Get/Post tsNet error in Windows 7

Deploying to Windows? Utilizing VB Script execution? This is the place to ask Windows-specific questions.

Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, robinmiller

Post Reply
jwkuehne
Posts: 37
Joined: Wed Nov 28, 2007 3:12 am

Get/Post tsNet error in Windows 7

Post by jwkuehne » Tue Jan 03, 2023 9:32 pm

I have a simple stack in 9.6.9-rc-2 that does GET and POST to

https://api.getmaintainx.com/v1/

and the standalone works just fine in OSX/monterey and Windows 10, but it fails on Windows 7 with the error

tsneterr: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

It fails with the same message when directly calling the equivalent tsNet routine in Livecode.

I had thought that the tsNet library is based on OpenSSL and is separate from Windows TLS and cipher support. Indeed, the Livecode browser widget, which I think is based on Chromium, works fine to the MaintainX web portal work request in Windows 7, so at least Chromium seems to be taking care of TLS business.

Even so, just in case Livecode is somehow asking Windows 7 to handle the TLS, I still can't get it to work, despite having the correct updates and registry settings for TLS 1.2, and what looks like the correct ciphers and priority (I'm not a cryptography expert.)

The site accepts TLS 1.2 and 1.3 with the ciphers listed in the report:

https://www.ssllabs.com/ssltest/analyze ... =on&latest

You do need a JSON web token added to the header with something like

set the httpHeaders to "Authorization: Bearer" && myKey

but even so, you can still see this problem with just

get url "https://api.getmaintainx.com/v1/assets"

which should return

"{"error":"Empty token"}

but fails in Windows 7 during the TLS handshake before ever checking the header for your JSON web token.

Any ideas? As I said, I have the right service pack and registry settings in Windows for TLS 1.2. I *think* I have the required ciphers in the registry list.
Research Engineer
McDonald Observatory, Texas

jwkuehne
Posts: 37
Joined: Wed Nov 28, 2007 3:12 am

Re: Get/Post tsNet error in Windows 7

Post by jwkuehne » Tue Jan 03, 2023 9:41 pm

PS just found the link in the Dictionary to Tech Strategies, so I asked them too.
Research Engineer
McDonald Observatory, Texas

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Wed Jan 04, 2023 7:07 pm

Answer from Livcode: tsNet uses the built-in Windows Schannel service and not OpenSSL, as it does for Linux and Android. This means you're stuck in Windows 7 and Windows 8 (in 6 days!), with the ciphers that came with your operating system, including service pack updates. In my case, Windows 7 has

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

but I need

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

to connect to the MaintainX server, which Windows 7 doesn't have. Frustratingly, Windows does have

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.

Hopefully tsNet can be modified to use openSSL as an option for Windows users to escape Microsoft's planned obsolescence. Maybe the EU can fix this?

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3582
Joined: Mon Jan 22, 2007 7:36 am
Contact:

Re: Get/Post tsNet error in Windows 7

Post by mwieder » Wed Jan 04, 2023 10:15 pm

Since you mention planned obsolescence, I take it you're aware that mainstream support from Microsoft for Windows 7 ended eight years ago.

If you're going to insist on using Windows 7 then may you might try *not* using tsNet and using libUrl instead to see if that gets around the Schannel dependency.

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Thu Jan 05, 2023 5:22 pm

Of course I understand that Windows 7 is unsupported. I don't know how to add new cipher suites to Microsoft's Schannel facility, thus making my instrument controller increasingly unusable as more secure versions of TLS become mandatory. For scientific instrument control, you spend a lot of time and money making it work - that means meeting a specification for functionality and reliability - and then you deploy it. Operating system upgrades are inimical to doing science and engineering in this context. Upgrading from 32-bit Windows 7 would mean rewriting and recompiling drivers and applications, finding new bugs and reliability problems, and it would take weeks to months and thousands of dollars. Trying to find out if I can keep Windows 7 if at all possible is just smart, not "insisting."

OpenSSL may be a way out, and Livecode already uses it for Linux and Android. Hopefully there will soon be a version in the 9-series with an OpenSSL option for Windows and OS X. Maybe there already is. I'm asking.

I'm intrigued about you asking if I have investigated libURL: please show me how libURL can do TLS 1. 2/1. 3 transactions with modern cipher suites. That would solve everything and I would be indebted!

