Dealing with SEC_I_RENEGOTIATE and TLS1_ALERT_NO_RENEGOTIATION in SChannel | ansaurus

tags:

schannel
ssl

views:

221

answers:

2

+2 Q:

Dealing with SEC_I_RENEGOTIATE and TLS1_ALERT_NO_RENEGOTIATION in SChannel

I'm working with SChannel at the moment for an async (IOCP) based server and I've got most things working fine but I'm having a problem with renegotiation. Specifically, when peer A sends peer B a request to renegotiate and peer B responds with an TLS1 'NO RENEGOTIATION' alert how does peer A continue? I seem to have an invalid context at the point where I get the SEC_I_NO_RENEGOTIATION response and this prevents me from being able to continue to use the stream...

Updated I've done some more testing and it doesn't seem to be an invalid context but I do get SEC_E_ENCRYPT_FAILURE from the next call to Encrypt...

Is a request to renegotiate actually denyable? Or is 'NO RENEGOTIATION' alert simply an informative error message which now means that the connection is useless? If so, why is it commented as being a 'warning' rather than an 'error'?? Nope; the TLS RFC (5246) clearly states that its up to the peer to decide if we can continue after a no renegotiation alert...

Updated It doesn't make any difference if I send the TLS alert using ApplyControlToken() or if I send it using EncryptMessage() with SECQOP_WRAP_OOB_DATA...

A:

May be this will help you http://www.codeproject.com/KB/IP/sslsocket.aspx

ju 2009-05-25 08:32:58

Looks like it's just a simple wrapper around the platform sdk example code. :(

Len Holgate 2009-05-30 09:49:14

A:

There was a HOTFIX issued for this a while back for Intel AMT based hardware. Essentially, the root certificate was stored as an SHA-1 hash instead of caching the entire certificate. SSPI passes all certificates EXCEPT the root, expecting the root to have this certificate for trust-chain verification. When the full root didn't exist, SSPI was forcing a re-negotiate.

The hotfix updates schannel on Win 2003 systems with Intel AMT installed.

Check out this KB: http://support.microsoft.com/kb/942841

Kurt Johnson 2009-09-21 18:50:27

Yet the situation I describe is on both Vista and Windows 7 and doesn't in any way include Intel AMT stuff ... I fail to see how this is relevant, but then perhaps I just don't understand?

Len Holgate 2009-09-21 20:21:03

No, you failed to mention that. You're right it isn't relevant for your situation. Perhaps, it will help someone else.

Kurt Johnson 2009-09-22 18:24:24

related questions

Why is access denied when installing SSL cert on IIS 5?

What does a PHP developer need to know about https / secure socket layer connections?

Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?

Coding Dojo with IE and SSL

Enforce SSL in code in an ashx handler

How to connect to PostgreSQL from .NET using TLS with both client and server authentication?

HELP SSL GURUs!!! ... Problems with SSL Connection

What's a clean/simple way to ensure the security of a page?

How to specify accepted certificates for Client Authentication in .NET SslStream

SharePoint stream file for preview

Problem with Oracle Application Server SSL Certificates

Is there a limit with the number of SSL connections?

Testing HTTPS files with MAMP

Cheapest SSL certificates

Limiting traffic to SSL version of page only

How do I support SSL Client Certificate authentication?

Why can't I connect to my CAS server with Perl's AuthCAS?

Is there a way to make Firefox ignore invalid ssl-certificates?

How do I create a self signed SSL certificate to use while testing a web app.

Can a proxy server cache SSL GETs? If not, would response body encryption suffice?

HTTPS in IIS 5.1

How do you redirect HTTPS to HTTP?

Debugging: IE6 + SSL + AJAX + post form = 404 error

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Options for Google Maps over SSL