Error SSL 248

[Alberto]

Hi, trying to connect to a WS, in test mode its http and in prod mode its https
When connecting http all is ok but when connecting to the https ws I get the error
Please see image
Im using:
!        These settings would be required if you were talkig to a SOAP server that only did SSL.
!        ws.SSLCertificateOptions.CertificateFile = ''
!        ws.SSLCertificateOptions.PrivateKeyFile = ''
        ws.SSLCertificateOptions.DontVerifyRemoteCertificateCommonName = 1
        ws.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = 1
!        ws.SSLCertificateOptions.CARootFile = '' !If https use a root cluster like '.\CA_Roots.pem'

[Bruce]

did you install the Visual C runtime on the server?
http://www.capesoft.com/docs/NetTalk11/NetTalk.htm#DeployingAtlsClientOrServer

[Alberto]

The WS is not mine, Im trying to consume it and Im using my produccion box, I dont think I need it... or yes?
Weird thing ids Im consuming another https ws without problem.

[urayoan]

michelis, as far as i know, you need the libraries to consume or serve web services.

[Alberto]

All the dlls are ok in the app folder and still the same error.

Now I tried with NetDemo.exe and same error.

Attached goes the NetDemo.ini with which you can easily try, just copy it to the NetDemo folder , run NetDemo.exe and go to the Generic Post Tab and click Post.

Image attached. NetDemo.ini attached but renamed as netdemo.imc

[Bruce]

I get the same error here connecting to that address with NetDemo.
I'll dig a bit deeper...

cheers
Bruce

[Bruce]

Hi Alberto,

It helps that you give the URL of the site you are connecting to, because the problem is on their side, not your side.
Using the URL I was able to duplicate in NetDemo and also determine the appropriate fix.

The site is pretty insecure. You can see this by going to
https://www.ssllabs.com/ssltest/analyze.html?d=www.siogranos.com.ar
As you can see there are all kinds of things wrong - the primary ones being only support for TLS 1.0 and the (very) limited number of weak, and insecure ciphers being supported.

To connect to a site like this you seen to set the ciper list to AES128-SHA and turn off the remote certificate ca root check.
(The site is using a certificate which we don't "trust".)

ThisWebClient.SSLCertificateOptions.CiphersAllowed = 'AES128-SHA'
ThisWebClient.SSLCertificateOptions.DontVerifyRemoteCertificateWithCARoot = true

all the other settings can be left to default values.

Of course the above code will break when they do finally get around to securing the server, and then the AES cipher will no longer work.

Cheers
Bruce

[Alberto]

Thank you very very much.
You are THE man!

[Alberto]

Is it possible that it doesnot work with NT10 ? same sln ok in NT11 and wrong in NT10.