1

Topic: SSL handshake is slow

Greetings, all. We have a .NET application that connects to a server over HTTPS. On one of the installations we have a problem: establishing the connection takes three seconds. On the server side there is a self-signed certificate (S1); on the client side we also have a certificate (S2). An attempt to trace System.Net did not bring much success. We see that, in effectively 0 ms, we get the whole handshake up to the exchange of certificates. Then InitializeSecurityContext(). The next record in the log comes 3 seconds later, and it says "here is the certificate, the connection is established". There is no trace in the log of what System.Net was busy with during those three seconds. The browser connects to the server in 10-30 ms (that is without a client certificate). So it is not on the server side. What could be going on here? What can be done? The connection goes by IP address; the subject of the certificate, judging by the log, is arbitrary (5c3d720e-2307-4573-9183-5ce5837e5bd5).

System.Net Information: 0: [6608] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).
    ProcessId=5744
    DateTime=2016-07-18T11:45:11.9261348Z
System.Net Information: 0: [6608] Remote certificate: [Version]
  V3
[Subject]
  CN=5c3d720e-2307-4573-9183-5ce5837e5bd5, OU=Controller, O=Parallels, C=RU
  Simple Name: 5c3d720e-2307-4573-9183-5ce5837e5bd5
  DNS Name: 5c3d720e-2307-4573-9183-5ce5837e5bd5
[Issuer]
  CN=5c3d720e-2307-4573-9183-5ce5837e5bd5, OU=Controller, O=Parallels, C=RU
  Simple Name: 5c3d720e-2307-4573-9183-5ce5837e5bd5
  DNS Name: 5c3d720e-2307-4573-9183-5ce5837e5bd5
[Serial Number]
  B7C7B6A6
[Not Before]
  27/08/2014 5:59:44 AM
[Not After]
  23/08/2029 5:59:44 AM
[Thumbprint]
  403269EB21359E618F617D3C866B2DF3065118E8
[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)
[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00....
    ProcessId=5744
    DateTime=2016-07-18T11:45:15.1085404Z

2

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> Greetings, all.
You still need to look at the traffic to understand who is stalling. Judging by the symptoms, someone spends a long time checking the certificate status (isn't it a case of an unreachable CDP?). Does certutil -URL <certificate file> also take too long?

3

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> You still need to look at the traffic to understand who is stalling.
Well, we do have verbose tracing enabled for System.Net.Sockets. All the traffic there goes through before the log records shown above.
DOO> Judging by the symptoms, someone spends a long time checking the certificate status (isn't it a case of an unreachable CDP?). Does certutil -URL <certificate file> also take too long?
We are looking right now. Should we look at the client certificate or the server certificate?

4

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> Hello, DOOM, you wrote:
DOO>> You still need to look at the traffic to understand who is stalling.
S> Well, we do have verbose tracing enabled for System.Net.Sockets. All the traffic there goes through before the log records shown above.
Well, who was the last to receive a packet and then stall? The client? Then some network exchange is still going on after all.
DOO>> Judging by the symptoms, someone spends a long time checking the certificate status (isn't it a case of an unreachable CDP?). Does certutil -URL <certificate file> also take too long?
S> We are looking right now. Should we look at the client certificate or the server certificate?
Look at both certificates, but on the side where the delay is observed. By the way, even more illustrative will be certutil -f -urlfetch -verify [FilenameOfCertificate] - there it should be plainly visible where it stumbles. P.S. On a client Windows, certutil most likely has to be installed separately.

5

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> The next record in the log comes 3 seconds later, and it says "here is the certificate, the connection is established".
S> There is no trace in the log of what System.Net was busy with during those three seconds.
Looks very much like the Client Certificate Revocation check. Links on the subject: https://blogs.msdn.microsoft.com/kausha … ck-on-iis/ http://stackoverflow.com/questions/1976 … on-windows Microsoft SharePoint suffers from it: https://blogs.msdn.microsoft.com/chaun/ … t-servers/

6

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> The next record in the log comes 3 seconds later, and it says "here is the certificate, the connection is established".
S> There is no trace in the log of what System.Net was busy with during those three seconds.
As an option: http://stackoverflow.com/questions/7341 … ance-issue

7

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO>>> Judging by the symptoms, someone spends a long time checking the certificate status (isn't it a case of an unreachable CDP?). Does certutil -URL <certificate file> also take too long?
S>> We are looking right now. Should we look at the client certificate or the server certificate?
DOO> Look at both certificates, but on the side where the delay is observed.
DOO> By the way, even more illustrative will be certutil -f -urlfetch -verify [FilenameOfCertificate] - there it should be plainly visible where it stumbles.
Nothing stumbles; it completes instantly.

8

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> Nothing stumbles; it completes instantly.
Below you were also given links to switching off the client certificate status check on IIS (for example: https://blogs.msdn.microsoft.com/kausha … k-on-iis/) - try it for debugging purposes. My gut feeling is that the problem is in the status check - because that procedure is synchronous, long and invisible to the user.

9

Re: SSL handshake is slow

S> What could be going on here? What can be done?
Apart from the already mentioned certificate revocation check (whose result, strictly speaking, should be cached), there could also be a timeout or an error during a reverse DNS lookup. It is necessary to check, both on the client and on the server, that DNS is configured correctly and that the CN in the certificate has the same domain name that is returned by the reverse DNS lookup.

10

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> Below you were also given links to switching off the client certificate status check on IIS (for example: https://blogs.msdn.microsoft.com/kausha … k-on-iis/) - try it for debugging purposes.
The client certificate is checked not on IIS but on the remote machine - there it is Apache, Tomcat and other Java/Linux stuff.
DOO> My gut feeling is that the problem is in the status check - because that procedure is synchronous, long and invisible to the user.
Meanwhile we managed to narrow down the search by running our web application under the administrator instead of the pool identity. From this I conclude that the problem is in some peculiarities of that user's configuration. Most likely, some proxy settings there point somewhere.

11

Re: SSL handshake is slow

Hello, SkyDance, you wrote:
S>> What could be going on here? What can be done?
SD> Apart from the already mentioned certificate revocation check (whose result, strictly speaking, should be cached), there could also be a timeout or an error during a reverse DNS lookup. It is necessary to check, both on the client and on the server, that DNS is configured correctly and that the CN in the certificate has the same domain name that is returned by the reverse DNS lookup.
Well, in our case the CN is made from a GUID, because it is issued automatically, and at generation time neither the IP nor the hostname for communication is known. Communication goes over an internal IP, so reverse DNS lookups do not work. By the way, where could that come from? I have never seen an HTTPS infrastructure fooling around with "let's go find out what the site name is for https://192.186.50.173/". In such cases, for the sake of feng shui, one would have to issue the certificate with CN=192.186.50.173, wouldn't one?

12

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
DOO>> My gut feeling is that the problem is in the status check - because that procedure is synchronous, long and invisible to the user.
S> Meanwhile we managed to narrow down the search by running our web application under the administrator instead of the pool identity.
S> From this I conclude that the problem is in some peculiarities of that user's configuration.
S> Most likely, some proxy settings there point somewhere.
Launch a console on behalf of the pool identity user (IWAM_*, ...) and try to invoke verify in exactly the same way.

13

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> Launch a console on behalf of the pool identity user (IWAM_*, ...) and try to invoke verify in exactly the same way.
I hesitate to ask - how does one "launch a console" on behalf of a virtual user? It is generated by IIS, and nobody knows its password.

14

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> I hesitate to ask - how does one "launch a console" on behalf of a virtual user? It is generated by IIS, and nobody knows its password.
... Somehow everything changed a lot in 7 ... Googling shows that the simplest method is to write a web application which launches the console...

15

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> Googling shows that the simplest method is to write a web application which launches the console...
Yeah. One also has to teach it to show that console to the interactive user, and over a terminal (the server sits somewhere in either Italy or Spain). And an application without interactivity we already have - it is exactly the one we are debugging. Meanwhile I tried re-creating the pool from scratch, in the hope that that user had simply picked up some stale settings. Did not help. There is still the idea of creating the user manually and adding it to the necessary group - running the application under the administrator is somehow not right anyway.

16

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> Hello, DOOM, you wrote:
DOO>> Googling shows that the simplest method is to write a web application which launches the console...
S> Yeah. One also has to teach it to show that console to the interactive user, and over a terminal (the server sits somewhere in either Italy or Spain).
Something is clearly not quite right with your web server hacking. Install the NetCat utility on the server (it ships as part of the nmap distribution: https://nmap.org/download.html, but all its life it was a self-sufficient executable which is simply copied to the necessary machine and works). Make the web application execute the command: ncat -lv <any free port number> -e cmd.exe - as far as I understand, this is the hardest part because of the security settings in 7 (and above). Now you can, with telnet or with the same ncat, attach to the server on the port you specified and get into cmd.exe launched on behalf of the necessary user. If you have RDP access to the server it is better to open the port on the address 127.0.0.1 (the command will be ncat -lv 127.0.0.1 <port number> -e cmd.exe) and attach from a console session (that is better, since the access is generally without any protection - neither passwords nor encryption).
S> There is still the idea of creating the user manually and adding it to the necessary group - running the application under the administrator is somehow not right anyway.
Also an option.

17

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> Something is clearly not quite right with your web server hacking.
Yes, here as always it all comes down to there being 5 boundaries of zones of responsibility between me and the guys responsible for the machine:
DOO> Install the NetCat utility on the server (it ships as part of the nmap distribution: https://nmap.org/download.html, but all its life it was a self-sufficient executable which is simply copied to the necessary machine and works).
1. Installing (including copying) software on the customer's server requires an approval, which takes from 1 to 6 weeks.
DOO> Make the web application execute the command: ncat -lv <any free port number> -e cmd.exe - as far as I understand, this is the hardest part because of the security settings in 7 (and above).
2. We would need to build that into our application and ask for permission to roll it out onto the production server. Here the approval workflow is much faster, since it is a matter of a new version rather than new software, so it may fit into 1-2 weeks.
2.1. Fortunately, as far as I remember, we have Full Trust there, so at least there is a chance to start the process. They have long been picking our brains about "and what do you need such trust for", and when they dig it out, there will be a "no-no" too.
DOO> Now you can, with telnet or with the same ncat, attach to the server on the port you specified and get into cmd.exe launched on behalf of the necessary user.
3. If we get caught with the proposed "fix" opening an access channel, there will be an escalation of epic force. Regardless of the technical details - you must have had it approved by our security team first.
DOO> If you have RDP access to the server it is better to open the port on the address 127.0.0.1 (the command will be ncat -lv 127.0.0.1 <port number> -e cmd.exe) and attach from a console session (that is better, since the access is generally without any protection - neither passwords nor encryption).
4. Yes, such a variant might work, but it requires coordination with our security team and the client's. I.e. from 3 to 6 weeks. And the result is not guaranteed - the security team's position is "nobody ever punishes us for prohibitions, unlike for permissions", so they prefer to refuse doubtful cases outright rather than understand them and potentially deal with the consequences of an incident.
S>> There is still the idea of creating the user manually and adding it to the necessary group - running the application under the administrator is somehow not right anyway.
DOO> Also an option.
Well, properly speaking, this is not our operation at all. The problem is observed locally and should be solved by the maintenance service. In real life, unfortunately, it turns out that all these "certified administrators" cannot even come close to solving the problem. But they can pile complaints on us like "the partner application is slow because its authors are freaks".

18

Re: SSL handshake is slow

Hello, Sinclair, you wrote:
S> 1.
S> 2.
S> 2.1.
S> 3.
S> 4.
Well, one more option at such a level of responsibility, and thus of support obligations, is to arrange the allocation of a landscape where a copy is open for any changes. But this question is not so much a technical one. I helped as much as I could.

19

Re: SSL handshake is slow

Hello, DOOM, you wrote:
DOO> But this question is not so much a technical one. I helped as much as I could.
Thanks for the support! We have staging too. The problem is that it does not reproduce there! In general, all this crypto-adjacent infrastructure in Windows is ... It can be broken in a million ways, and then it can be neither diagnosed nor repaired. At the same client, last time, authorization to Microsoft Cloud almost did not take off. This way and that way - the username and password are entered, definitely correct ones - and the opposite happens ... And from another machine everything worked. Back then I found a way to trace the authorization process in Microsoft Office Sign-In Assistant (which, between us, is ...). And it turned out that in Windows there is a way to assign different proxies for browsers and for services. I cannot imagine why all that is needed, but it is a fact - netsh winhttp import proxy=ie and so on. And it, the damn thing, uses a trick: it always tries a direct connection first (probably to bypass some kinds of MITM attacks), then the proxy from winhttp, and only then the proxy everyone sees in Control Panel -> Internet Options -> Connections. And without any malicious intent (because this cannot happen by accident) something answering 502 to everything was specified as the winhttp proxy. As a result, login through the browser worked, and through the assistant it did not. That was a real headbanger. Microsoft support had surrendered long before netsh - they recommended simply throwing the server out, "since from another machine everything works".
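As an added diagnostic (not code from the thread or from any of its participants), a PowerShell script that ties together the two hypotheses raised above: it times the certificate chain build with and without online revocation checking, lists the CRL/OCSP URLs that CryptoAPI would fetch, and shows the WinHTTP proxy through which those fetches go. The parameter $CertPath and the function Measure-ChainBuild are names assumed here.

```powershell
# Added diagnostic for this thread, not code from the thread or from Microsoft.
# Assumes a certificate file path in $CertPath (e.g. the server or client cert
# exported to a file, as with the certutil checks discussed above).
param([Parameter(Mandatory = $true)][string]$CertPath)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host ("Subject: {0}`nIssuer:  {1}" -f $cert.Subject, $cert.Issuer)

# A synchronous status check goes to the network only if the certificate names a
# CRL Distribution Point (2.5.29.31) or an OCSP/AIA location (1.3.6.1.5.5.7.1.1).
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        $urls = [regex]::Matches($ext.Format($true), '(https?|ldap)://\S+') | ForEach-Object { $_.Value }
        Write-Host ("{0}: {1}" -f $ext.Oid.FriendlyName, ($urls -join ', '))
    } else {
        Write-Host "No extension $oid - nothing to fetch for a status check"
    }
}

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    # Cap the per-URL retrieval wait so a dead proxy shows up as a bounded delay
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Cert)
    $sw.Stop()
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $ok
        Millis = $sw.ElapsedMilliseconds
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Seconds of difference between the two rows means the status check itself is the delay.
$rows = foreach ($m in 'NoCheck', 'Online') { Measure-ChainBuild -Cert $cert -Mode $m }
$rows | Format-Table -AutoSize

# CryptoAPI fetches CRL/OCSP data through the WinHTTP proxy settings of the account
# running this script, not the Internet Options proxy a browser uses, so run it as the slow account.
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
netsh winhttp show proxy
```

A self-signed certificate with no CDP/AIA extension shows no URLs and near-identical timings for both modes, which points the search away from revocation and towards whatever else the account does on the network, such as the proxy answering 502 described in the last post.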