Question:
I'm using https://www.example-code.com/cpp/socket_async.asp as a starting point for my tests. We have a server that supports SSL 3.0, but not SSL 2.0. Using socket.put_SslProtocol( "SSL 3.0" ); works, and using socket.put_SslProtocol( "SSL 2.0" ); fails, as it should. However, socket.put_SslProtocol( "default" ); fails, but it should not. I expect it to detect and use SSL 3.0. Note that default did work with SSL 3.0 as of Chilkat version 9.3.2, which I am upgrading from.
Note that your example server (chilkatsoft.com:443) supports SSL 2.0 but not SSL 3.0 and using default works. It may be that default always uses SSL 2.0 rather than detecting the server. If true, this would contradict the documentation at https://www.chilkatsoft.com/refdoc/vcCkSocketRef.html, put_SslProtocol.
I'm using v9.5.0.66 (x86-vc12) from 2/2/2017 and a simple Visual Studio C++ app to test.
Our test server was using a very old version of Chilkat Socket. Once I upgraded it to the new version, it worked fine. I consider this issue closed. Thanks.
Thanks, I'll give it a check to see what's happening..
Everything worked fine for me. In C++, you can set the CkSettings::m_verboseSsl boolean to true to get really detailed TLS handshake logging in the LastErrorText.
Here's the test program:
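    #include <stdio.h>
    #include <CkSettings.h>
    #include <CkSocket.h>

    int main(void)
    {
        // Turn on detailed TLS handshake logging in LastErrorText.
        CkSettings settings;
        settings.m_verboseSsl = true;

        CkSocket sock;
        sock.put_VerboseLogging(true);
        sock.put_SslProtocol("default");

        //bool success = sock.Connect("www.chilkatsoft.com",443,true,20000);
        bool success = sock.Connect("chilkatsoft.com",443,true,20000);
        printf("%s\n",sock.lastErrorText());
        return success ? 0 : 1;
    }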
Here's the LastErrorText
ChilkatLog: Connect_Socket(297ms): ChilkatVersion: 9.5.0.66 Component successfully unlocked using purchased unlock code. clsSocketConnect(297ms): hostname: chilkatsoft.com port: 443 tls: 1 maxWaitMs: 20000 socket2Connect(297ms): connect2(297ms): hostname: chilkatsoft.com port: 443 ssl: 1 connectImplicitSsl(297ms): Clearing TLS client certificates. connectSocket(125ms): domainOrIpAddress: chilkatsoft.com port: 443 connectTimeoutMs: 20000 connect_ipv6_or_ipv4(125ms): Multi-threaded domain to IP address resolution connecting to IPV4 address... ipAddress: 107.180.46.206 createSocket: Setting SO_SNDBUF size sendBufSize: 262144 Setting SO_RCVBUF size recvBufSize: 4194304 --createSocket connect(31ms): Waiting for the connect to complete... myIP: 192.168.1.100 myPort: 55910 socket connect successful. --connect --connect_ipv6_or_ipv4 --connectSocket clientHandshake(172ms): The client cert chain is NULL. cacheClientCerts: Cached TLS client certificates. Client cert chain is NULL. --cacheClientCerts tlsProtocol: SSL 3.0 or higher clientHandshake2(172ms): buildClientHello: clientVersion: 3.3 m_reqMajorVersion: 3 m_reqMinorVersion: 3 AllowedCiphers: Allowing all default SSL/TLS cipher suites. 
cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA256 cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_RC4_128_SHA cipherSuite: TLS_RSA_WITH_RC4_128_SHA cipherSuite: TLS_RSA_WITH_RC4_128_MD5 cipherSuite: TLS_DHE_RSA_WITH_DES_CBC_SHA cipherSuite: TLS_RSA_WITH_DES_CBC_SHA --buildClientHello sendClientHello: TlsClientHello_buildMessage: majorVersion: 3 minorVersion: 3 numRandomBytes: 32 sessionIdSize: 0 numCipherSuites: 30 numCompressionMethods: 1 SNI_hostname: chilkatsoft.com --TlsClientHello_buildMessage --sendClientHello readHandshakeMessages(47ms): readIncomingMessages(47ms): readTlsRecord(47ms): TLS 1.2, Handshake, sz=4209 --readTlsRecord processTlsRecord: processHandshakeRecord: handshakeMessageType: ServerHello handshakeMessageLen: 0x51 handshakeMessageLen: 81 nBytesLeft: 4205 processHandshakeMessage: MessageType: ServerHello processServerHello: 
SessionIdLen: 32 serverHelloExtensionsLen: 9 HelloExtension: renegotiation_info HelloExtensionLen: 1 HelloExtension: server_name HelloExtensionLen: 0 negotiatedTlsVersion: TLS 1.2 negotiatedCipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA minAcceptableRsaKeySize: 1024 Queueing ServerHello message. ServerHello is OK. --processServerHello --processHandshakeMessage handshakeMessageType: Certificate handshakeMessageLen: 0xec7 handshakeMessageLen: 3783 nBytesLeft: 4120 processHandshakeMessage: MessageType: Certificate processIncomingCertificates: Certificate: certDN: Domain Control Validated, example-code.com certSerial: 00A52E97C72BCAC010 certIssuerCN: Go Daddy Secure Certificate Authority - G2 --Certificate Certificate: certDN: US, Arizona, Scottsdale, "GoDaddy.com, Inc.", http://certs.godaddy.com/repository/, Go Daddy Secure Certificate Authority - G2 certSerial: 07 certIssuerCN: Go Daddy Root Certificate Authority - G2 --Certificate Certificate: certDN: US, Arizona, Scottsdale, "GoDaddy.com, Inc.", Go Daddy Root Certificate Authority - G2 certSerial: 1BE715 certIssuerCN: --Certificate NumCertificates: 3 Queueing Certificates message... --processIncomingCertificates --processHandshakeMessage handshakeMessageType: ServerKeyExchange handshakeMessageLen: 0x149 handshakeMessageLen: 329 nBytesLeft: 333 processHandshakeMessage: MessageType: ServerKeyExchange processServerKeyExchange: Need to get SERVER_HELLO from incoming queueu.. Dequeued ServerHello message. processEcDheKx: curveType: 3 namedCurve: secp256r1 ecPointLen: 65 selectHashAlg: 2 selectSignAlg: 1 signatureLen: 256 Queueing ServerKeyExchange message. --processEcDheKx --processServerKeyExchange --processHandshakeMessage handshakeMessageType: ServerHelloDone handshakeMessageLen: 0x0 handshakeMessageLen: 0 nBytesLeft: 0 processHandshakeMessage: MessageType: ServerHelloDone Queueing ServerHelloDone message. 
--processHandshakeMessage --processHandshakeRecord --processTlsRecord --readIncomingMessages --readHandshakeMessages handleServerCert: Dequeued Certificate message. The TlsPinSet is empty. --handleServerCert handleServerKeyExchange: Dequeued ServerKeyExchange message. --handleServerKeyExchange DequeuedMessageType: ServerHelloDone numClientCerts: 0 No client certificate required by the server. buildClientKeyExchange(47ms): buildClientKeyExchangeECDHE(47ms): verifyServerKeyExchange(16ms): composeVerifyData: selectedKeyExchangeHashAlg: 2 --composeVerifyData verifyHash(16ms): keyType: Public hashInSize: 20 padding: PKCS v1.5 HashOid: 1.3.14.3.2.26 --verifyHash ServerKeyExchange signature is valid. --verifyServerKeyExchange Verified server key exchange. namedCurve: secp256r1 generateNewKey_ecc(15ms): loadCurveByName: name: secp256r1 --loadCurveByName --generateNewKey_ecc loadSshPubKey: loadCurveByName: name: secp256r1 --loadCurveByName --loadSshPubKey --buildClientKeyExchangeECDHE --buildClientKeyExchange Sending ClientKeyExchange... Sent ClientKeyExchange message. Sending ChangeCipherSpec... Sent ChangeCipherSpec message. Derived keys. Installed new outgoing security params. Sending FINISHED message.. Sent FINISHED message.. readHandshakeMessages(78ms): readIncomingMessages(78ms): readTlsRecord(78ms): TLS 1.2, ChangeCipherSpec, sz=1 --readTlsRecord processTlsRecord: ccsProtocolType: 1 --processTlsRecord --readIncomingMessages --readHandshakeMessages readHandshakeMessages: readIncomingMessages: readTlsRecord: TLS 1.2, Handshake, sz=64 --readTlsRecord processTlsRecord: processHandshakeRecord: handshakeMessageType: HandshakeFinished handshakeMessageLen: 0xc handshakeMessageLen: 12 nBytesLeft: 12 processHandshakeMessage: MessageType: HandshakeFinished processFinished: FinishedMsgLen: 12 Queueing Finished message. 
--processFinished --processHandshakeMessage --processHandshakeRecord --processTlsRecord --readIncomingMessages --readHandshakeMessages Dequeue the FINISHED message... Dequeued Finished message. Handshake completed successfully. saveSecureRenegInfo: serverHello_extRenegotiateInfo: 1 clientFinishedVerifyDataSize: 12 serverFinishedVerifyDataSize: 12 --saveSecureRenegInfo --clientHandshake2 --clientHandshake checkServerCert: Not verifying server certificate... Set the RequireSslCertVerify property to enable verification. --checkServerCert SSL/TLS Channel Established. --connectImplicitSsl --connect2 --socket2Connect socketOptions: SO_SNDBUF: 262144 SO_RCVBUF: 4194304 TCP_NODELAY: 0 SO_KEEPALIVE: 1 --socketOptions Success. --clsSocketConnect Success. --Connect_Socket --ChilkatLog
I switched to your sample code. Here is the long form error that I am getting. Note the "Failed to read beginning of SSL/TLS record." near the end. The server supports SSL 3.0 but not SSL 2.0. put_SslProtocol("SSL 3.0"); works, but not put_SslProtocol("default");. If you'd like me to give you the hostname of our test server, please give me a way of sending you a private message.
ChilkatLog:
Connect_Socket(16ms):
ChilkatVersion: 9.5.0.66
clsSocketConnect(16ms):
hostname: XXX.X.XXX.XXX
port: 24
tls: 1
maxWaitMs: 20000
socket2Connect(16ms):
connect2(16ms):
hostname: XXX.X.XXX.XXX
port: 24
ssl: 1
connectImplicitSsl(16ms):
Clearing TLS client certificates.
connectSocket(16ms):
domainOrIpAddress: XXX.X.XXX.XXX
port: 24
connectTimeoutMs: 20000
connect_ipv6_or_ipv4(16ms):
This is an IPV4 numeric address.
Domain to IP address resolution not needed.
connecting to IPV4 address...
ipAddress: XXX.X.XXX.XXX
createSocket:
Setting SO_SNDBUF size
sendBufSize: 262144
Setting SO_RCVBUF size
recvBufSize: 4194304
--createSocket
connect(16ms):
Waiting for the connect to complete...
myIP: 192.168.0.209
myPort: 58506
socket connect successful.
--connect
--connect_ipv6_or_ipv4
--connectSocket
clientHandshake:
The client cert chain is NULL.
cacheClientCerts:
Cached TLS client certificates.
Client cert chain is NULL.
--cacheClientCerts
tlsProtocol: SSL 3.0 or higher
clientHandshake2:
buildClientHello:
clientVersion: 3.3
m_reqMajorVersion: 3
m_reqMinorVersion: 3
AllowedCiphers:
Allowing all default SSL/TLS cipher suites.
cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA256
cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA
cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256
cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA
cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384
cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256
cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
cipherSuite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA
cipherSuite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
cipherSuite: TLS_RSA_WITH_RC4_128_SHA
cipherSuite: TLS_RSA_WITH_RC4_128_MD5
cipherSuite: TLS_DHE_RSA_WITH_DES_CBC_SHA
cipherSuite: TLS_RSA_WITH_DES_CBC_SHA
--buildClientHello
sendClientHello:
TlsClientHello_buildMessage:
majorVersion: 3
minorVersion: 3
numRandomBytes: 32
sessionIdSize: 0
numCipherSuites: 30
numCompressionMethods: 1
--TlsClientHello_buildMessage
--sendClientHello
readHandshakeMessages:
readIncomingMessages:
readTlsRecord:
TLS 1.0, Alert, sz=2
--readTlsRecord
processTlsRecord:
processAlert:
TlsAlert:
level: warning
descrip: close notify
--TlsAlert
--processAlert
--processTlsRecord
--readIncomingMessages
readIncomingMessages:
readTlsRecord:
numBytesRequested: 5
Connection closed by peer.
passiveClose:
Passive socket closing complete.
--passiveClose
sockRecv: Socket connection closed.
Failed to read beginning of SSL/TLS record.
b: 0
dbSize: 0
nReadNBytes: 0
--readTlsRecord
--readIncomingMessages
--readHandshakeMessages
--clientHandshake2
--clientHandshake
Client handshake failed. (3)
--connectImplicitSsl
ConnectFailReason: 103
--connect2
--socket2Connect
Failed.
--clsSocketConnect
Failed.
--Connect_Socket
--ChilkatLog
Press any key to continue . . .
You can send email to support@chilkatsoft.com. Make sure to include your unlock code to verify that your 1YR support has not expired.
I tested against your server, and here's my result (your server's IP address is not included in this listing). An explanation follows...
tlsProtocol: SSL 3.0 or higher clientHandshake2(125ms): buildClientHello(32ms): clientVersion: 3.3 m_reqMajorVersion: 3 m_reqMinorVersion: 3 AllowedCiphers: Allowing all default SSL/TLS cipher suites. cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA256 cipherSuite: TLS_RSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256 cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipherSuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 cipherSuite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_RSA_WITH_3DES_EDE_CBC_SHA cipherSuite: TLS_ECDHE_RSA_WITH_RC4_128_SHA cipherSuite: TLS_RSA_WITH_RC4_128_SHA cipherSuite: TLS_RSA_WITH_RC4_128_MD5 cipherSuite: TLS_DHE_RSA_WITH_DES_CBC_SHA cipherSuite: TLS_RSA_WITH_DES_CBC_SHA --buildClientHello sendClientHello: TlsClientHello_buildMessage: majorVersion: 3 minorVersion: 3 numRandomBytes: 32 sessionIdSize: 0 numCipherSuites: 30 numCompressionMethods: 1 --TlsClientHello_buildMessage --sendClientHello readHandshakeMessages(93ms): readIncomingMessages(93ms): readTlsRecord(93ms): TLS 1.0, Alert, sz=2 --readTlsRecord processTlsRecord: processAlert: TlsAlert: level: warning 
descrip: close notify --TlsAlert --processAlert --processTlsRecord --readIncomingMessages
The "default" is to accept SSL 3.0 or higher.
This is how a TLS handshake works:
Both sides send their "hello" messages. The client sends a ClientHello, and the server sends its ServerHello. The hello messages indicate what cipher suites, etc. are supported. Each Hello message also indicates the highest TLS protocol version it supports. Chilkat supports TLS 1.2 and lower. Therefore, it sends a major/minor version of 3,3.

    Major  Minor  Protocol
    -----  -----  ---------
    3      0      SSL 3.0
    3      1      TLS 1.0
    3      2      TLS 1.1
    3      3      TLS 1.2

It is the server that decides which version of the SSL/TLS protocol to use. If the server does not like the algorithms/protocol versions presented in the ClientHello, then it will choose to abort the TLS handshake. This is exactly what your server did.
It was not a mistake for Chilkat to send 3,3 for "SSL 3.0 and higher". It sends this, and if the server had chosen any of SSL 3.0, TLS 1.0, 1.1, or 1.2, then Chilkat would've accepted. If the server chose SSL 2.0, then Chilkat would've aborted the handshake.
So.. the error is not in Chilkat. Your server decided it did not like the choices of algorithms and aborted.
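
An added example, not code from this thread or from Chilkat: a C++ sketch that decodes a TLS record the way the log lines above report it ("TLS 1.0, Alert, sz=2") and applies the "SSL 3.0 or higher" acceptance rule from the explanation. The function names are hypothetical and the sample bytes are constructed to match the alert record in the failing log.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Protocol name for a (major, minor) pair, per the table above.
std::string protocolName(uint8_t major, uint8_t minor) {
    static const char* names[] = {"SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"};
    return (major == 3 && minor <= 3) ? names[minor] : "unknown";
}

// "SSL 3.0 or higher": accept any 3.x version the server picks, up to the
// minor version the client offered in its ClientHello (3 for TLS 1.2).
bool clientAccepts(uint8_t offeredMinor, uint8_t srvMajor, uint8_t srvMinor) {
    return srvMajor == 3 && srvMinor <= offeredMinor;
}

// Decode one TLS record: 5-byte header (type, major, minor, 16-bit length),
// then the body. Returns a one-line summary, or an error for short input.
std::string describeRecord(const std::vector<uint8_t>& b) {
    if (b.size() < 5) return "error: incomplete record header";
    const size_t len = (static_cast<size_t>(b[3]) << 8) | b[4];
    if (b.size() - 5 < len) return "error: truncated record body";
    std::string type;
    switch (b[0]) {
        case 20: type = "ChangeCipherSpec"; break;
        case 21: type = "Alert"; break;
        case 22: type = "Handshake"; break;
        case 23: type = "ApplicationData"; break;
        default: type = "unknown"; break;
    }
    std::string out = protocolName(b[1], b[2]) + ", " + type + ", sz=" + std::to_string(len);
    if (b[0] == 21 && len == 2) {  // unencrypted alert body: level, description
        out += b[5] == 1 ? ", warning" : b[5] == 2 ? ", fatal" : ", level?";
        switch (b[6]) {
            case 0:  out += ", close_notify"; break;
            case 40: out += ", handshake_failure"; break;
            case 70: out += ", protocol_version"; break;
            default: out += ", alert " + std::to_string(b[6]); break;
        }
    }
    return out;
}

// Constructed sample: the alert record reported in the failing log.
const std::vector<uint8_t> kSampleAlert = {0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00};

int main() { std::puts(describeRecord(kSampleAlert).c_str()); }
```

A close_notify alert carries no reason, so the record alone does not say which part of the ClientHello the server rejected; the server's own logs are where that shows up.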