Yet Another Connection Lost Question

#18199
Posted: 11/15/2011 11:14:48
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

1) When I get the 100354 error the OnError event is not fired. When I get the 75782 error the event is fired and the Remote parameter is true.
2) There is no difference with only TLS1 enabled. But with only SSL3 enabled the OnError is fired once with ErrorCode=75800, Fatal=false, Remote=true. Then I get the 100354 error without the OnError event being fired.

(I get the 100354 and 75800 error codes with the four cipher suites enabled.
I get the 75782 error code when SB_SUITE_RSA_RC4_SHA is not enabled.)
#18202
Posted: 11/15/2011 12:02:30
by Ken Ivanov (EldoS Corp.)

Thank you for the details.

Let's proceed with SBB 9.1 for now to minimize the risks of various compatibility issues.

Error 75800 (0x12818) is a CLOSE_NOTIFY error and is actually not an error but a graceful session closure notification. I have no idea why the server closes the connection in this way; it is normally used to close the connection after a successful data exchange has been completed.

I've also re-read your last messages and some aspects of the issue are not clear enough for me. Could you please let us know what symptoms you get if a TLS1 (or SSL3 + TLS1) connection with the four ciphersuites is attempted? Do you get the 75800 or the 75782 error, or...?
#18203
Posted: 11/16/2011 03:24:19
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

Re-reading my posts I can see the lack of clarity. I will try to remedy that.

With this code:
Code
client.Versions = SBConstants.Unit.sbSSL3;
// Disable all encryption ...
for (short i = SBConstants.Unit.SB_SUITE_FIRST; i <= SBConstants.Unit.SB_SUITE_LAST; i++)
{
    client.set_CipherSuites((short)i, false);
}
// Enable a few...
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_RC4_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_DES_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_3DES_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DHE_RSA_3DES_SHA, true);

I get 75800 in the OnError event and then 100354 in the EElHTTPSConnectionShutdownError exception.

With this code:
Code
client.Versions = SBConstants.Unit.sbSSL3 | SBConstants.Unit.sbTLS1;
// Disable all encryption ...
for (short i = SBConstants.Unit.SB_SUITE_FIRST; i <= SBConstants.Unit.SB_SUITE_LAST; i++)
{
    client.set_CipherSuites((short)i, false);
}
// Enable a few...
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_RC4_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_DES_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_RSA_3DES_SHA, true);
client.set_CipherSuites(SBConstants.Unit.SB_SUITE_DHE_RSA_3DES_SHA, true);

I only get 100354.

The above is also the case if only the SB_SUITE_RSA_RC4_SHA cipher suite is enabled.

Whenever I do not enable the SB_SUITE_RSA_RC4_SHA cipher suite, but I do enable the other three, or only one of them, I get 75782, both in the OnError event and as an EElSimpleSSLClientError exception.
#18204
Posted: 11/16/2011 04:50:43
by Ken Ivanov (EldoS Corp.)

Right, thank you very much for the clarification.

According to the above, I may conclude that the server only supports the SB_SUITE_RSA_RC4_SHA cipher suite from the above set of four. So it makes sense to switch it on and run all the further tests with this cipher suite enabled.

Could you please check which of the following events are fired before the component errors out:
- OnCertificateValidate,
- OnCertificateNeededEx,
- OnRedirection?

Please use the SSL3 + TLS1 configuration with the four cipher suites enabled.
#18205
Posted: 11/16/2011 06:22:00
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

I've added some logging and this is the sequence of the events before erroring out:
Code
13:18:14:464  ---- Start of Call ----
13:18:14:537  OnPreparedHeaders
13:18:14:639  OnCertificateValidate
13:18:14:642  OnCertificateValidate
13:18:14:646  OnCertificateNeededEx
13:18:14:816  OnSendData
13:18:15:067  ----- End of Call -----
#18206
Posted: 11/16/2011 07:40:16
by Ken Ivanov (EldoS Corp.)

Hmm, looks quite interesting. First, as OnSendData does fire, the TLS part of the connection appears to be negotiated successfully (as application-layer data is only sent after the TLS handshake succeeds).

Next, and what is of bigger interest for me, is that OnCertificateNeededEx is only fired once. This can only happen if the certificate object passed to it back from your code is null. If it isn't, OnCertificateNeededEx will fire repeatedly until it gets null back from the user (so it always fires at least twice if a non-empty certificate object exists on client side). Could you please re-check that the certificate object you are passing back from OnCertificateNeededEx is not null?
#18207
Posted: 11/16/2011 07:58:10
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

Thanks for sticking with it all this time...

There is another instance in which OnCertificateNeededEx only fires once, when the certificate returned is part of a certificate chain. That is the case here: I've created a .pfx file that contains the end-entity certificate and all the other certificates in its certification path. I've confirmed that the certificate object passed is not null and that its Chain property is assigned.


Code
void client_OnCertificateNeededEx(object Sender, ref TElX509Certificate Certificate)
{
    WriteLog("OnCertificateNeededEx");
    SBCustomCertStorage.TElMemoryCertStorage memStore =
       new SBCustomCertStorage.TElMemoryCertStorage();

    // Load the PFX (end-entity certificate plus its issuers) into the store
    byte[] buffer = File.ReadAllBytes(@"\path\to\a\cert.pfx");
    memStore.LoadFromBufferPFX(buffer, "*******");
    // Build the certification path starting from the first certificate
    SBX509.TElX509CertificateChain chain = memStore.BuildChain(0);

    Certificate = chain.get_Certificates(0);
    // at this point Certificate is assigned to the end entity certificate in
    // the chain and its Certificate.Chain property is assigned
}
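Putting Ken's two observations together (the OnCertificateNeededEx contract from #18206, where the component keeps calling the event until it gets null back, and the CLOSE_NOTIFY meaning of 75800 from #18202), here is an added example that is not code from this thread or from EldoS. It loads the PFX once at startup instead of on every callback, returns the end-entity certificate with its Chain on the first call and null afterwards, and has OnError log a close_notify separately from real failures. The OnError delegate parameters follow the names used in the thread but the exact delegate type is assumed, LoadFromBufferPFX is assumed to return 0 on success, and Reset() is a helper of this example; the 0x12818 value and the TElMemoryCertStorage / BuildChain / get_Certificates calls are the ones already shown above.

```csharp
using System;
using System.IO;
using SBX509;
using SBCustomCertStorage;

// Added example, not EldoS code: supplies the client certificate to
// TElHTTPSClient.OnCertificateNeededEx and classifies OnError codes.
public class ClientCertProvider
{
    // 75800 (0x12818) is the CLOSE_NOTIFY code named in post #18202:
    // a graceful closure by the peer, not a protocol failure.
    public const int ErrorCloseNotify = 0x12818;

    private readonly TElX509Certificate endEntity;
    private bool handedOut;

    public ClientCertProvider(string pfxPath, string pfxPassword)
    {
        // Load the PFX once, not in every callback. The password comes from
        // the caller (configuration or a secret store), never as a literal.
        byte[] buffer = File.ReadAllBytes(pfxPath);
        TElMemoryCertStorage memStore = new TElMemoryCertStorage();
        // Assumption: LoadFromBufferPFX returns 0 on success.
        int rc = memStore.LoadFromBufferPFX(buffer, pfxPassword);
        if (rc != 0)
            throw new InvalidOperationException("PFX load failed, code " + rc);
        // BuildChain(0) puts the end-entity certificate first and links its
        // issuers through the Chain property (as in post #18207).
        TElX509CertificateChain chain = memStore.BuildChain(0);
        endEntity = chain.get_Certificates(0);
    }

    // Helper of this example: call before each request so the certificate
    // is offered again on the next handshake.
    public void Reset()
    {
        handedOut = false;
    }

    // Signature taken from the handler shown in post #18207.
    public void OnCertificateNeededEx(object Sender, ref TElX509Certificate Certificate)
    {
        if (handedOut)
        {
            // Second or later call: hand back null so the component stops
            // asking (the contract described in post #18206).
            Certificate = null;
            Log("OnCertificateNeededEx: no further certificates");
            return;
        }
        Certificate = endEntity;
        handedOut = true;
        Log("OnCertificateNeededEx: offered end-entity certificate with chain");
    }

    // Parameter names follow the OnError event as discussed in the thread;
    // the exact delegate type is an assumption of this example.
    public void OnError(object Sender, int ErrorCode, bool Fatal, bool Remote)
    {
        if (ErrorCode == ErrorCloseNotify)
        {
            // Graceful closure; worth logging, but not a TLS failure.
            Log(string.Format("close_notify received (0x{0:X}), Remote={1}",
                              ErrorCode, Remote));
            return;
        }
        // Anything else is a real error; keep Fatal/Remote so that the
        // origin of the failure is visible in the log.
        Log(string.Format("TLS error {0} (0x{0:X}) Fatal={1} Remote={2}",
                          ErrorCode, Fatal, Remote));
    }

    // Timestamped log line in the same style as the event trace in #18205.
    private static void Log(string message)
    {
        Console.WriteLine("{0:HH:mm:ss:fff}  {1}", DateTime.Now, message);
    }
}
```

Wiring it up assumes a configured TElHTTPSClient named client: create one ClientCertProvider, attach provider.OnCertificateNeededEx and provider.OnError to the matching events, and call provider.Reset() before each request so the certificate is offered once per handshake and null on the repeat call.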
#18209
Posted: 11/16/2011 08:10:17
by Ken Ivanov (EldoS Corp.)

Great, then everything is OK from this side.

As the connection is established and the HTTP request is sent, it is likely that the issue has nothing to do with the SSL/TLS layer at all. So it might make sense to review HTTP-specific properties, such as the HTTP version, and the content being sent at the HTTP level. Could you please handle the OnData event and check if it is fired (and its output)?
#18211
Posted: 11/16/2011 08:55:22
by Terence Sambo (Standard support level)
Joined: 02/14/2011
Posts: 16

When does the OnData event get fired? I handled it, but it does not show up in the logging, and the break point I set is not hit either.
#18213
Posted: 11/16/2011 09:44:53
by Ken Ivanov (EldoS Corp.)

This means that the server simply closes the connection after receiving a request without providing a reasonable response (so OnData is not fired). As the server does not provide any details of the issue, it is difficult to say what exactly causes it to behave in this way.

It might make sense to check whether the server is confused by the particular request you send, or whether it is a general reaction to every request it receives. Please try to leave all the TElHTTPSClient's settings set to default values (with the only exception of the SSL-related properties), and submit a simple GET request to http://<your-server-address>/. Is OnData fired under this configuration?