
When I try to perform a TlsRenegotiate, it always fails with this error:

ChilkatLog:
  TlsRenegotiate:
    ChilkatVersion: 9.5.0.56
    socket2_tlsRenegotiate:
      clientRenegotiate:
        clientHandshake:
          clientHandshake2:
            readHandshakeMessages:
              processAlert:
                TlsAlert:
                  level: fatal
                  descrip: internal error
                --TlsAlert
                Closing connection in response to fatal SSL/TLS alert.
              --processAlert
              Aborting handshake because of fatal alert.
            --readHandshakeMessages
          --clientHandshake2
        --clientHandshake
      --clientRenegotiate
    --socket2_tlsRenegotiate
    Failed.
  --TlsRenegotiate
--ChilkatLog
Any idea why this is happening?

asked May 11 at 15:30

dutchguy

edited May 12 at 17:36

chilkat ♦♦


The problem is fixed: It should now be possible to initiate the TlsRenegotiate from both sides: client or server.

Here's the new build:
32-bit Download: http://www.chilkatsoft.com/download/preRelease/ChilkatDotNet4-9.5.0-win32.zip
64-bit Download: http://www.chilkatsoft.com/download/preRelease/ChilkatDotNet4-9.5.0-x64.zip


answered May 13 at 10:36

chilkat ♦♦

Thanks. I don't know why it's happening, but I can describe in a little more detail. The "internal error" is a message sent from the server to Chilkat. You called TlsRenegotiate, and Chilkat sends the TLS protocol message to begin renegotiation. The server then responded with a TLS alert with the message "internal error". My guess is that the server implementation had just that -- an internal implementation error. In other words, it's likely some sort of internal assertion failed and the "internal error" was the action taken. (By the way.. TLS servers can, and should, sometimes send error messages that cloud the real reason for failure, and this is for security purposes. But I don't recall anything from the TLS protocol specs about sending an "internal error" in lieu of something else..)

When I have a chance, I'll give the TlsRenegotiate a test. It should already be in the QA test suite, so a new release can't go out without passing it..


answered May 11 at 17:24

chilkat ♦♦

Ok, maybe to give you some extra info: I am using the Chilkat library on both sides (a connection between a master and a slave). Both connect correctly using TLS, but when I try to renegotiate from the slave (receiving side, which waits for a connection), I get this error.

Does it matter on which socket I do the renegotiate? I have a base socket on which the connection is made and 2 cloned read and write sockets. I guess I have to do it on the base socket?

(May 12 at 03:06) dutchguy

So far everything is working in my testing. Can you get a LastErrorText using verbose logging from the server side? At some point, it must fail on some call because of the renegotiate.

Also, please provide the full verbose LastErrorText. I would've uploaded a new build for you to test, but I cannot see what programming language / operating system / etc. you're using, so I don't know which build you need.

(May 12 at 17:38) chilkat ♦♦

I will get the LastErrorText from the server too. What do you mean by the "full verbose LastErrorText"? I just copied the complete string?

I am using Windows as OS, C# as language and .NET 4.0.

(May 13 at 03:12) dutchguy

Oh, already solved the full verbose problem: I can set VerboseLogging to true...

(May 13 at 04:07) dutchguy

Thanks! I tested by initiating the renegotiate from the client side. As far as I know, the renegotiate can be initiated by either side at any time. I'll test by initiating from the server-side.

Here's a snippet of my C++ code I used for testing:

Client Side

    // sock is a CkSocket; QA_ACCEPT_PORT and QA_FAILED_LASTERR are macros from the QA harness.
    // Connect with TLS (third argument) and a 1000 ms timeout.
    success = sock.Connect("localhost", QA_ACCEPT_PORT, true, 1000);
    if (!success) QA_FAILED_LASTERR(sock);
    printf("Client connected.\n");

    // Send something..
    success = sock.SendString("Hello 1");
    if (!success) QA_FAILED_LASTERR(sock);

    // Now renegotiate.
    success = sock.TlsRenegotiate();
    if (!success) QA_FAILED_LASTERR(sock);

    // Now send something else.
    success = sock.SendString("Hello 2");
    if (!success) QA_FAILED_LASTERR(sock);

    // Read the final response.
    CkString s;
    success = sock.ReceiveUntilMatch("1", s);
    if (!success) QA_FAILED_LASTERR(sock);

    printf("Received %s\n", s.getString());

Server Side

    // Accept a single client connection and establish the secure SSL/TLS channel:
    CkSocket *clientSock = 0;
    int maxWaitMillisec = 5000;
    clientSock = listenSslSocket.AcceptNextConnection(maxWaitMillisec);
    if (clientSock == 0) {
        printf("AcceptFailReason: %d\n", listenSslSocket.get_AcceptFailReason());
        std::cout << listenSslSocket.lastErrorText() << "\r\n";
        return;
    }

    printf("accepted client sock TLS version: %s\n", clientSock->tlsVersion());
    printf("accepted client sock TLS cipherSuite: %s\n", clientSock->tlsCipherSuite());

    printf("listen sock TLS version: %s\n", listenSslSocket.tlsVersion());
    printf("listen sock TLS cipherSuite: %s\n", listenSslSocket.tlsCipherSuite());

    printf("Client connection accepted.\n");

    if (testNum == TLS_TEST_RENEGOTIATE)
    {
        CkString s;
        success = clientSock->ReceiveUntilMatch("1", s);
        if (!success)
        {
            std::cout << clientSock->lastErrorText() << "\r\n";
            delete clientSock;
            return;
        }
        printf("Server received %s\n", s.getString());

        // The client's TlsRenegotiate arrives between "Hello 1" and "Hello 2";
        // this ReceiveUntilMatch handles the renegotiation internally.
        s.clear();
        success = clientSock->ReceiveUntilMatch("2", s);
        if (!success)
        {
            std::cout << clientSock->lastErrorText() << "\r\n";
            delete clientSock;
            return;
        }
        printf("Server received %s\n", s.getString());

        success = clientSock->SendString("Hello my client 1");
        if (!success)
        {
            std::cout << clientSock->lastErrorText() << "\r\n";
            delete clientSock;
            return;
        }
        printf("Server sent msg\n");
    }

    delete clientSock;

answered May 13 at 08:35

chilkat ♦♦

edited May 13 at 08:37

To clarify: To renegotiate the TLS connection, one side calls TlsRenegotiate. The other side automatically handles it within the communications. In the example above, the client calls TlsRenegotiate after sending "Hello 1". On the server side, the 2nd call to ReceiveUntilMatch will (internally) receive the renegotiate and automatically handle it. Your application code never has to worry about explicitly handling an incoming renegotiate -- it's just part of the TLS protocol..


answered May 13 at 09:03

chilkat ♦♦

edited May 13 at 09:04
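The two answers above describe what the log shows (the server's fatal "internal error" alert) and how a renegotiation is handled: one side calls TlsRenegotiate and the peer consumes the handshake inside its ordinary reads, so ReceiveUntilMatch never surfaces it. The following C++ is an added illustration written for this page, not Chilkat code: a minimal TLS record-layer reader over constructed plaintext records. It hands application data to the caller, consumes handshake records (where a real stack would run the renegotiation), and interprets alerts: a fatal alert such as internal_error(80) closes the connection, while the warning-level no_renegotiation(100) alert a peer sends when it declines to renegotiate (RFC 5246, section 7.2.2) leaves the session open. The record bytes, the TLS 1.2 version field and the message contents are all constructed for the example; real post-handshake records are encrypted and would be decrypted before reaching this logic.

```cpp
// Added example written for this page (not Chilkat code); records are constructed plaintext.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

enum ContentType : uint8_t { kAlert = 21, kHandshake = 22, kApplicationData = 23 }; // RFC 5246 6.2.1

struct ReadResult {
    std::string appData;               // bytes handed to the application
    int handshakeRecords = 0;          // handshake records consumed without involving the app
    std::vector<std::string> warnings; // warning alerts that left the connection open
    bool closed = false;               // set by a fatal alert or close_notify
    std::string closeReason;           // e.g. "fatal internal_error"
    std::string error;                 // non-empty if the stream itself is malformed
};

static const std::map<uint8_t, std::string>& alertNames() { // RFC 5246 section 7.2.2 (subset)
    static const std::map<uint8_t, std::string> names = {
        {0, "close_notify"}, {10, "unexpected_message"}, {20, "bad_record_mac"},
        {40, "handshake_failure"}, {42, "bad_certificate"}, {50, "decode_error"},
        {70, "protocol_version"}, {80, "internal_error"}, {100, "no_renegotiation"}};
    return names;
}

// Walk a stream of plaintext records (a real stack decrypts each record first): application data
// goes to the caller, handshake records are consumed here, alerts are interpreted. A fatal alert
// or close_notify ends the connection; other warning alerts do not.
ReadResult readRecords(const std::vector<uint8_t>& stream) {
    ReadResult r;
    size_t pos = 0;
    while (pos < stream.size() && !r.closed) {
        if (stream.size() - pos < 5) { r.error = "truncated record header"; return r; }
        uint8_t type = stream[pos];
        size_t len = (size_t(stream[pos + 3]) << 8) | stream[pos + 4];
        if (len > 16384) { r.error = "record longer than 2^14 bytes"; return r; }
        if (stream.size() - pos - 5 < len) { r.error = "truncated record body"; return r; }
        const uint8_t* body = stream.data() + pos + 5;
        pos += 5 + len;
        switch (type) {
        case kApplicationData:
            r.appData.append(reinterpret_cast<const char*>(body), len);
            break;
        case kHandshake:
            // e.g. a HelloRequest (server asks the client to renegotiate) or a ClientHello
            // (client initiates); the application never sees these, only the record layer does.
            r.handshakeRecords++;
            break;
        case kAlert: {
            if (len != 2) { r.error = "alert body must be 2 bytes"; return r; }
            uint8_t level = body[0], desc = body[1];
            auto it = alertNames().find(desc);
            std::string name = it != alertNames().end() ? it->second : "unknown(" + std::to_string(desc) + ")";
            if (level == 2 || desc == 0) {           // fatal alerts and close_notify end the connection
                r.closed = true;
                r.closeReason = std::string(level == 2 ? "fatal " : "warning ") + name;
            } else if (level == 1) {
                r.warnings.push_back(name);          // e.g. no_renegotiation: peer declined, session goes on
            } else {
                r.error = "invalid alert level " + std::to_string(level); return r;
            }
            break;
        }
        default:
            r.error = "unexpected content type " + std::to_string(type); return r;
        }
    }
    return r;
}

// Wrap `body` in a TLS 1.2 (0x0303) record header and append it to the stream.
static void addRecord(std::vector<uint8_t>& s, uint8_t type, const std::string& body) {
    s.insert(s.end(), {type, 0x03, 0x03, uint8_t(body.size() >> 8), uint8_t(body.size() & 0xff)});
    s.insert(s.end(), body.begin(), body.end());
}

// Constructed stream mirroring the thread: "Hello 1", a HelloRequest the application never
// sees, "Hello 2", then the fatal internal_error(80) alert from the log.
std::vector<uint8_t> sampleFatalStream() {
    std::vector<uint8_t> s;
    addRecord(s, kApplicationData, "Hello 1");
    addRecord(s, kHandshake, std::string(4, '\0'));    // HelloRequest: msg_type 0, length 0
    addRecord(s, kApplicationData, "Hello 2");
    addRecord(s, kAlert, std::string{'\x02', '\x50'}); // fatal(2), internal_error(80)
    return s;
}

// Constructed stream where the peer declines with a warning-level no_renegotiation(100) alert.
std::vector<uint8_t> sampleDeclinedStream() {
    std::vector<uint8_t> s;
    addRecord(s, kApplicationData, "Hello 1");
    addRecord(s, kAlert, std::string{'\x01', '\x64'}); // warning(1), no_renegotiation(100)
    addRecord(s, kApplicationData, "Hello 2");
    return s;
}

int main() {
    ReadResult a = readRecords(sampleFatalStream()), b = readRecords(sampleDeclinedStream());
    printf("fatal: app=\"%s\" handshakes=%d closed=%d (%s)\n", a.appData.c_str(), a.handshakeRecords, a.closed, a.closeReason.c_str());
    printf("declined: app=\"%s\" warnings=%zu closed=%d\n", b.appData.c_str(), b.warnings.size(), b.closed);
}
```

Run against the first stream, both "Hello 1" and "Hello 2" reach the application and the handshake record in between is swallowed, which is what the server-side ReceiveUntilMatch("2") in the answer above does; the fatal alert then closes the connection with reason "fatal internal_error". The second stream shows the non-fatal path: a no_renegotiation warning is recorded and application data keeps flowing.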

After some investigation, it seemed renegotiation was only working from the client side to the server side, but not the other way around. Thanks to a quick fix, I now have a version which works from both sides.


answered May 17 at 06:28

dutchguy

edited May 17 at 06:28

Asked: May 11 at 15:30

Seen: 391 times

Last updated: May 17 at 06:28

powered by OSQA