Public Support
HTTPS Listener dies on RTC Web Server
Total posts: 22
Stephen Mott

2021-08-27 17:43:36
Registered user
I recently managed to get a proper SSL license for our server (free using CertBot), so I put it live and all appeared to work fine, but a few hours later it went into a not-responding mode; Chrome gives ERR_CONNECTION_CLOSED.

So initial thought was it was the way I'd implemented the SSL code, so I switched it to use the rtcSSecTest example and GetServerCryptPlugin, again works fine, loads the certificate, but again at some random time afterwards just dies.

Next I thought it might be the NexusDB memory manager the server uses, I've a vague memory of it initially causing problems on Win32 years back, but nope, no change.

I then enabled RTC_DEBUG to see if that would give any clues, which it does, they just don't make any sense to me, the log shows:

2021-08-26 21:52:12.327; TRtcSocketServerProvider CryptPlugin.DataReceivedEx Exception! EAssertionFailed: Assertion failure (S:\_StreamSec\Source\StreamSecII.pas, line 7869)
2021-08-26 21:52:12.346; TRtcSocketServerProvider CryptPlugin.BeforeDisconnect Exception! EAccessViolation: Access violation at address 0000000000B161CA in module 'Gateway.exe'. Read of address 0000000000000000


Which is StreamSec failing on InternalFindPrivateKey, but why I've no idea...

This is all on Win64, Delphi 10.2, RTCSDK v9.02, StreamSec Tools 2.1.9.243.

Had a few problems getting through here too, glad to see you're still around, but it looks like your site doesn't like Macs; I couldn't get to this forum at all and Mac mail is saying your signature certificate has been revoked. Even though I'm here from a PC now, it's not recognizing I've got a license for 2.3, so I can't check I've got the latest version?

Steve..
Henrick Wibell Hellström

2021-08-27 20:27:59
Registered user
This assertion is an indication of other issues. The execution only reaches that point in the code, if the server attempts to fetch a private key for either a nil-certificate or a certificate that was not pre-fetched by the initial TLSSetupServer call.

Before anything else: Upgrade to version 2.3. You do have access to ST 2.3, but another one of your update subscriptions has expired. If the problem persists even after this upgrade, please continue with the following:

Firstly, please check that the assertion does not occur after an attempt to shutdown the server. Sometimes, when closing a server while it is under heavy load, there might be straggling connections that have been suppressed by other connections, and are executed only when everything else starts to shut down. If this happens and the TStreamSecII component has already been destroyed, this, or some other, exception might be triggered as a result of dangling pointers. (The problem is marked as fixed, but who knows; check it anyway.)

Secondly, check that client certificate authentication is disabled. It is disabled by default, but you might have enabled it using a call to ClientCertificateAuthentication(True,True). This feature should be disabled due to known exploits of other TLS implementations.

Thirdly, also check that your code doesn't call UseOnlyStandardCipherSuites(False). The non-standard cipher suites are only useful if both the client and the server use the same TLS implementation, and sometimes, when the remote peer assigns a completely different cipher suite to the same private identifier, unpredictable things might occur.

Fourthly, make sure the ExpectOldBrowsers flag is set to False (default is False). Ideally, you should also set EnableLegacyTLS to False, but that will only work as expected if you upgrade to StreamSec Tools 4.0.
Stephen Mott

2021-08-31 16:57:28
Registered user
Hi Henrick,

Thanks for the reply, I tried the login you sent me to do the upgrade, but that one is the same as the one from back in 2015, but that was superseded by the one I bought in 2019 for the PKC tools upgrade, which was also to get this SSL stuff working. I did however find my original downloads, I have:

ST_2.3.1.273.zip
StreamSec_PKC_Tools.4.0.1.322.zip

The readme (StreamSec Tools 2.1.9.243) confused me on the version I was on.

But when I unzipped them and compared to what I'm currently running there were some small differences, which I'll recompile and retest today and I'll check when I get the Assertion.

I don't call ClientCertificateAuthentication(), it's in the rtcSSecTest.pas but defaults to false, false. Same with UseOnlyStandardCipherSuites, but this is defaulted to true and ExpectOldBrowsers set to False.

Well, I extracted ST_2.3.1.273.zip, overlaid StreamSec_PKC_Tools.4.0.1.322.zip, and now it won't compile; it's complaining about SecUtils.pas:

function FindHashClass(Alg: THashAlgorithm): THashClass;
begin
  case Alg of
    {$IFDEF SHA1}     haSHA1:      Result := TSHA1;      {$ENDIF}
    {$IFDEF SHA256}   haSHA224:    Result := TSHA224;    {$ENDIF}
    {$IFDEF SHA256}   haSHA256:    Result := TSHA256;    {$ENDIF}
    {$IFDEF SHA512}   haSHA384:    Result := TSHA384;    {$ENDIF}
    {$IFDEF SHA512}   haSHA512:    Result := TSHA512;    {$ENDIF}
    {$IFDEF RIPEMD160}haRipeMD160: Result := TRipeMD160; {$ENDIF}
    {$IFDEF MD5}      haMD5:       Result := TMD5;       {$ENDIF}
    {$IFDEF MD2}      haMD2:       Result := TMD2;       {$ENDIF}
  else
    Result := nil;
  end;
end;

[dcc64 Error] SecUtils.pas(924): E2029 Expression expected but 'ELSE' found

You seem to have moved these defines down into the CertMgr and Editors ver.inc's? Should I be pulling these defines into my project now?

Steve..
Stephen Mott

2021-08-31 17:25:16
Registered user
Well I tried just defining all the ones that said "Used by TLS / SSL", which got round that one, but now it won't compile SHA1Compress_x64.inc saying lBuffer and lLoopCounter are undefined, I'll wait on advice before going any further down this rabbit hole, I must be missing something obvious..
Henrick Wibell Hellström

2021-08-31 18:32:49
Registered user
> Well I extracted ST_2.3.1.273.zip, overlayed StreamSec_PKC_Tools.4.0.1.322.zip, and now it won't compile

Unfortunately, you can't do that. Both contain a file "ver.inc", which, in the case of ST 2.3, contains the defines that can be used to include or exclude individual hash algorithms. These defines are not present in the 4.0 version of "ver.inc", since ST 4.0 uses a different system for modularity.

Consequently, ST 2.3 and ST 4.0/PKC Tools 4.0 MUST be placed in separate file locations. They can both be used in the same project, though, because the $INCLUDE directive always checks in the same file directory as the parent file, before using the environment path.
Stephen Mott

2021-08-31 19:43:45
Registered user
Ah, OK, turns out that was just me being an idiot this time round. I did as you said and then compared to the Zip I'd made of the original and noticed a PKC40 directory under the root, so I re-extracted and WinMerge'd them and they are identical. So are ST_2.3.1.273.zip and StreamSec_PKC_Tools.4.0.1.322.zip the latest versions, or do I need to do some sort of upgrade now?

Steve..
Henrick Wibell Hellström

2021-08-31 20:09:56
Registered user
You have access to ST_2.3.1.276.zip, so I see no reason for you not to upgrade to that version. The StreamSec_PKC_Tools.4.0.1.322.zip archive does not need an update.

Let me know if the issue you reported initially still persists.
Stephen Mott

2021-08-31 20:20:46
Registered user
That's sort of what I mean, all I see is a Buy option for 2.3, see: http://ingot.cloud/img/SSEC.png
Henrick Wibell Hellström

2021-08-31 21:31:12
Registered user
You must be looking at the wrong account.
Stephen Mott

2021-08-31 23:59:46
Registered user
There's something very strange going on, from this PC VM I can login from the one with the password ending in "584KC", which lets me in but doesn't show any downloads, if I try the one ending in "X2PQU" from here, it just gives a login error.

If I try from my Mac (any or iPad), it can't even connect to your forum, I just get ERR_CONNECTION_CLOSED, even tried from a 4G connection.

If I try the "X2PQU" from our web server host, it lets me in, so at least I can grab them OK now, I'll let you know if it fixes the problem..

Also, the initial support email I sent is still sending me back "message has been delayed":


The address to which the message has not yet been delivered is:

 support@streamsec.se
   host cp-www01.ballou.se [91.189.41.81]
   Delay reason: SMTP error from remote mail server after RCPT TO:<support@streamsec.se>:
   451 Temporarily unable to process your email. Please try again later.


Steve..
Stephen Mott

2021-09-01 00:03:02
Registered user
Oh and the extend licence button against PKC Tools 4.0, doesn't do anything (on the web host that I've just downloaded the zips from) points to https://support.streamsec.net/forum/?cmd=packages&sid=B2CBB1B36C6E4CA6B1A385FB9F8DE8F7
Henrick Wibell Hellström

2021-09-01 04:50:00
Registered user
Those issues are completely unrelated. The reason you have trouble logging in to your original account, might be because you misspell your username - there was a missing "i" in the email address you entered when you placed your second order.

The Safari issue seems to be related to an incompatibility in the current TLS settings. I'll try to fix this ASAP.

The streamsec.se email server is managed by another ISP on an entirely different network. The SMTP error you see appears to be a temporary problem. Have you tried sending another email?
Stephen Mott

2021-09-01 14:20:59
Registered user
Well, according to the registration emails the one with the misspelled email is the "584KC" one, which works OK; it's the first one from 2015 that doesn't work, well, here, it works on my hosted server? I'll try sending another email..
Henrick Wibell Hellström

2021-09-01 14:32:16
Registered user
You have to look closer. The first one uses your correct email. The second one uses the same email albeit with a typo. If you are using the username with the typo to access your original account, it will not work. If you use your correct email it will work. I have checked.
Stephen Mott

2021-09-01 16:25:47
Registered user
Ah, yeah, sorry, that's way too small for me to make out without zooming in nowadays..
Stephen Mott

2021-09-01 17:24:32
Registered user
Well I installed ST_2.3.1.276 rebuilt the server, but while browsing the site locally I've just got:

2021-09-01 16:17:29.305; TRtcSocketServerProvider CryptPlugin.DataReceivedEx Exception! EAssertionFailed: Assertion failure (S:\_StreamSec\Source\StreamSecII.pas, line 7869)
2021-09-01 16:17:29.320; TRtcSocketServerProvider CryptPlugin.BeforeDisconnect Exception! EAccessViolation: Access violation at address 0000000000B2520A in module 'Gateway.exe'. Read of address 0000000000000000

This wasn't while shutting down, server is still up and running..

Steve..
Stephen Mott

2021-09-01 20:05:26
Registered user
I set a break before the assert and this is the stack trace in case it gives any clues:

StreamSecII.TPrivateKeyRing.InternalFindPrivateKey($13BA3040,49,'',nil,0,krSession)
StreamSecII.TPrivateKeyRing.InternalFindPrivateKey($13BA3040,49,nil,0,[krSession])
StreamSecII.TPrivateKeyRing.AddKey($13BF13D0,krSession,0)
StreamSecII.TSsPrivateKeyRingComponent.AddTLSMasterSecret(???,???)
StreamSecII.TStreamSecII.DoTLSChangeCipherSpec($1A8E5DA0)
TlsLayer.TTLS_ContentLayer.DoChangeCipherSpec(???)
TlsLayer.TTLS_RecordLayer.ChangeCipherSpec(False)
TlsLayer.TTLS_RecordLayer.SaveFragmentToStream($13B980C0,$13B9B390,-1,rtChangeCipherSpec)
TlsLayer.TTLS_ContentLayer.EncodeChangeCipherSpec($D254984,$13B9B390)
TlsLayer.TTLS_HandshakeProtocol.HandleClientFinished(nil,12,$13B9B390)
TlsLayer.TTLS_HandshakeProtocol.Add(nil,12,$13B9B390)
TlsLayer.TTLS_ContentLayer.HandleHandshake($13B9B390)
TlsLayer.TTLS_ContentLayer.DecodeData($13B9BAE0,$13B9D1C0,$13B9B390)
rtcSSecPlugin.TRtcSSecPlugin.DataReceivedEx($10786D50,(22, 3, 1, 1, 6, 16, 0, 1, 2, 1, 0, 80, 129, 237, 144, 153, 210, 161, 13, 196, 217, 220, 20, 164, 23, 50, 141, 147, 180, 251, 82, 36, 37, 130, 152, 111, 181, 160, 154, 150, 59, 20, 27, 15, 127, 117, 73, 43, 117, 31, 137, 186, 114, 215, 152, 64, 216, 42, 42, 239, 128, 9, 195, 197, 216, 47, 122, 239, 5, 76, 92, 138, 203, 4, 132, 95, 92, 232, 8, 159, 215, 247, 221, 134, 146, 88, 61, 41, 211, 100, 55, 10, 80, 131, 20, 247, 9, 236, 200, 118, 186, 1, 77, 170, 64, 55, 235, 47, 218, 230, 247, 214, 18, 61, 164, 83, 246, 216, 190, 57, 51, 74, 137, 133, 134, 166, 102, 31, 99, 183, 235, 69, 215, 69, 157, 196, 230, 203, 11, 158, 129, 7, 164, 70, 172, 95, 30, 30, 111, 160, 237, 122, 90, 114, 237, 232, 7, 136, 181, 229, 132, 243, 125, 146, 236, 222, 139, 19, 13, 225, 81, 239, 181, 92, 75, 90, 9, 171, 56, 32, 76, 119, 1, 226, 227, 123, 151, 98, 147, 194, 199, 203, 234, 201, 173, 68, 161, 229, 223, 169, 15, 80, 2, 116, 131, 77, 30, 12, 241, 39, 167, 4, 97, 143, 235, 159, 254, 214, 110, 21, 82, 39, 136, 9, 106, 22, 169, 85, 111, 242, 144, 15, 152, 22, 63, 242, 141, 70, 57, 244, 234, 111, 108, 197, 253, 214, 104, 98, 210, 73, 92, 48, 30, 89, 160, 152, 80, 183, 234, 118, 26, 10, 186, 67, 66, 156, 189, 20, 3, 1, 0, 1, 1, 22, 3, 1, 0, 48, 241, 124, 250, 124, 43, 17, 232, 101, 194, 0, 189, 77, 169, 54, 43, 52, 125, 130, 52, 149, 1, 248, 216, 159, 243, 82, 109, 11, 237, 78, 30, 215, 185, 128, 81, 156, 16, 68, 202, 28, 63, 145, 35, 170, 199, 133, 83, 185),(),())
rtcSocketSrvProv.TRtcSocketServerProvider.ReadEx
rtcSocketHttpSrvProv.TRtcSocketHttpServerProvider.TriggerDataReceived
rtcSocketSrvProv.TRtcSocketServerProvider.wsOnDataReceived($D2561D0,0)
rtcSockBase.TRtcSocketBase.On_DataReceived(0)
rtcWinSocket.TRtcWinSocket.DoRead(0)
rtcWinSocket.TRtcWinSocket.DoMessage(2,0)
rtcSocketSrvProv.TRtcSocketClientThread.RunJob
rtcThrPool.TRtcWorkerThread.Execute
System.Classes.ThreadProc($102E8880)
System.ThreadWrapper($10835A60)
:00007FFA7A1E7034 ; C:\WINDOWS\System32\KERNEL32.DLL
:00007FFA7BE82651 ; <UNKNOWN>
Steve..
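As an added illustration (not code from this thread, from RTC or from StreamSec): the byte list passed to DataReceivedEx in the stack trace above starts 22, 3, 1, 1, 6, 16, 0, 1, 2, ... and later contains 20, 3, 1, 0, 1, 1 and 22, 3, 1, 0, 48, which is three TLS records from a TLS 1.0 client: a ClientKeyExchange, a ChangeCipherSpec and an encrypted Finished, so the failing path (DoTLSChangeCipherSpec -> AddTLSMasterSecret) is being hit by a legacy-TLS client. The parser below walks that record framing over a constructed buffer with the same headers (the 256-byte encrypted premaster and the 48-byte Finished are zero-filled placeholders), which is one way to confirm from a debug log which protocol version a misbehaving client negotiated before deciding on EnableLegacyTLS.

```python
import struct
from typing import List, Optional, Tuple

# TLS record content types (RFC 5246, section 6.2.1) and handshake types used here
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CLIENT_KEY_EXCHANGE, FINISHED = 16, 20

# Constructed buffer with the same record/handshake headers as the bytes in the
# stack trace above; the encrypted bodies are zero-filled placeholders.
PREMASTER = b"\x00" * 256                                    # RSA-2048 encrypted premaster
CKE_BODY = struct.pack("!H", len(PREMASTER)) + PREMASTER     # 2-byte length + 256 bytes
CKE_MSG = bytes([CLIENT_KEY_EXCHANGE]) + len(CKE_BODY).to_bytes(3, "big") + CKE_BODY
SAMPLE = (
    bytes([HANDSHAKE, 3, 1]) + struct.pack("!H", len(CKE_MSG)) + CKE_MSG  # 22 3 1 1 6 16 0 1 2 ...
    + bytes([CHANGE_CIPHER_SPEC, 3, 1, 0, 1, 1])                          # 20 3 1 0 1 1
    + bytes([HANDSHAKE, 3, 1, 0, 48]) + b"\x00" * 48                      # 22 3 1 0 48 ...
)

Record = Tuple[int, str, int, Optional[int]]  # (content type, version, length, handshake type)

def tls_version(major: int, minor: int) -> str:
    names = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
    return names.get((major, minor), f"{major}.{minor}")

def parse_records(data: bytes) -> List[Record]:
    """Split a raw TLS byte stream into records. Handshake message types are only
    readable before ChangeCipherSpec; afterwards the record payload is encrypted."""
    records: List[Record] = []
    encrypted = False
    pos = 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError(f"truncated record at offset {pos}")
        hs_type = body[0] if (ctype == HANDSHAKE and not encrypted and body) else None
        records.append((ctype, tls_version(major, minor), length, hs_type))
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True  # everything after CCS is protected under the new keys
        pos += 5 + length
    if pos != len(data):
        raise ValueError("trailing bytes that do not form a complete record")
    return records

def legacy_client(records: List[Record]) -> bool:
    """True if any record was sent with a protocol version below TLS 1.2."""
    return any(v in ("SSLv3", "TLS1.0", "TLS1.1") for _, v, _, _ in records)
```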
Henrick Wibell Hellström

2021-09-01 23:31:53
Registered user
That information might actually help. Try editing rtcSSecTest.GetServerCryptPlugin


          Options.RequestClientCertificate := Server_RequestClientCertificateAuthentication;
          Options.RequireClientCertificate := Server_RequireClientCertificateAuthentication;

          LeanSessionManagement := True; // <-- Insert this

          TLSSetupServer;
Stephen Mott

2021-09-02 15:47:13
Registered user
So far hasn't died, it's usually dead in the morning, but was fine today, so I've kicked off another stress test..

Steve..
Stephen Mott

2021-09-03 14:23:17
Registered user
I think we can call this fixed, has stood up to everything I've chucked at it. Out of interest what should you do if LeanSessionManagement is false, or should it never be false?

BTW the second support email I sent came back, and this site was briefly accessible from a mac but now isn't again..

Steve..
Henrick Wibell Hellström

2021-09-03 16:24:15
Registered user
The default value (LeanSessionManagement = false) stems back from a time when most clients didn't implement HTTP persistent connections. Nowadays most do, so there is rarely (or never) a reason to not set it to true.
Stephen Mott

2021-09-03 16:38:09
Registered user
Ah, OK makes sense..
Written with and powered by the RealThinClient SDK and StreamSec Tools 4.0.
Copyright (c) Danijel Tkalcec, StreamSec HB