EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Error after updating certificate

Posted: 01/12/2016 03:09:36
by  kuo kuo
We recently renewed a client certificate that we use for an SSL connection. I installed this certificate in the personal store (the old one was/is still in the root) of the local computer. I changed the settings in the BizTalk receive location to use the personal store instead of the root. This all works correctly, as evidenced by the detailed log that still shows one client certificate loaded (I have played around with this by copying the certificate, removing it, etc., just to make sure). Since then, however, I get the error

"Error: Control channel transfer error (error code is 10053)" apparently based on the ssl error
"EldoS FTPS Adapter: SSL protocol error: 75782, remote: True
[1/12/2016 8:57 AM] EldoS FTPS Adapter: Call stack: at BizCrypto.BizTalk.Adapters.FTPS.FTPSCommon.client_OnSSLError(Object Sender, Int32 ErrorCode, Boolean Fatal, Boolean Remote)
at SBSimpleFTPS.TElSimpleFTPSClient.HandleSecureClientError(Object Sender, Int32 ErrorCode, Boolean Fatal, Boolean Remote)
at SBClient.TElSecureClient.DoError(Int32 ErrorCode, Boolean Fatal, Boolean Remote)
at SBClient.TElSecureClient.TLS1ParseOnAlertLayer(Byte[] Buffer)
at SBClient.TElSecureClient.TLS1ParseOnRecordLayer(Byte[] Buffer, Int32 Size, TSSL3ContentType ContentType, Int32 DTLSEpoch, Int64 DTLSSeqNum)
at SBClient.TElSecureClient.AnalyzeBuffer()
at SBClient.TElSecureClient.DataAvailable()
at SBSimpleFTPS.TElSimpleFTPSClient.EstablishSSLSession()
at SBSimpleFTPS.TElSimpleFTPSClient.Login()
at BizCrypto.BizTalk.Adapters.FTPS.FTPSCommon.DoFTPSOperation(IBaseMessage message, AdapterProperties props, Boolean upload, ArrayList fileList)
at BizCrypto.BizTalk.Adapters.FTPS.FTPSReceiverEndpoint.PickupFilesAndSubmit()
at BizCrypto.BizTalk.Adapters.FTPS.FTPSReceiverEndpoint.EndpointTask()
at BizCrypto.BizTalk.Adapters.FTPS.FTPSReceiverEndpoint.ControlledEndpointTask(Object val)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean ignoreSyncCtx)
at System.Threading._TimerCallback.PerformTimerCallback(Object state)

[1/12/2016 8:57 AM] EldoS FTPS Adapter: Error: Error occured while enabling SSL/TLS on command channel"
Posted: 01/12/2016 04:31:02
by Ken Ivanov (EldoS Corp.)

Thank you for getting in touch with us.

As per the trace, the connection is closed due to error 75782 (0x12806, ERROR_SSL_HANDSHAKE_FAILURE) originating from the server. In particular, this error indeed may have something to do with the certificate you've updated.

Let's try to narrow down the issue:

1. Are you able to connect to the server with your new certificate with some other software? It would be useful to have some form of arbitration here.

2. Do you have your certificate in a PFX file? If you do, it makes sense to try to reference it from the file instead of the Personal store and check if it changes anything.

3. Did the connectivity issue immediately follow the change of the certificate? I.e. could it be that something else has changed on the server around the same time that prospectively could cause the issue?

Posted: 01/12/2016 07:16:02
by  kuo kuo
Yes, the certificate is also used in a call to a webservice from another government agency, via a .NET proxy client, and that connection works.

I've tried it as a file and it makes no difference.

Yes, the problem occurred immediately after implementing the certificate. After changing the configuration back to look for the old certificate in the root, the problem disappears (well, until yesterday, since the certificate has since expired).

I also tried different ciphers and different SSL/TLS versions, as was suggested by the description of the 75782 error code, but this has not helped.
Posted: 01/12/2016 09:19:49
by Ken Ivanov (EldoS Corp.)

Thank you for checking that. Your findings confirm that the problem is specific to the new certificate.

The most likely reason is that the service requires connecting clients to provide the whole chain of certificates and not solely their signing certificates. Could you please try to put the whole chain (your end user certificate, any intermediate CA certificates, and the root certificate) into a PFX file and then assign a path to that file to the Certificate Path property?
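
The bundling step suggested in the reply above, as an added example that is not part of the thread or of EldoS's own code: it builds a PFX with and without the CA chain and checks whether the certificates inside the file alone chain to the root. It assumes the OpenSSL command-line tool is available; the CA hierarchy, file names and password are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. Every name, file and password below is constructed for the demo.
set -eu

make_demo_chain() {   # $1 = work dir; builds root -> intermediate -> client
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  for n in inter client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
  done
  # The intermediate needs CA:TRUE, otherwise it cannot act as an issuer.
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -days 2 -out "$1/inter.pem" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -CAcreateserial -days 2 -out "$1/client.pem" 2>/dev/null
  cat "$1/inter.pem" "$1/root.pem" > "$1/chain.pem"
}

make_pfx() {          # $1 = dir, $2 = output PFX, $3 = password, $4 = optional CA bundle
  openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.pem" \
    ${4:+-certfile "$4"} -passout "pass:$3" -out "$2"
}

pfx_cert_count() {    # $1 = PFX, $2 = password; prints the number of certificates inside
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

pfx_chain_ok() {      # $1 = PFX, $2 = password, $3 = trusted root PEM
  t=$(mktemp -d)
  # Split the PFX into the end-entity certificate and the CA certificates it carries.
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" -out "$t/cas.pem" 2>/dev/null
  rc=0
  # Intermediates may come only from the PFX itself, so a missing one fails the check.
  openssl verify -CAfile "$3" -untrusted "$t/cas.pem" "$t/leaf.pem" >/dev/null 2>&1 || rc=1
  rm -rf "$t"; return $rc
}

work=$(mktemp -d); make_demo_chain "$work"
make_pfx "$work" "$work/leaf-only.pfx" demo-pass
make_pfx "$work" "$work/full-chain.pfx" demo-pass "$work/chain.pem"
for f in leaf-only full-chain; do
  if pfx_chain_ok "$work/$f.pfx" demo-pass "$work/root.pem"; then s=complete; else s=incomplete; fi
  echo "$f.pfx: $(pfx_cert_count "$work/$f.pfx" demo-pass) certificate(s), chain $s"
done
```
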



