client hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server hello A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server certificate A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read server done A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write client key exchange A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write change cipher spec A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 write finished A"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 flush data"
SSL StatusInfoEx: Type="Connect Loop", Msg="SSLv3 read finished A"
SSL StatusInfoEx: Type="Handshake Done", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="Connect Exit", Msg="SSL negotiation finished successfully"
SSL StatusInfoEx: Type="warning Read Alert", Msg="close notify"
SSL Status: "Disconnected."
ResponseText: HTTP/1.1 403 Forbidden
在 Wireshark 日志中,我在 "Client Key Exchange" 之后看到从服务器到客户端的 "Encripted Alert"。
No. Time Source Destination Protocol Length Info
4 1.563661 192.168.0.30 85.158.181.20 SSLv2 181 Client Hello
6 1.590865 85.158.181.20 192.168.0.30 TLSv1 1514 Server Hello
10 1.605380 85.158.181.20 192.168.0.30 TLSv1 1348 Certificate, Server Key Exchange, Server Hello Done
12 1.638612 192.168.0.30 85.158.181.20 TLSv1 380 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
13 1.676523 85.158.181.20 192.168.0.30 TLSv1 113 Change Cipher Spec, Encrypted Handshake Message
14 1.679066 192.168.0.30 85.158.181.20 TLSv1 320 Application Data, Application Data
15 1.711226 85.158.181.20 192.168.0.30 TLSv1 587 Application Data
16 1.711227 85.158.181.20 192.168.0.30 TLSv1 91 Encrypted Alert
19 1.713426 192.168.0.30 85.158.181.20 TLSv1 91 Encrypted Alert
我该怎么做才能使通信恢复正常?
我找到了“403 Forbidden”错误的原因。
在 Apache error.log 中我找到了条目 "No hostname was provided via SNI for a name based virtual host"
这让我进入了页面 NameBasedSSLVHostsWithSNI。
那里描述了确切的行为:
Client doesn't support SNI.
If Apache has SNI support, and a request without the SNI hostname is received for a name-based virtual host over SSL, and SSLStrictSNIVHostCheck is on, it will be rejected (403) and this message logged:
[error] No hostname was provided via SNI for a name based virtual host
If SSLStrictSNIVHostCheck is off, then the request will be handled as if the server did not have SNI support.
我们的提供商似乎更改了配置,因此我必须更新我的 Indy 源以支持 SNI 并更新我的派生 类。
感谢您的帮助。