Question:
A client we are connecting to is upgrading to make their platform SHA-2/TLS1.2 compliant.
In accordance with this I am trying to test to ensure that we're able to connect this way in the above version. The docs indicate that the connection will negotiate with the server for the highest version available and use that.
However, it's unclear which SSL protocols this version of the chilkat.http module supports, and we are receiving the following error:
ChilkatLog:
SynchronousRequest:
DllDate: Dec 12 2012
UnlockPrefix: redacted
Username: redacted
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
domain: redacted
port: 443
ssl: 1
RequestData:
HttpVersion: 1.1
Verb: POST
Path: redacted
Charset: utf-8
SendCharset: 0
MimeHeader: Content-Type: text/xml
--RequestData
ReadTimeout: 30
ConnectTimeout: 30
httpConnect:
hostname: redacted
port: 443
ssl: 1
Need to establish connection to the HTTP server...
ConnectTimeoutMs_1: 30000
calling ConnectSocket2
IPV6 enabled connect with NO heartbeat.
connectingTo: redacted
resolveHostname1:
dnsCacheLookup: redacted
dnsCacheHit: redacted
--resolveHostname1
GetHostByNameHB_ipv4: Elapsed time: 0 millisec
myIP_1: redacted
myPort_1: 53298
connect successful (1)
cacheClientCerts:
Reached the root cert..
Finished caching client certs.
--cacheClientCerts
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 10
numCompressionMethods: 1
--buildClientHello
readIncomingTls_serverHello:
readTlsRecord:
numBytesRequested: 5
Connection closed by connected peer.
Failed to read beginning of SSL/TLS record.
--readTlsRecord
--readIncomingTls_serverHello
Failed to read incoming handshake messages. (1)
Client handshake failed. (3)
Failed to connect.
--httpConnect
connectTime1: Elapsed time: 109 millisec
totalTime: Elapsed time: 109 millisec
Failed.
--SynchronousRequest
--ChilkatLog
Gateway.S3Ssl is set to true. (docs note: If True, Chilkat uses TLS 1.2) Gateway.SslProtocol is set to default. Gateway.SetSslClientCertPem returns true also.
Can anyone advise why we are failing to read beginning of SSL/TLS record and if this is even related to TLS version?
Kind regards,
Gavin.
Answer:
You're using a very old version of Chilkat. The solution is to update to the latest version.
If the server finds all of the options (protocol version, cipher suites, etc.) listed in the ClientHello as unacceptable, then it will (likely) immediately disconnect. You're using a very old version of Chilkat, and much has been added to TLS since 4 years ago.
Also... 4 years from now, I'm sure there will be servers with stringent requirements that won't accept this current October 2016 version of Chilkat, but given that Chilkat will keep up to date, the October 2020 version will be fine. In general, when there's a chance in the development schedule to update to a later version of Chilkat, it is wise to do so. The external world of servers and protocols is not stationary. You don't want to wait 4 years before updating. It's best to update on a more frequent schedule, even if once per year.
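The log in the question can be checked for the condition the answer describes. The following is an added example, not part of the original thread and not Chilkat code: it reads the ClientHello version the client offered (wire version 3.1 is TLS 1.0, 3.3 is TLS 1.2) and whether the peer closed the connection while the client was waiting for the ServerHello. The function name `diagnose` and its `required` parameter are assumptions; the sample lines are copied from the ChilkatLog above.

```python
import re

# ClientHello wire version (major, minor) -> protocol name.
WIRE_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Sample input: lines taken from the ChilkatLog in the question.
SAMPLE_LOG = """\
DllDate: Dec 12 2012
clientHelloMajorMinorVersion: 3.1
buildClientHello:
majorVersion: 3
minorVersion: 1
numCipherSuites: 10
--buildClientHello
readIncomingTls_serverHello:
readTlsRecord:
numBytesRequested: 5
Connection closed by connected peer.
Failed to read beginning of SSL/TLS record.
--readTlsRecord
--readIncomingTls_serverHello
Client handshake failed. (3)
"""

def diagnose(log_text, required=(3, 3)):
    """Summarise the TLS handshake recorded in a ChilkatLog excerpt.

    `required` is the minimum wire version the server is assumed to
    accept (default 3.3, i.e. TLS 1.2).
    """
    m = re.search(r"^\s*clientHelloMajorMinorVersion:\s*(\d+)\.(\d+)\s*$",
                  log_text, re.M)
    offered = (int(m.group(1)), int(m.group(2))) if m else None
    in_server_hello = closed = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "readIncomingTls_serverHello:":
            in_server_hello = True
        elif line == "--readIncomingTls_serverHello":
            in_server_hello = False
        elif in_server_hello and line.startswith("Connection closed by connected peer"):
            closed = True  # peer hung up before sending any ServerHello
    return {
        "offered": WIRE_VERSIONS.get(offered, "unknown") if offered else None,
        # The ClientHello version is the highest the client supports.
        "meets_required": offered is not None and offered >= required,
        "closed_before_server_hello": closed,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```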