Archived Forum Post


Question:

Certificate order issue / enhancement

Oct 31 '16 at 10:49

Recently I've had two clients who bumped into this "issue". I have an Android app that is using the Chilkat libraries (specifically HTTP). The problem occurs when trying to verify the SSL Certificate chain of the client's server.

Chilkat code throws this error message: Invalid PKCS v1.5 PS separator

The server that I am trying to validate is: https://mail.e-know.net

I believe the problem is caused by the SSL Certificate chain of mail.e-know.net. When I run a test using an SSL checker (i.e. Digicert's tester: https://www.digicert.com/help/ ) it shows a warning that the certificate chain is being served out of order. I'm "guessing" (without being able to look at the Chilkat code of course) that since the certs are out of order Chilkat fails to decrypt / verify the digital signature, which results in the Invalid PKCS v1.5 PS separator error. If the certs were in the correct order it would work just fine (again, just my theory).

According to the document here, the standard is that certificates should be served in order. Failing to serve the certificate in order could break some applications (but most will handle it gracefully): https://community.qualys.com/docs/DOC-1931

Chrome, for example, still seems to find and verify the certificates just fine.

So my guess would be other applications are probably downloading the entire certificate chain, then putting them in order, then verifying them in order. Chilkat, perhaps, is just verifying in the order they come down... and choking when they are not in order.

I've already asked the client to raise the issue with his IT group. Unfortunately, my app is not used by a large number of people at his company so it has gotten a low priority since "other users who are using Chrome ... Outlook ... etc do not have the problem". So he is pretty stuck. It was working just fine for him when I was using HttpClient ... but since I've switched to Chilkat he can no longer use my app, unfortunately (unless I turn OFF certificate verification... which of course would be bad...).

I understand this is really a problem with the certificate order, and not Chilkat. However, it would be nice if Chilkat's behavior was consistent with most apps and handled this scenario.

You should be able to easily recreate the issue using code like this:

    String path = "https://mail.e-know.net";
    CkHttp http = getUnlockedHttp();   // caller's helper: returns a CkHttp instance with UnlockComponent() already called
    CkHttpRequest ckHttpRequest = new CkHttpRequest();
    ckHttpRequest.put_HttpVerb("GET");
    ckHttpRequest.put_Path(path);
    // TLS connection on port 443 (third argument true = use SSL/TLS); the server certificate chain is verified here
    CkHttpResponse ckHttpResponse = http.SynchronousRequest("mail.e-know.net", 443, true, ckHttpRequest);
    if (ckHttpResponse == null) {
        System.out.println(http.lastErrorText());   // reports the "Invalid PKCS v1.5 PS separator" failure
    }

The code will throw the error: Invalid PKCS v1.5 PS separator

The expected result (to be consistent with other software) is for the certificate verification to pass.

Please let me know if you need any more information from me to recreate the issue. Also, whether or not this is something that can be fixed (or perhaps "enhanced") in an upcoming release of Chilkat.

Cheers,
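
The reordering step the post guesses other clients perform, as an added example that is neither Chilkat's code nor the poster's: certificates are modelled as (subject, issuer) name pairs from a constructed sample chain (not the real mail.e-know.net chain), and the block shows both the strict check that fails on a chain served out of order and the tolerant step that rebuilds leaf-to-root order before signature verification.

```python
# Added example (not Chilkat code): reorder a certificate chain that the
# server sent out of order before verifying it, instead of failing on the
# served order. Certificates are modelled as (subject, issuer) name pairs;
# a real client would take those names from parsed X.509 certificates.
from typing import List, Optional, Tuple

Cert = Tuple[str, str]  # (subject, issuer)

# Constructed sample: a three-certificate chain served intermediate-first,
# which is the "served out of order" case an SSL checker warns about.
SERVED_OUT_OF_ORDER: List[Cert] = [
    ("Example Intermediate CA", "Example Root CA"),
    ("mail.example.test", "Example Intermediate CA"),
    ("Example Root CA", "Example Root CA"),  # self-signed root
]


def is_in_order(chain: List[Cert]) -> bool:
    """Strict check: every certificate must be issued by the one after it.

    This is what a verifier that walks the chain in served order relies on.
    """
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def reorder_chain(certs: List[Cert]) -> Optional[List[Cert]]:
    """Return the certificates ordered leaf -> root.

    Returns None when the certificates do not link into a single chain
    (no leaf, several leaves, duplicate subjects, or an unreachable cert).
    A missing root is tolerated: the trust store may supply it.
    """
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    if not certs or len(by_subject) != len(certs):
        return None
    # The leaf is the only certificate that issued nothing else in the set.
    issued = {issuer for subject, issuer in certs if issuer != subject}
    leaves = [c for c in certs if c[0] not in issued]
    if len(leaves) != 1:
        return None
    ordered = [leaves[0]]
    while True:
        subject, issuer = ordered[-1]
        if issuer == subject:  # reached a self-signed root
            break
        nxt = by_subject.get(issuer)
        if nxt is None:  # issuer was not served; stop at the last known link
            break
        ordered.append(nxt)
    return ordered if len(ordered) == len(certs) else None
```

After reordering, `is_in_order` holds for the result, so the same strict verifier that rejected the served order can be run over the rebuilt chain.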


Answer

Thanks Sean,

I have a fix to automatically handle it. I assume this is C++? Which operating system, and if Windows, which version of VC++ do you need?


Answer

Awesome, that was quick! I have been using the Java "Http" package. Looks like the "http" package is no longer available (as far as I can tell). So I would be looking to use the latest Android package.


Answer

Sorry, I mis-stated my last post. It looks like you do still have the HTTP package, which is great (I'm not sure how I missed that). So, to answer your question again (correctly this time!) the "Java Http Library" is what I would need. https://www.chilkatsoft.com/java-http.asp

Thanks again,


Answer

Hi Sean,

Sorry for the confusion. New Android release is available here: https://www.chilkatsoft.com/chilkatAndroid.asp

There is only a single download for Android (just like for all other Chilkat builds, whether it is a static lib, DLL, shared lib, etc.), and the single download contains all Chilkat classes.