
I'm updating a legacy application to use a new payment REST service and I'm having trouble with a POST request. The code runs fine on a Windows 10 development machine but fails on Windows Server 2008 SP2:

```vbscript
Set HttpReq = Server.CreateObject("MSXML2.ServerXMLHTTP")
HttpReq.open "POST", uri, False
HttpReq.setRequestHeader "Content-Type", "application/json"
HttpReq.setRequestHeader "Authorization", authHeader

HttpReq.send json  '<-- Error here
```

The Error I receive is:

```
msxml3.dll error '80072f8f'
A security error occurred
```

The webservice I'm calling only supports TLS 1.2, but as far as I can tell the machine running this code also supports TLS 1.2.

There is another question on StackOverflow with similar symptoms to this question that occurs on a Windows Server 2003 machine. The solution to that question suggests a HotFix be applied, but the link to the hotfix has been replaced with a cryptography programming guide which, whilst probably relevant, does not point to an obvious solution.

Update: It looks like I can send the same request via CURL on the same machine, so the machine itself can handle the connection to the url

Update 2: I've checked the cipher suites available on the server against those reported for the target site, and there is some overlap. Also the target site is accessible via CURL, so I assume the two machines are able to communicate over https at some level

Update 3: I've adjusted the CreateObject line to use "MSXML2.ServerXMLHTTP.3.0" and "MSXML2.ServerXMLHTTP.6.0", but the error is just the same

Update 4: I've added the setOption line as suggested in other solutions on SO here and here, but the error code is the same. E.g. `objHTTP.SetOption 2, objHTTP.GetOption(2)`

Update 5: I ended up working around the problem by writing the necessary logic in a .NET Framework assembly, and accessing the functionality via COM. I don't particularly like the solution as it spreads the code across many codebases and complicates the deployment somewhat, but it was a pragmatic choice. I've also advised the business owners that the application and server are overdue for modernisation

RikRak
  • Windows 10 and Windows Server 2008 SP2 are not equivalent, Windows 10 is a lot more recent. The likelihood is there is a cipher suite missing from the target machine. You can test this using [ssllabs.com](https://www.ssllabs.com/ssltest/) and compare it with the cipher suites installed on the server. – user692942 Oct 21 '22 at 07:31
  • I've checked the cipher suites and there are ciphers that appear in both sides. I can also make a successful connection via CURL, so my current assumption is that there's something specific about msxml and its ability to handle the connection. Not sure how to validate that theory, however... – RikRak Oct 21 '22 at 07:36
  • Does this answer your question? [VBA ServerXMLHTTP https request with self signed certificate](https://stackoverflow.com/questions/11573022/vba-serverxmlhttp-https-request-with-self-signed-certificate) – user692942 Oct 21 '22 at 07:36
  • Does this answer your question? [The certificate authority is invalid or incorrect](https://stackoverflow.com/a/64409144/692942) – user692942 Oct 21 '22 at 07:39
  • [https://stackoverflow.com/questions/11573022/vba-serverxmlhttp-https-request-with-self-signed-certificate] does not help unfortunately – RikRak Oct 21 '22 at 07:51
  • Nor does the second suggestion (it proposes the same solution as the first from what I can see) – RikRak Oct 21 '22 at 07:53
  • There is a bunch of suggestions not just one. – user692942 Oct 21 '22 at 08:07
  • Does not work isn't helpful, you also haven't updated the question to show what you have tried. – user692942 Oct 21 '22 at 08:19
  • I'm currently running on Windows Server 2008 SP2. From what I can tell TLS 1.2 is enabled from a client and server perspective – RikRak Oct 27 '22 at 19:36
  • Maybe [this](https://stackoverflow.com/questions/61255148/troubleshooting-how-to-enabled-tls-1-2-on-windows-2008-server-sp2#comment108372509_61255148) will help. – user692942 Oct 27 '22 at 23:10
  • Unfortunately, you should consider replacing this application, and soon. You WILL probably be able to fix the issue this time, but TLS 1.2 is also planned for eventual (soonish) retirement, and when that happens Server 2008 simply will not be able to do the job at all. – Joel Coehoorn Nov 07 '22 at 22:15
  • @JoelCoehoorn, I also agree that the Windows Server 2008 should be updated before becoming totally obsolete but I'm not sure it's necessary to change the app on the other hand... – b126 Nov 10 '22 at 10:10

1 Answer


I had the same issue a couple of years ago.

Then, can you try this piece of code and confirm that you see TLS v1.2 at the end of the response?

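```vbscript
Set Http = CreateObject("MSXML2.ServerXMLHTTP.6.0")
' Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS;
' 13056 (&H3300) tells the object to ignore all server certificate errors.
http.SetOption(2) = 13056
http.open "GET", yourUri, False
http.Send
' Write the raw response body so the reported TLS version can be read.
Response.write http.responseText
```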

If TLS VERSION returned is not TLS 1.2, then it means your Windows 2008 server still needs a bit of configuration. Please proceed as described here and it should work.

b126
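
One way to check the server-side configuration the answer refers to, as an added example that is not part of the original answer: a Windows Script Host script that reads the SChannel TLS 1.2 client values and the WinHTTP `DefaultSecureProtocols` mask, since MSXML2.ServerXMLHTTP sends its requests through WinHTTP. It assumes these standard registry locations are honoured on this OS build, which depends on the installed updates; the script only reads values and changes nothing.

```vbscript
' Added example, not code from the question or answer.
' Run on the server with: cscript //nologo tls12check.vbs  (file name is arbitrary)
Option Explicit
Const SCHANNEL = "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\"
Const WINHTTP = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols"
Const WINHTTP32 = "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols"
Dim shell
Set shell = CreateObject("WScript.Shell")

' Read a registry value; Null means it is absent and the OS default applies.
Function ReadValue(path)
    On Error Resume Next
    ReadValue = shell.RegRead(path)
    If Err.Number <> 0 Then ReadValue = Null
    On Error GoTo 0
End Function

' Decode a DefaultSecureProtocols bit mask (WINHTTP_FLAG_SECURE_PROTOCOL_* values).
Function DescribeMask(mask)
    Dim flags, names, i, out
    flags = Array(&H8, &H20, &H80, &H200, &H800)
    names = Array("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
    For i = 0 To UBound(flags)
        If (mask And flags(i)) <> 0 Then out = out & names(i) & " "
    Next
    If out = "" Then out = "(none)"
    DescribeMask = Trim(out)
End Function

Sub ReportWinHttp(label, path)
    Dim mask
    mask = ReadValue(path)
    If IsNull(mask) Then
        WScript.Echo label & ": DefaultSecureProtocols not set, WinHTTP uses its built-in default"
    ElseIf (mask And &H800) = 0 Then
        WScript.Echo label & ": TLS 1.2 missing from mask 0x" & Hex(mask) & " (" & DescribeMask(mask) & ")"
    Else
        WScript.Echo label & ": TLS 1.2 present in mask 0x" & Hex(mask) & " (" & DescribeMask(mask) & ")"
    End If
End Sub

Sub ReportFlag(name)
    Dim v
    v = ReadValue(SCHANNEL & name)
    If IsNull(v) Then v = "not set"
    WScript.Echo "SChannel TLS 1.2 client " & name & ": " & v
End Sub

ReportFlag "Enabled"            ' explicit opt-in is a non-zero value
ReportFlag "DisabledByDefault"  ' explicit opt-in is 0
ReportWinHttp "WinHTTP (this process's view)", WINHTTP
ReportWinHttp "WinHTTP (Wow6432Node)", WINHTTP32
```

The Wow6432Node line is the one that applies when the classic ASP site runs in a 32-bit application pool on a 64-bit server.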