Get/Post tsNet error in Windows 7
Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, robinmiller
Get/Post tsNet error in Windows 7
I have a simple stack in 9.6.9-rc-2 that does GET and POST to
https://api.getmaintainx.com/v1/
and the standalone works just fine in OSX/monterey and Windows 10, but it fails on Windows 7 with the error
tsneterr: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
It fails with the same message when directly calling the equivalent tsNet routine in Livecode.
I had thought that the tsNet library is based on OpenSSL and is separate from Windows TLS and cipher support. Indeed, the Livecode browser widget, which I think is based on Chromium, works fine to the MaintainX web portal work request in Windows 7, so at least Chromium seems to be taking care of TLS business.
Even so, just in case Livecode is somehow asking Windows 7 to handle the TLS, I still can't get it to work, despite having the correct updates and registry settings for TLS 1.2, and what looks like the correct ciphers and priority (I'm not a cryptography expert.)
The site accepts TLS 1.2 and 1.3 with the ciphers listed in the report:
https://www.ssllabs.com/ssltest/analyze ... =on&latest
You do need a JSON web token added to the header with something like
set the httpHeaders to "Authorization: Bearer" && myKey
but even so, you can still see this problem with just
get url "https://api.getmaintainx.com/v1/assets"
which should return
"{"error":"Empty token"}
but fails in Windows 7 during the TLS handshake before ever checking the header for your JSON web token.
Any ideas? As I said, I have the right service pack and registry settings in Windows for TLS 1.2. I *think* I have the required ciphers in the registry list.
			
			
									
									https://api.getmaintainx.com/v1/
and the standalone works just fine in OSX/monterey and Windows 10, but it fails on Windows 7 with the error
tsneterr: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
It fails with the same message when directly calling the equivalent tsNet routine in Livecode.
I had thought that the tsNet library is based on OpenSSL and is separate from Windows TLS and cipher support. Indeed, the Livecode browser widget, which I think is based on Chromium, works fine to the MaintainX web portal work request in Windows 7, so at least Chromium seems to be taking care of TLS business.
Even so, just in case Livecode is somehow asking Windows 7 to handle the TLS, I still can't get it to work, despite having the correct updates and registry settings for TLS 1.2, and what looks like the correct ciphers and priority (I'm not a cryptography expert.)
The site accepts TLS 1.2 and 1.3 with the ciphers listed in the report:
https://www.ssllabs.com/ssltest/analyze ... =on&latest
You do need a JSON web token added to the header with something like
set the httpHeaders to "Authorization: Bearer" && myKey
but even so, you can still see this problem with just
get url "https://api.getmaintainx.com/v1/assets"
which should return
"{"error":"Empty token"}
but fails in Windows 7 during the TLS handshake before ever checking the header for your JSON web token.
Any ideas? As I said, I have the right service pack and registry settings in Windows for TLS 1.2. I *think* I have the required ciphers in the registry list.
Research Engineer
McDonald Observatory, Texas
						McDonald Observatory, Texas
Re: Get/Post tsNet error in Windows 7
PS just found the link in the Dictionary to Tech Strategies, so I asked them too.
			
			
									
									Research Engineer
McDonald Observatory, Texas
						McDonald Observatory, Texas
Re: Get/Post tsNet error in Windows 7
Answer from Livcode: tsNet uses the built-in Windows Schannel service and not OpenSSL, as it does for Linux and Android. This means you're stuck in Windows 7 and Windows 8 (in 6 days!), with the ciphers that came with your operating system, including service pack updates. In my case, Windows 7 has
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
but I need
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
to connect to the MaintainX server, which Windows 7 doesn't have. Frustratingly, Windows does have
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.
Hopefully tsNet can be modified to use openSSL as an option for Windows users to escape Microsoft's planned obsolescence. Maybe the EU can fix this?
			
			
									
									
						TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
but I need
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
to connect to the MaintainX server, which Windows 7 doesn't have. Frustratingly, Windows does have
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.
Hopefully tsNet can be modified to use openSSL as an option for Windows users to escape Microsoft's planned obsolescence. Maybe the EU can fix this?
Re: Get/Post tsNet error in Windows 7
Since you mention planned obsolescence, I take it you're aware that mainstream support from Microsoft for Windows 7 ended eight years ago.
If you're going to insist on using Windows 7 then may you might try *not* using tsNet and using libUrl instead to see if that gets around the Schannel dependency.
			
