Am trying to connect to one of those Internet of Things cloud companies with an HTTPS socket but I cant get a connection event.
Its not just that the encryption type that they demand is different than our default. Ive walked through the entire list of xojo supported SSLSocket.ConnectionTypes from 0 to 5 and the behavior is the same. What happens exactly is that I never get a connected event but I do get a 102 error connection closed.
If I loop after the call to socket.get( myURL) and poll the socket I can see that isConnected becomes true almost immediately meaning that the underlying socket has connected. Then SSLConnecting becomes true and stays true for a little while. SSLConnected never becomes true and then the 102 error happens.
Im assuming that it doesnt like something about my TLS or SSL settings or something but Ill be darned if I can figure out why. Since the connected event never fires Its got nothing to do with any of the other authentication or headers or cookies that I am trying to include, because it never even gets that far.
Is there a way to figure out just what the conversation is between my socket and the server and to understand why its rejecting my connection? Is there a newer encryption version that it might be requiring that Xojo doesnt support yet? How would I even see any of that info about the connection?
Couple of thoughts: You could use a packet sniffer (tcpdump, wireshark) to inspect the actual TCP traffic, but with an SSL connection that will be somewhat useless.
How about sharing your socket setup code with us? Perhaps seeing what you are doing will help narrow down the issue.
Also, in what context are you trying this? From a desktop app? iOS? Web project?
Did a trace output from the CURL command which works and I see this:
== Info: Trying 64.233.169.121…
== Info: Connected to dashboard.myplantlink.com (64.233.169.121) port 443 (#0)
== Info: TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
== Info: Server certificate: *.myplantlink.com
== Info: Server certificate: COMODO RSA Domain Validation Secure Server CA
== Info: Server certificate: COMODO RSA Certification Authority
== Info: Server certificate: AddTrust External CA Root
=> Send header, 270 bytes (0x10e)
0000: 47 45 54 20 2f 61 70 69 2f 76 31 2f 70 6c 61 6e GET /api/v1/plan
…
So it appears that CURL is able to connect to it using TLS1.2 which we also support, but setting the connectionType to 5 or me.TLSv12 doesnt work… AH, http1.0 could be the problem. I will experiment first with the new xojo.net.httpSocket. This is a regular Mac desktop app.
But… I never get to the point of sending it the first line of data. I dont get a connected event, so I dont think its disconencting me at that point. The HTTP version isnt specified until the first GET line is sent is it? That doesnt affect the SSL negotiation at all does it?
this same socket code works perfectly fine with google and amazon and my own self signed certificates as Ive experimented with that and those work fine. But something about this site doesnt like me.
Actually… because the old HTTPSecureSocket doesn’t do certificate validation, you can use a program like Proxy to simulate a proxy server and sniff the requests/responses that way.
[quote=242218:@James Sentman]But… I never get to the point of sending it the first line of data. I dont get a connected event, so I dont think its disconencting me at that point. The HTTP version isnt specified until the first GET line is sent is it? That doesnt affect the SSL negotiation at all does it?
this same socket code works perfectly fine with google and amazon and my own self signed certificates as Ive experimented with that and those work fine. But something about this site doesnt like me.[/quote]
Please try it anyway. I’ll bet you get better results.
Have converted the object to a xojo.net.HTTPSocket and it still errors, but the error has more info, it says this:
-1200: An SSL error has occurred and a secure connection to the server cannot be made.
That MIGHT be from Apples new security hotness where they just refuse connections from servers using old and now hacked SSL methods? Though when I hit it from Curl it did say that the site was using TLS1.2 which is the most recent I think.
I feel like I should be able to get to the SSLSettings and see if I can set it to a different or a specific security type to test, but I cant seem to access the SSLSettings object. How do I get access to that from an HTTPSocket? the documentation says that there is an SSLSettings property of the TCPSocket object, but I cant get it to admit to that fact when compiling. There is no autocorrect for SSLSettings and if I just type it myself its an object has no member named SSLSettings error?
Recently I had an issue where a website would fail on Safari but work on IE due to an arcane fault with the Comodo Server certs. Turned out the website cert was not issuing the full cert chain, and failing the SSL as a result.
Thanks Tony, I checked the site and all the checkboxes are green except for the organization details are not listed and No connection upgrade to 128-bit for old browsers and No extended validation on company details Im not entirely sure what that means as far as connecting to them but apart from the organization details not listed the other 2 are the same as googles so that seems OK. They are a Comodo server cert though, and it expires on Monday So perhaps when they update it things will be better.
Christian, I started doing just that this morning already because I cannot figure out how to make the Xojo socket connect to this server which means there will likely be others that it will refuse too.
So perhaps when they update it things will be better.