#1 2025-10-13 09:57:33

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 468

ESChannel exception

Using THttpClientSocket to connect to a server on the internet, on a number of clients I am getting an exception after running THttpClientSocket.OpenOptions:

THttpClientSocket.DoTlsAfter: TLS Failed [ESChannel <the host name>: HandshakeStep returned 80090326 SEC_E_ILLEGAL_MESSAGE, System Error 87 [ERROR_INVALID_PARAMETER]]

Do you propose something? (I have tested TLS.IgnoreCertificateErrors:=true and I am now testing TLS.ClientAllowUnsafeRenegotation:=true)
Thank you in advance.


#2 2025-10-13 10:51:34

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 15,240
Website

Re: ESChannel exception

On which OS?
What is the HTTP server on the other side (look at the HTTP headers e.g. from a browser if you don't know)?


#3 2025-10-13 11:19:04

dcoun
Member
From: Crete, Greece
Registered: 2020-02-18
Posts: 468

Re: ESChannel exception

Windows 8.1 (which could be a good reason for this problem).
It does not return a Server header, and it is not available everywhere outside Greece to test its options with an online tool.


#4 2025-10-13 13:39:58

flydev
Member
From: France
Registered: 2020-11-27
Posts: 133
Website

Re: ESChannel exception

Idk if the following is related and could give some hints. I have the same issue on Windows 7; recently, we switched newly deployed computers to Windows 10 and the same issue is happening.

The current HTTP server is an Apache reverse proxy (for a specific reason) using a Sectigo RSA certificate. Actually, I haven't tried to fix it, but I observed the following:
- on my own computer, the error isn't triggered.
- some months ago, I could fix it on Windows 7 by registering missing certs in the local certificate store.

So on my side, I suspect a problem with the certificate chain. I will have more info in the next day as we have renewed the certificate and I will update the server conf.

25/06/2025 07:49:02.464	Enter	73	 mormot.rest.http.client.TRestHttpClientSocket(77b1a0).CallBackGet api/timestamp
25/06/2025 07:49:02.464	Enter	73	    mormot.rest.http.client.TRestHttpClientSocket(77b1a0).InternalUri GET
25/06/2025 07:49:03.560	Exception	73	       ESChannel {Message:"<the.domain.fr>: HandshakeStep returned 8009030F [SEC_E_MESSAGE_ALTERED], System Error 5 [ERROR_ACCESS_DENIED]"} [] at 01285bdf mormot.net.sock.windows.inc TSChannelNetTls.ESChannelRaiseLastError (1927)   {65529.79 4.99 12 0.8GB/2GB 1db10a01}
25/06/2025 07:49:03.560	Exception	73	       ESChannel {Message:"recv: Handshake aborted"} [] at 01285d26 mormot.net.sock.windows.inc TSChannelNetTls.FreeAndCheckSocket (1948)   {65529.79 4.99 12 0.8GB/2GB 1db10a01}
25/06/2025 07:49:03.560	Exception	73	       ESChannel {Message:"recv: Handshake aborted"} [] at 01285d26 mormot.net.sock.windows.inc TSChannelNetTls.FreeAndCheckSocket (1948)   {65529.79 4.99 12 0.8GB/2GB 1db10a01}
25/06/2025 07:49:03.560	Client	73	       mormot.rest.http.client.TRestHttpClientSocket(77b1a0) GET api/timestamp status=666 len=0 state=0
25/06/2025 07:49:03.560	Leave	73	    01.102.694
25/06/2025 07:49:03.560	Enter	73	    mormot.rest.http.client.TRestHttpClientSocket(77b1a0).InternalUri GET
25/06/2025 07:49:04.720	Client	73	       mormot.rest.http.client.TRestHttpClientSocket(77b1a0) GET api/timestamp status=200 len=12 state=0
25/06/2025 07:49:04.720	Leave	73	    01.173.370
25/06/2025 07:49:04.720	Service return	73	    mormot.rest.http.client.TRestHttpClientSocket(77b1a0) 135919590467
25/06/2025 07:49:04.720	Leave	73	 02.276.213

The issues I'm aware of (using SSL tools):
- The chain doesn't contain any intermediate certificates.


#5 Yesterday 15:30:09

flydev
Member
From: France
Registered: 2020-11-27
Posts: 133
Website

Re: ESChannel exception

Small update. I migrated the certificate and fixed the server config; the previous error is not gone, but there is a new one:

14/10/2025 17:06:49.512	Enter	70	 mormot.rest.http.client.TRestHttpClientSocket(01b84970) CallBackGet api/timestamp
14/10/2025 17:06:49.512	Enter	70	    mormot.rest.http.client.TRestHttpClientSocket(01b84970) InternalUri GET
14/10/2025 17:06:49.512	Exception	70	 ENetSock {LastError:"nrClosed",Message:"THttpClientSocket.SockInReadLn [#5 Closed]"} [TTicketPull sagas] at 016a2f45 mormot.net.sock.pas TCrtSocket.Bind (5841)  mormot.core.os.windows.inc XorOSEntropy (2311) mormot.core.os.windows.inc XorOSEntropy (2316)  {4 0.27 0.76 8 645.8MB/1.7GB 1db10a01}
14/10/2025 17:06:50.160	Client	70	       mormot.rest.http.client.TRestHttpClientSocket(01b84970) GET api/timestamp status=200 len=12 state=0
14/10/2025 17:06:50.160	Leave	70	    00.654.548

Then I patched TLS on two machines with KB3140245 and imported the missing intermediate certs into the Windows 7/10 clients, and then no more SEC_E_MESSAGE_ALTERED.
