HTTPSecureSocket not connecting

I have some code that has been running for a number of years successfully, however, the server side has changed their minimum specification for SSL connections and I can no longer get a Xojo HTTPSecureSocket connection to work.

My basic code is

[code]Dim vsock As New HTTPSecureSocket
vsock.Address = "www.b2b.nm.XYZ.int"
vsock.ConnectionType = SSLSocket.TLSv12

Dim f As FolderItem
f = GetFolderItem("CC002.pem")
vsock.CertificateFile = f
vsock.CertificatePassword = "XYX"

Dim url As String
url = "https://www.b2b.nm.XYZ.int/B2B_OPS/gateway/spec/20.0.0"

// s holds the XML request body, built elsewhere
vsock.SetPostContent(s, "application/xml")

Dim Response As String
Response = vsock.Post(url, 5)[/code]

The Response is blank. When I look at the TCP/IP traffic, I see that the client closes the connection immediately. If I use what I believe are exactly the same parameters from CURL I get the expected response from the server.

On the failed connection, I see a normal start to the TCP conversation

[code]No.  Time             Source        Destination   Protocol  Length  Info
  1  17:43:43.849582  192.168.1.83  193.58.21.20  TCP       78      53663 → 16443 [SYN] Seq=0 Win=65535 Len=0 MSS=1360 WS=32 TSval=1134664343 TSecr=0 SACK_PERM=1
  2  17:43:43.866305  193.58.21.20  192.168.1.83  TCP       64      16443 → 53663 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1412
  3  17:43:43.866387  192.168.1.83  193.58.21.20  TCP       54      53663 → 16443 [ACK] Seq=1 Ack=1 Win=65535 Len=0[/code]

And then immediately my Xojo client appears to close the connection

[code]No.  Time             Source        Destination   Protocol  Length  Info
  4  17:43:43.907250  192.168.1.83  193.58.21.20  TCP       54      53663 → 16443 [FIN, ACK] Seq=1 Ack=1 Win=65535 Len=0
  5  17:43:43.923265  193.58.21.20  192.168.1.83  TCP       64      16443 → 53663 [FIN, ACK] Seq=1 Ack=2 Win=14600 Len=0
  6  17:43:43.923314  192.168.1.83  193.58.21.20  TCP       54      53663 → 16443 [ACK] Seq=2 Ack=2 Win=65535 Len=0[/code]

The CURL TCP Conversation is

[code]No.  Time             Source        Destination   Protocol  Length  Info
 30  18:56:05.294904  192.168.1.83  193.58.21.20  TCP       78      54655 → 16443 [SYN] Seq=0 Win=32768 Len=0 MSS=1360 WS=1 TSval=1138988996 TSecr=0 SACK_PERM=1
 31  18:56:05.310931  193.58.21.20  192.168.1.83  TCP       64      16443 → 54655 [SYN, ACK] Seq=0 Ack=1 Win=1460 Len=0 MSS=1412
 32  18:56:05.311022  192.168.1.83  193.58.21.20  TCP       54      54655 → 16443 [ACK] Seq=1 Ack=1 Win=34000 Len=0[/code]

And then the Curl application pushes the required certificate to the server

[code]No.  Time             Source        Destination   Protocol  Length  Info
 33  18:56:05.312058  192.168.1.83  193.58.21.20  TCP       181     54655 → 16443 [PSH, ACK] Seq=1 Ack=1 Win=34000 Len=127
 34  18:56:05.327425  193.58.21.20  192.168.1.83  TCP       64      16443 → 54655 [ACK] Seq=1 Ack=128 Win=14600 Len=0
 35  18:56:05.329170  193.58.21.20  192.168.1.83  TCP       1418    16443 → 54655 [ACK] Seq=1 Ack=128 Win=14600 Len=1360
 36  18:56:05.329675  193.58.21.20  192.168.1.83  TCP       1418    16443 → 54655 [ACK] Seq=1361 Ack=128 Win=14600 Len=1360[/code]

And then completes the TCP connection using TLSv1.2 and AES256-SHA, which then follows on to establish the HTTPS session, execute the POST and retrieve the response.

Clearly something in my Xojo configuration (or possibly in Xojo itself) is causing the connection to be closed after the first TCP handshake. The fact CURL works would indicate that my URL, Certificate, Password, network, and Firewall are all OK.

Any ideas of what the issue may be?

Thanks in advance.

PS - I have excluded any code setting up headers as the connection never progresses beyond the initial TCP handshake and therefore there are no HTTP headers or commands exchanged.

A few months ago I changed an app for a client to use our CURL Plugin, because a client-side SSL certificate was not supported by the built-in socket classes.

Maybe you can try our plugin, too?

What version of Xojo are you using?
That may be relevant.

The app was originally built in 2014 v2.1, I have just rebuilt it in 2016 v1.1 and the same issue occurs.

Christian, I already have a few of your plug-ins and am likely to move in that direction if I can't find a simple solution for the Xojo socket.

