
TFPHTTPClient with GnuTLS fails on some TLS websites

Summary

Objective: do a GET request over HTTPS.
Using TFPHTTPClient with GnuTLS succeeds for some web addresses but raises an exception for others. For a given address the outcome is consistent across runs. It may be related to the TLS settings or certificate of these websites, but gnutls-cli connects to all of them without problems, and the failing ones include very common websites such as Google and Microsoft.

System Information

  • Operating system: Linux, both Ubuntu 22.10 and Arch
  • Processor architecture: x86-64
  • Compiler version: 3.2.2
  • Device: Laptop

Steps to reproduce

Pascal program to reproduce:

program project1;

{$mode objfpc}{$H+}

uses SysUtils, fphttpclient, gnutls, gnutlssockets;

const URLS: array[0..7] of string = (
  'https://www.belastingdienst.nl',
  'https://www.overheid.nl',
  'https://fancyssl.hboeck.de/',
  'https://www.badssl.com',
  'https://www.freepascal.org',
  'https://www.ubuntu.com',
  'https://www.google.com',
  'https://www.microsoft.com'
);

// Fetch each URL once; a raised exception counts as a failure for that URL.
procedure TryURLs;
var
  URL: string;
begin
  for URL in URLS do
    try
      with TFPHTTPClient.Create(nil) do
        try
          // Follow 3xx redirects so a moved page is not reported as a failure.
          AllowRedirect := True;
          Get(URL);
        finally
          Free;
        end;
      WriteLn(URL, ' succeeded.');
    except
      on E: Exception do
        WriteLn(Format('%s failed! (%s)', [URL, E.Message]));
    end;
end;

begin
  TryURLs;
end.

Result of running this program:

$ ./project1 
https://www.belastingdienst.nl succeeded.
https://www.overheid.nl succeeded.
https://fancyssl.hboeck.de/ succeeded.
https://www.badssl.com succeeded.
https://www.freepascal.org failed! (Error reading data from socket)
https://www.ubuntu.com failed! (Error reading data from socket)
https://www.google.com failed! (Error reading data from socket)
https://www.microsoft.com failed! (Error reading data from socket)

Result of using gnutls-cli for the same web addresses:

$ for url in www.belastingdienst.nl www.overheid.nl fancyssl.hboeck.de badssl.com www.freepascal.org www.ubuntu.com www.google.com www.microsoft.com; do echo $url; echo "^C" | gnutls-cli $url | grep -E "Status|Handshake"; done
www.belastingdienst.nl
- Status: The certificate is trusted. 
- Handshake was completed
www.overheid.nl
- Status: The certificate is trusted. 
- Handshake was completed
fancyssl.hboeck.de
- Status: The certificate is trusted. 
- Handshake was completed
badssl.com
- Status: The certificate is trusted. 
- Handshake was completed
www.freepascal.org
- Status: The certificate is trusted. 
- Handshake was completed
www.ubuntu.com
- Status: The certificate is trusted. 
- Handshake was completed
www.google.com
- Status: The certificate is trusted. 
- Handshake was completed
www.microsoft.com
- Status: The certificate is trusted. 
- Handshake was completed
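The loop above greps only the Status and Handshake lines, which are identical for all eight hosts. The script below is an added example, not part of the original report, that also extracts the Description line gnutls-cli prints, which records the negotiated TLS version and cipher suite, so the four hosts that fail in TFPHTTPClient can be compared with the four that succeed on the parameters a TLS client actually negotiates. Whether the failing hosts share something the working ones do not is a question the report leaves open; this collects the data needed to answer it. The probe_host function assumes gnutls-cli is installed and network access is available; the two sample sessions are constructed for the offline check, not real captures.

```shell
#!/bin/sh
# Added example (not from the original report): summarise a gnutls-cli
# session into one line of the form "<status>|<description>".
# Usage: ./probe.sh www.example.test www.other.test   (live probes, one per argument)
#        ./probe.sh                                    (only the offline samples)

# Parse gnutls-cli output read from stdin.
#   status:      "trusted", "untrusted", "no-handshake" or "unknown"
#   description: the text after "- Description: " (negotiated TLS version
#                and cipher suite), or "-" when the line is absent
summarize_gnutls() {
  awk '
    /^- Status: The certificate is trusted/     { status = "trusted" }
    /^- Status: The certificate is NOT trusted/ { status = "untrusted" }
    /^- Handshake was completed/                { handshake = 1 }
    /^- Description: /                          { desc = substr($0, 16) }
    END {
      if (!handshake)   status = "no-handshake"
      if (status == "") status = "unknown"
      if (desc == "")   desc = "-"
      print status "|" desc
    }'
}

# Pull just the protocol version (e.g. "TLS1.3") out of a description such as
# "(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)".
tls_version() {
  printf '%s\n' "$1" | sed -n 's/^(\(TLS[0-9.]*\).*/\1/p'
}

# Live probe of one host on port 443. Stdin is closed immediately so the
# session ends right after the handshake, which is all we want to inspect.
probe_host() {
  gnutls-cli --port 443 "$1" </dev/null 2>&1 | summarize_gnutls
}

# Constructed sample sessions (not real captures) for an offline check.
SAMPLE_TRUSTED='- Certificate type: X.509
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 00:11:22
- Handshake was completed'
SAMPLE_ALERT='Resolving host.example:443...
Connecting to 192.0.2.10:443...
*** Fatal error: A TLS fatal alert has been received.'

# Summarise a captured session held in a string.
report_sample() {
  printf '%s\n' "$1" | summarize_gnutls
}

# Offline demonstration on the constructed samples.
for s in "$SAMPLE_TRUSTED" "$SAMPLE_ALERT"; do
  line=$(report_sample "$s")
  printf '%s (version: %s)\n' "$line" "$(tls_version "${line#*|}")"
done

# Live probes, one per host given on the command line.
for host in "$@"; do
  printf '%s ' "$host"
  probe_host "$host"
done
```

Run it with the eight hosts from the report as arguments and compare the version and cipher-suite column between the hosts that succeed in TFPHTTPClient and those that fail; a difference there points at what to look for in the GnuTLS socket handler, an identical column rules that dimension out.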

What is the current bug behavior?

For some web addresses an exception is raised (Error reading data from socket); for others the GET request succeeds.

What is the expected (correct) behavior?

The GET request should succeed for all web addresses (at least for those with a valid certificate).
