1

I have a VBScript program that retrieves a web page from a server not under my control. The URL looks something like https://someserver.xxx/index.html. I use this code to create the object that does the page getting:

Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")

When I wrote my program it had no problem retrieving this page. Recently, the web server serving this page went through an upgrade. Now my program can no longer fetch the page.

Some clues:

Clue 1. I can fetch the web page if I use a browser (I tried Firefox, IE, and Chrome).

Clue 2. The VBScript code yields this error:

The message received was unexpected or badly formatted.

Clue 3. I can fetch the web page from the command line in certain cases but not in others:

curl --sslv3 -v -k 'https://someserver.xxx/index.html' # WORKS!
curl --sslv2 -v -k 'https://someserver.xxx/index.html' # WORKS!
curl -v -k 'https://someserver.xxx/index.html'         # FAILS
curl --tlsv1 -v -k 'https://someserver.xxx/index.html' # FAILS

In the case where I do not specify a protocol I get this error:

* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0

In the case where I specify --tlsv1 I get this error:

* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
* Closing connection #0

A. Does anyone have any suggestions or ideas on what might be going on at the web server end? (I am unable to talk to the admins of the web server to find out what they changed.)

B. Is there a way I can change my VBScript code to work around this issue? Can the SSL version be forced?

user35042
  • Perhaps it is related to the use of TLS? What you need is a packet logger (Windows equivalent of Wireshark) to confirm. – hookenz Dec 02 '10 at 21:33
  • If you can tell us the actual server, we can replicate the problem and look at the packet traces. Otherwise, we're going to have to guess. – David Schwartz Mar 13 '12 at 09:01
  • @matt the Windows equivalent of Wireshark is Wireshark :) – Grant Jun 16 '12 at 04:19

2 Answers

1

VB apparently doesn't understand/decode the full TLS protocol; in this case a TLS Alert (i.e. message type 0x15).

I'm certainly not a VB programmer, but I believe you can set a property (which I learned by consulting http://www.chilkatsoft.com/refdoc/vbnetSocketRef.html): SslProtocol as String "SSL 3.0"

Tom Marthenal
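
An added example, not part of the answer above or the original question: a Python decoder for the TLS record header and the alert message (content type 0x15) that the answer mentions, as the bytes would appear in a packet trace. The sample bytes are constructed, and the record version in them is an assumption; only the illegal_parameter description comes from the curl output in the question.

```python
import struct

# Alert descriptions and levels from RFC 5246 section 7.2 (subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(data):
    """Split a captured byte stream into TLS records and decode plaintext alerts."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        # Record header: content type (1), version major/minor (2), length (2).
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError("not a TLS record (content type 0x%02x)" % ctype)
        body = data[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES[ctype],
               "version": VERSIONS.get((major, minor), "unknown %d.%d" % (major, minor))}
        # A plaintext alert is exactly two bytes: level, description.
        # Alerts sent after the cipher change are encrypted and longer,
        # so they are reported by type only.
        if ctype == 21 and length == 2:
            rec["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
        records.append(rec)
        offset += 5 + length
    return records


# Constructed sample: alert record, version 3.0, fatal, description 47.
SAMPLE_ALERT = bytes.fromhex("1503000002022f")

if __name__ == "__main__":
    for record in parse_records(SAMPLE_ALERT):
        print(record)
```
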
0

It looks like they downgraded security in their upgrade. TLS security appears not to work. This may be the result of a patch on your side checking defaulting to or verifying TLS security. You should be able to identify the security being used in the browser after you have fetched a page. I would try contacting hostmaster@someserver.xxx, as they probably don't intend to be non-compliant with TLS security.

If VBScript is using the Internet Explorer setting, you could try disabling all TLS ciphers in IE. This should force VBScript to negotiate to an SSLv3 or SSLv2 cipher. I would start with disabling 3DES as there was (is) a Windows problem when connecting to servers using a secure implementation.

BillThor