[quote=274186:@Michael Flynn]The app was originally built in 2014 v2.1, I have just rebuilt it in 2016 v1.1 and the same issue occurs.

Christian, I already have a few of your plug-ins and am likely to move in that direction if I can't find a simple solution for the Xojo socket.[/quote]
Have you tried XOJO.net.HTTPSocket? I’d bet this new one will do exactly what you need.

In trying MBSCURL, I am still having problems.
1 - In my PHP script I set

[code]curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, True);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, True);[/code]
which, I believe is the equivalent of

[code]c.OptionSSLVerifyHost = 1 // verify server
c.OptionSSLVerifyPeer = 1 // proofs certificate is authentic[/code]
However, the MBSCurl socket fails on an error 60 but the PHP code works fine. If I use 0 and 0 the MBSSocket connects.

The PHP is

[code]$url  = "https://thehost/spec/20.0.0";
$pass = "the password";
// $cert holds the path to the client certificate (CC002.pem) and $xml the POST body

$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/xml',
    'Pragma: no-cache',
    'Cache-Control: no-cache',
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
));
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // check the server cert against the CA store
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); // true is value 1; PHP warns it is deprecated in favour of 2
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSLCERT, $cert);
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, $pass);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml);
$response = curl_exec($ch);[/code]

The Xojo code with MBSSocket which gets the error 60 is

[code]Dim c As New CURLSMBS // MBS CURL plugin class (assumed name; the class declaration was not in the original post)
Dim f As FolderItem
Dim e As Integer

f = GetFolderItem("CC002.pem")
c.OptionVerbose = True
c.CollectDebugData = True
c.CollectOutputData = True // collect data, so we don't need our own subclass with events
c.OptionSSLVerifyHost = 1  // verify server
c.OptionSSLVerifyPeer = 1  // proofs certificate is authentic
c.OptionSSLCert = f.NativePath
c.OptionKeyPassword = "the password"
c.OptionURL = "The host"
c.OptionPost = True
c.OptionPostFields = xml   // xml holds the request body
e = c.Perform[/code]

Which I think should be functionally identical.

Any ideas?

Does it work with c.OptionSSLVerifyHost = 0 and c.OptionSSLVerifyPeer = 0?

What does debug log say?

Or use OptionCAPath and put some cacert.pem file there with root certificates.

Using MBSCURL

With c.OptionSSLVerifyHost = 0 and c.OptionSSLVerifyPeer = 0, it works.

With c.OptionSSLVerifyHost = 1 or 2 and c.OptionSSLVerifyPeer = 1, I get error number 60 and the log is

[code]Trying 193.58.21.82...
Connected to www.b2b.nm.eurocontrol.int (193.58.21.82) port 443 (#0)
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, Server hello (2):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
TLSv1.2 (OUT), TLS alert, Client hello (1):[/code]

However, using CURL in the OS I get

[code]Notice: curl_setopt(): CURLOPT_SSL_VERIFYHOST with value 1 is deprecated and will be removed as of libcurl 7.28.1. It is recommended to use value 2 instead in /Users/mike/Desktop/phptest/NMTest.html on line 18

* About to connect() to www.b2b.nm.eurocontrol.int port 443 (#0)
*   Trying 193.58.21.82... * connected
* Connected to www.b2b.nm.eurocontrol.int (193.58.21.82) port 443 (#0)
* SSL connection using AES256-SHA
* Server certificate:
*   subject: C=BE; ST=Bruxelles; L=Bruxelles; OU=EUROCONTROL; O=European Organisation for the Safety of Air Navigation; CN=www.b2b.nm.eurocontrol.int
*   start date: 2016-04-07 11:36:04 GMT
*   expire date: 2017-04-08 11:36:04 GMT
*   subjectAltName: www.b2b.nm.eurocontrol.int matched
*   issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - SHA256 - G2
*   SSL certificate verify ok.

POST /B2B_OPS/gateway/spec/20.0.0 HTTP/1.1[/code]
This seems to indicate that the OS use of CURL does correctly access the root certificates, but MBSCurl is not correctly accessing the installed root certificates (and likely this is the same problem causing the built-in socket to fail).

If I add the CA’s root certificate as a .pem file to the MBSCURL socket using .OptionCAInfo, then MBSSocket works identically to CURL in PHP from the desktop.

This would seem to imply there is an issue in the Xojo environment (or my OS X build) where Xojo, and by extension the MBSCurl socket, doesn't have the correct default path for the root certificates (as this certificate is also in my Keychain and is accessed correctly by CURL using the OS X standard PHP environment).

If you let the plugin check the certificate, please specify a cacert.pem file for the plugin.

e.g. here
https://curl.haxx.se/ca/cacert.pem

the CURL shipped by Apple uses the OS certificates.

The one I include doesn’t.

Thanks, that explains the difference between the two. All working now. All that is left is to upgrade my MBS license to include this as well!