Upgrade from SBB version 11

#32602
Posted: 03/12/2015 12:45:54
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

I just upgraded my SBB installation from version 11 to 12 and my project cannot consume a web service. There are two folders, one with v11 and the other with v12; 100% of the code is the same except for the DCUs from SBB.

I am receiving 100353 (problems with SSL handshake), and it has happened to me before (message #24529 from 04/11/2013). The code from that date until now was working GOOD until the upgrade.

The webservice is:
https://homologacao.nfe.fazenda.sp.gov.br/ws/nfestatusservico2.asmx

The OnError event does not fire, nor does OnSendData.

Of course, if I use the app compiled with v11, everything works fine.
#32606
Posted: 03/13/2015 03:43:04
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Do you get any other exceptions before 100353 error when you run the program under debugger? I was able to connect to the server with TElHTTPSClient.Versions set to [sbSSL3, sbTLS1].
#32607
Posted: 03/13/2015 04:49:48
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Vsevolod Ievgiienko

First of all thanks for prompt answer.

I set the versions like you said and it solves the problem.

Some statements/doubts: could you answer yes/no just for my understanding?

1) Every server can connect using one or more ciphers.

2) The real connection happens with just one cipher.

3) SBB uses priority to check the ciphers and tries 1, then 2, then 3 until the server accepts one.

4) Some servers "protect" access by trying ciphers (weak?), and therefore the app should disable some (or all) and set appropriate ciphers.

5) In the case of the problem, the default versions are [sbTLS1, sbTLS11, sbTLS12], and if I am understanding right, it tries to connect using sbTLS1, then sbTLS11 and then sbTLS12, but it fails. If I isolate just sbTLS1 it works. What is the logic around this?

6) How can I know what version I should use and what ciphers I should use/enable?

Thanks in advance
#32609
Posted: 03/13/2015 05:18:53
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
1) Every server can connect using one or more ciphers.

Each server has a list of supported ciphersuites. A single ciphersuite is a set of key exchange, encryption and hashing algorithms. The client also has a list of supported ciphersuites. During connection both sides agree on one common ciphersuite for data exchange.

Quote
2) The real connection happens with just one cipher.

Yes.

Quote
3) SBB uses priority to check the ciphers and tries 1, then 2, then 3 until the server accepts one.

Priority is used to tell a server which ciphersuites are preferred by a client. A client sends the list of supported ciphersuites, with priorities set, to the server during the handshake.

Quote
4) Some servers "protect" access by trying ciphers (weak?), and therefore the app should disable some (or all) and set appropriate ciphers.

Some weak ciphersuites can be disabled on the server side. In general you should not disable them on the client side explicitly if there exists a set of common ciphersuites in the client's and server's supported lists, but you can disable them for security reasons to eliminate the case when the server would allow such a weak ciphersuite.

Quote
5) In the case of the problem, the default versions are [sbTLS1, sbTLS11, sbTLS12], and if I am understanding right, it tries to connect using sbTLS1, then sbTLS11 and then sbTLS12, but it fails. If I isolate just sbTLS1 it works. What is the logic around this?

It doesn't try them one by one. Both client and server will agree to use the latest commonly supported version. If it works with [TLS1] and doesn't work with [TLS1, TLS11, TLS12], then most likely it's a buggy server.

Quote
6) How can I know what version I should use and what ciphers I should use/enable?

In general the client should work without any additional adjustments. If any problem occurs, then you should use a trial-and-error approach.
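The negotiation described in the answers above, as an added example that is not code from the thread or from SecureBlackbox: a model of how a TLS client and server settle on one protocol version and one ciphersuite, plus a version-intolerant server that reproduces the "works with [TLS1], fails with [TLS1, TLS11, TLS12]" symptom. The server objects, ciphersuite names and the `intolerant_above` knob are constructed for illustration.

```python
# Constructed model of TLS (<= 1.2) version and ciphersuite negotiation.
TLS_VERSIONS = {"TLS1": 0x0301, "TLS11": 0x0302, "TLS12": 0x0303}


class HandshakeError(Exception):
    """Negotiation failed; SecureBlackbox reports this as error 100353."""


class Server:
    def __init__(self, versions, ciphersuites, intolerant_above=None):
        self.versions = {TLS_VERSIONS[v] for v in versions}  # versions it implements
        self.ciphersuites = ciphersuites                      # server preference order
        # Buggy ("version-intolerant") server: aborts the handshake instead of
        # answering with a lower version when ClientHello.version exceeds this.
        self.intolerant_above = intolerant_above


def negotiate(client_versions, client_suites, server, server_preference=True):
    """Return (version, ciphersuite) both sides agree on, or raise HandshakeError."""
    # ClientHello carries only the HIGHEST version the client supports, so the
    # client never "tries" versions one by one; the server answers once.
    client_set = {TLS_VERSIONS[v] for v in client_versions}
    client_max = max(client_set)
    if server.intolerant_above is not None and client_max > server.intolerant_above:
        raise HandshakeError("server aborted on ClientHello.version %#x" % client_max)
    # Server picks the latest version it implements that is <= client_max ...
    candidates = [v for v in server.versions if v <= client_max]
    if not candidates:
        raise HandshakeError("no common protocol version")
    version = max(candidates)
    # ... and the client then rejects a version it does not itself support.
    if version not in client_set:
        raise HandshakeError("server chose unsupported version %#x" % version)
    # Client lists its suites in priority order; exactly one common suite is chosen,
    # either by the server's own preference or by the client's announced priority.
    common = [s for s in client_suites if s in server.ciphersuites]
    if not common:
        raise HandshakeError("no common ciphersuite")
    suite = next(s for s in server.ciphersuites if s in common) if server_preference else common[0]
    return version, suite


# Constructed sample endpoints: a well-behaved server and a TLS1-only buggy one.
GOOD_SERVER = Server(["TLS1", "TLS11", "TLS12"], ["AES256-SHA", "AES128-SHA", "RC4-SHA"])
BUGGY_SERVER = Server(["TLS1"], ["AES128-SHA", "RC4-SHA"], intolerant_above=0x0301)
CLIENT_SUITES = ["AES128-SHA", "AES256-SHA", "RC4-SHA"]  # client priority order
```

Against `BUGGY_SERVER`, offering all three versions raises `HandshakeError` while offering only TLS1 succeeds, which is the diagnostic a trial-and-error run of `TElHTTPSClient.Versions` reveals.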
#32610
Posted: 03/13/2015 05:20:34
by Vsevolod Ievgiienko (EldoS Corp.)

My colleague just posted an article that describes how to act in your case when the connection is not established: https://www.eldos.com/forum/read.php?FID=7&TID=5852
#32612
Posted: 03/13/2015 05:45:40
by Eduardo Helminsky (Standard support level)
Joined: 08/20/2010
Posts: 102

Vsevolod Ievgiienko

Thank you very much for your time to contribute to my knowledge.