Rebex HTTPS Not working on server which forces TLS 1.2

0 votes
asked Feb 5 by omergulzar (150 points)

I am using the 2018 R4 (build number 6930) to make post calls to a server that only allows TLS 1.2, but the request fails with an error code 408.

However the same request seems to be working on an identical server, the only difference is that server allows TLS 1.0

INFO HttpRequest(1)[1] TLS: Connection secured using cipher: TLS 1.2.
DEBUG HttpRequest(1)[1] TLS: Session ID: 
 0000 |31-84-3B-50-43-4C-0F-3E 46-14-4C-5B-62-86-FE-D6| 1.;PCL.>F.L[b...
 0010 |52-95-A7-1F-6E-52-9E-73 D3-3B-26-A9-68-B1-4B-5C| R...nR.s.;&.h.K\
INFO HttpRequest(1)[1] HTTP: Sending request: POST /<internalAddress>/<internalLink0>
DEBUG HttpRequest(1)[1] HTTP: Request Connection: keep-alive.
DEBUG HttpRequest(1)[1] HTTP: Sending request (211 bytes).
DEBUG HttpRequest(1)[1] HTTP: Sending 57 bytes of data.
INFO HttpRequest(1)[1] HTTP: Received response: 200 200.
DEBUG HttpRequest(1)[1] HTTP: Received 5 headers.
DEBUG HttpRequest(1)[1] HTTP: Response Content-Length: 0 bytes.
DEBUG HttpRequest(1)[1] HTTP: Response Connection: close.
DEBUG HttpRequest(1)[1] HTTP: Response Content-Encoding not specified.
DEBUG HttpRequest(1)[1] HTTP: Response Transfer-Encoding not specified.
DEBUG HttpRequest(2)[1] HTTP: Using new HTTP session (2) provided by Rebex.Net.HttpRequestCreator(2).
INFO HttpRequest(2)[1] HTTP: Connecting to 'https://<internalIP>:443'...
DEBUG HttpRequest(2)[1] Info: Assembly: Rebex.Networking 2018 R4 for .NET 4.0-4.7
DEBUG HttpRequest(2)[1] Info: Platform: Windows 6.2.9200 32-bit; CLR: 4.0.30319.42000
DEBUG HttpRequest(2)[1] Info: Culture: en; Windows-1252
DEBUG HttpRequest(2)[1] Proxy: Connecting to <internalIP>:443 (no proxy).
DEBUG HttpRequest(2)[1] TLS: Enabled cipher suites: 0x000FFDF7FFE0E640.
DEBUG HttpRequest(2)[1] TLS: Applicable cipher suites: 0x000FFDF7FFE0E640.
INFO HttpRequest(2)[1] TLS: State StateChange:Negotiating
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ClientHello was sent.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerHello was received.
INFO HttpRequest(2)[1] TLS: Negotiating TLS 1.2.
DEBUG HttpRequest(2)[1] TLS: The server supports secure renegotiation.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Certificate was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerKeyExchange was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerHelloDone was received.
DEBUG HttpRequest(2)[1] TLS: Verifying server certificate ('<certificateInfo>').
DEBUG HttpRequest(2)[1] TLS: Certificate verification result: Accept
DEBUG HttpRequest(2)[1] TLS: Verifying server key exchange signature.
DEBUG HttpRequest(2)[1] TLS: Using ephemeral ECDH public key exchange with NIST P-256 curve.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ClientKeyExchange was sent.
DEBUG HttpRequest(2)[1] TLS: CipherSpec:ChangeCipherSpec was sent.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Finished was sent.
DEBUG HttpRequest(2)[1] TLS: CipherSpec:ChangeCipherSpec was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Finished was received.
INFO HttpRequest(2)[1] TLS: State StateChange:Secured
INFO HttpRequest(2)[1] TLS: Connection secured using cipher: TLS 1.2.
DEBUG HttpRequest(2)[1] TLS: Session ID: 
 0000 |B4-F1-86-A8-56-FC-6D-AB 71-11-FA-99-46-42-DE-37| ....V.m.q...FB.7
 0010 |B4-97-76-A6-AC-E2-79-1B 77-7D-D5-E0-59-F4-5A-6D| ..v...y.w}..Y.Zm
INFO HttpRequest(2)[1] HTTP: Sending request: POST /<internalAddress>/<internalLink1>
DEBUG HttpRequest(2)[1] HTTP: Request Connection: keep-alive.
DEBUG HttpRequest(2)[1] HTTP: Sending request (311 bytes).
DEBUG HttpRequest(2)[1] HTTP: Sending 342 bytes of data.
INFO HttpRequest(2)[1] HTTP: Received response: 302 302.
DEBUG HttpRequest(2)[1] HTTP: Received 7 headers.
DEBUG HttpRequest(2)[1] HTTP: Response Content-Length: 0 bytes.
DEBUG HttpRequest(2)[1] HTTP: Response Connection: close.
DEBUG HttpRequest(2)[1] HTTP: Response Content-Encoding not specified.
DEBUG HttpRequest(2)[1] HTTP: Response Transfer-Encoding not specified.
DEBUG HttpRequest(2)[1] HTTP: Discarding pending response data...
DEBUG HttpRequest(2)[1] HTTP: Received content (0 bytes).
INFO HttpRequest(2)[1] TLS: Alert Alert:Alert was received.
INFO HttpRequest(2)[1] TLS: Alert Alert:Alert was sent.
INFO HttpRequest(2)[1] TLS: State StateChange:Closed
DEBUG HttpRequest(2)[1] TLS: Closing TLS socket.
DEBUG HttpRequest(2)[1] HTTP: Closing response stream.
INFO HttpRequest(2)[1] HTTP: Reconnecting to 'https://<internalIP>:443'...
DEBUG HttpRequest(2)[1] Info: Assembly: Rebex.Networking 2018 R4 for .NET 4.0-4.7
DEBUG HttpRequest(2)[1] Info: Platform: Windows 6.2.9200 32-bit; CLR: 4.0.30319.42000
DEBUG HttpRequest(2)[1] Info: Culture: en; Windows-1252
DEBUG HttpRequest(2)[1] Proxy: Connecting to <internalIP>:443 (no proxy).
DEBUG HttpRequest(2)[1] TLS: Enabled cipher suites: 0x000FFDF7FFE0E640.
DEBUG HttpRequest(2)[1] TLS: Applicable cipher suites: 0x000FFDF7FFE0E640.
INFO HttpRequest(2)[1] TLS: State StateChange:Negotiating
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ClientHello was sent.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerHello was received.
INFO HttpRequest(2)[1] TLS: Negotiating TLS 1.2.
DEBUG HttpRequest(2)[1] TLS: The server supports secure renegotiation.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Certificate was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerKeyExchange was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ServerHelloDone was received.
DEBUG HttpRequest(2)[1] TLS: Verifying server certificate ('<certificateInfo>').
DEBUG HttpRequest(2)[1] TLS: Certificate verification result: Accept
DEBUG HttpRequest(2)[1] TLS: Verifying server key exchange signature.
DEBUG HttpRequest(2)[1] TLS: Using ephemeral ECDH public key exchange with NIST P-256 curve.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:ClientKeyExchange was sent.
DEBUG HttpRequest(2)[1] TLS: CipherSpec:ChangeCipherSpec was sent.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Finished was sent.
DEBUG HttpRequest(2)[1] TLS: CipherSpec:ChangeCipherSpec was received.
DEBUG HttpRequest(2)[1] TLS: HandshakeMessage:Finished was received.
INFO HttpRequest(2)[1] TLS: State StateChange:Secured
INFO HttpRequest(2)[1] TLS: Connection secured using cipher: TLS 1.2.
DEBUG HttpRequest(2)[1] TLS: Session ID: 
 0000 |D2-A4-FC-82-9A-03-EE-D7 97-A7-42-3C-69-51-7F-56| ..........B<iQ.V
 0010 |A0-1F-B4-DA-AE-CC-F0-2D C7-51-8A-14-40-4F-D3-BF| .......-.Q..@O..
INFO HttpRequest(2)[1] HTTP: Sending request: GET /<internalAddress>/<internalLink2>
DEBUG HttpRequest(2)[1] HTTP: Request Connection: keep-alive.
DEBUG HttpRequest(2)[1] HTTP: Sending request (336 bytes).
INFO HttpRequest(2)[1] HTTP: Received response: 408 408.

