EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Error 75784 using httpsclient

#14498
Posted: 09/20/2010 05:16:21
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

I use the ElHTTPSClient component to access an SSL-secured server.
When I work on our development system with a self-created certificate, all works fine.
But on our test system with an official certificate I always get the errors 75784 and 75797 and the connection fails.

This is my Delphi 6 source code to connect to the server:

Code
  nachricht := aMessage.Text;
  url := server_path;
  dummy := 'ssl';
  if sslconnect then
  begin
    form1.HttpsClient.SSLEnabled := True;
    form1.HttpsClient.UseHTTPProxy := False;
    form1.HttpsClient.RequestParameters.Username := user;
    form1.HttpsClient.RequestParameters.Password := passwort;
    post_requestdata := '';
    try
      try
        form1.HttpsClient.Post(url, aMessage.Text);
      except
        // Connection or certificate validation errors end up here
        on E: Exception do
          logging(E.Message);
      end;
      dummy := post_requestdata;
      // No response data: report a connection failure to the caller
      if dummy = '' then
        dummy := '<ErrorDescription>Es konnte keine Verbindung zum Server aufgenommen werden. Möglicherweise ist auf dem Server kein SSL konfiguriert!</ErrorDescription>';
      logging2(dummy, 'antwort.xml');
      Result := dummy;
    finally
      // Always release the connection, whether the POST succeeded or not
      form1.HttpsClient.Close(True);
    end;
  end;


Another application works very fine on the server, so I think the certificate (and the whole chain) is OK.

Best Regards
Joachim Wehmöller
#14500
Posted: 09/20/2010 06:23:57
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Could you please clarify some aspects of your application to us:

1) Does your server require client authentication?
2) What is the value of the Remote parameter passed to the TElHTTPSClient.OnError event?
3) How do you implement OnCertificateValidate event handler?
#14517
Posted: 09/21/2010 00:41:55
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Quote
Innokentiy Ivanov wrote:
Thank you for contacting us.

Could you please clarify some aspects of your application to us:

1) Does your server require client authentication?

We use a domain authentication to log in to our application. The server itself needs no client authentication.
Quote

2) What is the value of the Remote parameter passed to the TElHTTPSClient.OnError event?

Remote is false and Fatal is true.
Quote

3) How do you implement OnCertificateValidate event handler?

Code
procedure TForm1.HttpsClientCertificateValidate(Sender: TObject;
  Certificate: TElX509Certificate; var Validate: Boolean);
var
  Validity: TSBCertificateValidity;
  Reason: TSBCertificateValidityReason;
begin
  // Check Chain for nil before touching it; the chain is only present when
  // the server sent one. Index 1 selects the second certificate of the chain.
  if (Certificate.Chain = nil) or Certificate.Chain.Certificates[1].Equals(Certificate) then
  begin
    CertificateValidator.ValidateForSSL(Certificate, HTTPSClient.RemoteHost,
      HTTPSClient.RemoteIP, hrServer, nil, True, False, Now, Validity, Reason);
    Validate := Validity = cvOk;
  end
  else
    // All other chain entries are accepted without validation
    Validate := True;
end;
#14519
Posted: 09/21/2010 05:34:39
by Ken Ivanov (EldoS Corp.)

Thank you for the details.

First, what is the purpose of the following check?
Quote
if (Certificate.Chain = nil) or Certificate.Chain.Certificates[1].Equals(Certificate) then

The second sub-condition makes the code validate only the second certificate in the chain, if the chain is provided by the server.

Second, the main problem is caused by the fact that the CertificateValidator component fails to validate the certificate received from the server. There are many possible reasons for this. Could you please check the values of Validity and Reason variables after the ValidateForSSL() method returns?
#14523
Posted: 09/22/2010 00:15:09
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Quote
Innokentiy Ivanov wrote:
Thank you for the details.

First, what is the purpose of the following check?
Quote
if (Certificate.Chain = nil) or Certificate.Chain.Certificates[1].Equals(Certificate) then

The second sub-condition makes the code validate only the second certificate in the chain, if the chain is provided by the server.

It was a test value. The normal value is '0', so the first certificate will be validated.
Quote


Second, the main problem is caused by the fact that the CertificateValidator component fails to validate the certificate received from the server. There are many possible reasons for this. Could you please check the values of Validity and Reason variables after the ValidateForSSL() method returns?


Validity is cvChainUnvalidated
Reason is [vrCRLNotVerified]
#14525
Posted: 09/22/2010 02:08:29
by Ken Ivanov (EldoS Corp.)

This means that the component was unable to perform strict validation of the server certificate because it could not obtain revocation information. You can resolve (not to say bypass) the issue by setting the CheckCRL and CheckOCSP properties of the CertificateValidator to false. However, please note that this is a workaround rather than a solution, as it introduces a potential security hole. I suggest that you always have these properties turned on in your application and allow the user to optionally switch them off if the connection to a particular server fails due to a validation error.
#14549
Posted: 09/22/2010 23:57:48
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Quote
Innokentiy Ivanov wrote:
This means that the component was unable to perform strict validation of the server certificate because it could not obtain revocation information. You can resolve (not to say bypass) the issue by setting the CheckCRL and CheckOCSP properties of the CertificateValidator to false. However, please note that this is a workaround rather than a solution, as it introduces a potential security hole. I suggest that you always have these properties turned on in your application and allow the user to optionally switch them off if the connection to a particular server fails due to a validation error.


With this workaround the connection to the server works well.
What information does the component try to obtain and fail to get?
Does it mean the 'CRL Distribution Points'?
#14550
Posted: 09/23/2010 00:09:04
by Ken Ivanov (EldoS Corp.)

The component tries to get a CRL (certificate revocation list) from the location specified in the CRL Distribution Points certificate extension, and fails to do it for some reason (probably the server is inaccessible or the specified URI is wrong).
#14551
Posted: 09/23/2010 00:18:23
by Joachim Wehmöller (Standard support level)
Joined: 09/16/2010
Posts: 12

Quote
Innokentiy Ivanov wrote:
The component tries to get a CRL (certificate revocation list) from the location specified in the CRL Distribution Points certificate extension, and fails to do it for some reason (probably the server is inaccessible or the specified URI is wrong).


When I enter the URL specified in the CRL Distribution Points in Internet Explorer, the browser offers me a file to download. So I think the URL is right and the server is accessible.

In this case the entry in CRL Distribution Points is as follows:

Quote

[1]Sperrlisten-Verteilungspunkt
Name des Verteilungspunktes:
Vollst. Name:
URL=http://crl.serverpass.telesec.de/rl/Deutsche_Telekom_CA_5.crl
[2]Sperrlisten-Verteilungspunkt
Name des Verteilungspunktes:
Vollst. Name:
URL=ldap://ldap.serverpass.telesec.de/cn=Deutsche%20Telekom%20CA%205,ou=Trust%20Center%20Deutsche%20Telekom,o=T-Systems%20Enterprise%20Services%20GmbH,c=de?certificateRevocationlist?base?certificateRevocationlist=*


I tried the first one.
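What the validator is attempting when it reports cvChainUnvalidated / vrCRLNotVerified, and the "strict by default, per-server opt-out" policy Ken recommends above, as an added Go example that is not part of this thread and not SecureBlackbox code. It uses only Go's standard library crypto/x509: it builds a constructed CA and leaf certificate (not the Deutsche Telekom certificates from the thread) whose leaf carries an HTTP and an LDAP distribution point like the dump above, fetches and signature-checks the CRL through an injectable fetcher so it runs offline, and maps the result onto outcome names borrowed from the thread (cvOk, cvInvalid, cvChainUnvalidated, vrCRLNotVerified, vrRevoked). The placeholder URIs and the Outcome/accept helpers are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Outcome mirrors the validator states named in the thread:
// cvOk, cvInvalid (revoked) or cvChainUnvalidated with vrCRLNotVerified.
type Outcome struct{ Validity, Reason, Detail string }

// Fetcher abstracts the network so the example runs offline; a real client
// would do an HTTP GET, the test below injects stubs.
type Fetcher func(url string) ([]byte, error)

// checkRevocation does what the thread says the validator attempts: fetch a
// CRL from the certificate's CRL Distribution Points, verify the issuer's
// signature on it and look the serial up. Only http(s) points are tried, so an
// ldap:// entry like the second one in the thread is skipped. When no CRL can
// be obtained the result is "unvalidated", not "invalid".
func checkRevocation(cert, issuer *x509.Certificate, fetch Fetcher, now time.Time) Outcome {
	detail := "no usable CRL distribution point"
	for _, dp := range cert.CRLDistributionPoints {
		if !strings.HasPrefix(dp, "http://") && !strings.HasPrefix(dp, "https://") {
			continue
		}
		der, err := fetch(dp)
		if err == nil {
			var crl *x509.RevocationList
			if crl, err = x509.ParseRevocationList(der); err == nil {
				err = crl.CheckSignatureFrom(issuer) // an unsigned or foreign CRL is no evidence
			}
			if err == nil && now.After(crl.NextUpdate) {
				err = fmt.Errorf("CRL is stale (nextUpdate %s)", crl.NextUpdate)
			}
			if err == nil {
				for _, rc := range crl.RevokedCertificates {
					if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
						return Outcome{"cvInvalid", "vrRevoked", dp}
					}
				}
				return Outcome{"cvOk", "vrNone", dp}
			}
		}
		detail = dp + ": " + err.Error()
	}
	return Outcome{"cvChainUnvalidated", "vrCRLNotVerified", detail}
}

// accept is the policy Ken recommends: revocation checking stays on, and only
// an explicit per-server opt-out by the user lets a connection proceed when
// revocation information could not be obtained. A confirmed revocation is
// never accepted, opt-out or not.
func accept(o Outcome, userOptedOutOfRevocationCheck bool) bool {
	switch o.Validity {
	case "cvOk":
		return true
	case "cvChainUnvalidated":
		return userOptedOutOfRevocationCheck
	}
	return false
}

// sampleChain builds a constructed CA and leaf (placeholder names and URIs,
// not the thread's real certificates) with an HTTP and an LDAP distribution point.
func sampleChain() (leaf, ca *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "server.example.invalid"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl",
			"ldap://ldap.example.invalid/cn=Constructed%20CA?certificateRevocationList"}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return
}

// sampleCRL issues a CRL signed by the constructed CA, revoking the given serials.
func sampleCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, _ := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	return der
}

func main() {
	leaf, ca, key := sampleChain()
	down := func(url string) ([]byte, error) { return nil, fmt.Errorf("connect timeout") }
	o := checkRevocation(leaf, ca, down, time.Now())
	fmt.Printf("%+v strict=%v opt-out=%v\n", o, accept(o, false), accept(o, true))
	reachable := func(url string) ([]byte, error) { return sampleCRL(ca, key), nil }
	fmt.Printf("%+v\n", checkRevocation(leaf, ca, reachable, time.Now()))
}
```

The unreachable-CRL case produces exactly the pair reported in the thread (chain unvalidated, CRL not verified) rather than a hard failure, which is why disabling CheckCRL/CheckOCSP makes the connection succeed: the validator has no evidence either way. Keeping the decision in accept(), with the opt-out scoped to a user choice per server, is the structure Ken suggests instead of flipping the properties off globally.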
#14552
Posted: 09/23/2010 00:54:55
by Ken Ivanov (EldoS Corp.)

Hmm, and is the server itself accessible from the Internet? If yes, could you please give us its address (you can do this privately via Helpdesk) so that we could test the component with it?