#1 2023-05-03 07:52:32

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 430

Certificate error when connecting through transparent proxy

I am getting the following errors trying to access a Mormot2 server from a windows 10 machine acting as client:

Exception: 20230503 05435100  ! EXC   ENetSock {Message:"THttpClientWebSockets.DoTlsAfter: TLS failed [ESChannel <www.mydomain.com>: ComputeAndSendAnswer returned 80092012 [2148081682], System Error 1397 [Mutual Authentication failed. The server's password is out of date at the domain controller]]"} [Main] at ce1539 mormot.net.sock.pas  ......
https://gist.github.com/dkounal/c83413c … 9161984290

The server is behind an nginx with TLS works OK from other clients. With IgnoreTlsCertificateErrors=True the above problem is fixed.
A custom root certificate is needed to be installed in windows  for some sites during using classic web browsers in this windows terminal which produces this error as client.
Does it worth to have an event callback to check the certificate provided (and not ignoring all errors) and it that practically possible?

Last edited by dcoun (2023-05-03 07:54:29)

Offline

#2 2023-05-03 08:36:00

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Certificate error when connecting through transparent proxy

You have all needed info and callbacks in TNetTlsContext.

Offline

#3 2023-05-03 10:27:01

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 430

Re: Certificate error when connecting through transparent proxy

As I can understand from mormot.net.sock line 580, I have to use USE_OPENSSL for callbacks to be used. Is it needed, so?
Should I include also libssl-3.dll and libcrypto-3.dll or it can statically linked?

Thank you in advance

Offline

#4 2023-05-03 10:46:43

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Certificate error when connecting through transparent proxy

You are right SChannel has no callback support yet.

With pure SChannel, the only option is to use IgnoreTlsCertificateErrors=True

Offline

Board footer

Powered by FluxBB