Connecting via mutual SSL fails reading incoming changeCipherSpec


We need to connect to a server using mutual SSL, but for some reason we're getting the following error when trying to make a request:

    [...]
    readIncomingTls_changeCipherSpec2:
      processTlsRecord:
        processAlert:
          TlsAlert:
            level: fatal
            descrip: handshake failure
          --TlsAlert
        --processAlert
      --processTlsRecord
    --readIncomingTls_changeCipherSpec2
    Failed to read incoming handshake messages. (3)
    Client handshake failed. (3)
    Failed to connect.
    [...]

The private key and CSR were raised by us, and the cert was returned to us by the folks we're connecting to.

Combining the key and the cert into a PEM file and adding it to the request like so works without issue in other scripts with their respective keys, certs and targets:

    var Gateway = new ActiveXObject("Chilkat.Http");
    Gateway.UnlockComponent("redacted");
    // Load the combined key + cert PEM as the client certificate (empty passphrase)
    var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
    Gateway.ConnectTimeout = 10;
    Gateway.ReadTimeout = 10;

However, in this instance not only is pemSuccess returning 0, but I notice that changing this line or removing it entirely does not change the error, suggesting it's breaking before this point?

Unfortunately my knowledge at this level of the process is limited and I'm not sure how to address the problem.

Some googling has led to Chilkat support pages suggesting updating the DLL and ensuring the .pem is using the correct key and cert, but these are both as they should be.

Edit 08/06/2015: Changing the format of the -----BEGIN CERTIFICATE----- header/footer to ——-BEGIN CERTIFICATE——- has allowed SetSslClientCertPem to return true, but otherwise no change to the LastErrorText...

Full LastErrorText:

    SynchronousRequest:
    DllDate: Dec 12 2012
    UnlockPrefix: [redacted]
    Username: [redacted]
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    domain: [redacted]
    port: 9000
    ssl: 1
    RequestData:
      HttpVersion: 1.1
      Verb: POST
      Path: [redacted]
      Charset: utf-8
      SendCharset: 0
          MimeHeader: SOAPAction:
          Content-Type: text/xml
    --RequestData
    ReadTimeout: 10
    ConnectTimeout: 10
    httpConnect:
      hostname: [redacted]
      port: 9000
      ssl: 1
      Need to establish connection to the HTTP server...
      ConnectTimeoutMs_1: 10000
      calling ConnectSocket2
      IPV6 enabled connect with NO heartbeat.
      connectingTo: [redacted]
      resolveHostname1:
        dnsCacheLookup: [redacted]
        dnsCacheHit: [redacted]
      --resolveHostname1
      GetHostByNameHB_ipv4: Elapsed time: 0 millisec
      myIP_1: [redacted]
      myPort_1: [redacted]
      connect successful (1)
      clientHelloMajorMinorVersion: 3.1
      buildClientHello:
        majorVersion: 3
        minorVersion: 1
        numRandomBytes: 32
        sessionIdSize: 0
        numCipherSuites: 10
        numCompressionMethods: 1
      --buildClientHello
      readIncomingTls_serverHello:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: ServerHello
            handshakeMessageLen: 0x46
            processHandshakeMessage:
              MessageType: ServerHello
              Processing ServerHello...
              ServerHello:
                MajorVersion: 3
                MinorVersion: 1
                SessionIdLen: 32
                CipherSuite: RSA_WITH_AES_256_CBC_SHA
                CipherSuite: 00,35
                CompressionMethod: 0
                Queueing ServerHello message.
                ServerHello is OK.
              --ServerHello
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_serverHello
      HandshakeQueue:
        MessageType: ServerHello
      --HandshakeQueue
      Dequeued ServerHello message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: Certificate
            handshakeMessageLen: 0xf13
            processHandshakeMessage:
              MessageType: Certificate
              ProcessCertificates:
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                Certificate:
                  [cert info]
                --Certificate
                NumCertificates: 3
                Queueing Certificates message...
              --ProcessCertificates
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued Certificate message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: CertificateRequest
            handshakeMessageLen: 0x6
            processHandshakeMessage:
              MessageType: CertificateRequest
              CertificateRequest:
                NumCertificateTypes: 3
                Certificate Type: RSA Sign
                Certificate Type: DSS Sign
                OtherCertificateType: 64
                totalLen: 0
                NumDistinguishedNames: 0
                CertificateRequest message is OK.
                Queueing CertificateRequest message.
              --CertificateRequest
            --processHandshakeMessage
            handshakeMessageType: ServerHelloDone
            handshakeMessageLen: 0x0
            processHandshakeMessage:
              MessageType: ServerHelloDone
              Queueing HelloDone message.
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued CertificateRequest message.
      DequeuedMessageType: ServerHelloDone
      OK to ServerHelloDone!
      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
        CertificateSize: 0x3
      --CertificatesMessage
      Encrypted pre-master secret with server certificate RSA public key is OK.
      Sending ClientKeyExchange...
      Sent ClientKeyExchange message.
      Sending ChangeCipherSpec...
      Sent ChangeCipherSpec message.
      Derived keys.
      Installed new outgoing security params.
      Sending FINISHED message..
      algorithm: aes
      keyLength: 256
      Sent FINISHED message..
      readIncomingTls_changeCipherSpec2:
        processTlsRecord:
          processAlert:
            TlsAlert:
              level: fatal
              descrip: handshake failure
            --TlsAlert
          --processAlert
        --processTlsRecord
      --readIncomingTls_changeCipherSpec2
      Failed to read incoming handshake messages. (3)
      Client handshake failed. (3)
      Failed to connect.
    --httpConnect
    connectTime1: Elapsed time: 47 millisec
    totalTime: Elapsed time: 47 millisec
    Failed.
  --SynchronousRequest
    --ChilkatLog

Answer (accepted) by Gavin:

So it turns out that despite the sender insisting several times that the certificate was correct, and despite them insisting (when asked) that the email encoding had not stripped any characters, it turns out the certificate was incorrect and the email encoding had stripped some characters from the body text.

Beware lines starting with + characters.
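A defender-side pre-flight check for the failure described in this thread, added here as an example (not code from the question, the answer, or Chilkat): it verifies the PEM armor dashes, the 64-character base64 body lines and the length declared by the outer DER SEQUENCE, so a certificate whose lines were stripped by an e-mail client is rejected before any handshake is attempted. The helper names (`check_pem`, `der_declared_length`, `make_sample`) are hypothetical, and the sample PEM is constructed from a fake DER SEQUENCE rather than a real certificate.

```python
import base64
import binascii
import re

# Matches a properly armored PEM block; mangled dashes in the header/footer will not match.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_declared_length(der: bytes) -> int:
    """Total byte length that the outer DER SEQUENCE header claims for the object."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text: str) -> list:
    """Return a list of problems found; an empty list means the PEM body looks intact."""
    m = PEM_RE.search(text)
    if not m:
        return ["no matching BEGIN/END armor (check the dashes in the header/footer)"]
    label, body = m.group(1), m.group(2)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    # Every body line except the last is 64 chars in a normal PEM; a stripped '+' shows up here.
    problems = [f"{label} body line {i + 1} is {len(ln)} chars, expected 64"
                for i, ln in enumerate(lines[:-1]) if len(ln) != 64]
    try:
        der = base64.b64decode("".join(lines), validate=True)
        want = der_declared_length(der)
    except (binascii.Error, ValueError) as e:
        return problems + [f"body does not decode cleanly: {e}"]
    # A whole dropped line still decodes as valid base64; the DER length catches it.
    if want != len(der):
        problems.append(f"DER header declares {want} bytes but body decodes to {len(der)}")
    return problems

def make_sample() -> tuple:
    """Constructed sample: a fake DER SEQUENCE wrapped as PEM, not a real certificate."""
    payload = bytes(range(256)) * 2                        # 512 bytes of filler
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armor = lambda ls: "-----BEGIN CERTIFICATE-----\n" + "\n".join(ls) + "\n-----END CERTIFICATE-----\n"
    # Simulate a mail client silently dropping one body line in transit.
    return armor(lines), armor(lines[:3] + lines[4:])
```

Run `check_pem` over the PEM before handing it to `SetSslClientCertPem`; a non-empty result means the file should be re-obtained over a channel that does not rewrite line bodies.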