EldoS | Feel safer!

HTTPSGet Samples with pfx certificate problem

#31409
Posted: 11/17/2014 01:51:33
by Lemon Yang (Standard support level)
Joined: 11/24/2009
Posts: 48

I'm trying to add pfx certificate support based on the HTTPSGet sample with the TElFileCertStorage class, but it failed with the message "Exception happened during HTTP download: Connection lost (error code is 100354)". I checked the error code description, which is "SB_HTTP_ERROR_REQUEST_NOT_COMPLETED 100354 (0x18802) Communication failed for unidentified reason during sending request or retrieving response.".

I just added code in the initEvents function as below:
1. TElFileCertStorage fileCerts = new TElFileCertStorage();
FileInputStream f = new FileInputStream("C:\\weblogin.pfx");
fileCerts.loadFromStreamPFX(f, "123456", 0);

2. HTTPSClient.setClientCertStorage(fileCerts);

It worked with the same certification in the SimpleSSLDemo sample.

Can you tell me how to solve it? Thank you.
#31410
Posted: 11/17/2014 01:56:34
by Eugene Mayevski (EldoS Corp.)

Error 100354 happens when the connection has been established (including successful SSL/TLS handshake) but then it was lost prematurely.

This means that there's something on the HTTP level that the server doesn't like. Now we need to figure out what exactly goes wrong.

Does the sample show the HTTP request headers in the log box?


Sincerely yours
Eugene Mayevski
#31411
Posted: 11/17/2014 02:34:49
by Lemon Yang (Standard support level)
Joined: 11/24/2009
Posts: 48

Hi, the HTTP request headers are displayed as below:

Sending headers:
GET / HTTP/1.1
Host: 192.168.0.36
User-Agent: Mozilla/5.0 (EldoS SecureBlackbox; This is an EVALUATION version that will expire in 75 days)
Accept-Encoding: gzip, deflate
Connection: Close

Are there other options required to enable for HTTPS?
#31412
Posted: 11/17/2014 02:42:06
by Eugene Mayevski (EldoS Corp.)

Quote
Lemon Yang wrote:
Are there other options required to enable for HTTPS?


The problem is not in HTTPS. The log shows that your server closes the connection without sending a response. You need to check the server log to find out what's wrong with it. I suspect that maybe it doesn't like the IP address in the Host: header (the Host: header is used to specify the host name). While the standard says nothing about this situation, I suspect that maybe the server gets confused.

The component lets you alter the headers using the OnPreparedHeaders event. You can try modifying the headers there and changing the Host header to contain an empty value.

But then again, you need to check the server for a possible explanation of why the connection is closed with the error.


Sincerely yours
Eugene Mayevski
#31413
Posted: 11/17/2014 03:20:24
by Lemon Yang (Standard support level)
Joined: 11/24/2009
Posts: 48

We tested another sample, SimpleSSLDemo, with the certificate, and it works with no problem. The header information is like:

GET / HTTP/1.1
Host:192.168.0.36
User-Agent: EldoS SSLBlackbox (Java edition)
Connection: close

I noticed that there is no "Accept-Encoding: gzip, deflate" for this sample.
Which option can I use to disable it from httpsclient?
#31414
Posted: 11/17/2014 03:23:36
by Eugene Mayevski (EldoS Corp.)

Quote
Lemon Yang wrote:
We tested another sample, SimpleSSLDemo, with the certificate, and it works with no problem.


Do I understand it right that you receive an HTTP response with that demo?

Quote
Lemon Yang wrote:
I noticed that there is no "Accept-Encoding: gzip, deflate" for this sample. Which option can I use to disable it from httpsclient?


Set the UseCompression property to false.


Sincerely yours
Eugene Mayevski
#31415
Posted: 11/17/2014 03:23:56
by Vsevolod Ievgiienko (EldoS Corp.)

As Eugene wrote above,

Quote
The component lets you alter the headers using the OnPreparedHeaders event. You can try modifying the headers there and changing the Host header to contain an empty value.
#31416
Posted: 11/17/2014 04:16:06
by Lemon Yang (Standard support level)
Joined: 11/24/2009
Posts: 48

We've found the problem. After adding the "setupSSLOption" code from another example as below, it now works. Thanks for your support.



// Reset the enabled protocol versions, then allow SSL 3.0 and TLS 1.0.
HTTPSClient.setVersions((short)0);
HTTPSClient.setVersions((short) ((byte) HTTPSClient.getVersions() | (byte)SBSSLConstants.sbSSL3));
HTTPSClient.setVersions((short) ((byte) HTTPSClient.getVersions() | (byte)SBSSLConstants.sbTLS1));

// Disable every cipher suite the library defines...
for(int i = SBSSLConstants.SB_SUITE_FIRST; i <= SBSSLConstants.SB_SUITE_LAST; i++) {
    HTTPSClient.setCipherSuite((short)i, false);
}

// ...then enable every cipher suite again.
for(int i = SBSSLConstants.SB_SUITE_FIRST; i <= SBSSLConstants.SB_SUITE_LAST; i++) {
    HTTPSClient.setCipherSuite((short)i, true);
}
#31437
Posted: 11/19/2014 04:32:12
by Lemon Yang (Standard support level)
Joined: 11/24/2009
Posts: 48

Thanks for your support. We solved the HTTPS connection problem with the pfx file.
Now we're trying to connect to the HTTPS server with TElPKCS11CertStorage.
Currently we have several certificates inside the token and use TElPKCS11CertStorage for the HTTPS connection. My question is: which certificate is used for the HTTPS handshake if there is more than one certificate in the token? And can I specify the certificate for the HTTPS connection with TElPKCS11CertStorage during the handshake? Thank you very much.
#31438
Posted: 11/19/2014 04:35:58
by Eugene Mayevski (EldoS Corp.)

You need to find the needed certificate(s) in TElPKCS11CertStorage and add them to an instance of the TElMemoryCertStorage class using its Add method (don't worry about the keys, SecureBlackbox tracks the origin of such copied certificates).
Then assign the instance of TElMemoryCertStorage to the ClientCertStorage property of TElHTTPSClient.

If you use the OnCertificateNeededEx event of TElHTTPSClient, then just return the needed certificate(s) via the event handler.


Sincerely yours
Eugene Mayevski
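
The approach from the reply above, as an added example that is not part of the original thread and is not EldoS code: copy exactly one token certificate into a TElMemoryCertStorage and fail closed when the match is missing or ambiguous. The package import, the accessors getCount(), getCertificate(int), getPrivateKeyExists() and getSubjectName().CommonName, the second argument of add(), and the common name "weblogin-client" are assumptions that do not appear in the thread; check them against your SecureBlackbox Java version.

```java
// Added example, not EldoS code. Names marked ASSUMED do not appear in this thread.
import SecureBlackbox.Base.*;   // ASSUMED package for the certificate classes

public final class ClientCertPicker {

    /**
     * Copies exactly one certificate from an already opened token storage
     * into a memory storage, matched by subject common name.
     * Fails closed when no certificate or more than one certificate matches,
     * so the handshake never presents an unintended identity.
     */
    public static TElMemoryCertStorage pick(TElCustomCertStorage token, String wantedCN)
            throws Exception {
        TElX509Certificate match = null;
        // ASSUMED accessors: getCount() and getCertificate(int)
        for (int i = 0; i < token.getCount(); i++) {
            TElX509Certificate cert = token.getCertificate(i);
            // ASSUMED: getPrivateKeyExists(); a certificate without a private
            // key (CA or peer certificate) cannot authenticate the client.
            if (!cert.getPrivateKeyExists()) {
                continue;
            }
            // ASSUMED: getSubjectName().CommonName
            if (wantedCN.equals(cert.getSubjectName().CommonName)) {
                if (match != null) {
                    throw new IllegalStateException(
                            "more than one certificate with CN=" + wantedCN);
                }
                match = cert;
            }
        }
        if (match == null) {
            throw new IllegalStateException(
                    "no usable certificate with CN=" + wantedCN);
        }
        TElMemoryCertStorage selected = new TElMemoryCertStorage();
        // "Add" is the method named in the reply; the second argument
        // (keep the link to the private key) is ASSUMED.
        selected.add(match, true);
        return selected;
    }
}
// Usage, with the thread's HTTPSClient and an opened TElPKCS11CertStorage
// named token ("weblogin-client" is a constructed sample value):
//   HTTPSClient.setClientCertStorage(ClientCertPicker.pick(token, "weblogin-client"));
```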

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.