EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SSL Error, possibly due to proxy?

Posted: 08/08/2014 08:15:20
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

I have a problem with my SBB-based client and server communication. For one particular user the TElHTTPSClient won't connect with the TElHTTPSServer, while for all others there are no problems.

The difference is that this user is very serious about his internet security and uses a proxy (although other users with other proxies have no problem).

First the TElHTTPSServer raises an error 75792 and then closes the connection with exit code 2 (SB_CLOSE_CONNECTION_NEGOTIATION_FAILED?)
On the client the error code is 100353.

The server closes the connection after the client certificate has been validated (OnCertificateValidate is triggered with result = True).

Can the proxy be the cause of this problem or can you think of any other reason why this happens?
Posted: 08/08/2014 10:25:24
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

Please check the latest 12.0.257 build as there were some SSL handshake related improvements done to the code.
Posted: 08/08/2014 12:12:57
by Eugene Mayevski (Team)

However it's not likely that the fixes of build 257 are the solution.

It's important to find out, what type of proxy the customer uses and how he configures the use of that proxy by your application (and our component) if your application allows this.

Sincerely yours
Eugene Mayevski
Posted: 08/18/2014 04:36:19
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

The user informed me about the proxy: it is a Blue Coat SGOS 6.2 that is connected to Zscaler (cloud based security). Sadly I don't have more info (large customer, outsourced IT-stuff, difficult to get the right answers...)

The client I made uses the WebTunneling settings instead of the proxy settings, according to https://eldos.com/forum/read.php?FID=7&TID=4427

FHTTPSClient.WebTunnelAddress := FProxyHost;
FHTTPSClient.WebTunnelPort := FProxyPort;
FHTTPSClient.WebTunnelUserId := FProxyUser;
FHTTPSClient.WebTunnelPassword := FProxyPassword;
FHTTPSClient.UseWebTunneling := True;

Must I change this back to proxy with the newer SBB editions?
Posted: 08/18/2014 06:31:46
by Vsevolod Ievgiienko (Team)

It's possible that their proxy requires another type of authentication. According to your code Basic auth. is used, but we also support Digest and NTLM mechanisms.
Posted: 08/20/2014 07:30:42
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

Username and password are used in the code, but this client doesn't require authentication for the proxy.

I'll make a version for this client based on the latest SBB version to see if this changes anything. I won't change the proxy code so a webtunnel will still be used.
Posted: 09/16/2014 08:04:15
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

I'm still having issues with this problem. I have done some further investigation and now I think that the problem is not in the use of proxy or webtunnel. I updated client and server source to latest SBB version.

When I run the client service under my user account (this account: username + password) everything goes OK. When I run the service under 'local system account' I get the problems mentioned above. The only change I make is the 'log on as' setting!

The client certificate is installed for the service and verified to be correctly loaded.

Are there other differences in how user accounts and local system account handle certificates that can cause this behaviour?
Posted: 09/16/2014 08:48:25
by Ken Ivanov (Team)

Hi Birger,

Could you please put a breakpoint to the TElHTTPSServer.OnSSLError event handler and capture the error code and the call stack for us?

Thanks in advance.

Posted: 09/16/2014 09:24:56
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

Hi Ken,

I further investigated the problem and it seems that there was a problem with how the certificate was installed into the personal store of the service.

What I did first was COPY the client, ca and root certificates (with the certificate snap-in for the management console) from my user store to the service store. That does not work.

I needed to IMPORT the client certificate into the service personal store and then MOVE the CA and ROOT into the trusted root store.

Microsoft makes no mention about the difference between moving and importing a certificate (http://technet.microsoft.com/en-us/library/cc771103.aspx) but it seems there is!

Strange, but I'm glad it works now!
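An added check, not from the thread and not SecureBlackbox code, for confirming the state the post above arrives at: the client certificate is present in a store the service account can read, its private key is accessible to that account, and the chain builds to a trusted root. It assumes the service runs as Local System and reads the LocalMachine (Computer account) stores, Windows PowerShell on .NET 4.6 or later, and a placeholder thumbprint; run it in the service's security context (for example from an elevated SYSTEM shell) for a true picture.

```powershell
# Added diagnostic (not part of the original thread). Checks a client certificate
# the way a TLS client running as a service would need to use it.
function Test-ServiceClientCert {
    param(
        # PLACEHOLDER: replace with the client certificate's thumbprint.
        [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
        # Assumption: Local System reads the LocalMachine stores.
        [string]$StoreLocation = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    $store.Close()

    if (-not $cert) {
        Write-Output "Certificate $Thumbprint not found in $StoreLocation\My."
        return
    }

    # A certificate copied between stores without its key shows HasPrivateKey = False;
    # a key container the service account cannot read fails when the key is opened.
    $keyUsable = $false
    if ($cert.HasPrivateKey) {
        try {
            $null = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            $keyUsable = $true
        } catch {
            $keyUsable = $false
        }
    }
    Write-Output ("HasPrivateKey: {0}; private key accessible: {1}" -f $cert.HasPrivateKey, $keyUsable)

    # The chain must build from the machine's Trusted Root store (where the
    # post moved the CA and root certificates). Revocation is skipped so the
    # check works offline; leave it on when validating against policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    Write-Output ("Chain builds: {0}" -f $built)
    foreach ($s in $chain.ChainStatus) {
        Write-Output ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
    foreach ($e in $chain.ChainElements) {
        Write-Output ("  element: {0}" -f $e.Certificate.Subject)
    }
}

Test-ServiceClientCert
```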
Posted: 09/16/2014 14:12:54
by Ken Ivanov (Team)

Hi Birger,

Great, thank you for sharing your experience with us and other users. Both the reason and the solution are really non-trivial, so it might be really helpful for someone experiencing a similar issue. Thanks.
