We need to make connect to a server using mutual SSL but for some reason we're getting the following error when trying to make a request:
[...]
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
[...]
The private key and CSR was raised by us and the cert returned to us by the folks we're connecting to.
Combining the key and the cert into a pem file and adding to the request like so works without issue in other scripts with their respective keys certs and targets:
var Gateway = new ActiveXObject("Chilkat.Http");
Gateway.UnlockComponent("redacted");
var pemSuccess = Gateway.SetSslClientCertPem(Server.MapPath(certPath), "");
Gateway.ConnectTimeout = 10;
Gateway.ReadTimeout = 10;
However in this instance not only is pemSuccess returning 0 but I notice that changing this or removing the line entirely does not change the error, suggesting it's breaking before this point?
Unfortunately my knowledge at this level of the process is limited and I'm not sure how to address the problem.
Some googling has led to chilkat support pages suggesting updating the DLL and ensuring the .pem is using the correct key and cert but these are both as they should be.
Edit 08/06/2015: Changing the format of the -----BEGIN CERTIFICATE----- header/footer to ——-BEGIN CERTIFICATE——- has allowed SetSslClientCertPem to return true, but otherwise no change to the LastErrorText...
Full LastErrorText:
SynchronousRequest:
DllDate: Dec 12 2012
UnlockPrefix: [redacted]
Username: [redacted]
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
domain: [redacted]
port: 9000
ssl: 1
RequestData:
HttpVersion: 1.1
Verb: POST
Path: [redacted]
Charset: utf-8
SendCharset: 0
MimeHeader: SOAPAction:
Content-Type: text/xml
--RequestData
ReadTimeout: 10
ConnectTimeout: 10
httpConnect:
hostname: [redacted]
port: 9000
ssl: 1
Need to establish connection to the HTTP server...
ConnectTimeoutMs_1: 10000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: [redacted]
resolveHostname1:
dnsCacheLookup: [redacted]
dnsCacheHit: [redacted]
--resolveHostname1
GetHostByNameHB_ipv4: Elapsed time: 0 millisec
myIP_1: [redacted]
myPort_1: [redacted]
connect successful (1)
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 10
numCompressionMethods: 1
--buildClientHello
readIncomingTls_serverHello:
processTlsRecord:
processHandshake:
handshakeMessageType: ServerHello
handshakeMessageLen: 0x46
processHandshakeMessage:
MessageType: ServerHello
Processing ServerHello...
ServerHello:
MajorVersion: 3
MinorVersion: 1
SessionIdLen: 32
CipherSuite: RSA_WITH_AES_256_CBC_SHA
CipherSuite: 00,35
CompressionMethod: 0
Queueing ServerHello message.
ServerHello is OK.
--ServerHello
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_serverHello
HandshakeQueue:
MessageType: ServerHello
--HandshakeQueue
Dequeued ServerHello message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: Certificate
handshakeMessageLen: 0xf13
processHandshakeMessage:
MessageType: Certificate
ProcessCertificates:
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
Certificate:
[cert info]
--Certificate
NumCertificates: 3
Queueing Certificates message...
--ProcessCertificates
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued Certificate message.
readIncomingTls_6:
processTlsRecord:
processHandshake:
handshakeMessageType: CertificateRequest
handshakeMessageLen: 0x6
processHandshakeMessage:
MessageType: CertificateRequest
CertificateRequest:
NumCertificateTypes: 3
Certificate Type: RSA Sign
Certificate Type: DSS Sign
OtherCertificateType: 64
totalLen: 0
NumDistinguishedNames: 0
CertificateRequest message is OK.
Queueing CertificateRequest message.
--CertificateRequest
--processHandshakeMessage
handshakeMessageType: ServerHelloDone
handshakeMessageLen: 0x0
processHandshakeMessage:
MessageType: ServerHelloDone
Queueing HelloDone message.
--processHandshakeMessage
--processHandshake
--processTlsRecord
--readIncomingTls_6
Dequeued CertificateRequest message.
DequeuedMessageType: ServerHelloDone
OK to ServerHelloDone!
Sending 0-length certificate (this is normal).
CertificatesMessage:
numCerts: 0
CertificateSize: 0x3
--CertificatesMessage
Encrypted pre-master secret with server certificate RSA public key is OK.
Sending ClientKeyExchange...
Sent ClientKeyExchange message.
Sending ChangeCipherSpec...
Sent ChangeCipherSpec message.
Derived keys.
Installed new outgoing security params.
Sending FINISHED message..
algorithm: aes
keyLength: 256
Sent FINISHED message..
readIncomingTls_changeCipherSpec2:
processTlsRecord:
processAlert:
TlsAlert:
level: fatal
descrip: handshake failure
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingTls_changeCipherSpec2
Failed to read incoming handshake messages. (3)
Client handshake failed. (3)
Failed to connect.
--httpConnect
connectTime1: Elapsed time: 47 millisec
totalTime: Elapsed time: 47 millisec
Failed.
--SynchronousRequest
--ChilkatLog
So it turns out that despite the sender insisting several times that the certificate was correct, and despite them insisting (when asked) that the email encoding had not stripped any characters, it turns out the certificate was incorrect and the email encoding had stripped some characters from the body text.
Beware lines starting with + characters.