Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-12-01 Thread Mark Pagnotta
I have it working with the Thunderbird extension. I couldn't be more 
embarrassed or apologetic because it was a stupid error on my side that 
was causing the issue. I had created templates for all the CAs in my 
certificate chain but when I copied them I forgot to change the "CRL 
Distribution Point" so every CA certificate was pointing to the same 
CRL. Idiot. That said though, I cannot believe that Firefox, cURL, 
and IE were happily validating my certificate all the while not being 
able to retrieve a valid CRL. (I can maybe understand the browsers not 
wanting to break https just because a CRL server is overloaded for a few 
seconds [but then what's the point of CRL checking at all?] but I'm 
surprised at cURL's behaviour).


The only strange thing is that the dl-wx client still gives me the same 
error. I assume it's caching the certificate somewhere, right? I'm not 
going to use the client but I can still check this more if you'd like.


Anyway, this was totally my fault and I really appreciate the time you 
took to try and help me. (I can't believe my name is permanently 
attached to this thread...)


--
Mark
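The template mistake described above, as an added example that is not part of the dl-ticket-service project or of the post: a Python script (using the `cryptography` library) that builds a throw-away root / issuing-CA / server-certificate chain, publishes one CRL per CA, and then audits each certificate the way a hard-fail revocation checker such as Schannel's does: fetch the CRL named in the certificate's CRL Distribution Point and insist that it be issued and signed by that certificate's own issuer. With every certificate pointing at the root's CRL, the issuing CA passes (the root really is its issuer) but the server certificate fails, which is the pattern behind "the revocation function was unable to check revocation". OpenSSL-based clients, including Python's ssl module, perform no CRL fetching on their own unless handed a CRL explicitly, which is why they never notice such a misconfiguration. The CA names, the pki.example URIs, the reuse of dl.company.com as the server name, the fixed clock and the in-memory `published` dict standing in for the HTTP CRL server are all constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed for the example: fixed clock and the two CRL URIs the CAs "publish".
NOW = datetime.datetime(2017, 12, 1)
ROOT_CRL = "http://pki.example/root.crl"
INT_CRL = "http://pki.example/intermediate.crl"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cdp(uri):
    """CRL Distribution Points extension carrying a single HTTP URI."""
    return x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(uri)],
        relative_name=None, reasons=None, crl_issuer=None)])


def make_cert(cn, key, issuer=None, issuer_key=None, cdp_uri=None, ca=False):
    """Issue a certificate for `key`; issuer=None yields a self-signed root."""
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer.subject if issuer else _name(cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW)
               .not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None),
                              critical=True))
    if cdp_uri:
        builder = builder.add_extension(_cdp(cdp_uri), critical=False)
    return builder.sign(issuer_key or key, hashes.SHA256())


def make_crl(issuer, issuer_key):
    """An empty (nothing revoked) but properly signed CRL from the given CA."""
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(issuer.subject)
            .last_update(NOW)
            .next_update(NOW + datetime.timedelta(days=7))
            .sign(issuer_key, hashes.SHA256()))


def build_chain(leaf_cdp):
    """Root -> issuing CA -> server cert, plus the CRL each CA publishes.
    `leaf_cdp` is the CRL URI written into the server certificate's CDP."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1())
                                   for _ in range(3))
    root = make_cert("Example Root", root_key, ca=True)
    inter = make_cert("Example Issuing CA", int_key, root, root_key, ROOT_CRL, ca=True)
    leaf = make_cert("dl.company.com", leaf_key, inter, int_key, leaf_cdp)
    published = {ROOT_CRL: make_crl(root, root_key), INT_CRL: make_crl(inter, int_key)}
    return [leaf, inter, root], published


def audit_chain(chain, published):
    """Hard-fail revocation check over a chain (leaf first, root last): for each
    non-root certificate, fetch the CRL named in its CDP (from `published`
    instead of over HTTP) and require that it be issued and signed by the
    certificate's own issuer. Returns {subject: "ok" | reason}."""
    by_subject = {c.subject: c for c in chain}
    verdict = {}
    for cert in chain:
        if cert.issuer == cert.subject:
            continue  # trust anchor: its trust comes from the store, not a CRL
        subject = cert.subject.rfc4514_string()
        try:
            dps = cert.extensions.get_extension_for_oid(
                ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        except x509.ExtensionNotFound:
            verdict[subject] = "no CRL distribution point"
            continue
        uris = [name.value for dp in dps for name in (dp.full_name or [])
                if isinstance(name, x509.UniformResourceIdentifier)]
        hit = next((u for u in uris if u in published), None)
        issuer_cert = by_subject.get(cert.issuer)
        if hit is None:
            verdict[subject] = "CRL not retrievable from %s" % uris
            continue
        crl = published[hit]
        if crl.issuer != cert.issuer:
            # The copied-template case: the CDP names some other CA's CRL.
            verdict[subject] = "CRL at %s is issued by %s, not by %s" % (
                hit, crl.issuer.rfc4514_string(), cert.issuer.rfc4514_string())
        elif issuer_cert is None or not crl.is_signature_valid(issuer_cert.public_key()):
            verdict[subject] = "CRL signature does not verify against the issuer"
        elif crl.get_revoked_certificate_by_serial_number(cert.serial_number):
            verdict[subject] = "revoked"
        else:
            verdict[subject] = "ok"
    return verdict


if __name__ == "__main__":
    for label, cdp in (("copied template", ROOT_CRL), ("corrected", INT_CRL)):
        print(label + ":", audit_chain(*build_chain(cdp)))
```

Running the block prints one verdict dict per scenario. A checker used against a real chain would replace the dict lookup with an HTTP fetch of each CDP URI, and would also reject a CRL whose next-update time has passed, which is the other common cause of this error.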





Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-12-01 Thread Yuri D'Elia
On Fri, Dec 01 2017, Mark Pagnotta wrote:
> The command returned an ID and a URL. The ticket was created and the
> file stored on the server successfully. ("POST /rest.php/newticket
> HTTP/1.1" 200 0)

Then the server is correctly configured, no need to look further
server-side.

> Is there any other information I can dig up that may help narrow down
> the issue?

What's interesting here is that dl-wx is built using PyInstaller which
simply bundles python and openssl. There's nothing magic being done in
dl-wx.

But thunderbird is using libnss, which is completely independent. libnss
is also used by the matching firefox version, so if firefox works, I
don't expect issues with thunderbird.

As a suggestion, I would further try dl-cli, the python command line
client. First from your bsd system, then I would try the same client
under windows to replicate the same issue as dl-wx.

To run dl-cli (or dl-wx), install anaconda from
https://www.anaconda.com/. This will also install a bash terminal with a
pre-set path for the anaconda's python. From there, simply run dl-cli as
you would on *nix. The advantage here is that you're testing the same
setup as dl-wx.




Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-11-29 Thread Blair Alper
I installed an SSL cert on my server and attempted to use forced https rewrite.
The various files failed to link to each other. I had to disable the forced
rewrite. I can login via https, but then it falls back to http.


On November 29, 2017 5:10:41 PM CST, Yuri D'Elia  wrote:
>On Wed, Nov 29 2017, Mark Pagnotta wrote:
>> "DL connection error: schannel: next InitializeSecurityContext failed:
>> unknown error (0x80092012) - The revocation function was unable to check
>> revocation for the certificate" If I uncheck the "Verify SSL
>> certificate" box, it all works normally.
>
>That would be surprising. Any chance you could share (even privately)
>the server URL? I just need to perform a connection, so no credentials
>are necessary.
>
>> The https://dl.company.com/rest.php gives me a blank page in all browsers.
>
>rest.php needs some extra configuration server-side to forward
>authentication credentials to PHP. Errors here are visible on the server
>logs, not on the client.
>
>What kind of web server and PHP setup are you using?
>
>> If the issue is in my PKI, I think that Internet Explorer would fail in
>> its connection attempt as well (inetcpl has the "check revocations"
>> option enabled). I'm not sure what other troubleshooting I can do. I
>> can't seem to get any more information on why the client and addon
>> connections are failing.
>
>AFAIK, the old dl-wx client was built with an ancient version of
>openssl which didn't support SNI. But the current version available
>online does.
>
>I never had CRL problems before, but we could easily have a check.

-- 
Sent from my Android tablet with K-9 Mail.

Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-11-29 Thread Yuri D'Elia
On Wed, Nov 29 2017, Mark Pagnotta wrote:
> "DL connection error: schannel: next InitializeSecurityContext failed:
> unknown error (0x80092012) - The revocation function was unable to check
> revocation for the certificate" If I uncheck the "Verify SSL
> certificate" box, it all works normally.

That would be surprising. Any chance you could share (even privately)
the server URL? I just need to perform a connection, so no credentials
are necessary.

> The https://dl.company.com/rest.php gives me a blank page in all browsers.

rest.php needs some extra configuration server-side to forward
authentication credentials to PHP. Errors here are visible on the server
logs, not on the client.

What kind of web server and PHP setup are you using?

> If the issue is in my PKI, I think that Internet Explorer would fail in
> its connection attempt as well (inetcpl has the "check revocations"
> option enabled). I'm not sure what other troubleshooting I can do. I
> can't seem to get any more information on why the client and addon
> connections are failing.

AFAIK, the old dl-wx client was built with an ancient version of
openssl which didn't support SNI. But the current version available
online does.

I never had CRL problems before, but we could easily have a check.




[dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-11-29 Thread Mark Pagnotta
When I attempt to upload a file to my DL server using the dl-wx client, 
I receive the error:
"DL connection error: schannel: next InitializeSecurityContext failed: 
unknown error (0x80092012) - The revocation function was unable to check 
revocation for the certificate" If I uncheck the "Verify SSL 
certificate" box, it all works normally.


When I attempt to setup the thunderbird addon with my local DL server, 
when I press the "Setup Account" button I receive the message:
"An error occurred while setting up the account!" There is no other error 
displayed. The error console only shows the GET request to the DL server 
that never completes (response is empty, I'm assuming 'cause the 
certificate check failed, like with the dl-wx client). It's frustrating 
that I don't see any other errors in the console. All the sections are 
activated (Net, CSS, JS, etc...). Am I doing something wrong there?


On every failed connection, I get 2 errors in my event log:
schannel#36876 "The certificate received from the remote server has not 
validated correctly. The error code is 0x80092012. The SSL connection 
request has failed. The attached data contains the server certificate."
schannel#36888 "The following fatal alert was generated: 43. The 
internal error state is 552."
Googling the combination of above errors and DL error messages only gave 
me results from people who had an improperly implemented certificate chain.


The https://dl.company.com web interface works fine in Firefox and 
Internet Explorer. I can connect and upload files.

The https://dl.company.com/rest.php gives me a blank page in all browsers.

The DL server certificate is signed by a trusted root. The certificate 
signer uses the CRL distribution point extension and publishes 
revocation lists to an http server that is up and running. I assume that 
since the certificate validates in Internet explorer that the problem is 
not with the windows part of the certificate checking. The plugin and 
addon never seem to make any connection to the server hosting the CRLs 
(tried wireshark and sysutils Process Monitor).


If the issue is in my PKI, I think that Internet Explorer would fail in 
its connection attempt as well (inetcpl has the "check revocations" 
option enabled). I'm not sure what other troubleshooting I can do. I 
can't seem to get any more information on why the client and addon 
connections are failing.


--
Mark