IdHttp HTTPS Handshake Failure - ssl

Delphi: XE 8
Indy ver: 10.6.2
OpenSSL library version: 1.0.2q (ssleay32.dll, libeay32.dll)
I'm getting the following error from my Delphi app when trying to make the following GET call:
Error connecting with SSL. error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure.
procedure TfrmPushToCertify.Push;
var
  stsJSON  : TStringStream;
  strmResp : TMemoryStream;
  stlResp  : TStringList;
  RecID    : String;
  GetURL   : String;
  PostURL  : String;
  PutURL   : String;
begin
  strmResp := TMemoryStream.Create;
  try
    BuildRESTHeaders;
    // the response body is written into strmResp
    IdHTTP_Certify.Get('https://api.certify.com/v1/exprptglds/1?code=15213|N800KS', strmResp);
  finally
    strmResp.Free; // the posted version never freed the stream
  end;
end;
I can make the same call successfully using Postman (so I know the API call is correct & the server is responding).
The problem seems to be "ETHERNET FRAME CHECK SEQUENCE INCORRECT" but I don't know what that means or how to fix it.
I upgraded to the new DLLs, ver 1.0.2q but no change in result. Still fails w/ same message.

Related

Erlang SSL - Certificate not suitable on sni_fun callback

I got this error:
SSL: hello: ssl_handshake.erl:171:Fatal error: internal error - server_has_no_suitable_certificates
when supplying a DER-decoded certificate for the callback function in the {sni_fun, CallbackFun} option. The CallbackFun returns [{cacerts, [Cert]}], where Cert is DER-encoded. So things comply with the Erlang ssl module's documentation.
I tried looking into the OTP source code. It seems that whatever the callback returns is ignored, thus causing this function clause to be evaluated:
certificate_chain(undefined, _, _) ->
    {error, no_cert};
which leads to that error! But I could be wrong, as I kind of got lost browsing the code base...
If it helps, I use a self-signed CA to sign CSRs that are generated as an SNI is found during a TLS handshake (via the sni_fun option).
Please advise! Thanks a lot!
Update:
I tried the Erlang OTP 20.3 release and got another error:
TLS server: In state hello at tls_connection.erl:739 generated SERVER ALERT: Fatal - Handshake Failure - malformed_handshake_data
Looking at the OTP source code, it is the result of an exception from this block:
try
    Version = ssl_handshake:select_version(tls_record, ClientVersion, Versions),
    case ssl_cipher:is_fallback(CipherSuites) of
        true ->
            Highest = tls_record:highest_protocol_version(Versions),
            case tls_record:is_higher(Highest, Version) of
                true ->
                    ?ALERT_REC(?FATAL, ?INAPPROPRIATE_FALLBACK);
                false ->
                    handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
            end;
        false ->
            handle_client_hello(Version, Hello, SslOpts, Info, Renegotiation)
    end
catch
    _:_ ->
        ?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, malformed_handshake_data)
end.
I am sure the cert is fine, I could view it as well as convert it between DER/PEM formats with openssl with no error. Is there a way to reveal what kind of exception it is in this case?
I solved the problem: the sni_fun must return the list of
[{cert, DerdecodedCert}, {keyfile, PathToTheCsrKeyFile}]
I was returning only
[{cert, DerdecodedCert}]
(which is what the Erlang ssl doc instructed)
Hope this helps anyone who bumps into a similar problem as I did!

Golang: tls.Handshake hangs after connection upgrade

I am writing a TCP text protocol for a project that I am working on. One of the commands in the protocol is STARTTLS, which should upgrade the connection to TLS and continue on. My code to upgrade the connection is similar to the answer in this question. The problem I am having is that when I upgrade the TLS connection, tlsConn.Handshake hangs and never lets go. There are some code samples below. Any help is greatly appreciated.
After the STARTTLS command is received...
// Init a new TLS connection. I need a *tls.Conn type
// so that I can do the Handshake()
s.Logf("++> Upgrading connection to TLS")
tlsConn := tls.Server(s.Conn, s.Server.TLSConfig)
s.Logf("++> Attempting TLS Handshake")
// Handshake blocks until the peer's ClientHello arrives; the posted code
// dropped its error, which hides any handshake failure
if err := tlsConn.Handshake(); err != nil {
	s.Logf("++> TLS Handshake failed: %v", err)
	return
}
s.Logf("++> TLS Handshake Successful")
// Here is the trick. Since I do not need to access
// any of the TLS functions anymore,
// I can convert tlsConn back in to a net.Conn type
s.Conn = net.Conn(tlsConn)
s.Logf("++> Updating read/write buffers")
s.reader = textproto.NewReader(bufio.NewReader(s.Conn))
s.writer = textproto.NewWriter(bufio.NewWriter(s.Conn))
s.Printf("100 SUCCESS")
The client is currently upgrading the connection right after it sends the STARTTLS command like this...
c.conn = tls.Client(c.conn, clientTLSConfig)
The server *tls.Config looks like this...
// Load the key and certificate - paths are provided in flags.
cert, err := tls.LoadX509KeyPair(flagTLSCert, flagTLSKey)
if err != nil {
	log.Fatal(err)
}
// Create the TLS config
tlsConfig := &tls.Config{
	Certificates: []tls.Certificate{cert},
	ClientAuth:   tls.VerifyClientCertIfGiven,
	ServerName:   fqdn(), // a client-side field; it is not consulted by tls.Server
}
The client *tls.Config looks like this...
clientTLSConfig := &tls.Config{
	InsecureSkipVerify: true, // disables server certificate verification entirely
}
Do you call c.conn.Handshake() or do something else to initiate the TLS handshake on the client side?
If the client does not initiate the handshake by sending TLS Client Hello, the server will sit forever waiting for it.
This is my best guess as you did not provide much of the client side code. Also checking with tcpdump would help to narrow the problem down (to server or client side).
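To show both halves of the exchange the answer describes, here is an added Go example (not code from the question or the answer) that performs the post-STARTTLS handshake on both ends of an in-memory net.Pipe using a constructed self-signed certificate that also serves as the client's trust root. The hostname example.test, the 2-second deadline and the function names are assumptions; with clientHandshakes=false it reproduces the question's hang, which the server-side deadline turns into a timeout error instead of an endless wait.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// upgrade runs the post-STARTTLS step on both ends of an in-memory pipe. With
// clientHandshakes=false the client only wraps its conn in tls.Client and never
// sends a ClientHello (the question's hang); a server-side deadline bounds the wait.
func upgrade(clientHandshakes bool) error {
	// Throwaway self-signed certificate (constructed here, not a deployment key).
	// It is also the client's only trust root: the verifying alternative to InsecureSkipVerify.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	cliRaw, srvRaw := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		srvRaw.SetDeadline(time.Now().Add(2 * time.Second)) // bound the wait for a ClientHello
		// Tickets off only because net.Pipe is unbuffered and the client never reads them during Handshake.
		cfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
		srvErr <- tls.Server(srvRaw, cfg).Handshake() // the question discards this error; check it
	}()
	cli := tls.Client(cliRaw, &tls.Config{ServerName: "example.test", RootCAs: pool})
	if clientHandshakes {
		if err := cli.Handshake(); err != nil { // this call is what sends the ClientHello
			return err
		}
	}
	return <-srvErr // nil after a full handshake, a timeout when the client never started one
}
```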

tls: oversized record received with length XXXXX

I use the built-in standard SSL socket client library (net + crypto/tls) like this:
conn, err := net.Dial("tcp", "exploit.im:5222")
// ...
config := tls.Config{InsecureSkipVerify: true}
tlsConn := tls.Client(conn, &config)
fmt.Println(tlsConn.Handshake())
And am getting the message:
tls: oversized record received with length XXXXX
I managed to find out it is somehow related to the default maximum packet size (16384 + 2048 set in common.go:31). Is there any standard workaround (without patching this value & rebuilding the lib)?
You get this kind of message if you try to do an SSL handshake with a peer which does not reply with SSL. In this case it is probably some XMPP server, and with XMPP you first have some clear-text handshake before you start with SSL. Trying to start directly with SSL will result in interpreting the server's clear-text response as an SSL frame, which can result in strange error messages like this.
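An added Go example (not the asker's program) that reproduces offline what the answer describes: the peer on the other end of a net.Pipe answers the ClientHello with a constructed XMPP stream header, and the client's Handshake fails because those bytes do not parse as a TLS record header. The banner text, the function names and the use of exploit.im only as the verification name are assumptions; looksLikeTLSRecord mirrors the header sanity check crypto/tls applies, including the 16384+2048 length limit the question mentions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"io"
	"net"
)

// Constructed stand-in for the plaintext an XMPP server sends on port 5222
// before STARTTLS is negotiated; it is not captured output from exploit.im.
const xmppBanner = `<?xml version='1.0'?><stream:stream xmlns='jabber:client' version='1.0'>`

// looksLikeTLSRecord applies the checks crypto/tls makes on the first 5-byte
// record header: content type handshake (22) or alert (21), version below
// 0x1000, and length no larger than 16384+2048, the limit the question mentions.
func looksLikeTLSRecord(hdr [5]byte) bool {
	typ := hdr[0]
	vers := uint16(hdr[1])<<8 | uint16(hdr[2])
	n := int(hdr[3])<<8 | int(hdr[4])
	return (typ == 21 || typ == 22) && vers < 0x1000 && n <= 16384+2048
}

// handshakeAgainstPlaintext runs a TLS client handshake over an in-memory pipe
// whose peer answers in the clear, as an XMPP server does before STARTTLS, and
// returns the 5 bytes the client mis-read as a record header plus the error.
func handshakeAgainstPlaintext() ([5]byte, error) {
	cli, srv := net.Pipe()
	go func() {
		buf := make([]byte, 16384)
		srv.Read(buf)                 // swallow the ClientHello
		srv.Write([]byte(xmppBanner)) // answer with XML, not a ServerHello
		io.Copy(io.Discard, srv)      // drain until the client gives up
		srv.Close()
	}()
	tc := tls.Client(cli, &tls.Config{ServerName: "exploit.im"}) // verification stays on
	err := tc.Handshake()
	cli.Close()
	var hdr [5]byte
	var rhe tls.RecordHeaderError
	if errors.As(err, &rhe) { // crypto/tls reports the offending header bytes
		hdr = rhe.RecordHeader
	}
	return hdr, err
}
```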

Certificate sent by the other side could not be validated - Oracle Wallet

I have written the following code in PL/SQL for calling third-party APIs from Oracle 11g.
DECLARE
  -- declarations were missing from the posted fragment
  l_http_request  UTL_HTTP.req;
  l_http_response UTL_HTTP.resp;
  l_response_text VARCHAR2(32767);
  t_request_body  VARCHAR2(32767); -- populated elsewhere in the original
BEGIN
  -- preparing Request...
  l_http_request := UTL_HTTP.begin_request('https://www..........', 'GET', 'HTTP/1.1');
  -- set header's attributes...
  UTL_HTTP.set_header(l_http_request, 'Content-Type', 'application/json');
  UTL_HTTP.set_header(l_http_request, 'Content-Length', LENGTH(t_request_body));
  UTL_HTTP.set_header(l_http_request, 'Api-Key', '..............');
  -- get Response and obtain received value
  l_http_response := UTL_HTTP.get_response(l_http_request);
  UTL_HTTP.read_text(l_http_response, l_response_text);
  -- release the connection once the body has been read
  UTL_HTTP.end_response(l_http_response);
END;
When I run this code I'm getting the following error:
Error report:
ORA-29273: HTTP request failed
ORA-06512: at "SYS.UTL_HTTP", line 1130
ORA-29024: Certificate validation failure
ORA-06512: at line 13
29273. 00000 - "HTTP request failed"
*Cause: The UTL_HTTP package failed to execute the HTTP request.
*Action: Use get_detailed_sqlerrm to check the detailed error message.
Fix the error and retry the HTTP request.
I figured out that this is caused by the 'https' protocol. So I downloaded all relevant certificates and handed them over to our DB team. Though they have configured Oracle Wallet with these certificates, we are still getting the same error report.
Any thoughts?
UPDATE:
I've added the following code as the very first lines in the begin block...
UTL_HTTP.SET_DETAILED_EXCP_SUPPORT(TRUE);
UTL_HTTP.SET_WALLET('file:/../wallet','pwd.....' );
But now it gives the following exception, "Certificate is invalid", though the certificate sender confirms its validity. The validity can also be confirmed with this external SSL checker: https://www.sslshopper.com.
Error report:
ORA-29024: Certificate validation failure
ORA-06512: at "SYS.UTL_HTTP", line 1128
ORA-06512: at line 16
29024. 00000 - "Certificate validation failure"
*Cause: The certificate sent by the other side could not be validated. This may occur if
the certificate has expired, has been revoked, or is invalid for another reason.
*Action: Check the certificate to determine whether it is valid. Obtain a new certificate,
alert the sender that there certificate has failed, or resend.
Please note that I've tried all formats of certificate files (Base-64 encoded / PKCS#7 etc.) as explained in http://oracle-base.com/articles/misc/utl_http-and-ssl.php
Any thoughts?
Personally, I find it a pain to load the certificates of each and every website you want to access in an Oracle Wallet (which is probably why you're getting the error--you need to install the certificates and chains of the website you're trying to access into the Wallet).
The easiest thing to do is install stunnel https://www.stunnel.org/index.html
Configure stunnel to listen for incoming connections on a local port such as 8800 and then make an outbound connection to somesite.com:443.
Something like this:
1. Oracle issues a GET as: http://localhost:8080/index.html
2. stunnel intercepts the request and gets https://somesite.com/index.html
3. stunnel gives the results to Oracle
This allows Oracle to communicate via http to stunnel; stunnel then communicates with https://somesite.com and delivers the data back to Oracle on port 80.
This completely bypasses the Oracle Wallet.
While this is not a direct answer to your question, it surely solves the many, many issues with Oracle Wallet and, in my opinion, is the best solution.
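As an added illustration (not part of the answer), a minimal stunnel.conf for the setup described above, using the answer's local port 8800 and the placeholder somesite.com. The verifyChain, CAfile and checkHost lines are what keep certificate checking in place once the wallet is out of the path; stunnel's default is no verification, so without them the proxy would accept any certificate the remote presents, and the CAfile path is assumed to be the system CA bundle on the stunnel host.

```ini
; Plaintext listener for Oracle's UTL_HTTP, forwarded to somesite.com over TLS.
; Oracle then requests http://localhost:8800/... instead of https://somesite.com/...
[somesite]
client = yes
accept = 127.0.0.1:8800
connect = somesite.com:443
; Keep server certificate validation: stunnel verifies nothing by default.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = somesite.com
```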

WebSocket connection to 'wss://' failed: Unexpected response code: 500

I'm getting a 500 error when running SignalR over a secure WebSocket on IIS Express.
The site is running on localhost:44300 with the default cert.
It works just fine with longPolling.
When changing to webSockets, I'm getting the following error:
WebSocket connection to
'wss://localhost:44300/signalr/connect?transport=webSockets&connectionToken='
failed: Unexpected response code: 500
If the error is due to self-signed cert, how do I disable it with SignalR and websockets?
Or could it be caused by something else?
I tried solving this issue by initializing EventMachine, inserting the following code in an initializer, config/initializers/eventmachine.rb:
Thread.new { EventMachine.run } unless EventMachine.reactor_running? && EventMachine.reactor_thread.alive?
and it worked for me!
Maybe check this out:
http://websocketstest.com/
BTW: Internal Error (500)