Archived Forum Post

Question:

SOAP with certificate error

Feb 28 '14 at 06:03

Hi,

What does the following log mean? Does the error “Failed to read incoming handshake messages” mean a server response problem?

ChilkatLog:
  SynchronousRequest:
    DllDate: Jul 10 2013
    ChilkatVersion: 9.4.1.26
    UnlockPrefix: GAOSAMHttp
    Username: THINKPAD-SAM:ThinkPad
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    domain: https://example.com.cn
    port: 443
    ssl: 1
    RequestData:
      HttpVersion: 1.1
      Verb: POST
      Path: /services
      Charset: gb2312
      SendCharset: 0
      MimeHeader: Content-Type: text/xml
    --RequestData
    ReadTimeout: 20
    ConnectTimeout: 10
    httpConnect:
      hostname: example.com.cn
      port: 443
      ssl: 1
      Need to establish connection to the HTTP server...
      ConnectTimeoutMs_1: 10000
      calling ConnectSocket2
      IPV6 enabled connect with NO heartbeat.
      connectingTo: ws-gateway-cert-qs.vgc.com.cn
      resolveHostname1:
        Resolving domain name (IPV4) via gethostbyname
      --resolveHostname1
      GetHostByNameHB_ipv4: Elapsed time: 1046 millisec
      myIP_1: 192.168.1.107
      myPort_1: 51560
      connect successful (1)
      clientHelloMajorMinorVersion: 3.1
      buildClientHello:
        majorVersion: 3
        minorVersion: 1
        numRandomBytes: 32
        sessionIdSize: 0
        numCipherSuites: 10
        numCompressionMethods: 1
      --buildClientHello
      readIncomingTls_serverHello:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: ServerHello
            handshakeMessageLen: 0x46
            processHandshakeMessage:
              MessageType: ServerHello
              Processing ServerHello...
              ServerHello:
                MajorVersion: 3
                MinorVersion: 1
                SessionIdLen: 32
                CipherSuite: RSA_WITH_AES_256_CBC_SHA
                CipherSuite: 00,35
                CompressionMethod: 0
                Queueing ServerHello message.
                ServerHello is OK.
              --ServerHello
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_serverHello
      HandshakeQueue:
        MessageType: ServerHello
      --HandshakeQueue
      Dequeued ServerHello message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: Certificate
            handshakeMessageLen: 0x846
            processHandshakeMessage:
              MessageType: Certificate
              ProcessCertificates:
                Certificate:
                  derSize: 1024
                  certSubjectCN: example.com.cn
                  certSerial: 0E4A49
                  certIssuerCN: VW-CA-PROC-06
                --Certificate
                Certificate:
                  derSize: 1085
                  certSubjectCN: VW-CA-PROC-06
                  certSerial: 03A133
                  certIssuerCN: VW-CA-ROOT-04
                --Certificate
                NumCertificates: 2
                Queueing Certificates message...
              --ProcessCertificates
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued Certificate message.
      readIncomingTls_6:
        processTlsRecord:
          processHandshake:
            handshakeMessageType: CertificateRequest
            handshakeMessageLen: 0x11d
            processHandshakeMessage:
              MessageType: CertificateRequest
              CertificateRequest:
                NumCertificateTypes: 3
                Certificate Type: RSA Sign
                Certificate Type: DSS Sign
                OtherCertificateType: 64
                totalLen: 279
                DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-ROOT-04
                DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-PROC-06
                DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-ROOT-05
                NumDistinguishedNames: 3
                CertificateRequest message is OK.
                Queueing CertificateRequest message.
              --CertificateRequest
            --processHandshakeMessage
            handshakeMessageType: ServerHelloDone
            handshakeMessageLen: 0x0
            processHandshakeMessage:
              MessageType: ServerHelloDone
              Queueing HelloDone message.
            --processHandshakeMessage
          --processHandshake
        --processTlsRecord
      --readIncomingTls_6
      Dequeued CertificateRequest message.
      DequeuedMessageType: ServerHelloDone
      OK to ServerHelloDone!
      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
        CertificateSize: 0x3
      --CertificatesMessage
      Encrypted pre-master secret with server certificate RSA public key is OK.
      Sending ClientKeyExchange...
      Sent ClientKeyExchange message.
      Sending ChangeCipherSpec...
      Sent ChangeCipherSpec message.
      Derived keys.
      Installed new outgoing security params.
      Sending FINISHED message..
      algorithm: aes
      keyLength: 256
      Sent FINISHED message..
      readIncomingTls_changeCipherSpec2:
        processTlsRecord:
          processAlert:
            TlsAlert:
              level: fatal
              descrip: handshake failure
            --TlsAlert
            Closing connection in response to fatal error.
          --processAlert
        --processTlsRecord
      --readIncomingTls_changeCipherSpec2
      Failed to read incoming handshake messages. (3)
      Client handshake failed. (3)
      Failed to connect.
    --httpConnect
    connectTime1: Elapsed time: 1201 millisec
    totalTime: Elapsed time: 1201 millisec
    Failed.
  --SynchronousRequest
--ChilkatLog

LastHeader:

Sam


Answer

The server is requesting a client-side certificate for authentication. It can be seen from this part of the LastErrorText:

        processTlsRecord:
          processHandshake:
            handshakeMessageType: CertificateRequest
            handshakeMessageLen: 0x11d

Your application, however, did not provide one. In this case, Chilkat will send a 0-length Certificates message, which is the only choice. See this part of the LastErrorText:

      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
        CertificateSize: 0x3
      --CertificatesMessage

The solution is to provide an adequate client-side certificate via either the http.SetSslClientCert or http.SetSslClientCertPfx methods.
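The failure pattern the answer describes (server sends CertificateRequest, client answers with an empty Certificates message, server aborts with a fatal handshake_failure alert) can be read straight out of the log. The following is an added example, not Chilkat's code or the poster's: it parses the indented block format of Chilkat's LastErrorText into a tree and reports the three signals plus the CA names the server said it will accept. The block/closer convention (a `name:` line with nothing after the colon opens a block, `--name` closes it) is inferred from the log on this page, and the sample log is a trimmed excerpt of the one posted in the question.

```python
"""Triage a Chilkat LastErrorText for the 'server wants a client cert' failure.

Added example, not Chilkat's own code.  Signals checked:
  1. the server sent a CertificateRequest handshake message,
  2. the client answered with a CertificatesMessage carrying numCerts: 0,
  3. the server replied with a fatal 'handshake failure' alert.
The 'name:' / '--name' block convention is inferred from the posted log.
"""

# Constructed sample: trimmed excerpt of the log posted in the question above.
SAMPLE_LOG = """\
ChilkatLog:
  SynchronousRequest:
    httpConnect:
      readIncomingTls_6:
        processHandshake:
          handshakeMessageType: CertificateRequest
          processHandshakeMessage:
            CertificateRequest:
              DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-ROOT-04
              DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-PROC-06
              DistinguishedName: DC=com, DC=VWPKI, CN=VW-CA-ROOT-05
              NumDistinguishedNames: 3
            --CertificateRequest
          --processHandshakeMessage
        --processHandshake
      --readIncomingTls_6
      Sending 0-length certificate (this is normal).
      CertificatesMessage:
        numCerts: 0
      --CertificatesMessage
      readIncomingTls_changeCipherSpec2:
        processAlert:
          TlsAlert:
            level: fatal
            descrip: handshake failure
          --TlsAlert
        --processAlert
      --readIncomingTls_changeCipherSpec2
      Failed to read incoming handshake messages. (3)
    --httpConnect
  --SynchronousRequest
--ChilkatLog
"""


def parse_chilkat_log(text):
    """Parse the indented log into nested dicts: {name, value, children}."""
    root = {"name": "root", "value": None, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):
            closer = line[2:].strip()
            # Pop up to and including the block this closer belongs to.
            while len(stack) > 1:
                if stack.pop()["name"] == closer:
                    break
            continue
        name, sep, value = line.partition(":")
        node = {"name": name.strip() if sep else line,
                "value": value.strip() if sep else None,
                "children": []}
        stack[-1]["children"].append(node)
        if sep and not value.strip():
            stack.append(node)  # 'name:' with no value opens a block
    return root


def find_all(node, name):
    """Yield every node (pre-order) whose name matches."""
    if node["name"] == name:
        yield node
    for child in node["children"]:
        yield from find_all(child, name)


def child_value(node, name, default=None):
    """Value of the first direct child called `name`, or `default`."""
    for child in node["children"]:
        if child["name"] == name:
            return child["value"]
    return default


def diagnose(log_text):
    """Return the client-certificate findings for one LastErrorText."""
    tree = parse_chilkat_log(log_text)
    requested = any(n["value"] == "CertificateRequest"
                    for n in find_all(tree, "handshakeMessageType"))
    # The DNs inside the CertificateRequest block are the CAs the server accepts.
    acceptable = [dn["value"] for req in find_all(tree, "CertificateRequest")
                  for dn in find_all(req, "DistinguishedName")]
    certs_msg = next(find_all(tree, "CertificatesMessage"), None)
    certs_sent = (int(child_value(certs_msg, "numCerts", "0"))
                  if certs_msg is not None else None)
    fatal_hs = any(child_value(a, "level") == "fatal"
                   and child_value(a, "descrip") == "handshake failure"
                   for a in find_all(tree, "TlsAlert"))
    if requested and certs_sent == 0 and fatal_hs:
        verdict = ("Server requires a client certificate; the client sent none, so "
                   "the server aborted with a fatal handshake_failure alert. Configure "
                   "a client certificate (with its private key) issued under one of "
                   "the acceptable CAs.")
    elif requested and certs_sent and fatal_hs:
        verdict = ("A client certificate was sent but the server still aborted; check "
                   "that it chains to one of the acceptable CAs.")
    elif fatal_hs:
        verdict = "Handshake failed for a reason unrelated to client certificates."
    else:
        verdict = "No client-certificate problem detected in this log."
    return {"server_requested_client_cert": requested,
            "acceptable_issuers": acceptable,
            "client_certs_sent": certs_sent,
            "fatal_handshake_failure": fatal_hs,
            "verdict": verdict}


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

Running it on the excerpt reports the CertificateRequest, `numCerts: 0`, the fatal alert, and the three VWPKI issuer names, which is exactly the information needed to pick the right PFX: the certificate you load must have been issued under one of those DNs, and it must come with its private key.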


Answer

Here is my code. I do use "http.SetSslClientCert"; please let me know what's wrong in the code.

Thanks

Sam

  http := TChilkatHttp.Create(Self);
  //  Any string unlocks the component for the 1st 30-days.
  success := http.UnlockComponent('XXXXXX');
  if (success <> 1) then
  begin
    ShowMessage(http.LastErrorText);
    Exit;
  end;
  cert := TChilkatCert.Create(Self);
  success := cert.LoadPfxFile(programpath+'TAMRCHQ.p12','4X019JT8');
  if (success <> 1) then
  begin
    Memo1.Lines.Add(cert.LastErrorText);
    Exit;
  end;
  http.SetSslClientCert(cert.ControlInterface as CHILKATHTTPLib_TLB.IChilkatCert);  // <== here I set the client cert.
  xml := TChilkatXml.Create(Self).ControlInterface;
  success := xml.LoadXmlFile('test.xml');
  if (success <> 1) then
    begin
      ShowMessage(xml.LastErrorText);
      Exit;
    end;
  req := TChilkatHttpRequest.Create(Self);
  strXml := xml.GetXml();
  req.UseXmlHttp(strXml);
  req.AddHeader('SOAPAction','http://xmldefs.volkswagenag.com/Wholesale/TelematicEventNotificationService/V1/TelematicEventNotificationServicePortType/ProcessAliveTest');

  domain := 'https://example.com.cn';
  req.Path:='/services';
  port := 443;
  ssl := 1;

  resp := http.SynchronousRequest(domain,port,ssl,req.DefaultInterface);
  if (resp = nil ) then
  begin
    Memo1.Lines.Add(http.LastErrorText);

    Memo1.Lines.Add('LastHeader:');
    Memo1.Lines.Add(http.LastHeader);
  end
  else begin

    responseStatusCode := resp.StatusCode;
    //  You may wish to verify that the responseStatusCode equals 200...
    Memo1.Lines.Add('Response Status Code: '
         + IntToStr(responseStatusCode));

    //  You may examine the exact HTTP header sent with the POST like this:
    Memo1.Lines.Add('LastHeader:');
    Memo1.Lines.Add(http.LastHeader);

    //  Examine the XML returned by the web service:
    Memo1.Lines.Add('XML Response:');
    xmlResp := TChilkatXml.Create(Self).ControlInterface;
    success := xmlResp.LoadXml(resp.BodyStr);
    //  Assume the LoadXml is successful...
    //  Get rid of the SOAP wrappings and get to the meat of this particular response.
    //  The TagContent method returns the content of the 1st node in the XML document
    //  having a specific tag:

    unwrappedXml := xmlResp.TagContent('tns:AcknowledgeAliveTest');
    Memo1.Lines.Add(unwrappedXml);

    //  The unwrapped XML could be loaded into an XML object and parsed...
    xmlMeat := TChilkatXml.Create(Self).ControlInterface;
    success := xmlMeat.LoadXml(unwrappedXml);

    //  ...
  end;

Answer

It may be that you also need an update for the ChilkatCert.dll. Please download and use this one:

http://www.chilkatsoft.com/preRelease/ChilkatCert-9.5.0-win32.zip

Also, make sure to check the return value of the call to http.SetSslClientCert, to make sure that it did not fail.


Answer

I've updated to the new "ChilkatCert.dll", just copied to "C:\Program Files (x86)\Chilkat Software Inc\Chilkat HTTP ActiveX"; is this operation correct?

Then I ran the application again and got the following log. It says "The private key is not marked as exportable." How can I make it exportable?

  cert := TChilkatCert.Create(Self);
  success := cert.LoadPfxFile(programpath+'TAMRCHQ.p12','4X019JT8');
  if (success <> 1) then
  begin
    Memo1.Lines.Add(cert.LastErrorText);
    Exit;
  end;
  success := http.SetSslClientCert(cert.ControlInterface As CHILKATHTTPLib_TLB.IChilkatCert);
  if (success <> 1) then
  begin
    Memo1.Lines.Add(http.LastErrorText);
    Exit;
  end;

log:

ChilkatLog:
  SetSslClientCert:
    DllDate: Jul 10 2013
    ChilkatVersion: 9.4.1.26
    UnlockPrefix: SDDD
    Username: THINKPAD-SAM:ThinkPad
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 0
    The private key is not marked as exportable.
    Chilkat must have access to the private key in order to use it in the SSL/TLS handshake.
    Failed.
  --SetSslClientCert
--ChilkatLog