Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:

> now it works fine, the problem was SslContext.

Good news.
 
> Now I am investigating to understand which parameter can give me the error.

Confusing and often misunderstood is property SslVersionMethod.
In most cases, if not all, it should be set to one of the 
sslV23_XX options. The sslV23_XX options include all version
methods including TLS v1. In order to disable a version, use 
SslOptions sslOpt_NO_XXX instead.

> 
> Thank you for cooperation,

You are welcome.

-- 
Arno Garrels
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Svemu - Reparto Sviluppo


- Original Message - 
From: "Arno Garrels" 

> Just sent my working binary by private mail.
> Please let us know how it works.


Hi Arno,
now it works fine, the problem was SslContext.

Now I am investigating to understand which parameter can give me the error.

Thank you for cooperation,
best regards
daniele barbato




Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:
> can you send me your compiled demo and dll?

Just sent my working binary by private mail.
Please let us know how it works. 


-- 
Arno Garrels


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Svemu - Reparto Sviluppo

>> yes, my customer uses my application but for this test, I use
>> OverbyteIcsSslFtpTst.exe on the customer's pc.

> Is it the _same_ OverbyteIcsSslFtpTst.exe?

No,
I've compiled OverbyteIcsSslFtpTst and OverbyteIcsSslFtpTst and I made a test.
Now I've copied SslContext from HTTP and pasted it into Ftp but I still have the error.

At the end I paste the log.

> I'm asking because your client_hello size is 90 bytes
> however my test with the original OverbyteIcsSslFtpTst demo and
> OSSL 0.9.8e sent a 88 bytes client_hello, this looks like a
> different option set in SslContext.

Can you send me your compiled demo and dll?
I hope that I can solve the problem because I need to work on ssl layer.

best regards
daniele barbato

PS: I send you an email.


12.29.18.266 ! HighLevelAsync 0
12.29.18.276 TWSocket will connect to xx:21
12.29.18.306 00A7A350 TryToSend 232
12.29.18.306 00A7A350 TriggerDataSent 232
12.29.18.547 >|220-- Welcome to Pure-FTPd [privsep] [TLS] --|


12.29.18.547 >|220-You are user number 73 of 80 allowed.|

12.29.18.547 >|220-Local time is now 12:29. Server port: 21.|

12.29.18.547 >|220-IPv6 connections are also welcome on this server.|

12.29.18.547 >|220 You will be disconnected after 20 minutes of inactivity.|

12.29.18.557 ! HighLevelAsync 0
12.29.18.557 00A7A350 PutDataInSendBuffer 232  len 10 [1]
12.29.18.557 00A7A350 TryToSend 232
12.29.18.557 00A7A350 TryToSend 232
12.29.18.557 00A7A350 TriggerDataSent 232
12.29.18.667 >|234 AUTH TLS OK.|

12.29.18.667 00A7A350 StartSslHandshake 232
12.29.18.867 00A7A350 InitSSLConnection 232
12.29.18.867 00A7A350 BIO_ctrl(sslbio, BIO_C_SET_SSL, BIO_NOCLOSE, 0x11952B0) = 1   [2]

12.29.18.867 ICB> SSL_CB_HANDSHAKE_START
12.29.18.867 ICB> SSL_connect: before/connect initialization
12.29.18.867 ICB> SSL_connect: SSLv2/v3 write client hello A
12.29.18.867 ICB> SSL_connect: error in SSLv2/v3 read server hello A
12.29.18.867 00A7A350 BIO_read(sslbio, 0x1, 0) = -1   [3]
12.29.18.867 00A7A350 BIO_should_retry(sslbio) = 1   [4]
12.29.18.867 00A7A350 TriggerEvent sslFdRead 232
12.29.18.867 00A7A350 TriggerEvent sslFdWrite 232
12.29.18.877 SslAsyncSelect 232, 1 FD_READ
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_READ 232
12.29.18.877 00A7A350 BIO_ctrl_get_read_request(nbio) = 7   [5]
12.29.18.877 00A7A350 Winsock recv( 232, 0x12DD1C, 7, 0) = -1   [6]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 90   [7]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [8]
12.29.18.877 SslAsyncSelect 232, 2 FD_WRITE
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 90   [9]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 90) = 90   [10]
12.29.18.877 00A7A350 my_RealSend (0xE8, 1228092, 90) = 90   [11]
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [12]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [13]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [14]
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [15]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 0) = 0   [16]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [17]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [18]
12.29.18.877 00A7A350 TCustomSslWSocket.Do_FD_WRITE 232
12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [19]
12.29.18.877 00A7A350 BIO_read(nbio, 0x12BD3C, 0) = 0   [20]
12.29.18.877 00A7A350 TriggerEvents 232 SslState: SSL_ST_INIT  // MayFD_Read=0 MayDoRecv=-1 MayFD_Write=-1 MaySslTryToSend=-1 bSslAllSent=0 bAllSent=-1

12.29.18.877 00A7A350 BIO_ctrl_pending(nbio) = 0   [21]
12.29.18.877 00A7A350 BIO_ctrl_get_write_guarantee(nbio) = 4096   [22]
12.29.18.987 00A7A350 TCustomSslWSocket.Do_FD_READ 232
12.29.18.987 00A7A350 BIO_ctrl_get_read_request(nbio) = 7   [23]
12.29.18.987 00A7A350 Winsock recv( 232, 0x12DD38, 7, 0) = 7   [24]
12.29.18.987 00A7A350 BIO_write(nbio, 0x12DD38, 7) = 7   [25]
12.29.18.987 00A7A350 BIO_ctrl(nbio, BIO_CTRL_FLUSH, 0, 0x0) = 1   [26]
12.29.18.987 ICB> SSL3 alert read fatal unknown
12.29.18.987 ICB> SSL_connect: error in SSLv2/v3 read server hello A
12.29.18.987 00A7A350 BIO_read(sslbio, 0x1, 0) = -1   [27]
12.29.18.987 00A7A350 BIO_should_retry(sslbio) = 0   [28]
12.29.18.987 00A7A350  232  [29] error:14077447:SSL routines:SSL23_GET_SERVER_HELLO:reason(1095)

12.29.18.987 00A7A350 TriggerEvent sslFdClose 232
12.29.18.987 00A7A350 NetworkError #10053
12.29.18.987 SslAsyncSelect 232, 32 FD_CLOSE
12.29.18.987 00A7A350 TCustomSslWSoc
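
An added example, not part of the original post or of ICS: a Python sketch that extracts from such a debug log the two facts compared in this thread, the size of the first send after the handshake starts (the client_hello) and the fields of the packed OpenSSL error code. The sample lines are copied from the log above, the function names are hypothetical, and the lib/func/reason bit layout assumed is that of OpenSSL releases before 3.0.

```python
import re

# Pre-3.0 OpenSSL packs an error as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
# ssl.h: SSL reasons at or above this offset are offset + the alert
# description byte received from the peer.
SSL_AD_REASON_OFFSET = 1000

# Constructed sample: lines taken from the log in this thread (wraps rejoined).
SAMPLE_LOG = """\
12.29.18.667 00A7A350 StartSslHandshake 232
12.29.18.867 ICB> SSL_connect: SSLv2/v3 write client hello A
12.29.18.877 00A7A350 my_RealSend (0xE8, 1228092, 90) = 90   [11]
12.29.18.987 00A7A350 Winsock recv( 232, 0x12DD38, 7, 0) = 7   [24]
12.29.18.987 ICB> SSL3 alert read fatal unknown
12.29.18.987 00A7A350  232  [29] error:14077447:SSL routines:SSL23_GET_SERVER_HELLO:reason(1095)
"""

def unpack_error(code):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return the client_hello size and the decoded OpenSSL errors in a log."""
    result = {"client_hello_bytes": None, "errors": []}
    in_handshake = False
    for line in log_text.splitlines():
        if "StartSslHandshake" in line:
            in_handshake = True
        sent = re.search(r"my_RealSend \(.*\) = (\d+)", line)
        # Only the first send after the handshake starts is the client_hello.
        if sent and in_handshake and result["client_hello_bytes"] is None:
            result["client_hello_bytes"] = int(sent.group(1))
        err = re.search(r"error:([0-9A-Fa-f]{8}):", line)
        if err:
            lib, func, reason = unpack_error(int(err.group(1), 16))
            alert = None
            if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
                alert = reason - SSL_AD_REASON_OFFSET
            result["errors"].append(
                {"lib": lib, "func": func, "reason": reason, "peer_alert": alert})
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Running the same function over a log from a working machine and one from the failing machine gives the client_hello sizes side by side, which is the comparison made in this thread (90 versus 88 bytes).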

Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-09 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:
> From: "Arno Garrels" 
>> It might be that the application loaded some incompatible
>> OpenSSL libraries unless the full path and filenames are
>> specified.
>> 
>> try
>>   GSSLEAY_DLL_Name := ;
>>   GLIBEAY_DLL_Name := ;
>>   MySslContext.InitContext; // loads the libraries and initializes the SslContext
>> except
>>   // Something went wrong, log and handle it.
>> end;"
> 
> 
> ok, tomorrow morning I'll try this.
> I'm sure that in the folder of OverbyteIcsSslFtpTst.exe, the dll are
> 0.9.8e and with ProcessMonitor.exe I see that they are loaded

Not required if the image path is actually correct.

> this morning I've seen that if I use OverbyteIcsHttpsTst.exe from the
> customer's pc, ssl works fine.
> Is TSSLContext different between ftp
> and http?

The xx_bug options are set in the HttpsTst demo. 
 
> 
>> As I understand, your customer uses your application rather
>> than OverbyteIcsSslFtpTst.exe. If so, I would compare all
>> SSL settings of your application with the demo settings.
> 
> yes, my customer uses my application but for this test, I use
> OverbyteIcsSslFtpTst.exe on the customer's pc.

Is it the _same_ OverbyteIcsSslFtpTst.exe?
I'm asking because your client_hello size is 90 bytes 
however my test with the original OverbyteIcsSslFtpTst demo and 
OSSL 0.9.8e sent a 88 bytes client_hello, this looks like a
different option set in SslContext.

-- 
Arno Garrels




Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Svemu - Reparto Sviluppo


From: "Arno Garrels" 

> It might be that the application loaded some incompatible
> OpenSSL libraries unless the full path and filenames are
> specified.
>
> try
>   GSSLEAY_DLL_Name := ;
>   GLIBEAY_DLL_Name := ;
>   MySslContext.InitContext; // loads the libraries and initializes the SslContext
> except
>   // Something went wrong, log and handle it.
> end;"

ok, tomorrow morning I'll try this.
I'm sure that in the folder of OverbyteIcsSslFtpTst.exe, the dll are 0.9.8e
and with ProcessMonitor.exe I see that they are loaded

this morning I've seen that if I use OverbyteIcsHttpsTst.exe from the
customer's pc, ssl works fine. Is TSSLContext different between ftp and http?

> As I understand, your customer uses your application rather
> than OverbyteIcsSslFtpTst.exe. If so, I would compare all
> SSL settings of your application with the demo settings.

yes, my customer uses my application but for this test, I use
OverbyteIcsSslFtpTst.exe on the customer's pc.






Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Arno Garrels
Hello,

Svemu - Reparto Sviluppo wrote:
>>> 09.42.57.040 00A6D550  212  [32] error:14077447:SSL
>>> routines:SSL23_GET_SERVER_HELLO:reason(1095)
>> 
>> Error number 1095 seems to mean const SSL_R_KRB5_C_GET_CRED
>> which has been changed from 1095 to 287 in OpenSSL 0.9.8a
>> to 0.9.8b. Dunno the meaning of this error, may have to do
>> with Kerberos.
> 
> LibEay32.dll is 0.9.8e and is the same on ftp server.

It might be that the application loaded some incompatible 
OpenSSL libraries unless the full path and filenames are 
specified.

Quote from thread "New DLL hijacking vulnerability KB 2269637":

"The DLL names are globally writable typed constants, set their values
before the OpenSSL libraries are loaded. OSSL is dynamically loaded
at runtime, that is when the first OpenSSL function is called.

In order to enforce a load call TSslContext.InitContext or 
set TSslDynamicLock/TSslStaticLock.Enabled to TRUE.
I prefer this anyway since the load errors don't raise somewhere
but where I can handle them easily: 

try
  GSSLEAY_DLL_Name := ;
  GLIBEAY_DLL_Name := ;
  MySslContext.InitContext; // loads the libraries and initializes the SslContext
except
  // Something went wrong, log and handle it.
end;"

> From my pc work fine with same dll.

I just tested from here with the demo OverbyteIcsSslFtpTst.exe
and that works for me as well. 

> 
> Can you give me an idea for investigate?
 
As I understand, your customer uses your application rather
than OverbyteIcsSslFtpTst.exe. If so, I would compare all
SSL settings of your application with the demo settings.

Or you could ask for a reason of error 
"error:14077447:SSL routines:SSL23_GET_SERVER_HELLO:reason(1095)"
in the OpenSSL mailing list.

-- 
Arno Garrels


Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Svemu - Reparto Sviluppo



>> 09.42.57.040 00A6D550  212  [32] error:14077447:SSL
>> routines:SSL23_GET_SERVER_HELLO:reason(1095)

> Error number 1095 seems to mean const SSL_R_KRB5_C_GET_CRED
> which has been changed from 1095 to 287 in OpenSSL 0.9.8a
> to 0.9.8b. Dunno the meaning of this error, may have to do
> with Kerberos.


Hi Arno,
thank you for your answer.

LibEay32.dll is 0.9.8e and is the same on ftp server.


From my pc work fine with same dll.


Can you give me an idea for investigate?

In my lan there is any kerberos's server.

best regards
daniele barbato




Re: [twsocket] 535 SSL handshake failed. Error #1

2010-09-08 Thread Arno Garrels
Svemu - Reparto Sviluppo wrote:
> Hi,
> I've a problem on a customer pc.
> 
> When I try to open a connection over tls layer, I receive the error
> "535 SSL handshake failed. Error #1".
> 
> I use the last ICS package and delphi 2010, I use
> OverbyteIcsSslFtpTst.exe for this test.

Have you tried a more recent OpenSSL version yet?

> 09.42.57.040 00A6D550  212  [32] error:14077447:SSL
> routines:SSL23_GET_SERVER_HELLO:reason(1095)

Error number 1095 seems to mean const SSL_R_KRB5_C_GET_CRED 
which has been changed from 1095 to 287 in OpenSSL 0.9.8a
to 0.9.8b. Dunno the meaning of this error, may have to do
with Kerberos.

-- 
Arno Garrels

