EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Yet Another Connection Lost Question

#18188
Posted: 11/15/2011 07:37:19
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

Hello to all,

First off, thank you for such a high quality product as SecureBlackBox!

We have been using SecureBlackBox for some time now to our great satisfaction in communicating with webservices hosted by several companies that use client certificate authentication. But now we have encountered an issue with a particular webservice where the communication is aborted with a 'connection lost' message. This is somewhat of a legacy application so it is not using the most up to date version of stuff. The webservice is accessible via SoapUI so I know that communication is possible.
We are using SBB 7.0 .NET in Visual Studio 2005. The webservice we are trying to communicate with is being hosted on an IBM HTTP server (some form of a Java server I guess). I cannot provide the URL we are trying to post to here and client certificates need to be specially authorized. But I am hoping that the stack trace will give an indication of what the problem might be.
I am using a TElHTTPSClient instance for the communication. The instance is initialized as follows:
Code
        client.RequestParameters.ContentType = @"text/xml;charset=UTF-8";
        client.HTTPVersion = SBHTTPSConstants.TSBHTTPVersion.hvHTTP11;
        client.PreferKeepAlive = false;
        client.Versions = SBConstants.Unit.sbSSL3 | SBConstants.Unit.sbTLS1;
        client.SSLEnabled = true;

        // Enable all encryption except anonymous ...
        for (short i = SBConstants.Unit.SB_SUITE_FIRST; i <= SBConstants.Unit.SB_SUITE_LAST; i++)
        {
            client.set_CipherSuites((short)i, true);
        }
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_3DES_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_AES128_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_AES256_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_DES_SHA, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_DES_SHA_EXPORT, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5, false);
        client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DH_ANON_RC4_MD5_EXPORT, false);

The client certificate chain is built and the end-entity certificate is assigned to the Certificate argument in the OnCertificateNeededEx event handler.
When a request is posted to the service the following error is thrown:
Code
Connection Lost at SBSimpleSSL.TElCustomSimpleSSLClient.DoSend(Object Sender, Byte[] Buffer)
   at SBClient.TElSecureClient.DoSend(Byte[] Buffer)
   at SBClient.TElSecureClient.TLS1SendOnRecordLayer(TSSL3ContentType ContentType, Byte[] Buffer, Int32 Epoch)
   at SBClient.TElSecureClient.TLS1SendEncrypted(TSSL3ContentType ContentType, Int32 Len, Int32 Epoch)
   at SBClient.TElSecureClient.TLS1SendAlert(TSBAlertLevel AlertLevel, TSBAlertDescription AlertDescription)
   at SBClient.TElSecureClient.TLS1SendClientKeyExchange()
   at SBClient.TElSecureClient.TLS1ParseServerHelloDone()
   at SBClient.TElSecureClient.TLS1ParseOnHandshakeLayer(Byte[] Buffer)
   at SBClient.TElSecureClient.TLS1ParseOnRecordLayer(Byte[] Buffer, Int32 Size, TSSL3ContentType ContentType, Int32 DTLSEpoch, Int64 DTLSSeqNum)
   at SBClient.TElSecureClient.AnalyzeBuffer()
   at SBClient.TElSecureClient.DataAvailable()
   at SBSimpleSSL.TElCustomSimpleSSLClient.DataAvailable()
   at SBSimpleSSL.TElCustomSimpleSSLClient.IntMessageLoop(Boolean NoPeek)
   at SBSimpleSSL.TElCustomSimpleSSLClient.DoMessageLoop(Boolean NoPeek)
   at SBSimpleSSL.TElCustomSimpleSSLClient.Open()
   at SBHTTPSClient.TElHTTPSClient.PerformRequest(Int32 Method, String URL)
   at SBHTTPSClient.TElHTTPSClient.Post(String URL, Byte[] Content)
   at HttpClient.PostSoapMessage(String url, String soapAction, String message, Stream responseStream) in [my code from here on]

Does this give an idea what the issue might be?

Thanks,
Terence S.
#18189
Posted: 11/15/2011 08:36:24
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Try to catch EElSSLClientConnectionLostError exception and post its ErrorCode property value here. This will give more details about the problem.
#18190
Posted: 11/15/2011 09:12:58
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

Right, I forgot to add that info: The ErrorCode value is 0.
#18192
Posted: 11/15/2011 09:34:09
by Vsevolod Ievgiienko (EldoS Corp.)

It's very similar to this report: http://www.eldos.com/forum/read.php?FID=7&TID=2676 It is recommended to upgrade to the latest SBB 7 build and check if this solves the problem.
#18193
Posted: 11/15/2011 09:40:09
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

I tried the same with an evaluation version of SBB 9.1 and the error then is:

Connection lost (error code is 100354)

(Hadn't seen your last post. I'll update and report back. But I don't have high hopes, since with the SBB 9.1 evaluation version the issue persists)
#18194
Posted: 11/15/2011 09:47:33
by Vsevolod Ievgiienko (EldoS Corp.)

JFYI: error code 100354 means "Communication failed for unidentified reason during sending request or retrieving response".
#18195
Posted: 11/15/2011 09:56:08
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

I tried with SB 7.2. I'm still getting a connection lost error but with a difference. The stack trace is now:
Code
   at SBHTTPSClient.TElHTTPSClient.PerformRequest(Int32 Method, String URL)
   at SBHTTPSClient.TElHTTPSClient.Post(String URL, Byte[] Content)


And the exception is now an ElHTTPSConnectionShutdownError.

Thanks for the meaning of the error code. Doesn't really give much additional information though. It seems I'll have to see if I can get some support from the webservice developer...
#18196
Posted: 11/15/2011 09:58:52
by Ken Ivanov (EldoS Corp.)

Some SSL servers crash when they encounter too many ciphersuites in the client's handshake request, and Java-based servers have the leading positions here. What I suggest you try is to disable *all* ciphersuites, and then enable the following ones:

SB_SUITE_RSA_RC4_SHA
SB_SUITE_RSA_DES_SHA
SB_SUITE_RSA_3DES_SHA
SB_SUITE_DHE_RSA_3DES_SHA
#18197
Posted: 11/15/2011 10:18:11
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

Thank you for the suggestion. I tried it and I am getting Connection failed (error code is 75782) now.

I also tried each ciphersuite individually, same result.

(I'm conducting my tests with the evaluation version of SBB 9.1 because the 7.2 version always gives an error code of 0.)
#18198
Posted: 11/15/2011 10:30:35
by Ken Ivanov (EldoS Corp.)

1) What is the value of the Remote parameter passed to the OnError event handler?
2) Do you get the same error with *only* TLS1 or SSL3 turned on?
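
An added example, not part of the thread and not EldoS code: one way to run the isolation steps suggested in the replies above (one cipher suite at a time, with only TLS1 or only SSL3 offered) and record the outcome of each combination. It uses only the SecureBlackBox members that appear in the thread (`set_CipherSuites`, `Versions`, `Post`); `HandshakeProbe` and `Run` are hypothetical names, the four suite constants are assumed to be members of `SBConstants.Unit`, and the caller is assumed to pass a client that is already set up with its certificate handlers and can be reused after a failed request.

```csharp
using System;
using System.Collections.Generic;

public static class HandshakeProbe   // hypothetical helper, not SecureBlackBox code
{
    // The four suites from the reply above; assumed to be SBConstants.Unit members.
    static readonly short[] Suites = {
        SBConstants.Unit.SB_SUITE_RSA_RC4_SHA,
        SBConstants.Unit.SB_SUITE_RSA_DES_SHA,
        SBConstants.Unit.SB_SUITE_RSA_3DES_SHA,
        SBConstants.Unit.SB_SUITE_DHE_RSA_3DES_SHA
    };
    static readonly string[] Names = {
        "RSA_RC4_SHA", "RSA_DES_SHA", "RSA_3DES_SHA", "DHE_RSA_3DES_SHA"
    };

    // Tries every (protocol version, single suite) pair and returns one line per attempt.
    public static List<string> Run(SBHTTPSClient.TElHTTPSClient client, string url, byte[] body)
    {
        List<string> results = new List<string>();
        for (int v = 0; v < 2; v++)
        {
            // Offer exactly one protocol version per pass.
            if (v == 0) client.Versions = SBConstants.Unit.sbTLS1;
            else client.Versions = SBConstants.Unit.sbSSL3;

            for (int s = 0; s < Suites.Length; s++)
            {
                // Disable every suite, then enable only the one under test.
                for (short i = SBConstants.Unit.SB_SUITE_FIRST; i <= SBConstants.Unit.SB_SUITE_LAST; i++)
                    client.set_CipherSuites(i, false);
                client.set_CipherSuites(Suites[s], true);

                string outcome;
                try { client.Post(url, body); outcome = "request completed"; }
                catch (Exception ex) { outcome = ex.GetType().Name + ": " + ex.Message; }

                results.Add((v == 0 ? "TLS1 " : "SSL3 ") + Names[s] + " -> " + outcome);
            }
        }
        return results;
    }
}
```

A combination that completes shows which version and suite the server accepts, and the allowed list can then be narrowed to it. The RC4 and single-DES suites are in the list only because the reply names them for this test.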