Error codes for certificate issues?

0 votes
asked Aug 14, 2018 by Rebex KB (8,210 points)

(This question was converted from a comment by RajaK)

Very good evening.
I am using Rebex http.dll for Webservices connection with my remote server through https.
I got one requirement to fall back to http mode if we face the below exceptions.

i. Whenever the trust between the client and server cannot be established via https
ii. When the client certificate is expired
iii. When the client certificate cannot be found
iv. When the client certificate does not have the private key
v. When the client certs fail any basic checks

- is there any Error code for above scenario that I can capture in application layer to try to reconnect with http mode?

1 Answer

0 votes
answered Aug 14, 2018 by Lukas Pokorny (100,710 points)

Hello,

i) When the trust between the client and server cannot be established via TLS (HTTPS is HTTP over TLS), a TlsException is thrown and will appear in the exception chain caught by your application. To find the TlsException, pass the caught exception to a routine such as this one:

    using System;
    using Rebex.Net; // namespace of TlsException

    // Walks the InnerException chain and returns the first TlsException found,
    // or null when the failure was not a TLS-level error at all.
    private TlsException GetTlsException(Exception error)
    {
        while (error != null)
        {
            var tlsError = error as TlsException;
            if (tlsError != null)
            {
                return tlsError;
            }

            // Not a TlsException at this level; look one level deeper.
            error = error.InnerException;
        }

        return null;
    }

However, we have to point out that it is strongly discouraged to fall back to HTTP mode when HTTP over TLS does not work. Doing so would make it trivial for an attacker to force your connections into unencrypted mode simply by disrupting the TLS traffic.

ii), iii), v) Once you find the TlsException using the approach described above, inspect its ProtocolMessage property. It will contain one of the following values:
CloseNotify
UnexpectedMessage
BadRecordMac
DecryptionFailed
RecordOverflow
DecompressionFailure
HandshakeFailure
NoCertificate
BadCertificate
UnsupportedCertificate
CertificateRevoked
CertificateExpired
CertificateUnknown
IllegalParameter
UnknownCa
AccessDenied
DecodeError
DecryptError
ExportRestriction
ProtocolVersion
InsufficientSecurity
InternalError
UserCanceled
NoRenegotiation
UnknownError

These correspond to TLS error alerts and include certificate errors you are interested in.

iv) When the client certificate returned by a certificate request handler is not associated with a private key, a TlsException with ProtocolMessage of "InternalError" and a Message of "Certificate does not have a private key." will be thrown. It's recommended to prevent this from occurring by making sure that the certificate returned by a custom certificate request handler has a private key - use Certificate's HasPrivateKey method to make sure.
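Putting the three parts of the answer together, as an added example (this is not Rebex's or the answer's own code): a classifier that walks the exception chain, maps the ProtocolMessage alert names to the five scenarios in the question, and a guard for case iv to run inside a certificate request handler. The Rebex namespaces and the grouping of alert names into scenarios are this example's assumptions; it is meant to drive logging and precise error reporting, not an HTTP fallback.

```csharp
using System;
using Rebex.Net;                    // TlsException (assumed namespace)
using Rebex.Security.Certificates;  // Certificate (assumed namespace)

// Categories matching scenarios i-v from the question, plus "not TLS" and "other".
public enum TlsFailureKind { NotTls, TrustNotEstablished, ClientCertMissing,
    ClientCertExpired, ClientCertRejected, ClientCertNoPrivateKey, OtherTls }

public static class TlsFailureClassifier
{
    // Classifies a caught exception so it can be logged and reported precisely.
    // Deliberately returns a category, never a "retry over plain HTTP" decision.
    public static TlsFailureKind Classify(Exception error)
    {
        TlsException tls = null;
        for (var e = error; e != null && tls == null; e = e.InnerException)
            tls = e as TlsException;
        if (tls == null)
            return TlsFailureKind.NotTls;   // plain socket/HTTP failure, not a TLS alert
        // Case iv is reported as InternalError with a specific message (see answer).
        string alert = tls.ProtocolMessage.ToString();
        if (alert == "InternalError" && tls.Message.Contains("does not have a private key"))
            return TlsFailureKind.ClientCertNoPrivateKey;
        // Alert names are compared as strings so no enum type name is assumed;
        // the grouping below is this example's reading of the alert list.
        switch (alert)
        {
            case "UnknownCa":
            case "CertificateUnknown":
                return TlsFailureKind.TrustNotEstablished;   // i
            case "NoCertificate":
                return TlsFailureKind.ClientCertMissing;     // iii
            case "CertificateExpired":
                return TlsFailureKind.ClientCertExpired;     // ii
            case "BadCertificate":
            case "UnsupportedCertificate":
            case "CertificateRevoked":
            case "AccessDenied":
                return TlsFailureKind.ClientCertRejected;    // v
            default:
                return TlsFailureKind.OtherTls;
        }
    }

    // Case iv guard: call this on the certificate your request handler is about
    // to return, so a missing key fails early with a clear message.
    public static Certificate RequirePrivateKey(Certificate cert)
    {
        if (cert == null)
            throw new InvalidOperationException("Client certificate not found.");
        if (!cert.HasPrivateKey())
            throw new InvalidOperationException("Client certificate has no private key.");
        return cert;
    }
}
```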

commented Aug 24, 2018 by Lukas Matyska (52,850 points)
You can send it to support@rebex.net - also, email is the preferred support communication channel. However, if you prefer forum.rebex.net you can continue using it. It is up to you.

I will wait for the log, and I will reply to your email.
commented Aug 24, 2018 by RajaK (110 points)
I have just forwarded the logs, Lukas.
commented Aug 24, 2018 by Lukas Matyska (52,850 points)
Thank you, I will reply in a minute.
commented Dec 17, 2018 by RajaK (110 points)
Hi Lukas,
Very good morning,
We are using the Rebex client (TLS12) for Webservices over https, and we are observing the below scenarios.

1. Whenever the device establishes the connection with the server, the alerts which the device sends reach the server within 2 to 4 seconds.
2. If we leave the device idle for 1 hour, the same alerts take around 20 seconds.

- Hence we request your help to understand whether any keep-alive concept is available for https/TLS12, to keep the session created for a particular server for a while,
to avoid disconnecting the session after it times out and re-establishing it with the full process like certificate verification, TLS12 negotiation and all?
commented Dec 20, 2018 by Lukas Matyska (52,850 points)
Hi RajaK, I converted your comment to a new question. But I forgot to write it here.
Sorry for delay, please find the answer at http://forum.rebex.net/9530/how-to-keep-alive-http-session
...