| Author | Forum: PowerTCP Sockets for .NET (Secure and Standard) Topic: Getting a little more info to debug? |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 2, 2004 7:35 PM Here's the issue: I'm trying to connect to a remote machine. I have all tracing blown wide open. What I see is that once the connection is made, I get some spew (seen via raw trace) from them that appears to be a certificate. Then the "Certificate Requested" event fires, as the remote is asking for our client cert. Then I see my cert going over to them (via raw trace). Afterwards, the "connection changed" event fires telling me I'm not connected. Finally, "EndConnect" fires with an exception telling me, "Connection terminated by server during SSL handshake." 1. Shouldn't I get a "Certificate Received" event at some point? 2. What can I take away from this? That the remote is hanging up on me? If so, is there any way I can figure out why? Must I presume that they're not liking my client cert for some reason? 3. What's really frustrating is that this works fine with OpenSSL, and I can't figure out what's different using Dart. Any suggestions? |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted February 2, 2004 7:59 PM Yes, it sounds like the remote host is hanging up for some reason. What that reason is I would not be able to tell. Hopefully you can provide us the address of a machine on the Internet that has this problem. If you don't want to post it here, send it to support@dart.com |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 2, 2004 8:00 PM I'll get the okay and email it to you tomorrow morning. What you're saying, though, is that the order that I'm seeing the events is correct? I won't see a Certificate Received first? |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted February 2, 2004 8:03 PM I would think you would. I don't have the source code in front of me now so I can't say for sure. That's why I want the address of your server. So I can check into it further. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 3, 2004 3:15 PM Tony, it'll be tomorrow. I'm pushing the envelope to get to my home machine here and tell you that today's a sick day for me :-) Ouch. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 9, 2004 4:03 PM I'm still trying to get permission to allow an outside connection to the machine (it's firewalled such that only specific IP blocks can connect). Paranoia at its finest. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 16, 2004 7:56 PM Paranoia wins. Can't get you a connection. So I'm putting the burden on them to explain why they're hanging up on me. Stay tuned, this should be good. |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted February 16, 2004 10:54 PM If you feel like having a little fun, tell them never mind, you gave the guy from Dart the IP and he hacked his way in in two minutes. :>) |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 17, 2004 12:07 PM Oh, I respect a man who thinks like me :-) |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 17, 2004 1:54 PM Okay, here's their reply. I have the Verisign Root Certificate that they're talking about. When they request our client cert, they get it, as I set it in the CertificateRequested() event method. It sounds like they're saying that I need to be sending TWO certs?! When I look in the certificate MMC snap-in, I check the "Certification Path" tab, and I see the Verisign Root Certificate as the parent to my client cert (those are the only 2 certs in the path). Is that being automatically sent by Dart, or is there something else I need to do? This is frustrating, since we can connect to this site using OpenSSL. And it's doubly frustrating, as we connect to other hosts using this very same client cert with no problem. It's just this one host that's causing us problems. Here's their reply: We have verified that you are using a Verisign RSA X.509 Server Certificate which you have also confirmed. I have attached the appropriate Verisign Root Certificate that the .NET library must also send in the certificate chain. Please confirm if it is also being passed. |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted February 17, 2004 2:53 PM Chris, I found another issue (#1881) that sounds a lot like this one. It was never resolved because the customer was not able to get us access to the system (sound familiar?). By the way, it looks like the customer's email address is in the same domain as yours, so it's probably the exact same issue. Unfortunately this means that we still need access. Can you get them to put up a server that they don't care about that does the same kind of authorization? Or can you get them to tell you how to set one up? |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 17, 2004 2:59 PM Yeah, that would be Scott - he wasn't able to figure it out, so I get it :-) Let me contact them and see about getting access. Can you email me an IP address that you'd be coming in from? I'll ask them to give you permission to connect from that IP, and strongly suggest that it's the only way we're going to ID the problem. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 20, 2004 6:30 PM The owner of the server says that it's for certain: Dart is not sending the entire certificate chain, just the client cert itself. It needs to send the client cert as well as the cert above it, otherwise the connection will be refused. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 20, 2004 6:30 PM PS: We tried connecting with the same certs using OpenSSL and it works fine. |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted February 20, 2004 7:14 PM We already know this. We don't send the entire cert chain because we use the Microsoft CryptoAPI. We're trying to find out if we can even do it. The issue is scheduled to be addressed next week. |
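
Whether the client's Certificate message carries one certificate or the full chain can be read directly from the client's raw trace. The following is an added example, not part of any post in this thread and not Dart or OpenSSL code; it assumes the bytes passed in are the client's outgoing SSL 3.0/TLS 1.0-1.2 records from the flight that answers the certificate request, and the sample blobs are constructed placeholders rather than real certificates.

```python
import hashlib
import struct
HANDSHAKE, CHANGE_CIPHER_SPEC, CERTIFICATE = 22, 20, 11

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def handshake_stream(trace):
    """Join plaintext handshake record payloads; stop at ChangeCipherSpec."""
    out, off = b"", 0
    while off + 5 <= len(trace):
        rtype, _version, rlen = struct.unpack_from("!BHH", trace, off)
        if rtype == CHANGE_CIPHER_SPEC:
            break  # records after this point are encrypted
        if rtype == HANDSHAKE:
            out += trace[off + 5:off + 5 + rlen]
        off += 5 + rlen
    return out

def sent_certificates(trace):
    """Return (DER length, SHA-1 thumbprint) per cert in the Certificate message."""
    hs, off = handshake_stream(trace), 0
    while off + 4 <= len(hs):
        mtype, mlen = hs[off], u24(hs, off + 1)
        body = hs[off + 4:off + 4 + mlen]
        if mtype == CERTIFICATE:
            if len(body) < 3 or u24(body, 0) != len(body) - 3:
                raise ValueError("truncated or malformed Certificate message")
            certs, pos = [], 3
            while pos + 3 <= len(body):
                der = body[pos + 3:pos + 3 + u24(body, pos)]
                if len(der) != u24(body, pos):
                    raise ValueError("certificate entry overruns the message")
                certs.append((len(der), hashlib.sha1(der).hexdigest().upper()))
                pos += 3 + len(der)
            return certs
        off += 4 + mlen
    return []  # no Certificate message in the plaintext handshake

def record(payload, rtype=HANDSHAKE):
    return struct.pack("!BHH", rtype, 0x0301, len(payload)) + payload

def certificate_msg(ders):
    entries = b"".join(len(d).to_bytes(3, "big") + d for d in ders)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body
# Constructed placeholder blobs standing in for DER certificates (not real certs).
LEAF, ISSUER = b"\x30\x82" + b"L" * 40, b"\x30\x82" + b"I" * 60
LEAF_ONLY = record(certificate_msg([LEAF]))            # client cert alone
FULL_CHAIN = record(certificate_msg([LEAF, ISSUER]))   # client cert plus the cert above it
```

One entry in the result means only the client cert went out; the thumbprints can be compared with those shown for each certificate in the certificate MMC snap-in.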
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted February 20, 2004 7:23 PM Okay, let me know what you guys come up with. Thanks for looking into it, it's appreciated! |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted March 4, 2004 4:40 PM Any resolution, Tony? |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted March 4, 2004 4:59 PM No. We're still waiting for someone from your end to give us an example of a CryptoAPI based solution that works with that server. At this point we can't move forward until that occurs. |
| cambler From: Redmond, WA USA Posts: 102 Member Since: 04/14/03 |
posted March 4, 2004 5:01 PM Um, Tony? Your note, above (dated 20 February) said, "We already know this. We don't send the entire cert chain because we use the Microsoft CryptoAPI. We're trying to find out if we can even do it. The issue is scheduled to be addressed next week." That indicates to me that you were going to address it the next week and see if you can even do it. We don't have a CryptoAPI codebase to do this because we use Dart! If we wanted to code against CryptoAPI, we wouldn't have bought your product. |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted March 4, 2004 5:06 PM We seem to be dealing with this issue in two places. Here and via email. Please use email from this point on. I will respond via email now. |
| Scott Roberts From: Oklahoma City, OK USA Posts: 2 Member Since: 03/22/05 |
posted March 22, 2005 6:52 PM Unfortunate that you took it to email. Was the issue ever resolved? It sounds very similar to what I'm experiencing. Oh yeah, I can't give you access to the server I'm trying to connect to either. :-) |
Tony Priest From: Utica, NY USA Posts: 8466 Member Since: 04/11/00 |
posted March 22, 2005 7:18 PM Chris: If you have anything to add, please respond in the new thread that Scott created: http://support.dart.com/postings?topicid=5241 |