Error in connection to REST service

Started by Mogens Christensen, May 05, 2021, 12:08:10 AM


Mogens Christensen

Hi!

In a WinBatch program I use the object WinHttp.WinHttpRequest.5.1 to send changes to a ServiceNow REST service.

The provider has changed TLS to mTLS; after that, the program ends with this error message:

http.send(request)
(281) GOSUB Error handler

WIL ERROR SUPPRESSED =>1261 (COM/CLR: Exception)

rc = IntControl(1000,8,0,0,0)
(281) VALUE INT => 0

status_txt = http.statusText
(281) VALUE INT => 0

TERMINAL WIL ERROR=>1261 (COM/CLR: Exception)

;;;END OF JOB;;;

---------- Begin structure stack dump ----------
  1 for                33 FOR a = 1 TO antal BY 1          ServNowDB2upd.wbt
  2 gosub              63 http.send(request)               ServNowDB2upd.wbt
-------- End structure stack dump --------

---------- Begin WWWBATCH.INI dump ----------
[COM & CLR Sub-system]
Function=InvokeMember
ErrorCode=9 (0x80020009)
ErrorDesc=Exception occurred.

Are there other HTTP objects that support mTLS?

Any help is appreciated.
THANKS

td

Mutual Transport Layer Security is usually more server-to-server or IoT related. I don't believe that Windows COM Automation-based HTTP protocol objects support it. You could check out the System.Net.Http .NET class, as WinBatch supports .NET via its CLR hosting subsystem. However, I don't see anything that indicates that the class does support mTLS, but that could be because I just didn't look hard enough.

https://docs.microsoft.com/en-us/dotnet/api/system.net.http.httpclient?view=netframework-4.8

I will have to do a little more checking into the subject as this is not something that has come up before.

[edit] There are some indications that it is possible to perform mTLS client/server negotiations and data transfers using the above mentioned dotNet class. Still needs more research though.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

td

Here is a very crude example that sets up an mTLS connection to a site of your choice. Don't know if it actually works but it might give someone some ideas.

Code (winbatch)
ObjectClrOption("useany", "System")
ObjectClrOption("useany", "System.Net")
ObjectClrOption("useany", "System.Net.Http")
ObjectClrOption("useany", "System.Net.Http.WebRequest")   ; Assembly that holds WebRequestHandler.

Uri = "https://www.sitethatreturnshtml.com"  ; Your URL goes here.

; Need TLS 1.2 on the service point before any connection is opened.
objSvcManager = ObjectClrNew('System.Net.ServicePointManager')
; https://docs.microsoft.com/en-us/dotnet/api/system.net.securityprotocoltype?view=netframework-4.8
protocols = ObjectClrType("System.Net.SecurityProtocolType", 3072)   ; 3072 = Tls12
objSvcManager.SecurityProtocol = protocols

; Create and configure an mTLS request handler for the client.
; The client certificate (with its private key) is loaded from a password-protected PFX file.
; https://docs.microsoft.com/en-us/dotnet/api/system.net.http.webrequesthandler?view=netframework-4.8
strCert = 'C:\Temp\client\client.pfx'
objCert = ObjectClrNew('System.Security.Cryptography.X509Certificates.X509Certificate', strCert, 'passwordhere')
objReqHandler = ObjectClrNew('System.Net.Http.WebRequestHandler')
objReqHandler.ClientCertificates.Add(objCert)

; https://docs.microsoft.com/en-us/dotnet/api/system.net.security.authenticationlevel?view=net-5.0
Required = 2   ; 2 = MutualAuthRequired.
Required = ObjectClrType('System.Net.Security.AuthenticationLevel', Required)
objReqHandler.AuthenticationLevel = Required

objHttpClient = ObjectClrNew('System.Net.Http.HttpClient', objReqHandler)
objResponse = objHttpClient.GetAsync(Uri)
; Reading Task.Result blocks until the request completes, so no polling loop is needed.
; A TLS handshake failure (for example the server rejecting the client certificate)
; surfaces here as a COM/CLR exception rather than as an HTTP status code.
objResult = objResponse.Result

Code = objResult.StatusCode
Terminate(Code != 200, 'mTLS Get Request', 'Failed with status code: ':Code)

; Bunch of assumptions here but it may return more or less what you would expect.
objHttpContent = objResult.Content
objStrTask = objHttpContent.ReadAsStringAsync()
strHtml = objStrTask.Result

Message('HTML Dump', strHtml)
exit


You can use the Windoze 10 WSL to create a client certificate using OpenSSL.
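The WinBatch script above expects a password-protected client.pfx, and the posts suggest building the client certificate with OpenSSL under WSL. This added example (not from the thread or from WinBatch) does exactly that in POSIX shell: it generates a self-signed client certificate, packages it as PKCS#12 in a form the Windows crypto stack accepts, checks the password before the script ever runs, and exercises the raw handshake against the endpoint. The directory, subject name, password and host are assumptions.

```shell
#!/bin/sh
# Added example: prepare and sanity-check the client certificate used by the WinBatch script.
set -e

# Generate a self-signed client certificate and bundle key+cert as PKCS#12 for .NET.
# The 3DES/SHA1 PBE settings keep the file readable by Windows: OpenSSL 3 defaults to
# AES-256/PBKDF2, which older Windows and .NET Framework builds refuse to import.
# Directory and password are constructed arguments; the password must match the one
# passed to the X509Certificate constructor in the WinBatch script.
make_client_pfx() {
    dir=$1 pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=winbatch-client" \
        -keyout "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$dir/client.pfx" -passout "pass:$pass"
}

# Open the PFX with the password and print the certificate subject, so a wrong
# password or an empty bundle is caught here instead of as WIL error 1261.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Exercise the TLS handshake against the real endpoint with no HTTP client in the way.
# A server enforcing mTLS aborts the handshake when the certificate is missing or is not
# one it trusts; the verify line and any alert are the first thing to read when debugging.
check_handshake() {
    host=$1 dir=$2
    openssl s_client -connect "$host:443" -servername "$host" \
        -cert "$dir/client.crt" -key "$dir/client.key" </dev/null 2>&1 \
        | grep -E "Verify return code|alert|handshake failure" || true
}

# Usage (constructed values):
#   make_client_pfx /tmp/client passwordhere
#   pfx_subject /tmp/client/client.pfx passwordhere
#   check_handshake api.example.invalid /tmp/client
```

Copy the resulting client.pfx to the path named in strCert; if the provider issued the client certificate themselves, skip make_client_pfx and run only the two checks against their file.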

stanl

Tony,


Nice work. I would bet the certificate is the key. I'm not sure and not that knowledgeable, but it seems like the client/server certs have to have something in common. Anyway, willing to try with Amazon.


https://aws.amazon.com/about-aws/whats-new/2020/09/amazon-api-gateway-supports-mutual-tls-authentication/




td

It is certainly possible for a server to require a client certificate that is issued and signed by a certificate authority with a well-known root certificate, but it is not necessary. It is my understanding that mTLS servers often accept simple self-signed certificates because public key/private key encryption is pretty good. Either way, the "trick" to making the above work is selecting the correct HTTP headers and verbs to comply with the server's protocol expectations. The classes used in the example have methods to support just about anything a server might require, but the synchronization might be a bit hard to implement because WIL CLR cannot support delegates. Don't think it is impossible or requires a lot of scripting, just that the "how" is not always obvious.

There are numerous examples showing how to create self-signed certificates using either WSL or MSFT's traditional command-line tools. (I personally prefer the WSL approach using OpenSSL, but to each their own.)

Anyway, let us know what you come up with.  I suspect this is going to become an even more important protocol for WinBatch to support down the road.

td

As a follow-up, a very quick review of AWS documentation suggests that mTLS enabled REST APIs built on AWS require AWS issued client certificates. Again this is based on a very quick review so I could be completely off base.