Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:
 From: Arno Garrels arno.garr...@gmx.de
 It might be that the application loaded some incompatible
 OpenSSL libraries unless the full path and filenames are
 specified.
 
 try
   GSSLEAY_DLL_Name := full path and filename;
   GLIBEAY_DLL_Name := full path and filename;
   MySslContext.InitContext; // loads the libraries and initializes the SslContext
 except
   // Something went wrong, log and handle it.
 end;
 
 
 OK, tomorrow morning I will try this.
 I'm sure that in the folder of OverbyteIcsSslFtpTst.exe the DLLs are
 0.9.8e, and with ProcessMonitor.exe I see that they are loaded.

Not required if the image path is actually correct.

 This morning I've seen that if I use OverbyteIcsHttpsTst.exe from the
 customer's PC, SSL works fine.
 Is TSSLContext different between FTP and HTTP?

The xx_bug options are set in the HttpsTst demo. 
 
 
 As I understand, your customer uses your application rather
 than OverbyteIcsSslFtpTst.exe. If so, I would compare all
 SSL settings of your application with the demo settings.
 
 Yes, my customer uses my application, but for this test I use
 OverbyteIcsSslFtpTst.exe on the customer's PC.

Is it the _same_ OverbyteIcsSslFtpTst.exe?
I'm asking because your client_hello size is 90 bytes,
however my test with the original OverbyteIcsSslFtpTst demo and
OSSL 0.9.8e sent an 88-byte client_hello; this looks like a
different option set in SslContext.

-- 
Arno Garrels


--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Svemu - Reparto Sviluppo

Yes, my customer uses my application, but for this test I use
OverbyteIcsSslFtpTst.exe on the customer's PC.


Is it the _same_ OverbyteIcsSslFtpTst.exe?


No,
I've compiled OverbyteIcsSslFtpTst and OverbyteIcsSslFtpTst and I made a
test.
Now I've copied SslContext from HTTP and pasted it into Ftp, but I still have
the error.

At the end I paste the log.




I'm asking because your client_hello size is 90 bytes,
however my test with the original OverbyteIcsSslFtpTst demo and
OSSL 0.9.8e sent an 88-byte client_hello; this looks like a
different option set in SslContext.


Can you send me your compiled demo and DLL?
I hope that I can solve the problem because I need to work on the SSL layer.

Best regards
daniele barbato

PS: I send you an email.


12.29.18.266 ! HighLevelAsync 0
12.29.18.276 TWSocket will connect to xx:21
12.29.18.306 00A7A350 TryToSend 232
12.29.18.306 00A7A350 TriggerDataSent 232
12.29.18.547 |220-- Welcome to Pure-FTPd [privsep] 
[TLS] --|


12.29.18.547 |220-You are user number 73 of 80 allowed.|

12.29.18.547 |220-Local time is now 12:29. Server port: 21.|

12.29.18.547 |220-IPv6 connections are also welcome on this server.|

12.29.18.547 |220 You will be disconnected after 20 minutes of inactivity.|

12.29.18.557 ! HighLevelAsync 0
12.29.18.557 00A7A350 PutDataInSendBuffer 232  len 10 [1]
12.29.18.557 00A7A350 TryToSend 232
12.29.18.557 00A7A350 TryToSend 232
12.29.18.557 00A7A350 TriggerDataSent 232
12.29.18.667 |234 AUTH TLS OK.|

12.29.18.667 00A7A350 StartSslHandshake 232
12.29.18.867 00A7A350 InitSSLConnection 232
12.29.18.867 00A7A350 BIO_ctrl(sslbio, BIO_C_SET_SSL, BIO_NOCLOSE, 
0x11952B0) = 1   [2]

12.29.18.867 ICB SSL_CB_HANDSHAKE_START
12.29.18.867 ICB SSL_connect: before/connect initialization
12.29.18.867 ICB SSL_connect: SSLv2/v3 write client hello A
12.29.18.867 ICB SSL_connect: error in SSLv2/v3 read server hello A
12.29.18.867 00A7A350 BIO_read(sslbio, 0x1, 0) = -1   [3]
12.29.18.867 00A7A350 BIO_should_retry(sslbio) = 1   [4]
12.29.18.867 00A7A350 TriggerEvent sslFdRead 232
12.29.18.867 00A7A350 TriggerEvent sslFdWrite 232
12.29.18.877 SslAsyncSelect 232, 1 FD_READ
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_READ 232
12.29.18.877 00A7A350 BIO_ctrl_get_read_request(nbio) = 7   [5]
12.29.18.877 00A7A350 Winsock recv( 232, 0x12DD1C, 7, 0) = -1   [6]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 90   [7]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [8]
12.29.18.877 SslAsyncSelect 232, 2 FD_WRITE
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 90   [9]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 90) = 90   [10]
12.29.18.877 00A7A350 my_RealSend (0xE8, 1228092, 90) = 90   [11]
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [12]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [13]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [14]
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [15]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 0) = 0   [16]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [17]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [18]
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [19]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 0) = 0   [20]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [21]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [22]
12.29.18.987 00A7A350 TCustomSslWSocket.Do_FD_READ 232
12.29.18.987 00A7A350 BIO_ctrl_get_read_request(nbio) = 7   [23]
12.29.18.987 00A7A350 Winsock recv( 232, 0x12DD38, 7, 0) = 7   [24]
12.29.18.987 00A7A350 BIO_write(nbio, 0x12DD38, 7) = 7   [25]
12.29.18.987 00A7A350 BIO_ctrl(nbio, BIO_CTRL_FLUSH, 0, 0x0) = 1   [26]
12.29.18.987 ICB SSL3 alert read fatal unknown
12.29.18.987 ICB SSL_connect: error in SSLv2/v3 read server hello A
12.29.18.987 00A7A350 BIO_read(sslbio, 0x1, 0) = -1   [27]
12.29.18.987 00A7A350 BIO_should_retry(sslbio) = 0   [28]
12.29.18.987 00A7A350  232  [29] error:14077447:SSL 
routines:SSL23_GET_SERVER_HELLO:reason(1095)

12.29.18.987 00A7A350 TriggerEvent sslFdClose 232
12.29.18.987 00A7A350 NetworkError #10053
12.29.18.987 SslAsyncSelect 232, 32 FD_CLOSE
12.29.18.987 00A7A350 

Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:
 Can you send me your compiled demo and DLL?

Just sent my working binary by private mail.
Please let us know how it works. 


-- 
Arno Garrels


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Svemu - Reparto Sviluppo


- Original Message - 
From: Arno Garrels arno.garr...@gmx.de

Just sent my working binary by private mail.
Please let us know how it works. 


Hi Arno,
now it works fine; the problem was SslContext.

Now I will investigate to understand which parameter can give me the error.

Thank you for your cooperation,
best regards
daniele barbato




Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:

 now it works fine; the problem was SslContext.

Good news.
 
 Now I will investigate to understand which parameter can give me the error.

Confusing and often misunderstood is property SslVersionMethod.
In most cases, if not all, it should be set to one of the 
sslV23_XX options. The sslV23_XX options include all version
methods including TLS v1. In order to disable a version, use 
SslOptions sslOpt_NO_XXX instead.

 
 Thank you for cooperation,

You are welcome.

-- 
Arno Garrels
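
The SslVersionMethod advice above as a worked configuration; this is an added example, not code from the thread or from ICS. It assumes that sslV23_CLIENT, sslV3_CLIENT, sslOpt_NO_SSLv2 and sslOpt_NO_SSLv3 are the concrete members of the sslV23_XX and sslOpt_NO_XXX families named in the post and that TSslContext is declared in OverbyteIcsWSocket; ConfigureClientProtocols is a hypothetical helper.

```delphi
unit SslClientProtocols;

interface

uses
  OverbyteIcsWSocket;  // assumed home of TSslContext and the ssl* enums

// Hypothetical helper; call it before the context is first used.
procedure ConfigureClientProtocols(Ctx: TSslContext; AllowSslV3: Boolean);

implementation

procedure ConfigureClientProtocols(Ctx: TSslContext; AllowSslV3: Boolean);
begin
  // Easy to get wrong: pinning one protocol in the method, for example
  //   Ctx.SslVersionMethod := sslV3_CLIENT;
  // offers exactly that version, so the handshake fails against any
  // server that will not speak it.

  // Offer every version the library supports ...
  Ctx.SslVersionMethod := sslV23_CLIENT;

  // ... and switch off the unwanted ones through SslOptions instead.
  Ctx.SslOptions := Ctx.SslOptions + [sslOpt_NO_SSLv2];
  if not AllowSslV3 then
    Ctx.SslOptions := Ctx.SslOptions + [sslOpt_NO_SSLv3];

  // Force library load and context creation here, so that a bad setting
  // raises at a known place rather than on the first connection.
  Ctx.InitContext;
end;

end.
```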


[twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Svemu - Reparto Sviluppo

Hi,
I have a problem on a customer PC.

When I try to open a connection over the TLS layer, I receive the error 535 SSL
handshake failed. Error #1.


I use the latest ICS package and Delphi 2010; I use OverbyteIcsSslFtpTst.exe
for this test.


Can anyone help me?

Best regards
daniele


This is IcsLog:

09.42.49.399 TWSocket will connect to 95.110.201.126:21
09.42.49.399 00A6D550 TryToSend 212
09.42.49.399 00A6D550 TriggerDataSent 212
09.42.49.649 |220-- Welcome to Pure-FTPd [privsep] 
[TLS] --|


09.42.49.649 |220-You are user number 2 of 80 allowed.|

09.42.49.649 |220-Local time is now 09:42. Server port: 21.|

09.42.49.649 |220-IPv6 connections are also welcome on this server.|

09.42.49.659 |220 You will be disconnected after 20 minutes of inactivity.|

09.42.50.711 00A6D550 PutDataInSendBuffer 212  len 27 [1]
09.42.50.711 00A6D550 TryToSend 212
09.42.50.711 00A6D550 TryToSend 212
09.42.50.711 00A6D550 TriggerDataSent 212
09.42.50.831 |331 User xxx OK. Password required|

09.42.51.912 00A6D550 PutDataInSendBuffer 212  len 13 [2]
09.42.51.912 00A6D550 TryToSend 212
09.42.51.912 00A6D550 TryToSend 212
09.42.51.912 00A6D550 TriggerDataSent 212
09.42.52.143 |230-User xxx has group access to:  easwebjv  |

09.42.52.143 |230-OK. Current restricted directory is /|

09.42.52.143 |230 38714 Kbytes used (2%) - authorized: 1638400 Kb|

09.42.54.586 00A6D550 PutDataInSendBuffer 212  len 8 [3]
09.42.54.586 00A6D550 TryToSend 212
09.42.54.586 00A6D550 TryToSend 212
09.42.54.586 00A6D550 TriggerDataSent 212
09.42.54.706 |200 TYPE is now 8-bit binary|

09.42.56.599 00A6D550 PutDataInSendBuffer 212  len 10 [4]
09.42.56.599 00A6D550 TryToSend 212
09.42.56.599 00A6D550 TryToSend 212
09.42.56.599 00A6D550 TriggerDataSent 212
09.42.56.719 |234 AUTH TLS OK.|

09.42.56.719 00A6D550 StartSslHandshake 212
09.42.56.919 00A6D550 InitSSLConnection 212
09.42.56.919 00A6D550 BIO_ctrl(sslbio, BIO_C_SET_SSL, BIO_NOCLOSE, 
0x1085A70) = 1   [5]

09.42.56.919 ICB SSL_CB_HANDSHAKE_START
09.42.56.919 ICB SSL_connect: before/connect initialization
09.42.56.919 ICB SSL_connect: SSLv2/v3 write client hello A
09.42.56.919 ICB SSL_connect: error in SSLv2/v3 read server hello A
09.42.56.919 00A6D550 BIO_read(sslbio, 0x1, 0) = -1   [6]
09.42.56.919 00A6D550 BIO_should_retry(sslbio) = 1   [7]
09.42.56.919 00A6D550 TriggerEvent sslFdRead 212
09.42.56.919 00A6D550 TriggerEvent sslFdWrite 212
09.42.56.919 SslAsyncSelect 212, 1 FD_READ
09.42.56.919 00A6D550 TCustomSslWSocket.Do_FD_READ 212
09.42.56.919 00A6D550 BIO_ctrl_get_read_request(nbio) = 7   [8]
09.42.56.919 00A6D550 Winsock recv( 212, 0x12DD44, 7, 0) = -1   [9]
09.42.56.919 00A6D550 TriggerEvents 212 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 90   [10]
09.42.56.919 00A6D550 BIO_ctrl_get_write_guarantee(nbio) = 4096   [11]
09.42.56.919 SslAsyncSelect 212, 2 FD_WRITE
09.42.56.919 00A6D550 TCustomSslWSocket.Do_FD_WRITE 212
09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 90   [12]
09.42.56.919 00A6D550 BIO_read(nbio, 0x12BD60, 90) = 90   [13]
09.42.56.919 00A6D550 my_RealSend (0xD4, 1228128, 90) = 90   [14]
09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [15]
09.42.56.919 00A6D550 TriggerEvents 212 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [16]
09.42.56.919 00A6D550 BIO_ctrl_get_write_guarantee(nbio) = 4096   [17]
09.42.56.919 00A6D550 TCustomSslWSocket.Do_FD_WRITE 212
09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [18]
09.42.56.919 00A6D550 BIO_read(nbio, 0x12BD6C, 0) = 0   [19]
09.42.56.919 00A6D550 TriggerEvents 212 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [20]
09.42.56.919 00A6D550 BIO_ctrl_get_write_guarantee(nbio) = 4096   [21]
09.42.56.919 00A6D550 TCustomSslWSocket.Do_FD_WRITE 212
09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [22]
09.42.56.919 00A6D550 BIO_read(nbio, 0x12BD6C, 0) = 0   [23]
09.42.56.919 00A6D550 TriggerEvents 212 SslState: SSL_ST_INIT  // 
MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 
bAllSent=-1

09.42.56.919 00A6D550 BIO_ctrl_pending(nbio) = 0   [24]
09.42.56.919 00A6D550 BIO_ctrl_get_write_guarantee(nbio) = 4096   [25]
09.42.57.040 00A6D550 TCustomSslWSocket.Do_FD_READ 212
09.42.57.040 00A6D550 BIO_ctrl_get_read_request(nbio) = 7   [26]
09.42.57.040 00A6D550 Winsock recv( 212, 0x12DD6C, 7, 0) = 7   [27]
09.42.57.040 00A6D550 BIO_write(nbio, 0x12DD6C, 7) = 7   [28]
09.42.57.040 00A6D550 BIO_ctrl(nbio, BIO_CTRL_FLUSH, 0, 0x0) = 1   [29]
09.42.57.040 ICB SSL3 alert read fatal unknown
09.42.57.040 ICB SSL_connect: error in SSLv2/v3 read server hello A
09.42.57.040 00A6D550 BIO_read(sslbio, 0x1, 0) = -1   [30]
09.42.57.040 00A6D550 

Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Svemu - Reparto Sviluppo



09.42.57.040 00A6D550  212  [32] error:14077447:SSL
routines:SSL23_GET_SERVER_HELLO:reason(1095)


Error number 1095 seems to mean const SSL_R_KRB5_C_GET_CRED
which has been changed from 1095 to 287 in OpenSSL 0.9.8a
to 0.9.8b. Dunno the meaning of this error, may have to do
with Kerberos.


Hi Arno,
thank you for your answer.

LibEay32.dll is 0.9.8e and is the same on the FTP server.


From my PC it works fine with the same DLL.


Can you give me an idea of what to investigate?

In my lan there is any kerberos's server.

best regards
daniele barbato
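
Splitting the code from the log line `error:14077447` into its fields, as an added example that is not part of the original posts. OpenSSL 0.9.8 packs library, function and reason into one 32-bit value, and in the SSL library a reason of 1000 or more is 1000 plus the description byte of an alert received from the peer; `TOsslError` and `DecodeOsslError` are hypothetical names.

```delphi
program OsslErrDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils;

const
  ERR_LIB_SSL          = 20;    // OpenSSL library number of libssl
  SSL_AD_REASON_OFFSET = 1000;  // SSL reasons >= this are offset + alert byte

type
  TOsslError = record
    Lib, Func, Reason: Integer;
    AlertDescr: Integer;        // -1 when the reason is not alert-derived
  end;

// Splits the code the way the ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON
// macros do: 8 bits library, 12 bits function, 12 bits reason.
function DecodeOsslError(const HexCode: string): TOsslError;
var
  Code: Cardinal;
begin
  Code := Cardinal(StrToInt64('$' + HexCode));
  Result.Lib    := (Code shr 24) and $FF;
  Result.Func   := (Code shr 12) and $FFF;
  Result.Reason := Code and $FFF;
  if (Result.Lib = ERR_LIB_SSL) and
     (Result.Reason >= SSL_AD_REASON_OFFSET) then
    Result.AlertDescr := Result.Reason - SSL_AD_REASON_OFFSET
  else
    Result.AlertDescr := -1;
end;

var
  E: TOsslError;
begin
  // Hex code copied from the IcsLog line quoted in this thread.
  E := DecodeOsslError('14077447');
  Writeln(Format('lib=%d func=%d reason=%d', [E.Lib, E.Func, E.Reason]));
  if E.AlertDescr >= 0 then
    Writeln(Format('alert-derived reason, peer alert description %d',
      [E.AlertDescr]))
  else
    Writeln('reason is a library-internal code');
end.
```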




Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Arno Garrels
Hello,

Svemu - Reparto Sviluppo wrote:
 09.42.57.040 00A6D550  212  [32] error:14077447:SSL
 routines:SSL23_GET_SERVER_HELLO:reason(1095)
 
 Error number 1095 seems to mean const SSL_R_KRB5_C_GET_CRED
 which has been changed from 1095 to 287 in OpenSSL 0.9.8a
 to 0.9.8b. Dunno the meaning of this error, may have to do
 with Kerberos.
 
 LibEay32.dll is 0.9.8e and is the same on the FTP server.

It might be that the application loaded some incompatible 
OpenSSL libraries unless the full path and filenames are 
specified.

Quote from thread New DLL hijacking vulnerability KB 2269637:

The DLL names are globally writable typed constants, set their values
before the OpenSSL libraries are loaded. OSSL is dynamically loaded
at runtime, that is when the first OpenSSL function is called.

In order to enforce a load call TSslContext.InitContext or 
set TSslDynamicLock/TSslStaticLock.Enabled to TRUE.
I prefer this anyway since the load errors don't raise somewhere
but where I can handle them easily: 

try
  GSSLEAY_DLL_Name := full path and filename;
  GLIBEAY_DLL_Name := full path and filename;
  MySslContext.InitContext; // loads the libraries and initializes the SslContext
except
  // Something went wrong, log and handle it.
end;

 From my PC it works fine with the same DLL.

I just tested from here with the demo OverbyteIcsSslFtpTst.exe
and that works for me as well. 

 
 Can you give me an idea of what to investigate?
 
As I understand, your customer uses your application rather
than OverbyteIcsSslFtpTst.exe. If so, I would compare all
SSL settings of your application with the demo settings.

Or you could ask for a reason of error 
error:14077447:SSL routines:SSL23_GET_SERVER_HELLO:reason(1095)
in the OpenSSL mailing list.

-- 
Arno Garrels
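
One way to apply the full-path advice above and confirm which DLL files were actually mapped; this is an added example, not code from the thread or from ICS. The unit names in the uses clause, the file names ssleay32.dll and libeay32.dll, and the helpers InitSslFromAppDir and LoadedModulePath are assumptions.

```delphi
unit SslDllPinning;

interface

uses
  Windows, SysUtils,
  OverbyteIcsSSLEAY,   // GSSLEAY_DLL_Name (unit name assumed)
  OverbyteIcsLIBEAY,   // GLIBEAY_DLL_Name (unit name assumed)
  OverbyteIcsWSocket;  // TSslContext (unit name assumed)

// Hypothetical helper: pin both OpenSSL DLLs to the application folder,
// force the load, then confirm which files Windows really mapped.
procedure InitSslFromAppDir(Ctx: TSslContext);

implementation

// Full path of an already loaded module, or '' if it is not loaded.
function LoadedModulePath(const ModuleName: string): string;
var
  H: HMODULE;
  Buf: array[0..MAX_PATH] of Char;
  N: Integer;
begin
  Result := '';
  H := GetModuleHandle(PChar(ModuleName));
  if H = 0 then Exit;
  N := GetModuleFileName(H, Buf, Length(Buf));
  SetString(Result, Buf, N);
end;

procedure InitSslFromAppDir(Ctx: TSslContext);
var
  Dir, SslDll, LibDll: string;
begin
  Dir := ExtractFilePath(ParamStr(0));
  SslDll := Dir + 'ssleay32.dll';   // file names are assumptions
  LibDll := Dir + 'libeay32.dll';
  if not (FileExists(SslDll) and FileExists(LibDll)) then
    raise Exception.Create('OpenSSL DLLs missing from ' + Dir);

  // The typed constants must be set before the first OpenSSL call.
  GSSLEAY_DLL_Name := SslDll;
  GLIBEAY_DLL_Name := LibDll;
  Ctx.InitContext;  // loads the libraries; load errors raise here

  // Verify the mapped modules are the pinned files, not same-named
  // copies picked up from elsewhere on the search path.
  if not (SameText(LoadedModulePath('ssleay32.dll'), SslDll) and
          SameText(LoadedModulePath('libeay32.dll'), LibDll)) then
    raise Exception.Create('OpenSSL loaded from unexpected path: ' +
      LoadedModulePath('libeay32.dll'));
end;

end.
```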


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Svemu - Reparto Sviluppo


From: Arno Garrels arno.garr...@gmx.de

It might be that the application loaded some incompatible
OpenSSL libraries unless the full path and filenames are
specified.

try
   GSSLEAY_DLL_Name := full path and filename;
   GLIBEAY_DLL_Name := full path and filename;
   MySslContext.InitContext; // loads the libraries and initializes the SslContext
except
   // Something went wrong, log and handle it.
end;



OK, tomorrow morning I will try this.
I'm sure that in the folder of OverbyteIcsSslFtpTst.exe the DLLs are 0.9.8e,
and with ProcessMonitor.exe I see that they are loaded.


This morning I've seen that if I use OverbyteIcsHttpsTst.exe from the
customer's PC, SSL works fine. Is TSSLContext different between FTP and HTTP?




As I understand, your customer uses your application rather
than OverbyteIcsSslFtpTst.exe. If so, I would compare all
SSL settings of your application with the demo settings.


Yes, my customer uses my application, but for this test I use
OverbyteIcsSslFtpTst.exe on the customer's PC.



