Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.
I have it working with the Thunderbird extension. I couldn't be more embarrassed or apologetic because it was a stupid error on my side that was causing the issue. I had created templates for all the CAs in my certificate chain but when I copied them I forgot to change the "CRL Distribution Point" so every CA certificate was pointing to the same CRL. Idiot.

That said though, I cannot believe that Firefox, cURL, and IE were happily validating my certificate all the while not being able to retrieve a valid CRL. (I can maybe understand the browsers not wanting to break https just because a CRL server is overloaded for a few seconds [but then what's the point of CRL checking at all?] but I'm surprised at cURL's behaviour).

The only strange thing is that the wx-dl client still gives me the same error. I assume it's caching the certificate somewhere, right? I'm not going to use the client but I can still check this more if you'd like.

Anyway, this was totally my fault and I really appreciate the time you took to try and help me. (I can't believe my name is permanently attached to this thread...)

--
Mark
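The misconfiguration Mark describes above (every certificate in the chain pointing at the same CRL) can be caught before a client ever hard-fails on it. The following is an added example, not code from the thread or from dl-ticket-service: it assumes the third-party `cryptography` library is installed, builds a constructed root / sub CA / leaf chain with that bug, and applies the rule schannel and cURL enforce, that a CRL fetched from a certificate's CRL Distribution Point must be issued and signed by that certificate's own issuer. All names and URLs are constructed; the `crl_server` dict stands in for the HTTP host serving the CRLs.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = datetime.datetime.now(datetime.timezone.utc), datetime.timedelta(days=1)

def make_cert(cn, crl_url, issuer=None, ca=True):
    """Constructed certificate (self-signed when issuer is None) with one CRL DP URI."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    icert, ikey = issuer or (None, key)
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
    cert = (x509.CertificateBuilder().subject_name(subject).public_key(key.public_key())
            .issuer_name(icert.subject if icert else subject).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False).sign(ikey, hashes.SHA256()))
    return cert, key

def make_crl(issuer):
    """Empty CRL signed by `issuer`; it can only answer for certificates that CA issued."""
    icert, ikey = issuer
    return (x509.CertificateRevocationListBuilder().issuer_name(icert.subject)
            .last_update(NOW - DAY).next_update(NOW + 7 * DAY).sign(ikey, hashes.SHA256()))

def crl_dp_urls(cert):
    """URIs listed in the certificate's CRL Distribution Points extension ([] if absent)."""
    ext = next((e for e in cert.extensions if isinstance(e.value, x509.CRLDistributionPoints)), None)
    return [] if ext is None else [n.value for dp in ext.value for n in (dp.full_name or [])
                                   if isinstance(n, x509.UniformResourceIdentifier)]

def revocation_checkable(cert, issuer_cert, fetch):
    """Hard-fail rule (what schannel and cURL applied in the thread): every CRL DP must
    return a CRL issued by cert's issuer and signed with that issuer's key."""
    crls = [fetch(url) for url in crl_dp_urls(cert)]
    return bool(crls) and all(crl is not None and crl.issuer == cert.issuer
                              and crl.is_signature_valid(issuer_cert.public_key()) for crl in crls)

def demo():
    """Constructed chain reproducing the thread's bug: leaves issued by the Sub CA point at the Root CA's CRL."""
    root = make_cert("Constructed Root CA", "http://crl.test/root.crl")
    sub = make_cert("Constructed Sub CA", "http://crl.test/root.crl", issuer=root)
    bad_leaf = make_cert("dl.test", "http://crl.test/root.crl", issuer=sub, ca=False)   # copied template
    good_leaf = make_cert("dl.test", "http://crl.test/sub.crl", issuer=sub, ca=False)   # corrected DP
    crl_server = {"http://crl.test/root.crl": make_crl(root), "http://crl.test/sub.crl": make_crl(sub)}
    return (revocation_checkable(bad_leaf[0], sub[0], crl_server.get),
            revocation_checkable(good_leaf[0], sub[0], crl_server.get))  # -> (False, True)
```

Pointing `fetch` at a real HTTP fetch plus `x509.load_der_x509_crl` turns this into a check you can run against each certificate of your own chain before deploying it.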
Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.
On Fri, Dec 01 2017, Mark Pagnotta wrote:
> The command returned an ID and a URL. The ticket was created and the
> file stored on the server successfully. ("POST /rest.php/newticket
> HTTP/1.1" 200 0)

Then the server is correctly configured, no need to look further server-side.

> Is there any other information I can dig up that may help narrow down
> the issue?

What's interesting here is that dl-wx is built using PyInstaller which simply bundles python and openssl. There's nothing magic being done in dl-wx. But thunderbird is using libnss, which is completely independent. libnss is also used by the matching firefox version, so if firefox works, I don't expect issues with thunderbird.

As a suggestion, I would further try dl-cli, the python command line client. First from your bsd system, then I would try the same client under windows to replicate the same issue as dl-wx.

To run dl-cli (or dl-wx), install anaconda from https://www.anaconda.com/. This will also install a bash terminal with a pre-set path for the anaconda's python. From there, simply run dl-cli as you would on *nix. The advantage here is that you're testing the same setup as dl-wx.
Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.
I installed an SSL cert on my server and attempted to use forced https rewrite. The various files failed to link to each other. I had to disable the forced rewrite. I can log in via https, but then it falls back to http.

On November 29, 2017 5:10:41 PM CST, Yuri D'Elia wrote:
> On Wed, Nov 29 2017, Mark Pagnotta wrote:
>> "DL connection error: schannel: next InitializeSecurityContext failed:
>> unknown error (0x80092012) - The revocation function was unable to check
>> revocation for the certificate" If I uncheck the "Verify SSL
>> certificate" box, it all works normally.
>
> That would be surprising. Any chance you could share (even privately)
> the server URL? I just need to perform a connection, so no credentials
> are necessary.
>
>> The https://dl.company.com/rest.php gives me a blank page in all browsers.
>
> rest.php needs some extra configuration server-side to forward
> authentication credentials to PHP. Errors here are visible on the server
> logs, not on the client.
>
> What kind of web server and PHP setup are you using?
>
>> If the issue is in my PKI, I think that Internet Explorer would fail in
>> its connection attempt as well (inetcpl has the "check revocations"
>> option enabled). I'm not sure what other troubleshooting I can do. I
>> can't seem to get any more information on why the client and addon
>> connections are failing.
>
> AFAIK, the old dl-wx client was built with an ancient version of
> openssl which didn't support SNI. But the current version available
> online does.
>
> I never had CRL problems before, but we could easily have a check.

--
Sent from my Android tablet with K-9 Mail.
Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.
On Wed, Nov 29 2017, Mark Pagnotta wrote:
> "DL connection error: schannel: next InitializeSecurityContext failed:
> unknown error (0x80092012) - The revocation function was unable to check
> revocation for the certificate" If I uncheck the "Verify SSL
> certificate" box, it all works normally.

That would be surprising. Any chance you could share (even privately) the server URL? I just need to perform a connection, so no credentials are necessary.

> The https://dl.company.com/rest.php gives me a blank page in all browsers.

rest.php needs some extra configuration server-side to forward authentication credentials to PHP. Errors here are visible on the server logs, not on the client.

What kind of web server and PHP setup are you using?

> If the issue is in my PKI, I think that Internet Explorer would fail in
> its connection attempt as well (inetcpl has the "check revocations"
> option enabled). I'm not sure what other troubleshooting I can do. I
> can't seem to get any more information on why the client and addon
> connections are failing.

AFAIK, the old dl-wx client was built with an ancient version of openssl which didn't support SNI. But the current version available online does.

I never had CRL problems before, but we could easily have a check.
[dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.
When I attempt to upload a file to my DL server using the dl-wx client, I receive the error:

"DL connection error: schannel: next InitializeSecurityContext failed: unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate"

If I uncheck the "Verify SSL certificate" box, it all works normally.

When I attempt to set up the thunderbird addon with my local DL server, when I press the "Setup Account" button I receive the message: "An error occured while setting up the account!" There is no other error displayed. The error console only shows the GET request to the DL server that never completes (response is empty, I'm assuming 'cause the certificate check failed, like with the dl-wx client). It's frustrating that I don't see any other errors in the console. All the sections are activated (Net, CDD, JS, etc...). Am I doing something wrong there?

On every failed connection, I get 2 errors in my event log:

schannel#36876 "The certificate received from the remote server has not validated correctly. The error code is 0x80092012. The SSL connection request has failed. The attached data contains the server certificate."

schannel#36888 "The following fatal alert was generated: 43. The internal error state is 552."

Googling the combination of above errors and DL error messages only gave me results from people who had an improperly implemented certificate chain.

The https://dl.company.com web interface works fine in Firefox and Internet Explorer. I can connect and upload files. The https://dl.company.com/rest.php gives me a blank page in all browsers.

The DL server certificate is signed by a trusted root. The certificate signer uses the CRL distribution point extension and publishes revocation lists to an http server that is up and running. I assume that since the certificate validates in Internet Explorer that the problem is not with the windows part of the certificate checking.

The plugin and addon never seem to make any connection to the server hosting the CRLs (tried wireshark and sysutils Process Monitor). If the issue is in my PKI, I think that Internet Explorer would fail in its connection attempt as well (inetcpl has the "check revocations" option enabled). I'm not sure what other troubleshooting I can do. I can't seem to get any more information on why the client and addon connections are failing.

--
Mark