Connection failed due to error (75784). Why?

#18562
Posted: 12/22/2011 11:22:53
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

If I set CertificateValidator.MandatoryCRLCheck to 'false' and I add SBLDAPCRL unit in MainForm uses section, the results are:

Validity= cvChainUnvalidated
Reason= vrOCSPNotVerified
#18563
Posted: 12/22/2011 11:41:37
by Eugene Mayevski (EldoS Corp.)

You can set MandatoryOCSPCheck to false as well. In general, it's probably some certificate which is not built correctly (e.g. it contains revocation information which is not valid anymore) or whose responder is down at the moment. In such a situation the validator will complain, and this is correct.


Sincerely yours
Eugene Mayevski
#18608
Posted: 01/04/2012 10:34:10
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

Hi,

I now have a new valid certificate, but executing your TinySigner demo, I always get the same error code: 75784.

...and now why?
#18609
Posted: 01/04/2012 10:52:47
by Ken Ivanov (EldoS Corp.)

In fact, the problem is not with *your* signing certificate, but with the SSL certificate of the timestamping server. The easiest (though not the best from the point of view of security) kind of solution here is to disable revocation checking entirely. This can be done by turning the TElX509CertificateValidator.MandatoryRevocationCheck property off. Having disabled revocation checking, you are likely to succeed with the signing. Still, as I said above, this solution is not the safest one. To find the correct solution you will need to find the exact reason for the validation failure in your environment. It is likely that some certificates from one or more chains constructed during validation are missing from your PC. You might wish to handle the OnBeforeCertificateValidation and OnAfterCertificateValidation events of the TElX509CertificateValidator object and use them to log validation information somewhere (e.g. to a file).
#18610
Posted: 01/04/2012 11:00:58
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

Can I have a simple example of this?
#18611
Posted: 01/04/2012 11:14:08
by Ken Ivanov (EldoS Corp.)

You can create a trace of the validation process in the following way:
  // 1. Assign handlers right after creating the validator
  CertValidator.OnBeforeCertificateValidation := HandleCertValidatorBeforeCertValidation;
  CertValidator.OnAfterCertificateValidation := HandleCertValidatorAfterCertValidation;

// 2. Implement handlers in the following way:
procedure TfrmMain.HandleCertValidatorBeforeCertValidation(Sender : TObject;
  Certificate : TElX509Certificate);
begin
  Log('Validating certificate: ' + Certificate.SubjectName.CommonName);
end;

procedure TfrmMain.HandleCertValidatorAfterCertValidation(Sender : TObject;
  Certificate : TElX509Certificate; CACertificate : TElX509Certificate;
  var Validity : TSBCertificateValidity; var Reason: TSBCertificateValidityReason;
  var DoContinue : boolean);
begin
  Log('Validation done for ' + Certificate.SubjectName.CommonName + ': validity: ' +
    CertValidityToStr(Validity) + ', reason: ' + CertValidityReasonToStr(Reason));
end;

// 3. Auxiliary functions
function CertValidityToStr(V : TSBCertificateValidity): string;
begin
  case V of
    cvOk : Result := 'OK';
    cvSelfSigned : Result := 'Self-signed';
    cvInvalid : Result := 'Invalid';
    cvStorageError : Result := 'Storage error';
    cvChainUnvalidated : Result := 'Chain unvalidated';
  else
    Result := 'Unknown';
  end;
end;

function CertValidityReasonToStr(R : TSBCertificateValidityReason): string;
begin
  Result := '';
  if vrBadData in R then Result := Result + 'Bad data, ';
  if vrRevoked in R then Result := Result + 'Revoked, ';
  if vrNotYetValid in R then Result := Result + 'Not yet valid, ';
  if vrExpired in R then Result := Result + 'Expired, ';
  if vrInvalidSignature in R then Result := Result + 'Invalid signature, ';
  if vrUnknownCA in R then Result := Result + 'Unknown CA, ';
  if vrCAUnauthorized in R then Result := Result + 'CA Unauthorized, ';
  if vrCRLNotVerified in R then Result := Result + 'CRL not verified, ';
  if vrOCSPNotVerified in R then Result := Result + 'OCSP not verified, ';
  if vrIdentityMismatch in R then Result := Result + 'Identity mismatch, ';
  if vrNoKeyUsage in R then Result := Result + 'No key usage, ';
  if vrBlocked in R then Result := Result + 'Blocked, ';
  if Length(Result) > 0 then Result := Copy(Result, 1, Length(Result) - 2);
end;

procedure Log(const S : string);
begin
  // writing trace to TMemo control
  memoLog.Lines.Add(S);
end;


BTW, did switching MandatoryRevocationCheck off help to overcome the 75784 issue?
#18613
Posted: 01/04/2012 11:22:47
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

With MandatoryRevocationCheck switched off, the results are:

Validity= cvChainUnvalidated
Reason= vrOCSPNotVerified
#18614
Posted: 01/04/2012 11:31:55
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

Using your example code, the Log produces these results:

Validating certificate: servizi.arubapec.it
Validation done for servizi.arubapec.it: validity: OK, reason:
Validating certificate: GeoTrust DV SSL CA
Validating certificate: GeoTrust Global OCSP Responder 2
Validation done for GeoTrust Global OCSP Responder 2: validity: OK, reason:
Validating certificate: GeoTrust Global CA
Validation done for GeoTrust Global CA: validity: Self-signed, reason:
Validation done for GeoTrust DV SSL CA: validity: Invalid, reason: OCSP not verified
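As an added example (not from the post, and not SecureBlackbox code), a Python script that parses the trace above, rebuilds the nesting of the before/after events with a stack, and lists the certificates whose own validation did not pass; the trace is embedded as constructed input copied from the log lines above.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the trace from the post above, as the Log handlers emit it.
TRACE = """\
Validating certificate: servizi.arubapec.it
Validation done for servizi.arubapec.it: validity: OK, reason:
Validating certificate: GeoTrust DV SSL CA
Validating certificate: GeoTrust Global OCSP Responder 2
Validation done for GeoTrust Global OCSP Responder 2: validity: OK, reason:
Validating certificate: GeoTrust Global CA
Validation done for GeoTrust Global CA: validity: Self-signed, reason:
Validation done for GeoTrust DV SSL CA: validity: Invalid, reason: OCSP not verified
"""
START = re.compile(r"^Validating certificate: (.+)$")
DONE = re.compile(r"^Validation done for (.+): validity: ([^,]+), reason: ?(.*)$")

@dataclass
class Node:                      # one certificate validation (OnBefore .. OnAfter)
    name: str
    validity: str = "?"
    reasons: list = field(default_factory=list)
    children: list = field(default_factory=list)   # validations nested inside it

def parse_trace(text):
    """A 'Validating' line opens a node; the matching 'Validation done' closes it."""
    roots, stack = [], []
    for line in text.splitlines():
        if m := START.match(line):
            node = Node(m.group(1))
            (stack[-1].children if stack else roots).append(node)
            stack.append(node)
        elif m := DONE.match(line):
            name, validity, reason = m.groups()
            if not stack or stack[-1].name != name:
                raise ValueError("unbalanced trace at: " + line)
            node = stack.pop()
            node.validity = validity.strip()
            node.reasons = [r.strip() for r in reason.split(",") if r.strip()]
    if stack:
        raise ValueError("trace ended inside the validation of " + stack[-1].name)
    return roots

def walk(nodes, depth=0):
    for n in nodes:
        yield depth, n
        yield from walk(n.children, depth + 1)

def failing_certificates(roots):
    """Certificates whose own validation ended in neither OK nor Self-signed."""
    return [(d, n.name, n.validity, n.reasons) for d, n in walk(roots)
            if n.validity not in ("OK", "Self-signed")]
```

For the trace above the only failing entry is the intermediate GeoTrust DV SSL CA with reason "OCSP not verified", while the OCSP responder certificate and the root nested under it validated fine, which points at the OCSP response for that intermediate rather than at a missing chain certificate.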
#18615
Posted: 01/04/2012 11:34:44
by Ken Ivanov (EldoS Corp.)

Please try to switch CheckCRL and CheckOCSP off as well; the issue should definitely go away after that.

Regarding tracing the reason for the validation failure under "normal" configuration, please ensure that you use the following settings:
CheckOCSP := true;
CheckCRL := true;
MandatoryOCSPCheck := false;
MandatoryCRLCheck := false;
MandatoryRevocationCheck := true;
<all other properties left assigned with their default values>
#18624
Posted: 01/05/2012 09:47:18
by Stefano Monterisi (Standard support level)
Joined: 10/05/2011
Posts: 18

Innokentiy Ivanov wrote:
Please try to switch CheckCRL and CheckOCSP off as well, the issue should definitely go after that.

Unfortunately it doesn't work! :-(
Always the same error:
«Connection failed due to error (75784). (Error code is 75784)»

I just installed a piece of software to sign and timestamp: entering the same parameters (URL, user, password) and the same PDF file, it works properly.