Thomas RIVANO Posted February 3, 2020

With ICS 8.61, I'm trying to connect to a French REST API called "Chorus PRO" (https://chorus-pro.gouv.fr:5443), with:
- HTTP Rest Demo sample
- TLS1.2
- Auth: Basic with login/password
- client p12 certificate

When I try to connect, I have this error (end of log output):

ProtoMsg: None, State: SSLv3/TLS write finished, Send, DataLen: 5, Data= 1603030040
ProtoMsg: TLS 1.2 Handshake: Finished, State: SSLv3/TLS write finished, Send, DataLen: 16, Data= 1400000C8754B071224385E797740416
01F41D90 ICB> SSL_connect: SSLv3/TLS write finished
01F41D90 TCustomSslWSocket.Do_FD_CLOSE error #10053 handle=1008
01F41D90 *CloseCalled handle=1008, State=SSLv3/TLS write finished (TLS_ST_CW_Finished), Err=error:00000000:lib(0):func(0):reason(0)
01F41D90 SslHandshakeDone(1) Handle=1008. Failed TLS protocol negotiation: SSLv3/TLS write finished, session reused=False
chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
01F41D90 FCloseInvoked=0 handle=1008, State=SSLv3/TLS write finished
SessionClosed Error: 10053 Connection closed
01F41D90 ResetSslSession handle=1008 State = httpReady
Request failed: 404 chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
Request failed, error #10053. Status = 404 - chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
RequestDone

I've tried many different options with no result. Can somebody help me? Thanks.
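The two Data= hex strings in the log above are the last bytes ICS wrote before the peer reset the connection: a 5-byte TLS record header and the 16-byte plaintext of the client's Finished message. This decoder is an added example, not code from the thread or from ICS; the function and table names are its own, and the hex values are copied from the log. It also shows why the record body (64 bytes) is larger than the logged plaintext: after ChangeCipherSpec the Finished message is sent encrypted and MACed.

```python
"""Decode the TLS record header and handshake header printed by the ICS log."""
import struct

# Hex copied from the log lines "DataLen: 5" and "DataLen: 16" above.
RECORD_HDR_HEX = "1603030040"
FINISHED_HEX = "1400000C8754B071224385E797740416"

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}

def parse_record_header(hex_data: str) -> dict:
    """5-byte record header: content type (1), version (2), body length (2)."""
    raw = bytes.fromhex(hex_data)
    if len(raw) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, version, length = struct.unpack("!BHH", raw[:5])
    return {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get(version, f"unknown(0x{version:04x})"),
            "body_len": length}

def parse_handshake(hex_data: str) -> dict:
    """4-byte handshake header: message type (1), length (3), then the body."""
    raw = bytes.fromhex(hex_data)
    if len(raw) < 4:
        raise ValueError("handshake header needs 4 bytes")
    htype, length = raw[0], int.from_bytes(raw[1:4], "big")
    body = raw[4:4 + length]
    if len(body) != length:
        raise ValueError(f"truncated body: have {len(body)}, need {length}")
    return {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"),
            "length": length, "body_hex": body.hex()}

def explain(record_hex: str, handshake_hex: str) -> dict:
    """Pair the record with its plaintext; a body larger than 4 + length
    means the record went out encrypted (after ChangeCipherSpec)."""
    rec, hs = parse_record_header(record_hex), parse_handshake(handshake_hex)
    plaintext_len = 4 + hs["length"]
    return {"record": rec, "handshake": hs,
            "encrypted": rec["body_len"] > plaintext_len,
            "overhead": rec["body_len"] - plaintext_len}

if __name__ == "__main__":
    for key, value in explain(RECORD_HDR_HEX, FINISHED_HEX).items():
        print(f"{key}: {value}")
```

The decoded output confirms the client reached the TLS 1.2 Finished step, so the peer closed the TCP connection (error 10053) after receiving the client's last handshake flight rather than during version or cipher negotiation.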
Angus Robertson Posted February 3, 2020

I cannot reach https://chorus-pro.gouv.fr:5443/ with any of the four browsers on my PC either, so it is not really surprising that ICS cannot reach it; it is a badly configured site. Perhaps it only supports an ancient SSL version no longer supported by anyone? The certificate is issued by someone that is not a trusted CA, but that is not the main issue. Their main site is fine, but it uses a different SSL certificate to the site on port 5443.

Although ICS provides what looks like detailed SSL debug logging, this is virtually useless for SSL protocol investigations since none of the protocol packets are decoded. Wireshark does such decoding, but I really would not waste your time; just ask the web company what TLS protocols they support and which browsers.

Angus
Fr0sT.Brutal Posted February 4, 2020

Probably https://www.ssllabs.com/ssltest/analyze.html could help.
Angus Robertson Posted February 4, 2020

Ssllabs testing is wonderful, but only works on port 443.

Angus
Thomas RIVANO Posted February 6, 2020

Thanks. They use TLS1.2. I've found a partial solution. I've added the Chorus server-side certificates (AIFE certificates) to my root certificates PEM file. It's not an optimal solution, because I must update this file every 2 years. If I use SoapUI to communicate with ChorusPro, I only need my certificate. So I will try later to find a solution to do the same with ICS.
Angus Robertson Posted February 6, 2020

The chorus certificate is an intermediate; it should be signed by a CA. The main chorus-pro.gouv.fr intermediate is signed by Certigna Services CA, which is in the ICS trusted bundle RootCaCertsBundle.pem. But the failure of all the browsers and ICS to connect is not a certificate issue: it is never sent, it failed before that. Perhaps using SHA1 ciphers or something else outdated.

Angus