Archived Forum Post

Question:

ssl handshake failure

Oct 27 '16 at 08:38

Hello, our VB program uses Chilkat HTTP to connect to our servers; since yesterday we often get the above response from Chilkat:

IBS ErrEst1 & 27/10/2016 11:40:30   proc=TestIBproxy

ChilkatLog:
  QuickGetStr:
    DllDate: Jul 10 2013
    ChilkatVersion: 9.4.1.26
    UnlockPrefix: IBSSASHttp
    Username: NB-FELTRING:Giuseppe.Feltrin
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    QuickReq:
      url: https://www.ibs.ve.it/testproxy.html
      QuickGetToOutput_OnExisting:
        qGet_1:
          simpleHttpRequest_3:
            httpMethod: GET
            requestUrl: https://www.ibs.ve.it/testproxy.html
            Connecting to web server...
            httpServer: www.ibs.ve.it
            port: 443
            Using HTTPS.
            ConnectTimeoutMs_1: 30000
            calling ConnectSocket2
            IPV6 enabled connect with NO heartbeat.
            connectingTo: www.ibs.ve.it
            resolveHostname1:
              Resolving domain name (IPV4) via gethostbyname
            --resolveHostname1
            GetHostByNameHB_ipv4: Elapsed time: 0 millisec
            myIP_1: 10.30.4.145
            myPort_1: 51720
            connect successful (1)
            clientHelloMajorMinorVersion: 3.1
            buildClientHello:
              majorVersion: 3
              minorVersion: 1
              numRandomBytes: 32
              sessionIdSize: 0
              numCipherSuites: 10
              numCompressionMethods: 1
            --buildClientHello
            readIncomingTls_serverHello:
              processTlsRecord:
                processHandshake:
                  handshakeMessageType: ServerHello
                  handshakeMessageLen: 0x46
                  processHandshakeMessage:
                    MessageType: ServerHello
                    Processing ServerHello...
                    ServerHello:
                      MajorVersion: 3
                      MinorVersion: 1
                      SessionIdLen: 32
                      CipherSuite: RSA_WITH_AES_128_CBC_SHA
                      CipherSuite: 00,2f
                      CompressionMethod: 0
                      Queueing ServerHello message.
                      ServerHello is OK.
                    --ServerHello
                  --processHandshakeMessage
                --processHandshake
              --processTlsRecord
            --readIncomingTls_serverHello
            HandshakeQueue:
              MessageType: ServerHello
            --HandshakeQueue
            Dequeued ServerHello message.
            readIncomingTls_6:
              processTlsRecord:
                processHandshake:
                  handshakeMessageType: Certificate
                  handshakeMessageLen: 0x9a7
                  processHandshakeMessage:
                    MessageType: Certificate
                    ProcessCertificates:
                      Certificate:
                        derSize: 1288
                        certSubjectCN: sprint.ibs.ve.it
                        certSerial: 037C55025697C6800069F409C4A2A6AF6110
                        certIssuerCN: Let's Encrypt Authority X3
                      --Certificate
                      Certificate:
                        derSize: 1174
                        certSubjectCN: Let's Encrypt Authority X3
                        certSerial: 0A0141420000015385736A0B85ECA708
                        certIssuerCN: DST Root CA X3
                      --Certificate
                      NumCertificates: 2
                      Queueing Certificates message...
                    --ProcessCertificates
                  --processHandshakeMessage
                --processHandshake
              --processTlsRecord
            --readIncomingTls_6
            Dequeued Certificate message.
            readIncomingTls_6:
              processTlsRecord:
                processHandshake:
                  handshakeMessageType: ServerHelloDone
                  handshakeMessageLen: 0x0
                  processHandshakeMessage:
                    MessageType: ServerHelloDone
                    Queueing HelloDone message.
                  --processHandshakeMessage
                --processHandshake
              --processTlsRecord
            --readIncomingTls_6
            DequeuedMessageType: ServerHelloDone
            OK to ServerHelloDone!
            No client certificate required by the server.
            Encrypted pre-master secret with server certificate RSA public key is OK.
            Sending ClientKeyExchange...
            Sent ClientKeyExchange message.
            Sending ChangeCipherSpec...
            Sent ChangeCipherSpec message.
            Derived keys.
            Installed new outgoing security params.
            Sending FINISHED message..
            algorithm: aes
            keyLength: 128
            Sent FINISHED message..
            readIncomingTls_changeCipherSpec2:
              processTlsRecord:
                processChangeCipherSpec:
                  ccsProtocolType: 1
                --processChangeCipherSpec
              --processTlsRecord
            --readIncomingTls_changeCipherSpec2
            readIncomingTls_handshakeFinished2:
              processTlsRecord:
                processHandshake:
                  handshakeMessageType: HandshakeFinished
                  handshakeMessageLen: 0xc
                  processHandshakeMessage:
                    MessageType: HandshakeFinished
                    FinishedMsgLen: 12
                    Queueing Finished message.
                  --processHandshakeMessage
                --processHandshake
              --processTlsRecord
            --readIncomingTls_handshakeFinished2
            Dequeue the FINISHED message...
            Dequeued Finished message.
            Handshake completed successfully.
            Secure Channel Established.
            connectElapsedMs: 172
            -- BuildGetRequest --
            Not auto-adding cookies.
            sendElapsedMs: 0
            tlsRecvAppData:
              readIncomingTls_appData:
                processTlsRecord:
                  processAlert:
                    TlsAlert:
                      level: fatal
                      descrip: handshake failure
                    --TlsAlert
                    Closing connection in response to fatal error.
                  --processAlert
                --processTlsRecord
              --readIncomingTls_appData
              Failed to read SSL/TLS application messages.
            --tlsRecvAppData
            Failed to get response header
          --simpleHttpRequest_3
        --qGet_1
      --QuickGetToOutput_OnExisting
    --QuickReq
    Failed.
  --QuickGetStr
--ChilkatLog

We did not change anything on either the server or the client side; does anyone have any idea about the error? We can't understand what it is. We checked the server's log and it returns something like client failure, but we're not so sure. Thanks a lot!!!


Answer

OK, it seems we found the solution: the SSL certificates will expire next Monday (31/10); after renewal Chilkat started to work again... does anyone know if Chilkat makes some check on certificate expiry? If yes, in which way?


Answer

You're using a very old version of Chilkat, and much has been added to TLS since 3 years ago.

Also... 3 years from now, I'm sure there will be servers with stringent requirements that won't accept this current October 2016 version of Chilkat, but given that Chilkat will keep up to date, the October 2019 version will be fine. In general, when there's a chance in the development schedule to update to a later version of Chilkat, it is wise to do so. The external world of servers and protocols is not stationary. You don't want to wait 3 years before updating. It's best to update on a more frequent schedule, even if once per year.
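
For reading a trace like the one posted in the question, here is an added example (not part of the original posts and not Chilkat code): it pulls the negotiated protocol version, cipher suite, certificate chain and alert out of the log text and reports whether the fatal alert arrived before or after "Handshake completed". The names `summarize` and `SAMPLE_LOG` are made up for this example, and the sample is an excerpt of the posted log.

```python
import re

# Constructed excerpt: lines copied from the Chilkat trace in the question.
SAMPLE_LOG = """\
httpServer: www.ibs.ve.it
ServerHello:
  MajorVersion: 3
  MinorVersion: 1
  CipherSuite: RSA_WITH_AES_128_CBC_SHA
certSubjectCN: sprint.ibs.ve.it
certSubjectCN: Let's Encrypt Authority X3
Handshake completed successfully.
tlsRecvAppData:
  TlsAlert:
    level: fatal
    descrip: handshake failure
"""

TLS_NAMES = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

def summarize(log_text):
    """Reduce a Chilkat TLS trace to the fields that matter for triage."""
    fields, chain = {}, []           # first value per key; subject CNs, leaf first
    done_at = alert_at = None        # line numbers of handshake completion / alert
    for n, raw in enumerate(log_text.splitlines()):
        line = raw.strip()
        if line.startswith("Handshake completed"):
            done_at = n
        m = re.match(r"(\w+): (.+)$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "certSubjectCN":
            chain.append(value)
        elif key == "descrip":
            alert_at = n
        fields.setdefault(key, value)
    version = f'{fields.get("MajorVersion")}.{fields.get("MinorVersion")}'
    late = done_at is not None and alert_at is not None and alert_at > done_at
    phase = None if alert_at is None else ("after handshake" if late else "during handshake")
    return {
        "negotiated": TLS_NAMES.get(version, version),
        "cipher": fields.get("CipherSuite"),
        "chain": chain,
        "alert": fields.get("descrip") if alert_at is not None else None,
        "alert_phase": phase,
        # CN comparison only: the trace omits subjectAltName, so treat as a hint.
        "leaf_cn_matches_host": bool(chain) and chain[0] == fields.get("httpServer"),
    }
```

On the posted trace this reports TLS 1.0, a fatal alert after the handshake had completed, and a leaf certificate CN (sprint.ibs.ve.it) that differs from the requested host (www.ibs.ve.it); the trace does not list subjectAltName entries, so the CN comparison alone is not conclusive.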