
Recently I've had two clients who bumped into this "issue". I have an Android app that is using the Chilkat libraries (specifically HTTP). The problem occurs when trying to verify the SSL Certificate chain of the client's server.

Chilkat code throws this error message: Invalid PKCS v1.5 PS separator

The server that I am trying to validate is: https://mail.e-know.net

I believe the problem is caused by the SSL Certificate chain of mail.e-know.net. When I run a test using an SSL checker (i.e. Digicert's tester: https://www.digicert.com/help/ ) it shows a warning that the certificate chain is being served out of order. I'm "guessing" (without being able to look at the Chilkat code of course) that since the certs are out of order Chilkat fails to decrypt / verify the digital signature, which results in the Invalid PKCS v1.5 PS separator error. If the certs were in the correct order it would work just fine (again, just my theory).

According to the document here, the standard is that certificates should be served in order. Failing to serve the certificate in order could break some applications (but most will handle it gracefully): https://community.qualys.com/docs/DOC-1931

Chrome, for example, still seems to find and verify the certificates just fine.

So my guess would be other applications are probably downloading the entire certificate chain, then putting them in order, then verifying them in order. Chilkat, perhaps, is just verifying in the order they come down... and choking when they are not in order.

I've already asked the client to raise the issue with his IT group. Unfortunately, my app is not used by a large number of people at his company so it has gotten a low priority since "other users who are using Chrome ... Outlook ... etc do not have the problem". So he is pretty stuck. It was working just fine for him when I was using HttpClient ... but since I've switched to Chilkat he can no longer use my app, unfortunately (unless I turn OFF certificate verification... which of course would be bad...).

I understand this is really a problem with the certificate order, and not Chilkat. However, it would be nice if Chilkat behavior was consistent with most apps and handled this scenario.

You should be able to easily recreate the issue using code like this:

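    String path = "https://mail.e-know.net";
    CkHttp http = getUnlockedHttp();
    // Build the GET request
    CkHttpRequest ckHttpRequest = new CkHttpRequest();
    ckHttpRequest.put_HttpVerb("GET");
    ckHttpRequest.put_Path(path);
    // Connect on port 443 with SSL/TLS enabled (third argument)
    CkHttpResponse ckHttpResponse = http.SynchronousRequest("mail.e-know.net", 443, true, ckHttpRequest);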

The code will throw the error: Invalid PKCS v1.5 PS separator

The expected result (to be consistent with other software) is for the certificate verification to pass.

Please let me know if you need any more information from me to recreate the issue. Also, whether or not this is something that can be fixed (or perhaps "enhanced") in an upcoming release of Chilkat.

Cheers,

  • Sean

asked Oct 22 '16 at 09:36

Sean_McKeon

edited Oct 22 '16 at 09:36
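
An added example, not part of the original post and not Chilkat's code: a sketch of the reordering step the question guesses other clients perform, rebuilding a leaf-first path from certificates served out of order. The `Cert` model and all names are constructed for illustration; it chains by issuer/subject name only, so signature and trust checks on the resulting path are assumed to follow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject: str
    issuer: str


def served_in_order(served):
    """True if every certificate is directly followed by its issuer."""
    return all(a.issuer == b.subject for a, b in zip(served, served[1:]))


def order_chain(served):
    """Rebuild a leaf-first path from a chain served in any order.

    The first certificate is taken as the server (leaf) certificate.
    Each step picks the served certificate whose subject matches the
    current certificate's issuer. The walk stops at a self-signed
    certificate, or when the issuer was not served and has to come
    from the local trust store.
    """
    if not served:
        raise ValueError("empty certificate list")
    leaf = served[0]
    pool = list(dict.fromkeys(served[1:]))  # drop exact duplicates
    path = [leaf]
    current = leaf
    while current.subject != current.issuer:
        issuer = next(
            (c for c in pool if c.subject == current.issuer and c not in path),
            None,  # 'not in path' also stops cross-signing loops
        )
        if issuer is None:
            break
        path.append(issuer)
        current = issuer
    return path


# Constructed sample: leaf first, then root and intermediate swapped.
LEAF = Cert("CN=mail.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SERVED = [LEAF, ROOT, INTERMEDIATE]
```

A validator that checks `SERVED` strictly in wire order would test the leaf's signature against the root's key and fail; checking `order_chain(SERVED)` instead pairs each certificate with its actual issuer.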


Thanks Sean,

I have a fix to automatically handle it. I assume this is C++? Which operating system, and if Windows, which version of VC++ do you need?


answered Oct 24 '16 at 12:40

chilkat ♦♦

Awesome, that was quick! I have been using the Java "Http" package. Looks like the "http" package is no longer available (as far as I can tell). So I would be looking to use the latest Android package.


answered Oct 24 '16 at 22:57

Sean_McKeon

Sorry, I mis-stated my last post. It looks like you do still have the HTTP package, which is great (I'm not sure how I missed that). So, to answer your question again (correctly this time!) the "Java Http Library" is what I would need. https://www.chilkatsoft.com/java-http.asp

Thanks again,

  • Sean

answered Oct 31 '16 at 10:46

Sean_McKeon

Hi Sean,

Sorry for the confusion. New Android release is available here: https://www.chilkatsoft.com/chilkatAndroid.asp

There is only a single download for Android (just like for all other Chilkat builds, whether it is a static lib, DLL, shared lib, etc.), and the single download contains all Chilkat classes.


answered Oct 31 '16 at 10:49

chilkat ♦♦
