403 Forbidden error with Rebex HTTPS on WINCE 6.0

0 votes
asked Jan 10 by Rebex KB (8,210 points)

(Note: This question was originally asked in a comment.)

We are trying to connect to the server with HTTPS through TLS 1.2 from my WINCE 6.0 device.
When I send the request, we are getting this response:

2018-01-09 18:42:01 INFO HttpRequest(8)[117244586] TLS: Connection secured using cipher: TLS 1.2, RSA, AES with 256-bit key in CBC mode, SHA1
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] TLS: Session ID: 
 0000 |00-28-00-00-98-29-D8-57 F7-6B-84-AE-57-26-A1-C5| .(...).W.k..W&..
 0010 |9D-60-A9-4F-F6-BE-99-49 70-A1-B9-DF-2C-92-FE-3E| .`.O...Ip...,..>
2018-01-09 18:42:01 VERBOSE HttpRequest(8)[117244586] TLS: Received TLS packet: 
 0000 |17-03-02-00-71-48-54-54 50-2F-31-2E-31-20-34-30| ....qHTTP/1.1 40
 0010 |33-20-46-6F-72-62-69-64 64-65-6E-0D-0A-43-6F-6E| 3 Forbidden..Con
 0020 |74-65-6E-74-2D-4C-65-6E 67-74-68-3A-20-30-0D-0A| tent-Length: 0..
 0030 |53-65-72-76-65-72-3A-20 4D-69-63-72-6F-73-6F-66| Server: Microsof
 0040 |74-2D-48-54-54-50-41-50 49-2F-32-2E-30-0D-0A-44| t-HTTPAPI/2.0..D
 0050 |61-74-65-3A-20-54-75-65 2C-20-30-39-20-4A-61-6E| ate: Tue, 09 Jan
 0060 |20-32-30-31-38-20-32-33 3A-34-32-3A-30-32-20-47|  2018 23:42:02 G
 0070 |4D-54-0D-0A-0D-0A                              | MT....
2018-01-09 18:42:01 VERBOSE HttpRequest(8)[117244586] HTTP: Received data:
 0000 |48-54-54-50-2F-31-2E-31 20-34-30-33-20-46-6F-72| HTTP/1.1 403 For
 0010 |62-69-64-64-65-6E-0D-0A 43-6F-6E-74-65-6E-74-2D| bidden..Content-
 0020 |4C-65-6E-67-74-68-3A-20 30-0D-0A-53-65-72-76-65| Length: 0..Serve
 0030 |72-3A-20-4D-69-63-72-6F 73-6F-66-74-2D-48-54-54| r: Microsoft-HTT
 0040 |50-41-50-49-2F-32-2E-30 0D-0A-44-61-74-65-3A-20| PAPI/2.0..Date: 
 0050 |54-75-65-2C-20-30-39-20 4A-61-6E-20-32-30-31-38| Tue, 09 Jan 2018
 0060 |20-32-33-3A-34-32-3A-30 32-20-47-4D-54-0D-0A-0D|  23:42:02 GMT...
 0070 |0A                                             | .
2018-01-09 18:42:01 INFO HttpRequest(8)[117244586] HTTP: Received response: 403 Forbidden.
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] HTTP: Received 3 headers.
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] HTTP: Response Content-Length: 0 bytes.
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] HTTP: Response Transfer-Encoding not specified.
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] HTTP: Received content (0 bytes).
2018-01-09 18:42:01 DEBUG HttpRequest(8)[117244586] HTTP: Caching HTTP session (5).

Kindly suggest on this.

I used the settings below.

var binding = new Rebex.Samples.WcfBinding();
binding.RequestCreator.Settings.SslAcceptAllCertificates = true;
binding.RequestCreator.Settings.SslAllowedVersions = Rebex.Net.TlsVersion.TLS11;
// binding.RequestCreator.Settings.SslSessionCacheEnabled = false;
binding.RequestCreator.Proxy.ProxyType = ProxyType.None;
binding.RequestCreator.Register();
binding.RequestCreator.LogWriter = new Rebex.FileLogWriter(@"/log.txt", Rebex.LogLevel.Verbose);

1 Answer

+1 vote
answered Jan 10 by Lukas Pokorny (88,550 points)
edited Jan 10 by Lukas Pokorny

According to the log, the server is rejecting your request with a "403 Forbidden" error. A 403 error indicates that you are trying to access a URL that you don't have access to. This is similar to the "401 Unauthorized" error, and Wikipedia explains the difference nicely:

Status codes 401 (Unauthorized) and 403 (Forbidden) have distinct meanings.

A 401 response indicates that access to the resource is restricted, and the request did not provide any HTTP authentication. It is possible that a new request for the same resource will succeed if authentication is provided. The response must include an HTTP WWW-Authenticate header to prompt the user-agent to provide credentials.

A 403 response generally indicates one of two conditions:
a) Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
b) The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.

Unfortunately, we don't know anything about the web service you are trying to access, and parts of the log seem to be missing, so the only advice we can offer at this point is to make sure you are accessing the proper URLs and performing authentication as required by the web service. Additionally, if the web service is under your control, a server log might contain some information indicating the cause of the failure.

If possible, please send a more complete version of the log to support@rebex.net for analysis. It's OK if you remove sensitive data, but please don't remove essential information about what is going on, or the version of Rebex HTTPS you use.

commented Jan 10 by RajaK (110 points)
Thank You

I checked further. My application is not receiving the exact exception (Forbidden), since the code below in WcfRequestChannel.cs (which I downloaded from this Rebex forum) is returning the "Root element not found" exception to my application.

            request.Method = "POST";
            request.Headers.Add("SOAPAction", '"' + action + '"');
            request.Headers.Add("Content-Type", "text/xml; charset=utf-8");

            message.Headers.Clear();

            using (var requestStream = request.GetRequestStream())
            {
                var buffer = this.encoder.WriteMessage(message, MAX_MESSAGE_SIZE, this.bufferManager);
                requestStream.Write(buffer.Array, buffer.Offset, buffer.Count);
            }

            WcfMessage responseMessage;
            try
            {
                using (var responseStream = request.GetResponse().GetResponseStream())
                {
                    responseMessage = new WcfMessage(binding.MessageVersion, responseStream);
                }
            }
            catch (WebException ex)
            {
                if (ex.Response == null)
                {
                    throw new WebException(GetExceptionMessage(ex), ex);
                }
                using (var responseStream = ex.Response.GetResponseStream())
                {
                    responseMessage = new WcfMessage(binding.MessageVersion, responseStream);
                }
                if (responseMessage.IsEmpty)
                {
                    throw new WebException(GetExceptionMessage(ex), ex);
                }
            }


Is there any way to pass this exception to the downplayed application? It will be helpful.
commented Jan 11 by Lukas Pokorny (88,550 points)
In the "WcfRequestChannel.cs" file, locate the "public Message Request(Message message, TimeSpan timeout)" method. Remove the "catch (WebException ex)" block and the corresponding "try". This should stop the request channel from treating error responses as successful responses.
commented Jan 11 by RajaK (110 points)
Hi Lukas,
Thanks for the reply.
We are seeing the issue "TLS: No suitable client certificate is available." The device which I am using is WinCE 6.0 / .NET 3.5. We got only a .CER/.pvk formatted file.

Logs:

2018-01-11 15:53:28 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:ServerHello was received.
2018-01-11 15:53:28 INFO HttpRequest(1)[107479502] TLS: Using TLS 1.1.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Performing secure renegotiation.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:Certificate was received.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:CertificateRequest was received.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:ServerHelloDone was received.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Verifying server certificate ('O="Xerox State and Local Solutions, Inc.", C=US, OU=MULTI-ALLOWED, OU=SIMPLE-SSL, CN=10.36.88.185').
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Certificate verification result: Accept
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Client certificate authentication was requested.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: No suitable client certificate is available.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
 0000 |16-03-02-00-07-0B-00-00 03-00-00-00            | ............
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:Certificate was sent.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:ClientKeyExchange was sent.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
 0000 |14-03-02-00-01-01                              | ......
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: CipherSpec:ChangeCipherSpec was sent.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:Finished was sent.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
 0000 |16-03-02-00-10-14-00-00 0C-AF-62-78-2B-6E-75-65| ..........bx+nue
 0010 |B9-9C-83-8E-9B                                 | .....
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Received TLS packet:
 0000 |14-03-02-00-01-01                              | ......
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: CipherSpec:ChangeCipherSpec was received.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Received TLS packet:
 0000 |16-03-02-00-10-14-00-00 0C-B8-DD-8E-44-E5-A5-C3| ............D...
 0010 |48-7D-81-A6-0A                                 | H}...
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:Finished was received.
2018-01-11 15:53:29 INFO HttpRequest(1)[107479502] TLS: State StateChange:Secured
2018-01-11 15:53:29 INFO HttpRequest(1)[107479502] TLS: Connection secured using cipher: TLS 1.1, RSA, AES with 256-bit key in CBC mode, SHA1
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Session ID:
 0000 |56-1A-00-00-58-04-AF-A3 D2-48-60-61-BF-1B-FF-9D| V...X....H`a....
 0010 |64-CE-5B-4C-B9-AC-42-91 BE-B8-30-BF-E7-EE-67-54| d.[L..B...0...gT
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Received TLS packet:
 0000 |17-03-02-00-71-48-54-54 50-2F-31-2E-31-20-34-30| ....qHTTP/1.1 40
 0010 |33-20-46-6F-72-62-69-64 64-65-6E-0D-0A-43-6F-6E| 3 Forbidden..Con
 0020 |74-65-6E-74-2D-4C-65-6E 67-74-68-3A-20-30-0D-0A| tent-Length: 0..
 0030 |53-65-72-76-65-72-3A-20 4D-69-63-72-6F-73-6F-66| Server: Microsof
 0040 |74-2D-48-54-54-50-41-50 49-2F-32-2E-30-0D-0A-44| t-HTTPAPI/2.0..D
 0050 |61-74-65-3A-20-54-68-75 2C-20-31-31-20-4A-61-6E| ate: Thu, 11 Jan
 0060 |20-32-30-31-38-20-32-30 3A-35-33-3A-32-39-20-47|  2018 20:53:29 G
 0070 |4D-54-0D-0A-0D-0A                              | MT....
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] HTTP: Received data:
 0000 |48-54-54-50-2F-31-2E-31 20-34-30-33-20-46-6F-72| HTTP/1.1 403 For
 0010 |62-69-64-64-65-6E-0D-0A 43-6F-6E-74-65-6E-74-2D| bidden..Content-
 0020 |4C-65-6E-67-74-68-3A-20 30-0D-0A-53-65-72-76-65| Length: 0..Serve
 0030 |72-3A-20-4D-69-63-72-6F 73-6F-66-74-2D-48-54-54| r: Microsoft-HTT
 0040 |50-41-50-49-2F-32-2E-30 0D-0A-44-61-74-65-3A-20| PAPI/2.0..Date:
 0050 |54-68-75-2C-20-31-31-20 4A-61-6E-20-32-30-31-38| Thu, 11 Jan 2018
 0060 |20-32-30-3A-35-33-3A-32 39-20-47-4D-54-0D-0A-0D|  20:53:29 GMT...
 0070 |0A                                             | .
2018-01-11 15:53:29 INFO HttpRequest(1)[107479502] HTTP: Received response: 403 Forbidden.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] HTTP: Received 3 headers.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] HTTP: Response Content-Length: 0 bytes.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] HTTP: Response Transfer-Encoding not specified.


We are using an evaluation version of the Rebex client for our pilot application.
commented Jan 12 by Lukas Pokorny (88,550 points)
Use Microsoft's pvk2pfx utility (https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pvk2pfx) to convert the .PVK file to a .PFX/.P12 file, and then use that to authenticate to the server (https://rebex.net/https/features/tls-ssl.aspx#client-certificate).
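One way to check a verbose log like the one in the preceding comment for the sequence "server requested a client certificate, client sent an empty Certificate message, request rejected with 403", written as an added Python example (it is not Rebex code and not part of the thread). It decodes the logged handshake record `16-03-02-00-07-0B-...`; the function names and the final `hypothesis` field are assumptions of this example, and the log alone does not prove why the server answered 403.

```python
import re

# Excerpt of the 2018-01-11 log above, embedded so the example runs offline.
SAMPLE_LOG = """\
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: Client certificate authentication was requested.
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: No suitable client certificate is available.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
 0000 |16-03-02-00-07-0B-00-00 03-00-00-00            | ............
2018-01-11 15:53:29 DEBUG HttpRequest(1)[107479502] TLS: HandshakeMessage:Certificate was sent.
2018-01-11 15:53:29 VERBOSE HttpRequest(1)[107479502] TLS: Sent TLS packet:
 0000 |14-03-02-00-01-01                              | ......
2018-01-11 15:53:29 INFO HttpRequest(1)[107479502] TLS: Connection secured using cipher: TLS 1.1, RSA, AES with 256-bit key in CBC mode, SHA1
2018-01-11 15:53:29 INFO HttpRequest(1)[107479502] HTTP: Received response: 403 Forbidden.
"""

ENTRY = re.compile(r"^\S+ \S+ (\w+) \S+ (TLS|HTTP): (.*)$")
HEX_ROW = re.compile(r"^\s*[0-9A-F]{4} \|([0-9A-F\- ]+)\|")

def parse(log):
    """Return (channel, message, dump) tuples; hex rows are appended to the entry above them."""
    entries = []
    for line in log.splitlines():
        row = HEX_ROW.match(line)
        if row and entries:
            entries[-1][2].extend(bytes.fromhex(row.group(1).replace("-", " ")))
        elif (m := ENTRY.match(line)):
            entries.append((m.group(2), m.group(3), bytearray()))
    return entries

def empty_client_certificate(record):
    """True if a plaintext TLS handshake record carries a Certificate message with no certificates."""
    if len(record) < 12 or record[0] != 0x16:          # 0x16 = handshake content type
        return False
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    # body = msg type (1) | msg length (3) | certificate_list length (3) | certificates
    return len(body) >= 7 and body[0] == 0x0B and int.from_bytes(body[4:7], "big") == 0

def diagnose(log):
    """Correlate the certificate request, the empty Certificate record and the HTTP status."""
    entries = parse(log)
    msgs = [m for _, m, _ in entries]
    requested = any("Client certificate authentication was requested" in m for m in msgs)
    empty_sent = any(empty_client_certificate(bytes(d))
                     for _, m, d in entries if m.startswith("Sent TLS packet"))
    status = next((m for c, m, _ in entries if c == "HTTP" and m.startswith("Received response:")), None)
    code = int(status.split()[2]) if status else None
    return {
        "client_cert_requested": requested,
        "empty_certificate_sent": empty_sent,
        "cipher": next((m.split("cipher: ", 1)[1] for m in msgs if "using cipher: " in m), None),
        "http_status": code,
        # Heuristic of this example, not a fact the log states.
        "hypothesis": "no client certificate presented" if requested and empty_sent and code == 403 else None,
    }
```
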
commented Jan 12 by RajaK (110 points)
Hi Lukas,
Thanks a lot for your quick guidance. I have used .pfx file client certificate authentication with the methods below.

   CertificateChain certificate = CertificateChain.LoadPfx(@"\certificate.pfx", "pass");

  binding.RequestCreator.Settings.SslClientCertificateRequestHandler = CertificateRequestHandler.CreateRequestHandler(certificate);

Below are the logs I could see:

2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:ServerHello was received.
2018-01-08 19:16:20 INFO HttpRequest(2)[86704478] TLS: Using TLS 1.2.
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: The server supports secure renegotiation.
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:Certificate was received.
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:ServerHelloDone was received.
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: Certificate verification result: Accept
2018-01-08 19:16:20 VERBOSE HttpRequest(2)[86704478] TLS: Sent TLS packet:
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:ClientKeyExchange was sent.
2018-01-08 19:16:20 VERBOSE HttpRequest(2)[86704478] TLS: Sent TLS packet:
 0000 |14-03-03-00-01-01                              | ......
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: CipherSpec:ChangeCipherSpec was sent.
2018-01-08 19:16:20 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:Finished was sent.
2018-01-08 19:16:20 VERBOSE HttpRequest(2)[86704478] TLS: Sent TLS packet:
 0000 |16-03-03-00-10-14-00-00 0C-DD-20-83-58-C1-1A-4F| .......... .X..O
 0010 |60-52-B2-3E-96                                 | `R.>.
2018-01-08 19:16:21 VERBOSE HttpRequest(2)[86704478] TLS: Received TLS packet:
 0000 |14-03-03-00-01-01                              | ......
2018-01-08 19:16:21 DEBUG HttpRequest(2)[86704478] TLS: CipherSpec:ChangeCipherSpec was received.
2018-01-08 19:16:21 VERBOSE HttpRequest(2)[86704478] TLS: Received TLS packet:
 0000 |16-03-03-00-10-14-00-00 0C-4F-6D-9E-79-78-EE-57| .........Om.yx.W
 0010 |2B-28-71-F8-D7                                 | +(q..
2018-01-08 19:16:21 DEBUG HttpRequest(2)[86704478] TLS: HandshakeMessage:Finished was received.
2018-01-08 19:16:21 INFO HttpRequest(2)[86704478] TLS: State StateChange:Secured
2018-01-08 19:16:21 INFO HttpRequest(2)[86704478] TLS: Connection secured using cipher: TLS 1.2, RSA, AES with 256-bit key in GCM mode, AEAD
2018-01-08 19:16:21 DEBUG HttpRequest(2)[86704478] TLS: Session ID:
 0000 |BA-21-00-00-67-01-9C-94 28-FC-B9-6D-2D-5A-20-49| .!..g...(..m-Z I
 0010 |7E-CC-B3-80-6B-EC-12-0A 3F-5E-F8-54-50-2C-B7-3C| ~...k...?^.TP,.<

I would like to know your suggestion based on the line below in the log:
TLS: Connection secured using cipher: TLS 1.2, RSA, AES with 256-bit key in GCM mode, AEAD

Please clarify:
1. Whether the connection is through TLS 1.2?
2. Is this SHA1 or SHA2?
commented Jan 15 by Lukas Pokorny (88,550 points)
1. Yes, the line in the log indicates that "TLS 1.2" has been used.
2. AES in GCM mode is an AEAD cipher that doesn't use a separate MAC algorithm. For AES/GCM ciphers, SHA-2 is only used during key derivation calculations.
commented Jan 15 by RajaK (110 points)
Thank you, Lukas, for the confirmation. We will do the further testing.