EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problem using TElHTTPSClient with a SNI configured server.

#29117
Posted: 04/04/2014 03:52:08
by Luc van Donkersgoed (Standard support level)
Joined: 04/04/2014
Posts: 3

Hello,

I've been struggling with the trial version of SecureBlackbox in WindowsPhone 8 for a few days now, regarding communicating with a SNI configured server. It also seems I'm pretty close to the solution.

What i've got so far:

client setup
Code
TElHTTPSClient client = new TElHTTPSClient();
client.OnCertificateValidate += HTTPSClient_OnCertificateValidate;  // decides whether the server certificate is accepted
client.OnError += _HTTPSClient_OnError;                              // receives ErrorCode / Fatal / Remote


Connecting using TLS1.2
Code
client.Versions = SBSSLConstants.Unit.sbTLS12;  // TLS 1.2 only
client.Extensions.ServerName.Enabled = true;    // enable the server_name (SNI) extension
int idx = client.Extensions.ServerName.Add();
client.Extensions.ServerName.get_Names(idx).NameType = SBSSLCommon.TSBSSLServerNameType.ntHostName;
client.Extensions.ServerName.get_Names(idx).Name = this.hostname;  // host name the server should select its certificate for


This setup gives me the correct certificate.
(Not the first certificate known to the server, but the one I requested using the ServerName extension.)
And the provided certificate also validates correctly using the ValidateForSSL method.

Code
_certificateValidator.ValidateForSSL(
   X509Certificate,       // Certificate
   this.hostname,         // DomainName
   "",                    // IPAddress
   TSBHostRole.hrServer,  // HostRole
   _certStore,            // AdditionalCertificates
   false,                 // CompleteChainValidation
   false,                 // ResetCertificateCache
   DateTime.Now,          // ValidityMoment
   ref Validity,          // ref Validity
   ref Reason             // ref Reason
   );

// result: Validity == cvOk;


However, the OnError event handler is triggered with the following parameters:
Code
ErrorCode = 75797
Fatal = True
Remote = False


Connecting using SSL3
Code
client.Versions = SBSSLConstants.Unit.sbSSL3


This setup gives me the wrong certificate (the first one known to the server), but if I implement the Validate method as shown below all communications are handled correctly.
Code
private void HTTPSClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref SBUtils.TSBBoolean Validate)
{
   // Accepts every certificate unconditionally: no chain, name or expiry check is performed.
   Validate = true;
}


So this setup gives me a working communication channel with the server but the certificates are not validated. (no OnError event is triggered)

Combining SSL3 and TLS12
Code
client.Versions = SBSSLConstants.Unit.sbTLS12 | SBSSLConstants.Unit.sbSSL3;
client.Extensions.ServerName.Enabled = true;
int idx = client.Extensions.ServerName.Add();
client.Extensions.ServerName.get_Names(idx).NameType = SBSSLCommon.TSBSSLServerNameType.ntHostName;
client.Extensions.ServerName.get_Names(idx).Name = this.hostname;


This setup seems to prefer SSL3 over TLS because the wrong certificate is provided, as it was in the previous (second) setup.


Question
I want to do specific checks on the certificate, and because the server is using SNI I should use TLS to get the correct certificate.
It seems it's not possible to get a working connection over TLS, though I can get a working connection using SSL3.


- I think I want a working connection using only TLS, so what am I doing wrong?
- If this is not possible, how can I combine TLS and SSL3 in the correct way?


I have also tried adding several different cryptography suites to the client, which are supported by the server, but it did not help.
I also tried using all combinations of SSL3, SSL2, TLS12 and TLS11 (in combination with TLS1).
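The post above gets a working channel only by returning Validate = true for every certificate, which switches certificate checking off entirely. The block below is an added example, not code from the post or from EldoS, that keeps the SNI + TLS 1.2 setup and moves the ValidateForSSL call from the post into OnCertificateValidate, so the name requested through SNI is checked against the certificate the server actually sent. It also applies the crypto-provider line given later in the thread. The type names SBCertValidator.TElX509CertificateValidator, SBCustomCertStorage.TElMemoryCertStorage and SBX509.TSBCertificateValidity, the int Reason parameter, client.Get and the OnError delegate signature are assumptions about the SecureBlackbox 11 .NET API that do not appear on the page; every other call is taken from the thread. SSL 3.0 is offered nowhere in it: SNI is a TLS extension and an SSL 3.0 handshake cannot carry it.

```csharp
// Added example (not from the original post or from EldoS): SNI over TLS 1.2 with
// the server certificate actually validated inside OnCertificateValidate.
// Names marked ASSUMED do not appear on the page; they follow SecureBlackbox 11
// .NET naming and must be checked against the build you use.
using System;

public class SniHttpsClient
{
    private readonly string hostname;
    // ASSUMED type names for the validator and the additional-certificate store.
    private readonly SBCertValidator.TElX509CertificateValidator certValidator =
        new SBCertValidator.TElX509CertificateValidator();
    private readonly SBCustomCertStorage.TElMemoryCertStorage additionalCerts =
        new SBCustomCertStorage.TElMemoryCertStorage();

    public SniHttpsClient(string hostname)
    {
        this.hostname = hostname;
    }

    public void Get(string url)
    {
        // Workaround from the thread for the WP8 crypto-provider glitch; must run before connecting.
        if (SBCryptoProvManager.Unit.DefaultCryptoProviderManager().BuiltInCryptoProvider != null)
        {
            ((SBCryptoProvBuiltIn.TElBuiltInCryptoProviderOptions)
                SBCryptoProvManager.Unit.DefaultCryptoProviderManager().BuiltInCryptoProvider.Options)
                .UsePlatformKeyGeneration = false;
        }

        TElHTTPSClient client = new TElHTTPSClient();
        client.OnCertificateValidate += OnCertificateValidate;
        client.OnError += OnError;

        // TLS only. SNI is a TLS extension (RFC 6066); an SSL 3.0 ClientHello cannot carry it,
        // so a server reached over SSL 3.0 answers with its default certificate.
        client.Versions = SBSSLConstants.Unit.sbTLS12;

        // Ask for the certificate of the virtual host we intend to talk to.
        client.Extensions.ServerName.Enabled = true;
        int idx = client.Extensions.ServerName.Add();
        client.Extensions.ServerName.get_Names(idx).NameType = SBSSLCommon.TSBSSLServerNameType.ntHostName;
        client.Extensions.ServerName.get_Names(idx).Name = hostname;

        client.Get(url);   // ASSUMED: HTTP GET entry point of TElHTTPSClient
    }

    private void OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate,
                                       ref SBUtils.TSBBoolean Validate)
    {
        // ASSUMED enum/type names for the two ref parameters of ValidateForSSL.
        SBX509.TSBCertificateValidity validity = SBX509.TSBCertificateValidity.cvInvalid;
        int reason = 0;

        // Checks the chain and validity period and, because DomainName is passed,
        // that the name requested via SNI matches the certificate the server sent.
        certValidator.ValidateForSSL(
            X509Certificate,
            hostname,
            "",
            TSBHostRole.hrServer,
            additionalCerts,
            true,            // CompleteChainValidation: the post passes false; validate the whole chain
            false,           // ResetCertificateCache
            DateTime.Now,
            ref validity,
            ref reason);

        // Never set Validate = true unconditionally: that disables certificate checking
        // and leaves the channel open to interception.
        bool ok = (validity == SBX509.TSBCertificateValidity.cvOk);
        Validate = ok;
        if (!ok)
        {
            Console.WriteLine("Certificate rejected: validity={0} reason=0x{1:X}", validity, reason);
        }
    }

    // ASSUMED delegate shape; the parameter names match the OnError output shown in the post.
    private void OnError(object Sender, int ErrorCode, bool Fatal, bool Remote)
    {
        Console.WriteLine("SBB error {0} (fatal={1}, remote={2})", ErrorCode, Fatal, Remote);
    }
}
```

Usage: new SniHttpsClient("api.example.com").Get("https://api.example.com/") (host name constructed for illustration). If OnCertificateValidate rejects the certificate, the client aborts the handshake instead of silently continuing, which is the behaviour the accept-all handler in the post loses.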
#29120
Posted: 04/04/2014 04:32:12
by Eugene Mayevski (EldoS Corp.)

I'll answer your questions in the opposite order.

Quote
codingdutchmen wrote:
- If this is not possible, how can I combine TLS and SSL3 in the correct way?


Many servers won't accept this for security reasons.

Quote
codingdutchmen wrote:
- I think I want a working connection using only TLS, so what am I doing wrong?


You are doing everything correctly, yet TLS 1.2 is a very fresh version and its support in both clients and servers sometimes has glitches. So we need to find out the reason for the problem and the way to fix it.

1) Did you try the latest build of SecureBlackbox 11 (build 248, now on the site)? If no, please do this now.

2) Did you try the same code on desktop? If not, please do this - we need to ensure that the issue is not caused by WP8 target.

3) Did you try TLS 1.1 only (without any combinations)? What was the result?

If none of the above works, we'll probably need the address of the server from you to test connectivity ourselves.


Sincerely yours
Eugene Mayevski
#29133
Posted: 04/04/2014 09:02:05
by Luc van Donkersgoed (Standard support level)
Joined: 04/04/2014
Posts: 3

Hi Eugene,

I was a little surprised but using only TLS1.1 does indeed work.

Thank you very much for your quick response and solution.
#29138
Posted: 04/04/2014 09:14:08
by Eugene Mayevski (EldoS Corp.)

Still, can you give us the address of the server so that we could test TLS 1.2 with it?


Sincerely yours
Eugene Mayevski
#29180
Posted: 04/08/2014 10:09:09
by Luc van Donkersgoed (Standard support level)
Joined: 04/04/2014
Posts: 3

Hi Eugene,

Sorry for the delayed response.
The address of the server is: https://api.incrowdpro.com
#29181
Posted: 04/08/2014 10:13:48
by Eugene Mayevski (EldoS Corp.)

Thank you, we'll do the tests and let you know the outcome.


Sincerely yours
Eugene Mayevski
#29185
Posted: 04/09/2014 05:08:13
by Ken Ivanov (EldoS Corp.)

Hello Luc,

I am sorry for making you wait. The problem is caused by a minor glitch in the SecureBlackbox cryptographic provider on the WP8 platform (it seems that we over-optimized things during recent performance improvements). Please add the following line to your code and ensure it's called before connecting to the remote HTTPS resource:

Code
// Turn off platform key generation in the built-in crypto provider (WP8 workaround); run before connecting.
if (SBCryptoProvManager.Unit.DefaultCryptoProviderManager().BuiltInCryptoProvider != null)
{
    ((SBCryptoProvBuiltIn.TElBuiltInCryptoProviderOptions)SBCryptoProvManager.Unit.DefaultCryptoProviderManager().BuiltInCryptoProvider.Options).UsePlatformKeyGeneration = false;
}


The problem has no relation to the SNI extension; it is a purely algorithmic issue caused by the wider cipher suite set in TLS 1.2 (compared to SSL 3.0).

We'll also implement the appropriate fix in the SBB code so you do not have to adjust cryptoprovider settings with the above line. The fix will be available in the next minor product update.

Ken