			
									
									If you're going to insist on using Windows 7 then may you might try *not* using tsNet and using libUrl instead to see if that gets around the Schannel dependency.
PowerDebug http://powerdebug.ahsoftware.net
PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
						PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
Re: Get/Post tsNet error in Windows 7
Of course I understand that Windows 7 is unsupported. I don't know how to add new cipher suites to Microsoft's Schannel facility, thus making my instrument controller increasingly unusable as more secure versions of TLS become mandatory. For scientific instrument control, you spend a lot of time and money making it work - that means meeting a specification for functionality and reliability - and then you deploy it. Operating system upgrades are inimical to doing science and engineering in this context. Upgrading from 32-bit Windows 7 would mean rewriting and recompiling drivers and applications, finding new bugs and reliability problems, and it would take weeks to months and thousands of dollars. Trying to find out if I can keep Windows 7 if at all possible is just smart, not "insisting."
OpenSSL may be a way out, and Livecode already uses it for Linux and Android. Hopefully there will soon be a version in the 9-series with an OpenSSL option for Windows and OS X. Maybe there already is. I'm asking.
I'm intrigued about you asking if I have investigated libURL: please show me how libURL can do TLS 1. 2/1. 3 transactions with modern cipher suites. That would solve everything and I would be indebted!
I sure have learned a lot more about ciphers and Schannel in the last few days than I bargained for. The beauty of so many things, like Livecode, is that they just work without having to understand the details. And when they suddenly don't work, it's painful.
-John
			
			
									
									
						OpenSSL may be a way out, and Livecode already uses it for Linux and Android. Hopefully there will soon be a version in the 9-series with an OpenSSL option for Windows and OS X. Maybe there already is. I'm asking.
I'm intrigued about you asking if I have investigated libURL: please show me how libURL can do TLS 1. 2/1. 3 transactions with modern cipher suites. That would solve everything and I would be indebted!
I sure have learned a lot more about ciphers and Schannel in the last few days than I bargained for. The beauty of so many things, like Livecode, is that they just work without having to understand the details. And when they suddenly don't work, it's painful.
-John
Re: Get/Post tsNet error in Windows 7
Well, the reason I suggested libUrl instead is that tsNet is using Microsoft's Schannel rather than OpenSSL, and possibly libUrl is going straight to OpenSSL. YMMV. I don't see a reference to Schannel in the socket code base, although on mobile platforms the certificate checks bypass OpenSSL.
You can enable TLS 1.2 on Windows 7 by editing the registry, but I see you've already done that. What you can't do, though, is add a new cipher suite to the Schannel code. It's an operating system feature rather than anything in LiveCode or any other third-party additions - additional registry entries will just be ignored if they're not supported, thus the push to upgrade your operating system.
If you use something like Wireshark to examine the initial handshake protocol you'll see what crypto suites are requested and accepted. But really if tsNet is using Microsoft's Schannel on Windows then your options are pretty limited.
			
			
									
									You can enable TLS 1.2 on Windows 7 by editing the registry, but I see you've already done that. What you can't do, though, is add a new cipher suite to the Schannel code. It's an operating system feature rather than anything in LiveCode or any other third-party additions - additional registry entries will just be ignored if they're not supported, thus the push to upgrade your operating system.
If you use something like Wireshark to examine the initial handshake protocol you'll see what crypto suites are requested and accepted. But really if tsNet is using Microsoft's Schannel on Windows then your options are pretty limited.
PowerDebug http://powerdebug.ahsoftware.net
PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
						PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
Re: Get/Post tsNet error in Windows 7
I'm still intrigued by your suggestion that I could somehow bypass tsNet and use the OpenSSL library. I don't need the neat asynchronous ability of tsNet for this: just the regular blocking libURL is fine. However, it looks like a "get url" with the https address I used in the first post to maintainX is using tsNet because I get a tsNet error. Windows 7 Schannel just doesn't have the cipher to reach this site. OpenSSL has the right ciphers.
			
			
									
									
						Re: Get/Post tsNet error in Windows 7
I think if you remove the tsNet library from memory the fallback is to use just straight libUrl without the tsNet extension.
I just tried it here and it throws an error the first time through (not sure why) but works after that.
			
