EldoS | Feel safer!

Yet Another Connection Lost Question

Posted: 11/15/2011 07:37:19
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 17

Hello to all,

First off, thank you for such a high quality product as SecureBlackBox!

We have been using SecureBlackBox for some time now to our great satisfaction in communicating with webservices hosted by several companies that use client certificate authentication. But now we have encountered an issue with a particular webservice where the communication is aborted with a 'connection lost' message. This is somewhat of a legacy application so it is not using the most up to date version of stuff. The webservice is accessible via SoapUI so I know that communication is possible.
We are using SBB 7.0 .NET in Visual Studio 2005. The webservice we are trying to communicate with is being hosted on an IBM HTTP server (some form of a Java server I guess). I cannot provide the URL we are trying to post to here and client certificates need to be specially authorized. But I am hoping that the stack trace will give an indication of what the problem might be.
I am using a TElHTTPSClient instance for the communication. The instance is initialized as follows:
        client.RequestParameters.ContentType = @"text/xml;charset=UTF-8";
        client.HTTPVersion = SBHTTPSConstants.TSBHTTPVersion.hvHTTP11;
        client.PreferKeepAlive = false;
        client.Versions = SBConstants.Unit.sbSSL3 | SBConstants.Unit.sbTLS1;
        client.SSLEnabled = true;

        // Enable all encryption except anonymous ...
        for (short i = SBConstants.Unit.SB_SUITE_FIRST; i <= SBConstants.Unit.SB_SUITE_LAST; i++)
            client.set_CipherSuites((short)i, true);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_3DES_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_AES128_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_AES256_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_DES_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_DES_SHA_EXPORT, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5_EXPORT, false);

The client certificate chain is built and the end-entity certificate is assigned to the Certificate argument in the OnCertificateNeededEx event handler.
When a request is posted to the service the following error is thrown:
Connection Lost
   at SBSimpleSSL.TElCustomSimpleSSLClient.DoSend(Object Sender, Byte[] Buffer)
   at SBClient.TElSecureClient.DoSend(Byte[] Buffer)
   at SBClient.TElSecureClient.TLS1SendOnRecordLayer(TSSL3ContentType ContentType, Byte[] Buffer, Int32 Epoch)
   at SBClient.TElSecureClient.TLS1SendEncrypted(TSSL3ContentType ContentType, Int32 Len, Int32 Epoch)
   at SBClient.TElSecureClient.TLS1SendAlert(TSBAlertLevel AlertLevel, TSBAlertDescription AlertDescription)
   at SBClient.TElSecureClient.TLS1SendClientKeyExchange()
   at SBClient.TElSecureClient.TLS1ParseServerHelloDone()
   at SBClient.TElSecureClient.TLS1ParseOnHandshakeLayer(Byte[] Buffer)
   at SBClient.TElSecureClient.TLS1ParseOnRecordLayer(Byte[] Buffer, Int32 Size, TSSL3ContentType ContentType, Int32 DTLSEpoch, Int64 DTLSSeqNum)
   at SBClient.TElSecureClient.AnalyzeBuffer()
   at SBClient.TElSecureClient.DataAvailable()
   at SBSimpleSSL.TElCustomSimpleSSLClient.DataAvailable()
   at SBSimpleSSL.TElCustomSimpleSSLClient.IntMessageLoop(Boolean NoPeek)
   at SBSimpleSSL.TElCustomSimpleSSLClient.DoMessageLoop(Boolean NoPeek)
   at SBSimpleSSL.TElCustomSimpleSSLClient.Open()
   at SBHTTPSClient.TElHTTPSClient.PerformRequest(Int32 Method, String URL)
   at SBHTTPSClient.TElHTTPSClient.Post(String URL, Byte[] Content)
   at HttpClient.PostSoapMessage(String url, String soapAction, String message, Stream responseStream) in [my code from here on]

Does this give an idea what the issue might be?

Terence S.

Posted: 11/15/2011 08:36:24
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Try to catch the EElSSLClientConnectionLostError exception and post its ErrorCode property value here. This will give more details about the problem.

Posted: 11/15/2011 09:12:58
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 17

Right, I forgot to add that info: The ErrorCode value is 0.

Posted: 11/15/2011 09:34:09
by Vsevolod Ievgiienko (Team)

It's very similar to this report: http://www.eldos.com/forum/read.php?FID=7&TID=2676 It is recommended to upgrade to the latest SBB 7 build and check if this solves the problem.

Posted: 11/15/2011 09:40:09
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 17

I tried the same with an evaluation version of SBB 9.1 and the error then is:

Connection lost (error code is 100354)

(Hadn't seen your last post. I'll update and report back. But I don't have high hopes, since with the SBB 9.1 evaluation version the issue persists)

Posted: 11/15/2011 09:47:33
by Vsevolod Ievgiienko (Team)

JFYI: error code 100354 means "Communication failed for unidentified reason during sending request or retrieving response".

Posted: 11/15/2011 09:56:08
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 17

I tried with SB 7.2. I'm still getting a connection lost error, but with a difference. The stack trace is now:
   at SBHTTPSClient.TElHTTPSClient.PerformRequest(Int32 Method, String URL)
   at SBHTTPSClient.TElHTTPSClient.Post(String URL, Byte[] Content)

And the exception is now an ElHTTPSConnectionShutdownError.

Thanks for the meaning of the error code. Doesn't really give much additional information though. It seems I'll have to see if I can get some support from the webservice developer...

Posted: 11/15/2011 09:58:52
by Ken Ivanov (Team)

Some SSL servers crash when they encounter too many ciphersuites in the client's handshake request, and Java-based servers have the leading positions here. What I suggest you try is to disable *all* ciphersuites, and then enable the following ones:

Posted: 11/15/2011 10:18:11
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 17

Thank you for the suggestion. I tried it and I am getting Connection failed (error code is 75782) now.

I also tried each ciphersuite individually, same result.

(I'm conducting my tests with the evaluation version of SBB 9.1 because the 7.2 version always gives an error code of 0.)

Posted: 11/15/2011 10:30:35
by Ken Ivanov (Team)

1) What is the value of the Remote parameter passed to the OnError event handler?
2) Do you get the same error with *only* TLS1 or SSL3 turned on?
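
The two suggestions above (offer a reduced suite list, and try TLS1 or SSL3 alone) combined into one probe, as an added example that is not part of the thread and not EldoS code. `HandshakeProbe`, `ProbeSuites` and the `candidates` array are hypothetical names; the suite list from the earlier reply is not preserved on this page, so the caller supplies it, and the client is assumed to be already set up with its certificate handler as in the first post.

```csharp
using System;
using SBHTTPSClient;

// Added example; HandshakeProbe and ProbeSuites are hypothetical names.
static class HandshakeProbe
{
    // Offers exactly one cipher suite under exactly one protocol version
    // per attempt and prints how each attempt ends, so a failure can be
    // tied to a specific version/suite pair instead of the whole offer.
    public static void ProbeSuites(TElHTTPSClient client, string url,
                                   byte[] body, short[] candidates)
    {
        bool[] tls1Choices = new bool[] { false, true };
        foreach (bool tls1 in tls1Choices)
        {
            // Constants are assigned directly, as in the original post.
            if (tls1) client.Versions = SBConstants.Unit.sbTLS1;
            else client.Versions = SBConstants.Unit.sbSSL3;

            foreach (short suite in candidates)
            {
                // Disable every suite, then enable only the one under test.
                for (short i = SBConstants.Unit.SB_SUITE_FIRST;
                     i <= SBConstants.Unit.SB_SUITE_LAST; i++)
                    client.set_CipherSuites((short)i, false);
                client.set_CipherSuites(suite, true);

                string outcome;
                try
                {
                    client.Post(url, body);
                    outcome = "request completed";
                }
                catch (Exception ex)
                {
                    // Record the exception type and message; the thread
                    // shows both changing between SBB builds.
                    outcome = ex.GetType().Name + ": " + ex.Message;
                }
                Console.WriteLine("{0} suite {1}: {2}",
                                  tls1 ? "TLS1" : "SSL3", suite, outcome);
            }
        }
    }
}
```

If every pair fails the same way, the number of offered suites is unlikely to be the cause, which matches the result reported above for testing each ciphersuite individually.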




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.