Problem using https with wildcard certs

Dave McCormack
New member
Username: Davemcafee

Post Number: 1
Registered: 04-2013
Posted on Monday, April 08, 2013 - 04:02 pm:   

We've configured NowSMS on the 2-Way tab to forward SMSes to a HTTPS URL. It works just fine if the server has a 'normal' SSL cert but it fails if the server has a wildcard SSL cert (*.example.com). The SMSDEBUG.log file shows SSL_Connect failing after 60 seconds with error 0. We can hit the same URL just fine from a browser. It seems to be the OpenSSL client library within NowSMS that is having the problem. Our NowSMS version is 12.6.something. Has anyone else experienced this? Unfortunately, we have to rely on wildcard certs in production for operational reasons. Thanks for any help!
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 4367
Registered: 08-2008
Posted on Monday, April 08, 2013 - 05:05 pm:   

Hi Dave,

That is very strange, as I don't think we are doing any server certificate verification ... only using SSL/TLS for encryption.

We did recently update the version of the OpenSSL library being used, and applied a code fix to address an issue where we were encountering a very occasional issue with an HTTPS SMSC hanging.

Try the updated version at http://www.nowsms.com/download/nowsms20130401.zip to see if that resolves the issue.

--
Des
NowSMS Support
Dave McCormack
New member
Username: Davemcafee

Post Number: 2
Registered: 04-2013
Posted on Monday, April 29, 2013 - 12:26 pm:   

Hi Des,

Due to operational reasons, we haven't been able to deploy the newer version of NowSMS to which you linked.

However, we have identified what is causing the problem, so I thought I would report this back to you.

It seems that when connecting to a server that supports SSL3 and TLS1 but not SSL2, OpenSSL 0.9.8 can correctly negotiate the protocol version to use but OpenSSL 1.0.1 cannot. With 1.0.1, you have to explicitly set the protocol version to SSL3 or TLS1.

To see what I'm talking about, use the Linux/Mac/Cygwin command prompt and run the following:

openssl version

This will tell you the OpenSSL library version number. Then run the following against a server that doesn't support SSL2:

openssl s_client -connect <server>:443

This fails if the OpenSSL library is v1.0.1 but succeeds for v0.9.8. Don't be fooled by the initial message on the first line saying "CONNECTED". This just indicates that the TCP connection has been established but wait 60 seconds and you'll get an error message that the SSL session establishment has timed out. If you then run the following it will work fine:

openssl s_client -ssl3 -connect <server>:443

The solution, I believe, is to make it possible for NowSMS to be similarly configured.

Regards,

Dave.
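The manual diagnosis in the post above, scripted, as an added example that is not code from the thread or from NowSMS: it runs `openssl s_client` once per protocol selector (default negotiation, then `-ssl3`, `-tls1`, `-tls1_1`, `-tls1_2`), bounds each attempt with a timeout so a hanging handshake does not stall the script for the 60 seconds described above, and classifies the result from the "Cipher" and "Verify return code" lines. The verify line matters because s_client completes the handshake even when it cannot validate the certificate, and Des's earlier reply states that NowSMS does no server certificate verification at all; a probe that reports "unverified" is a connection an attacker on the path could have answered. Assumed: `openssl` in PATH, GNU coreutils `timeout`, and an OpenSSL build that still accepts the flag being tried (a flag the local build does not know, such as `-tls1_2` on 0.9.8 or `-ssl3` on current releases, shows up as "failed").

```shell
#!/bin/sh
# Added example, not from the original thread. Probes one TLS server per
# protocol selector and reports which handshakes complete.
# Assumptions: openssl(1) and GNU 'timeout' are installed; the timeout value
# and the 'default' label for the no-flag run are this script's own choices.

TIMEOUT_SECS=10

# Negotiated protocol from the SSL-Session block, e.g. "    Protocol  : TLSv1".
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Negotiated cipher from the SSL-Session block; s_client prints "0000" there
# when the handshake did not complete, so this is the success signal.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Text after "Verify return code:", e.g. "0 (ok)" or
# "21 (unable to verify the first certificate)".
verify_result() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *//p' | head -n 1
}

# classify EXIT_STATUS OUTPUT -> one of:
#   "timeout"                    the handshake hung until 'timeout' killed it
#   "failed"                     no cipher was agreed (no TLS session)
#   "ok <proto>"                 session established and certificate verified
#   "unverified <proto>: <why>"  session established, certificate NOT verified
classify() {
    cl_status=$1
    cl_output=$2
    cl_proto=$(negotiated_protocol "$cl_output")
    cl_cipher=$(negotiated_cipher "$cl_output")
    cl_verify=$(verify_result "$cl_output")
    if [ "$cl_status" -eq 124 ]; then
        echo "timeout"
    elif [ -z "$cl_cipher" ] || [ "$cl_cipher" = "0000" ] || [ "$cl_cipher" = "(NONE)" ]; then
        echo "failed"
    elif [ "${cl_verify%% *}" = "0" ]; then
        echo "ok $cl_proto"
    else
        echo "unverified $cl_proto: $cl_verify"
    fi
}

# probe HOST PORT [FLAG]: run s_client once, bounded by the timeout.
# 'timeout' exits 124 when it has to kill the child, which classify() checks.
# stdin is redirected from /dev/null so s_client exits as soon as the
# handshake finishes (or fails) instead of waiting for interactive input.
probe() {
    pr_status=0
    pr_output=$(timeout "$TIMEOUT_SECS" openssl s_client $3 -connect "$1:$2" </dev/null 2>&1) || pr_status=$?
    classify "$pr_status" "$pr_output"
}

# probe_all HOST PORT: the sequence from the post, default negotiation first.
probe_all() {
    for flag in "" -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-10s %s\n' "${flag:-default}" "$(probe "$1" "$2" "$flag")"
    done
}

# Usage: sh probe_tls.sh <server> [port]   (port defaults to 443)
if [ "$#" -ge 1 ]; then
    probe_all "$1" "${2:-443}"
fi
```

Reading the output: a "timeout" on the default line together with "ok" on the `-ssl3` or `-tls1` line is exactly the behaviour the post describes for OpenSSL 1.0.1. Any line that says "unverified" means the handshake alone cannot be trusted as proof of the server's identity; pass `-CAfile <bundle>` to s_client (or rely on the build's default trust store) if you want the verify code to reflect the real chain, and note that the wildcard name in the certificate only matters once something actually checks it.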
Des - NowSMS Support
Board Administrator
Username: Desosms

Post Number: 4450
Registered: 08-2008
Posted on Monday, April 29, 2013 - 03:30 pm:   

Hi Dave,

I can confirm that the updated version reflects that change. In addition to other changes, we removed SSL2 support, as it should be considered obsolete.

I'll go ahead and package the DLL into a separate ZIP, as it should be compatible with all recent versions.

http://www.nowsms.com/download/smsssl20130301.zip

--
Des
NowSMS Support