URLRequest TLS/SSL handshake problem

Share icon

Sat, 03/23/2024 - 02:14 pm

Hi,

I'm trying to access a server using URLRequest and I'm getting this from the operation's diagnostic:

Trying *IP address*...
  TCP_NODELAY set
  Connected to server-address (*IP address*) port 443 (#0)
  schannel: SSL/TLS connection with server-address port 443 (step 1/3)
  schannel: checking server certificate revocation
  schannel: ALPN, offering http/1.1
  schannel: sending initial handshake data: sending 203 bytes...
  schannel: sent initial handshake data: sent 203 bytes
  schannel: SSL/TLS connection with server-address port 443 (step 2/3)
  schannel: failed to receive handshake, need more data
  schannel: SSL/TLS connection with server-address port 443 (step 2/3)
  schannel: encrypted data got 2145
  schannel: encrypted data buffer: offset 2145 length 4096
  schannel: next InitializeSecurityContext failed: CRYPT_E_REVOKED (0x80092010) - Certificado revogado.
  Closing connection 0
  schannel: shutting down SSL/TLS connection with server-address port 443
  schannel: clear security context handle
  URLRequest Error: A problem occurred somewhere in the SSL/TLS handshake.

From what I got, there's a problem with the certificate used in the handshake, maybe it is invalid? There's some way to ignore this? I tried to add a header with the 'rejectUnauthorized' key, like I read somewhere, but it seems to have no effect. It should return an array string with many variable names in it. If I try to access it from a browser, it opens the array string in the browser without problem.

My simple code as follows:

Function URLtest()
    string url = "server-address/variables/getAll?limit=-1"
    string header = "rejectUnauthorized: false;"
    URLRequest /V=2 method=GET, url=url, headers=header
End

 

Thanks!

I don't think you can workaround the revoked certificate.

Do you know a bit of details behind SSL/TLS? To make it really simple a certificate is a kind of passport for a website. And the one you are trying to access was revoked, which usually means that someone got access to the certficate which shouldn't and it was made invalid.

Does the server offer http access? If yes, I would try that instead.

Reproduction recipe with an expired domain:

Urlrequest/V=2/Z url="https://expired.badssl.com/"

If you need to use https, contact wavemetrics support. It should be possible to add a flag to UrlRequest to allow for insecure TLS connections.

The commandline curl executable has --insecure which sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to 0.

 

March 25, 2024 at 05:33 am - Permalink