#1 2016-10-29 08:52:06

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Question / Problem with SSL vs. normal Connection

Hi all, maybe someone can help or has an idea?!

For nearly 1.5 years we have had a production mORMot server with SSL on port xxxx running.
Everything runs fine cross-platform with iOS / Android / Windows clients.

But yesterday I had a problem I have no idea how to solve, so I need some help.

Two of our customers with the Windows client run it on a Windows 2008 R2 server. When they try to connect to our mORMot with the mORMot client they get ERROR 501 - Could not connect to server. If I use Internet Explorer on the same machine to open our MVC page (same port, same SSL), the connection succeeds.
There is no proxy. For testing I turned off SSL, and then the mORMot client can connect.
In my eyes there must be a firewall problem between SSL and the mORMot client.

Is there a second port that has to be opened on the firewall? Is it possible for firewalls to filter SSL versus non-SSL traffic?

Any ideas? Please help :)


Rad Studio 12.1 Santorini


#2 2016-10-29 10:58:53

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: Question / Problem with SSL vs. normal Connection

Are you using the HTTP.SYS based server? Maybe your SSL certificate has expired?

#3 2016-10-29 14:57:49

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Re: Question / Problem with SSL vs. normal Connection

Thanks, but the certificate expires on 15.11.2016.

#4 2016-10-31 10:21:23

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Re: Question / Problem with SSL vs. normal Connection

We found a workaround?!

We used the default TSQLHttpClient, which is mapped to TSQLHttpClientWinHTTP.
Using TSQLHttpClientWinINet solved the problem; the connection is established.

But what I don't know is the reason for not connecting. Which (firewall) setting is responsible for the HTTP client not being able to connect?!

The error message from the WinHTTP client was: Server not available - Invalid Request.

@AB, is it possible to enhance the error handling / messages generated?
For example: WinHTTP can not connect to server because of .... Please try the WinINet client!

#5 2016-10-31 11:44:53

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,667

Re: Question / Problem with SSL vs. normal Connection

Proxy feature?


#6 2016-10-31 12:19:41

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Re: Question / Problem with SSL vs. normal Connection

The client is a server of a customer. This customer buys internet access as a service. Obviously there is no proxy (no proxy settings are made on the server), but there may be a hidden proxy or something else ... we (and our customer) don't know.

Just an idea:
is it possible (for you :) ) to write a "mORMot ping" which is able to test a mORMot connection from client to server with proper error messages?
At the moment the first error message I get is an exception in SetUser / or SyncTimeStamp.

I wrote a little PortOpen method using TIdClient to test if the port is open. In this special case it returns true, but the mORMot connection fails.
Is there a possibility, for example, to "auto-select" the proper client (maybe first HTTP, then INet, then Socket ....)?

#7 2016-11-17 15:04:20

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Re: Question / Problem with SSL vs. normal Connection

After a little testing I found the error today:

winhttp.dll on the server has version 6.0.6002.19655

WinHttpSetOption in SynCrtSock gives error 87 on WINHTTP_OPTION_SECURE_PROTOCOLS with:

    const
      // protocol mask from SynCrtSock as it was at the time of this post
      WINHTTP_FLAG_SECURE_PROTOCOL_MODERN: DWORD =
        WINHTTP_FLAG_SECURE_PROTOCOL_SSL3
          or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
            or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;

Removing TLS1_1 and TLS1_2 solves the problem and fixes the error.

My question is: is TLS1_1/2 necessary for mORMot, or can it be removed? Or could the programming be enhanced with version detection of winhttp.dll??
Or could WinHttpQueryOption help to get the valid options?
Or try to set the full options and reduce them step by step if 87 occurs?!

What do you say?

Last edited by itSDS (2016-11-17 15:05:47)
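The "reduce them step by step if 87 occurs" idea from the post above, worked through as an added example. This is not mORMot's SynCrtSock code and not the author's; it calls the WinHTTP API directly. Error 87 is ERROR_INVALID_PARAMETER, which an older winhttp.dll returns when the mask contains WINHTTP_FLAG_SECURE_PROTOCOL_* bits it does not know. Stepping down makes the call succeed, but it also caps the connection at whatever the DLL does know (here TLS 1.0 / SSL 3), so the example takes a MinimumRequired mask and refuses to silently downgrade below it; pass 0 to get the thread's workaround behaviour. The user-agent string, the newest-first drop order and the hypothetical SetSecureProtocolsWithFallback function are my assumptions.

```pascal
program SecureProtocolsFallback;
{$APPTYPE CONSOLE}
// Added example (not mORMot code): probe which WINHTTP_FLAG_SECURE_PROTOCOL_*
// bits the installed winhttp.dll accepts, stepping down from the modern set
// whenever WinHttpSetOption fails with ERROR_INVALID_PARAMETER (87).
uses
  Windows, SysUtils;

type
  HINTERNET = Pointer;

const
  WINHTTP_ACCESS_TYPE_DEFAULT_PROXY   = 0;
  WINHTTP_OPTION_SECURE_PROTOCOLS     = 84;
  WINHTTP_FLAG_SECURE_PROTOCOL_SSL3   = $00000020;
  WINHTTP_FLAG_SECURE_PROTOCOL_TLS1   = $00000080;
  WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 = $00000200;
  WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 = $00000800;
  // the mask quoted in the thread
  WINHTTP_FLAG_SECURE_PROTOCOL_MODERN = WINHTTP_FLAG_SECURE_PROTOCOL_SSL3
    or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
    or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;

function WinHttpOpen(pwszUserAgent: PWideChar; dwAccessType: DWORD;
  pwszProxyName, pwszProxyBypass: PWideChar; dwFlags: DWORD): HINTERNET; stdcall;
  external 'winhttp.dll' name 'WinHttpOpen';
function WinHttpSetOption(hInternet: HINTERNET; dwOption: DWORD;
  lpBuffer: Pointer; dwBufferLength: DWORD): BOOL; stdcall;
  external 'winhttp.dll' name 'WinHttpSetOption';
function WinHttpCloseHandle(hInternet: HINTERNET): BOOL; stdcall;
  external 'winhttp.dll' name 'WinHttpCloseHandle';

// Hypothetical helper: tries Wanted on the session handle; on error 87 drops
// the newest remaining protocol bit and retries. Returns the mask the DLL
// accepted. Raises if the accepted mask lacks any bit of MinimumRequired
// (so a TLS 1.2-only policy fails loudly instead of falling back to TLS 1.0),
// or on any Win32 error other than ERROR_INVALID_PARAMETER.
function SetSecureProtocolsWithFallback(Session: HINTERNET;
  Wanted, MinimumRequired: DWORD): DWORD;
const
  NEWEST_FIRST: array[0..3] of DWORD = (
    WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1,
    WINHTTP_FLAG_SECURE_PROTOCOL_TLS1, WINHTTP_FLAG_SECURE_PROTOCOL_SSL3);
var
  Mask, Err: DWORD;
  i: Integer;
begin
  Mask := Wanted;
  i := 0;
  repeat
    if WinHttpSetOption(Session, WINHTTP_OPTION_SECURE_PROTOCOLS,
         @Mask, SizeOf(Mask)) then
    begin
      if (Mask and MinimumRequired) <> MinimumRequired then
        raise Exception.CreateFmt(
          'winhttp.dll accepts only protocol mask $%.4x; required $%.4x is ' +
          'unavailable, refusing to downgrade', [Mask, MinimumRequired]);
      Result := Mask;
      Exit;
    end;
    Err := GetLastError;
    if Err <> ERROR_INVALID_PARAMETER then
      raise Exception.CreateFmt('WinHttpSetOption(SECURE_PROTOCOLS) failed: %s',
        [SysErrorMessage(Err)]);
    // 87: this DLL does not understand one of the bits; remove the newest one
    // still present in the mask and try again
    while (i <= High(NEWEST_FIRST)) and ((Mask and NEWEST_FIRST[i]) = 0) do
      Inc(i);
    if i > High(NEWEST_FIRST) then
      Break;
    Mask := Mask and not NEWEST_FIRST[i];
    Inc(i);
  until Mask = 0;
  raise Exception.Create(
    'winhttp.dll rejected every WINHTTP_OPTION_SECURE_PROTOCOLS mask');
end;

var
  Session: HINTERNET;
  Accepted: DWORD;
begin
  Session := WinHttpOpen(PWideChar('mORMotProbe/1.0'),
    WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, nil, nil, 0);
  if Session = nil then
    RaiseLastOSError;
  try
    // require TLS 1.2 to remain in the accepted set; on a 6.0.x winhttp.dll
    // this raises instead of silently capping the connection at TLS 1.0
    Accepted := SetSecureProtocolsWithFallback(Session,
      WINHTTP_FLAG_SECURE_PROTOCOL_MODERN, WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2);
    Writeln(Format('accepted protocol mask: $%.4x', [Accepted]));
  finally
    WinHttpCloseHandle(Session);
  end;
end.
```

Run it on the affected machine: it either prints the mask the DLL accepted or raises with the exact mask that was rejected, which is the kind of message the earlier posts asked for. The raised exception on a 6.0.x winhttp.dll is the correct outcome for a client that must speak TLS 1.2; the fix is then on the operating system side (a Schannel/WinHTTP that knows TLS 1.2), not in the client mask.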

#8 2016-11-17 15:47:52

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: Question / Problem with SSL vs. normal Connection

Try to enable TLS as described here.
We have used TLS 1.2 for a long time without problems.

#9 2016-11-17 15:58:21

itSDS
Member
From: Germany
Registered: 2014-04-24
Posts: 516

Re: Question / Problem with SSL vs. normal Connection

Thanks mpv, but the server is not my property. We have clients on 2008 R2 where TLS 1.2 works and 2 clients on 2008 R2 where it does not. I thought that winhttp.dll does not have the 1.2 feature built in.
The version of winhttp.dll on the 2008 R2 machines where TLS 1.2 works is 6.1.x.x.

But I'll check if this may be an option.

#10 2016-11-17 23:27:46

erick
Member
Registered: 2015-09-09
Posts: 155

Re: Question / Problem with SSL vs. normal Connection

TLS < 1.2 is not secure anymore IIRC.

#11 2016-11-25 19:15:39

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,571

Re: Question / Problem with SSL vs. normal Connection

@itSDS - I reproduced your TLS 1.2 problem on one of my old server machines. For now I'm sure it's actually not related to TLS 1.2, because an executable with one line of code

    program WinHttpTest;
    uses
      SynCrtSock;
    begin
      TWinHTTP.Get('https://google.com');
    end.

works without error.
But the same line inside the server code fails with the error. Maybe it depends on the HTTP.SYS initialization we do inside the server. I am continuing the investigation.