			
									
									Code: Select all
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"PowerDebug http://powerdebug.ahsoftware.net
PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
						PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
Re: Get/Post tsNet error in Windows 7
No access to my Windows7 machine here, but on OS X trying
 the "get" statement below then doesn't seem to do anything, with an empty result. Is there something else I need to do?
			
			
									
									
						Code: Select all
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"Code: Select all
on mouseup
   set the httpHeaders to "Authorization: Bearer" && field MXKey
   get field "MXurl" & "assets" 
   get url it
   if the result is empty then
      put it into field MXreturn
   else
      put the result into field MXreturn
   end if
end mouseupRe: Get/Post tsNet error in Windows 7
Oops. Forgot one line
			
			
									
									Code: Select all
libUrlSetDriver ""
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"PowerDebug http://powerdebug.ahsoftware.net
PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
						PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
Re: Get/Post tsNet error in Windows 7
You sir are a bonafide genius. THANKS!!!! I just had to remember to build the standalone with the internet and SSL library, and it works in Windows 7 (I got into work with VPN/RealVNC). I've read that tsNet has lots of advantages that the blocking "get url" doesn't have, but what I need right now is something that works.
If Livecode can build tsNet with OpenSSL and provide that as an option instead of Windows Schannel, that would be super and the best of both worlds. I'll post this in the bug report tomorrow.
Again, thanks so much for helping me at this evening. I wouldn't have figured out those mumbles in a million years. When you're out in Far West Texas, let me give you the VIP tour of McDonald Observatory.
-John
			
			
									
									
						If Livecode can build tsNet with OpenSSL and provide that as an option instead of Windows Schannel, that would be super and the best of both worlds. I'll post this in the bug report tomorrow.
Again, thanks so much for helping me at this evening. I wouldn't have figured out those mumbles in a million years. When you're out in Far West Texas, let me give you the VIP tour of McDonald Observatory.
-John
Re: Get/Post tsNet error in Windows 7
Ooooo... would love to take you up on that tour someday.
Glad this worked out for you. I obviously don't have access to the internals of the tsNet external, so I can't say much about the Schannel/OpenSSL thing.
But seriously... do think about a longer-term strategy of upgrading that OS when you get a chance.
			
			
									
									Glad this worked out for you. I obviously don't have access to the internals of the tsNet external, so I can't say much about the Schannel/OpenSSL thing.
But seriously... do think about a longer-term strategy of upgrading that OS when you get a chance.
PowerDebug http://powerdebug.ahsoftware.net
PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
						PowerTools http://www.ahsoftware.net/PowerTools/PowerTools.irev
Re: Get/Post tsNet error in Windows 7
Here's the reply I made on bug report 24057
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello Panos and Charles,
Mwieder on the forum kindly provided a workaround that I tested last night:
libUrlSetDriver ""
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"
This removes tsNet and falls back to the built-in capability for "get URL ...", albeit within the old limitations that prevent another "get" from being accepted until the pending "get" finishes. which is not a problem for me. I did trace the tsNet error for sure to websites that conform to best practices with TLS 1. 2/1. 3 using ciphers not available in Schannel in older versions of Windows.
I think it would be nice if tsNet had a runtime option to use OpenSSL in Windows and OS X to address the issue of Livecode users who must, for customer reasons, deploy on older operating systems that are either missing TLS 1. 2/1. 3 or the required cipher suites. However, with mwieder's workaround, this is isn't a big issue for me now.
Sincerely,
John
			
			
									
									
						~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello Panos and Charles,
Mwieder on the forum kindly provided a workaround that I tested last night:
libUrlSetDriver ""
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"
This removes tsNet and falls back to the built-in capability for "get URL ...", albeit within the old limitations that prevent another "get" from being accepted until the pending "get" finishes. which is not a problem for me. I did trace the tsNet error for sure to websites that conform to best practices with TLS 1. 2/1. 3 using ciphers not available in Schannel in older versions of Windows.
I think it would be nice if tsNet had a runtime option to use OpenSSL in Windows and OS X to address the issue of Livecode users who must, for customer reasons, deploy on older operating systems that are either missing TLS 1. 2/1. 3 or the required cipher suites. However, with mwieder's workaround, this is isn't a big issue for me now.
Sincerely,
John
