Thomas RIVANO

SSL Hand shake Error on TSslHttpRest


With ICS 8.61, I'm trying to connect to a French REST API called "Chorus PRO" (https://chorus-pro.gouv.fr:5443), with:

- HTTP Rest Demo sample

- TLS1.2

- Auth : Basic with login/password

- client p12 certificate.

When I try to connect, I get this error (end of log output):

ProtoMsg: None, State: SSLv3/TLS write finished, Send, DataLen: 5, Data= 1603030040
ProtoMsg: TLS 1.2 Handshake: Finished, State: SSLv3/TLS write finished, Send, DataLen: 16, Data= 1400000C8754B071224385E797740416
01F41D90 ICB> SSL_connect: SSLv3/TLS write finished
01F41D90 TCustomSslWSocket.Do_FD_CLOSE error #10053 handle=1008
01F41D90 *CloseCalled handle=1008, State=SSLv3/TLS write finished (TLS_ST_CW_Finished), Err=error:00000000:lib(0):func(0):reason(0)
01F41D90 SslHandshakeDone(1) Handle=1008. Failed TLS protocol negotiation: SSLv3/TLS write finished, session reused=False
chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
01F41D90 FCloseInvoked=0 handle=1008, State=SSLv3/TLS write finished
SessionClosed Error: 10053
Connection closed
01F41D90 ResetSslSession handle=1008
State = httpReady
Request failed: 404 chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
Request failed, error #10053. Status = 404 - chorus-pro.gouv.fr SSL Handshake Failed: Failed TLS protocol negotiation: SSLv3/TLS write finished
RequestDone

I've tried many different options with no result.

Can somebody help me?

Thanks.

I cannot reach https://chorus-pro.gouv.fr:5443/ with any of the four browsers on my PC either, so it is not really surprising that ICS cannot reach it; a badly configured site.

Perhaps it only supports an ancient SSL version no longer supported by anyone? The certificate is issued by someone that is not a trusted CA, but that is not the main issue. Their main site is fine, but it uses a different SSL certificate to the site on port 5443.

Although ICS provides what looks like detailed SSL debug logging, this is virtually useless for SSL protocol investigations since none of the protocol packets are decoded. Wireshark does such decoding, but I really would not waste your time; just ask the web company what TLS protocols they support and which browsers.

Angus


Thanks.

They use TLS1.2.

I've found a partial solution.

I've added, to my root certificates PEM file, the Chorus server-side certificates (AIFE certificates).

It's not an optimal solution, because I must update this file every 2 years. If I use SoapUI to communicate with ChorusPro, I only need my certificate. So I will try later to find a solution to do the same with ICS.

The Chorus certificate is an intermediate; it should be signed by a CA. The main chorus-pro.gouv.fr intermediate is signed by Certigna Services CA, which is in the ICS trusted bundle RootCaCertsBundle.pem.

But the failure of all the browsers and ICS to connect is not a certificate issue; it is never sent, it failed before that. Perhaps using SHA1 ciphers or something else outdated.

Angus
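A general note on the shape of the log in the first post, as an added illustration rather than a diagnosis of the Chorus PRO site: in TLS 1.2 the client's Certificate, CertificateVerify, ChangeCipherSpec and Finished leave in one flight, so a server that rejects something in that flight (for example a client certificate it does not trust) can only abort afterwards, and the client then sees "write finished" followed by a socket error such as 10053. The Go program below is an added example, not ICS, OpenSSL or Chorus PRO code; it assumes Go's crypto/tls in place of OpenSSL, mints throw-away self-signed certificates in memory, and runs a TLS 1.2 mutual-auth handshake over loopback once with a trusted and once with an untrusted client certificate, returning the error the client sees.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throw-away self-signed cert in memory (constructed for this demo),
// usable both as a trust anchor and as a server or client leaf for 127.0.0.1.
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS 1.2 mutual-auth handshake over loopback: the server accepts only
// client certs anchored at trustedClient, the client presents clientCert; returns the client-side error.
func handshake(serverCert, clientCert, trustedClient tls.Certificate) error {
	clientCAs, roots := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(trustedClient.Leaf); roots.AddCert(serverCert.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs,
		ClientAuth:   tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	})
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: verify the client's flight, then complete the handshake or abort
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: roots})
	if err != nil { return err } // reported only after the client has already sent its Finished
	return conn.Close()
}
```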
