
We're using HttpWebRequest for REST interaction, over HTTPS, with keep-alive enabled. This works, but on the server side (Apache) we have frequent errors like this: "Re-negotiation handshake failed: Not accepted by client!?"

(no more info with verbose logging)

On the client side, in the System.Net traces we have the message: "Decrypt returned SEC_I_RENEGOTIATE." (more complete log below). Also, the TCP connection is not re-used (keep-alive not working, although it works well when I test without SSL). This slows down the interaction with the REST API a lot.

The HttpWebRequest is configured with keep-alive enabled, client certificate, server certificate callback. I've tested both ServicePointManager.SecurityProtocol SSL3 and TLS.

Client is running on .NET framework 3.5 SP1 on win XP SP3.

Any help to diagnose and correct this will be much appreciated! Thanks

The full log:

2011-08-01 21:40:22.702 - System.Net Verbose: 0 : [2320] WebRequest::Create(https://mo.dev.xyz.eu:9969/aaa-web/service/10001/1/utilisateur)
2011-08-01 21:40:22.749 - System.Net Verbose: 0 : [2320] HttpWebRequest#53502362::HttpWebRequest(https://mo.dev.xyz.eu:9969/aaa-web/service/10001/1/utilisateur#2027466596)
2011-08-01 21:40:22.796 - System.Net Verbose: 0 : [2320] Exiting HttpWebRequest#53502362::HttpWebRequest() 
2011-08-01 21:40:22.843 - System.Net Verbose: 0 : [2320] Exiting WebRequest::Create()   -> HttpWebRequest#53502362
2011-08-01 21:40:22.890 - System.Net Verbose: 0 : [2320] HttpWebRequest#53502362::BeginGetResponse()
2011-08-01 21:40:22.936 - System.Net Information: 0 : [2320] Associating HttpWebRequest#53502362 with ServicePoint#62474978
2011-08-01 21:40:22.983 - System.Net Information: 0 : [2320] Associating Connection#13358335 with HttpWebRequest#53502362
2011-08-01 21:40:23.030 - System.Net Verbose: 0 : [2320] Exiting HttpWebRequest#53502362::BeginGetResponse()    -> ContextAwareResult#35634409
2011-08-01 21:40:23.108 - System.Net Information: 0 : [1440] TlsStream#41394993::.ctor(host=mo.dev.xyz.eu, #certs=1)
2011-08-01 21:40:23.155 - System.Net Information: 0 : [1440] Associating HttpWebRequest#53502362 with ConnectStream#28913487
2011-08-01 21:40:23.202 - System.Net Information: 0 : [1440] HttpWebRequest#53502362 - Request: GET /aaa-web/service/10001/1/utilisateur HTTP/1.1

2011-08-01 21:40:23.249 - System.Net Information: 0 : [1440] SecureChannel#41727345::.ctor(hostname=mo.dev.xyz.eu, #clientCertificates=1)
2011-08-01 21:40:23.327 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Attempting to restart the session using the user-provided certificate: [Version]
  V3

[Subject]
  CN=G6-99999615-01, OU=EIB-TPV, O=xyz
  Simple Name: G6-99999615-01
  DNS Name: G6-99999615-01

[Issuer]
  CN=AC-INT-TPV, OU=EIB, O=xyz
  Simple Name: AC-INT-TPV
  DNS Name: AC-INT-TPV

[Serial Number]
  008757A7

[Not Before]
  28/12/2010 23:00:32

[Not After]
  28/12/2020 23:00:32

[Thumbprint]
  3B412465B069579441132DEF6E390BB62637B7AB

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 b9 28 16 ea 58 d5 74 5f 2f 71 f1 b0 5d be a8 fb 87 90 6a e9 90 ef 46 8a d0 ae 0f e9 77 17 d5 5b 23 44 82 25 97 a1 2e b0 88 65 5f 6e 2e 42 4d 4e c9 d8 b7 df 43 63 ca 37 ab 80 a6 65 18 b0 6b 62 19 a1 a8 31 23 8c 5d a7 3b 32 65 eb 64 32 4e ff fb 8e 2f 77 d3 97 b2 b3 a7 4c d8 65 fa 18 73 86 3c 79 4e 19 55 e1 b3 28 1c 0c 52 34 ce d9 58 2b f4 c1 ae 0f 38 b2 29 37 ae e6 36 1f b5 89 90 af d8 68 89 c1 87 e5 34 80 13 3a 79 d5 d6 d5 f8 7d 6e ef a6 d2 c7 e0 be c9 2a 88 c3 f2 34 e3 ....
2011-08-01 21:40:23.374 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Left with 1 client certificates to choose from.
2011-08-01 21:40:23.421 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Trying to find a matching certificate in the certificate store.
2011-08-01 21:40:23.499 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Locating the private key for the certificate: [Version]
  V3

[Subject]
  CN=G6-99999615-01, OU=EIB-TPV, O=xyz
  Simple Name: G6-99999615-01
  DNS Name: G6-99999615-01

[Issuer]
  CN=AC-INT-TPV, OU=EIB, O=xyz
  Simple Name: AC-INT-TPV
  DNS Name: AC-INT-TPV

[Serial Number]
  008757A7

[Not Before]
  28/12/2010 23:00:32

[Not After]
  28/12/2020 23:00:32

[Thumbprint]
  3B412465B069579441132DEF6E390BB62637B7AB

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 b9 28 16 ea 58 d5 74 5f 2f 71 f1 b0 5d be a8 fb 87 90 6a e9 90 ef 46 8a d0 ae 0f e9 77 17 d5 5b 23 44 82 25 97 a1 2e b0 88 65 5f 6e 2e 42 4d 4e c9 d8 b7 df 43 63 ca 37 ab 80 a6 65 18 b0 6b 62 19 a1 a8 31 23 8c 5d a7 3b 32 65 eb 64 32 4e ff fb 8e 2f 77 d3 97 b2 b3 a7 4c d8 65 fa 18 73 86 3c 79 4e 19 55 e1 b3 28 1c 0c 52 34 ce d9 58 2b f4 c1 ae 0f 38 b2 29 37 ae e6 36 1f b5 89 90 af d8 68 89 c1 87 e5 34 80 13 3a 79 d5 d6 d5 f8 7d 6e ef a6 d2 c7 e0 be c9 2a 88 c3 f2 34 e3 ....
2011-08-01 21:40:23.546 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Certificate is of type X509Certificate2 and contains the private key.
2011-08-01 21:40:23.593 - System.Net Information: 0 : [1440] Using the cached credential handle.
2011-08-01 21:40:23.640 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:23.702 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffer length=0, Out-Buffer length=109, returned code=ContinueNeeded).
2011-08-01 21:40:23.765 - System.Net Information: 0 : [1440] ConnectStream#28913487 - Sending headers
{
Accept-Encoding: gzip,gzip
Mo-Version: 2.2.0-SNAPSHOT
User-Agent: xyz
Content-Type: text/xml;charset=UTF-8
Host: mo.dev.xyz.eu:9969
}.
2011-08-01 21:40:23.811 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:23.952 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.030 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.093 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.140 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.186 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=310, returned code=ContinueNeeded).
2011-08-01 21:40:24.280 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.327 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=ContinueNeeded).
2011-08-01 21:40:24.390 - System.Net Information: 0 : [1440] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = 59e7b10:920a0, targetName = mo.dev.xyz.eu, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)
2011-08-01 21:40:24.436 - System.Net Information: 0 : [1440] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
2011-08-01 21:40:24.515 - System.Net Information: 0 : [1440] Remote certificate: [Version]
  V3

[Subject]
  CN=*.dev.xyz.eu, OU=EIB-Servers, O=xyz
  Simple Name: *.dev.xyz.eu
  DNS Name: *.dev.xyz.eu

[Issuer]
  CN=AC-INT-SERVEURS, OU=EIB, O=xyz
  Simple Name: AC-INT-SERVEURS
  DNS Name: AC-INT-SERVEURS

[Serial Number]
  00FDF961

[Not Before]
  13/10/2010 17:40:31

[Not After]
  13/10/2020 17:40:31

[Thumbprint]
  930C9B8BBEBC0F96D19B1714AA7E6682A8816750

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 bf e6 03 fe d5 41 ce f1 42 9a a1 cf 2e 53 df 7a 26 d1 0b 8b b1 5d 3b 26 1c e6 fe 8a df bf 44 6b b4 f5 ea e8 74 2a 9a 50 0b b0 3c ac f3 21 59 bf e7 68 c6 6e 59 3e d6 ab 76 52 58 cd f2 9c af dc e6 42 d9 94 b6 7d 41 39 52 19 7b cf 3f 6d 26 bb 76 ea 5d a4 5f b2 ae a4 ef ef a2 3c 17 f2 41 57 9a b5 de 38 5c 13 6e 05 2d a6 3c 21 42 62 68 b3 82 b4 92 4e da 34 f7 83 9f 83 80 0a ab d6 cf b1 bd 6b f2 c0 10 11 04 21 3b 06 5e 21 71 93 ce 12 ba 0e ed 9e 82 d2....
2011-08-01 21:40:24.561 - System.Net Information: 0 : [1440] SecureChannel#41727345 - Remote certificate was verified as valid by the user.
2011-08-01 21:40:24.655 - System.Net Error: 0 : [1440] Decrypt returned SEC_I_RENEGOTIATE.
mathieu
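To make the client-side setup described in the question concrete, here is an added example (not the asker's code) of an HttpWebRequest over HTTPS with keep-alive, a client certificate and a server-certificate callback that honours the policy errors and pins the issuer seen in the trace, instead of accepting everything. The URL and the issuer name come from the trace; the PFX path and password are placeholders. It targets the static ServicePointManager callback, which is what .NET 3.5 offers.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RestClient
{
    // Issuer "Simple Name" of the server certificate shown in the question's trace;
    // pinned here on top of normal chain validation.
    const string ExpectedIssuerCn = "AC-INT-SERVEURS";

    static bool ValidateServer(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        // Whatever this callback returns, System.Net logs "Remote certificate was
        // verified as valid by the user" on true, so do real checks rather than
        // "return true", which would silently disable server authentication.
        if (errors != SslPolicyErrors.None)
            return false;                       // chain, name or availability problem
        var cert2 = new X509Certificate2(cert);
        string issuerCn = cert2.GetNameInfo(X509NameType.SimpleName, true);
        return string.Equals(issuerCn, ExpectedIssuerCn, StringComparison.Ordinal);
    }

    static string Get(string url, X509Certificate2 clientCert)
    {
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "GET";
        req.KeepAlive = true;                   // ask for TCP/TLS connection reuse
        req.ClientCertificates.Add(clientCert); // mutual TLS, as in the question
        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static void Main()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
        ServicePointManager.ServerCertificateValidationCallback = ValidateServer;
        // Placeholder location and password: the question does not show where
        // the client certificate is loaded from.
        var clientCert = new X509Certificate2(@"C:\path\to\client.pfx", "pfx-password");
        string body = Get("https://mo.dev.xyz.eu:9969/aaa-web/service/10001/1/utilisateur",
                          clientCert);
        Console.WriteLine(body);
    }
}
```

With System.Net tracing enabled, the callback's decision is what produces the "Remote certificate was verified as valid by the user" line in the trace above, so a callback that rejects a bad chain will show up there as a failed request rather than as a silently accepted one.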

1 Answer


You need to handle SEC_I_RENEGOTIATE on the client side. When DecryptMessage returns SEC_I_RENEGOTIATE, you need to do the handshake loop again. Microsoft's documentation will help you solve it. You can also find example code on GitHub.