What exactly happens in Indy when a simple HTTPS request from a browser causes the debugger to break with this error:
Project PMS_COM.exe raised exception class EIdOSSLUnderlyingCryptoError with message 'Error accepting connection with SSL.
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown'.
Some on the Internet say that this is a client certificate error, but there is no client certificate! There is only the server-side certificate.
But if I understood wrong and it is a client-side error, then why does it cause an exception on the server side?
Additionally, I don't understand how to intercept this kind of error. EIdOSSLUnderlyingCryptoError seems to happen somewhere in Indy with no chance to catch it in my code.
EIdOSSLUnderlyingCryptoError is an Indy exception wrapping an OpenSSL error message.
Per SSLv3 alert certificate unknown (4279556):
In this case, the client (browser) is sending an alert to your server to abort the TLS handshake because your server certificate is invalid. That alert is triggering the EIdOSSLUnderlyingCryptoError exception within the server's code. The server will handle the error for you, by closing its end of the TCP connection that failed the handshake, and terminate/recycle the worker thread which owns that TCP socket.
If you want to catch the error, you can use the server's OnException event, which is triggered in the same thread that owns the TCP connection that failed the TLS handshake.
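Added example (not part of the original question or answer, and not Indy code): a small Python decoder for the packed OpenSSL 1.x error code in the message above. It shows that reason 1046 is 1000 plus TLS alert 46 (certificate_unknown), which is how OpenSSL reports an alert received from the peer rather than a local failure. The function name, the alert subset and the second sample line are choices made for this illustration.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); subset useful for handshake triage.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERR_LIB_SSL = 20             # 0x14: the "SSL routines" library in OpenSSL 1.x
SSL_AD_REASON_OFFSET = 1000  # OpenSSL 1.x: reason = 1000 + alert number for received alerts

# Matches "error:<8 hex digits>:<lib>:<func>:<reason text>" anywhere in a log line.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Unpack an OpenSSL 1.x error line; return None if the line has no error code."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF      # ERR_GET_LIB
    func = (code >> 12) & 0xFFF    # ERR_GET_FUNC
    reason = code & 0xFFF          # ERR_GET_REASON
    alert = None
    # Alert numbers fit in one byte, so a peer alert has reason 1001..1255.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert) if alert is not None else None,
        "text": m.group(4).strip().rstrip("'."),
    }


if __name__ == "__main__":
    # First line is the message from the question; second is a sample added for contrast.
    for sample in (
        "error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown'.",
        "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    ):
        print(decode_openssl_error(sample))
```

A non-None peer_alert means the remote side rejected the handshake, so the thing to inspect is the certificate the server presents, not the server's exception handling.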