1 Answer

+1 vote
answered Feb 5 by Lukas Pokorny (99,010 points)

This looks like a TLS 1.2 session has been successfully negotiated, and that a HTTP request has been successfully sent and a response received. The response was a "302" response indicating that the client should retrieve the resource from another URL, which it then tried as well. It negotiated a TLS 1.2 session without issues again and sent the request, but received a response with "408" status codes that indicates "Request Timeout".

The "408" response is used by HTTP servers to indicate that "the server did not receive a complete request message within the time that it was prepared to wait". Is it possible this is the case because TLS 1.2 negotiation took too long? The log you posted is missing all timestamps, which makes it impossible to tell.

commented Feb 6 by omergulzar (150 points)
Thanks lucas for the indepth anaylsis

I found something interesting about cookies, when the server responds with a 302 redirect, it also updates the cookie value.

Is there anyway i can catch that event and get the cookie value ?
commented Feb 6 by omergulzar (150 points)
Or can i handle the redirect myself ?
commented Feb 7 by Lukas Pokorny (99,010 points)
Yes, you can handle the redirect yourself if you use the HttpRequest/HttpResponse API. Just set HttpRequest's AllowAutoRedirect property to 'false'.

You can read the cookies as well from the Headers property of HttpResponse (we plan to support .NET-like CookieContainer soon as well).
commented Feb 7 by omergulzar (150 points)
Thanks Lukas

its working after handling all the redirects manually :)
commented Feb 7 by Lukas Pokorny (99,010 points)
Thanks for letting us know! I'm sure this could be useful to other users as well.
...