Hi all, maybe someone can help or has an idea?!
For nearly 1.5 years we have had a production mORMot server running with SSL on port xxxx.
Everything runs fine cross-platform: iOS / Android / Windows clients.
But yesterday I had a problem that I have no idea how to solve - I need some help.
Two of our customers with Windows clients run the client on Windows 2008 R2 servers. If they want to connect to our mORMot server with the mORMot client, they get ERROR 501 - Could not connect to server. If I use Internet Explorer on the same machine to open our MVC page (same port, same SSL), the connection is made.
There is no proxy. For testing I turned off SSL, and the mORMot client can connect.
In my eyes there must be a firewall problem with SSL and the mORMot client.
Is there a second port to be opened on the firewall? Is it possible to filter SSL versus non-SSL traffic on firewalls?
Any ideas? Please help.
Rad Studio 12.1 Santorini
Offline
ty, but the certificate expires on 15.11.2016
Rad Studio 12.1 Santorini
Offline
We found the workaround?!
We used the default TSQLHttpClient, which is mapped to TSQLHttpClientWinHTTP.
Using TSQLHttpClientWinINet solved the problem. The connection is established.
But what I don't know is the reason for not connecting. Which setting (firewall) is responsible for the HTTP client not being able to connect?!
The error message from the WinHTTP client was: Server not available - Invalid Request.
@AB is it possible to enhance the error handling/messages generated?
For example: WinHTTP cannot connect to server because of .... Please try the WinINet client!
Rad Studio 12.1 Santorini
Offline
The client is a server of a customer. This customer buys internet access as a service. Obviously there is no proxy (no proxy settings made on the server), but there may be a hidden proxy or something else ... we (and our customer) don't know.
Just an idea:
Is it possible (for you) to write a "mORMot ping" which is able to test a mORMot connection from client to server with proper error messages?
ATM the first error message I get is an exception in SetUser or SyncTimeStamp.
I wrote a little PortOpen method using TIdClient to test if the port is open. In this special case it returns true, but the mORMot connection fails.
Is there a possibility, for example, to auto-select the proper client (maybe first HTTP, then INet, then Socket ...)?
Rad Studio 12.1 Santorini
Offline
After a little testing I found the error today:
winhttp.dll on the server has version 6.0.6002.19655
WinHttpSetOption in SynCrtSock gives error 87 on WINHTTP_OPTION_SECURE_PROTOCOLS with:
WINHTTP_FLAG_SECURE_PROTOCOL_MODERN : DWORD =
WINHTTP_FLAG_SECURE_PROTOCOL_SSL3
or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 or WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
Removing TLS1_1 and TLS1_2 solves the problem and fixes the error.
My question is: is TLS1_1/2 necessary for mORMot, or can it be removed? Or could the programming be enhanced with version control of winhttp.dll?
Or can WinHttpQueryOption help to get the valid options?
Or try to set the full options and reduce them step by step if 87 occurs?!
What do you say?
Last edited by itSDS (2016-11-17 15:05:47)
Rad Studio 12.1 Santorini
Offline
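The step-down idea raised in the post above, as an added example that is not part of the thread or of mORMot's SynCrtSock: try the full protocol mask from the post, drop the newest flag each time WinHttpSetOption fails with error 87, and report whether TLS 1.2 ended up enabled so a downgrade is never silent. The program name, the short constant aliases, `Masks` and `ApplySecureProtocols` are hypothetical names chosen here; the WinHTTP imports are declared locally.

```pascal
program TlsMaskProbe; // added example, not mORMot code
{$APPTYPE CONSOLE}
uses
  Windows, SysUtils;
type
  HINTERNET = Pointer;
const
  WINHTTP_OPTION_SECURE_PROTOCOLS = 84;
  SSL3   = $00000020; // WINHTTP_FLAG_SECURE_PROTOCOL_SSL3
  TLS1   = $00000080; // WINHTTP_FLAG_SECURE_PROTOCOL_TLS1
  TLS1_1 = $00000200; // WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1
  TLS1_2 = $00000800; // WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
  // Widest mask first (the one quoted in the post), then without 1.2, then without 1.1.
  Masks: array[0..2] of DWORD = (SSL3 or TLS1 or TLS1_1 or TLS1_2,
    SSL3 or TLS1 or TLS1_1, SSL3 or TLS1);

function WinHttpOpen(UserAgent: PWideChar; AccessType: DWORD; ProxyName,
  ProxyBypass: PWideChar; Flags: DWORD): HINTERNET; stdcall; external 'winhttp.dll';
function WinHttpSetOption(Handle: HINTERNET; Option: DWORD; Buffer: Pointer;
  BufferLength: DWORD): BOOL; stdcall; external 'winhttp.dll';
function WinHttpCloseHandle(Handle: HINTERNET): BOOL; stdcall; external 'winhttp.dll';

// Returns the mask this winhttp.dll accepted, or 0 if none was accepted.
function ApplySecureProtocols(Session: HINTERNET): DWORD;
var i: Integer;
begin
  for i := Low(Masks) to High(Masks) do
  begin
    Result := Masks[i];
    if WinHttpSetOption(Session, WINHTTP_OPTION_SECURE_PROTOCOLS, @Result,
      SizeOf(Result)) then Exit;
    // Only error 87 (invalid parameter) is retried with a narrower mask.
    if GetLastError <> ERROR_INVALID_PARAMETER then Break;
  end;
  Result := 0;
end;

var
  Session: HINTERNET;
  Mask: DWORD;
begin
  Session := WinHttpOpen('tls-mask-probe', 0, nil, nil, 0); // 0 = default proxy access
  if Session = nil then RaiseLastOSError;
  Mask := ApplySecureProtocols(Session);
  WinHttpCloseHandle(Session);
  if (Mask and TLS1_2) = 0 then // also covers Mask = 0 (nothing accepted)
    Writeln(Format('DOWNGRADED: TLS 1.2 not enabled, applied mask $%x', [Mask]))
  else
    Writeln(Format('mask $%x applied, TLS 1.2 enabled', [Mask]));
end.
```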
Try to enable TLS as described here
We have used TLS 1.2 for a long time without problems
Offline
ty mpv, the server is not my property. But we have a client with 2008 R2 where TLS 1.2 works and 2 clients with 2008 R2 where it does not. I thought that winhttp.dll does not have the 1.2 feature built in.
The version of winhttp.dll on the 2008 R2 where TLS 1.2 works is 6.1.x.x
but I'll check if this may be an option.
Rad Studio 12.1 Santorini
Offline
TLS < 1.2 is not secure anymore IIRC
Offline
@itSDS - I reproduced your TLS 1.2 problem on one of my old server software. For now I'm sure it's actually not related to TLS 1.2, because the executable with one line of code
begin
TWinHTTP.Get('https://google.com')
end.
works without error.
But the same line inside the server code fails with an error. Maybe it depends on the HTTP.SYS initialization we do inside the server. I will continue the investigation.
Offline