I sure have learned a lot more about ciphers and Schannel in the last few days than I bargained for. The beauty of so many things, like Livecode, is that they just work without having to understand the details. And when they suddenly don't work, it's painful.

-John

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3582
Joined: Mon Jan 22, 2007 7:36 am
Contact:

Re: Get/Post tsNet error in Windows 7

Post by mwieder » Thu Jan 05, 2023 6:02 pm

Well, the reason I suggested libUrl instead is that tsNet is using Microsoft's Schannel rather than OpenSSL, and possibly libUrl is going straight to OpenSSL. YMMV. I don't see a reference to Schannel in the socket code base, although on mobile platforms the certificate checks bypass OpenSSL.

You can enable TLS 1.2 on Windows 7 by editing the registry, but I see you've already done that. What you can't do, though, is add a new cipher suite to the Schannel code. It's an operating system feature rather than anything in LiveCode or any other third-party additions - additional registry entries will just be ignored if they're not supported, thus the push to upgrade your operating system.

If you use something like Wireshark to examine the initial handshake protocol you'll see what crypto suites are requested and accepted. But really if tsNet is using Microsoft's Schannel on Windows then your options are pretty limited.

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Fri Jan 06, 2023 2:37 am

I'm still intrigued by your suggestion that I could somehow bypass tsNet and use the OpenSSL library. I don't need the neat asynchronous ability of tsNet for this: just the regular blocking libURL is fine. However, it looks like a "get url" with the https address I used in the first post to maintainX is using tsNet because I get a tsNet error. Windows 7 Schannel just doesn't have the cipher to reach this site. OpenSSL has the right ciphers.

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3582
Joined: Mon Jan 22, 2007 7:36 am
Contact:

Re: Get/Post tsNet error in Windows 7

Post by mwieder » Fri Jan 06, 2023 3:01 am

I think if you remove the tsNet library from memory the fallback is to use just straight libUrl without the tsNet extension.

Code: Select all

set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"
I just tried it here and it throws an error the first time through (not sure why) but works after that.

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Fri Jan 06, 2023 3:13 am

No access to my Windows7 machine here, but on OS X trying

Code: Select all

set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"
the "get" statement below then doesn't seem to do anything, with an empty result. Is there something else I need to do?

Code: Select all

on mouseup
   set the httpHeaders to "Authorization: Bearer" && field MXKey
   get field "MXurl" & "assets" 
   get url it
   if the result is empty then
      put it into field MXreturn
   else
      put the result into field MXreturn
   end if
end mouseup

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3582
Joined: Mon Jan 22, 2007 7:36 am
Contact:

Re: Get/Post tsNet error in Windows 7

Post by mwieder » Fri Jan 06, 2023 3:23 am

Oops. Forgot one line

Code: Select all

libUrlSetDriver ""
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Fri Jan 06, 2023 4:09 am

You sir are a bonafide genius. THANKS!!!! I just had to remember to build the standalone with the internet and SSL library, and it works in Windows 7 (I got into work with VPN/RealVNC). I've read that tsNet has lots of advantages that the blocking "get url" doesn't have, but what I need right now is something that works.

If Livecode can build tsNet with OpenSSL and provide that as an option instead of Windows Schannel, that would be super and the best of both worlds. I'll post this in the bug report tomorrow.

Again, thanks so much for helping me at this evening. I wouldn't have figured out those mumbles in a million years. When you're out in Far West Texas, let me give you the VIP tour of McDonald Observatory.

-John

mwieder
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 3582
Joined: Mon Jan 22, 2007 7:36 am
Contact:

Re: Get/Post tsNet error in Windows 7

Post by mwieder » Fri Jan 06, 2023 4:15 am

Ooooo... would love to take you up on that tour someday.
Glad this worked out for you. I obviously don't have access to the internals of the tsNet external, so I can't say much about the Schannel/OpenSSL thing.
But seriously... do think about a longer-term strategy of upgrading that OS when you get a chance.

jkuehne
Posts: 6
Joined: Fri Dec 16, 2022 10:44 pm

Re: Get/Post tsNet error in Windows 7

Post by jkuehne » Fri Jan 06, 2023 3:12 pm

Here's the reply I made on bug report 24057

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello Panos and Charles,

Mwieder on the forum kindly provided a workaround that I tested last night:

libUrlSetDriver ""
set the behavior of stack "revLibURL" to empty
delete stack "tsNetLibUrl"

This removes tsNet and falls back to the built-in capability for "get URL ...", albeit within the old limitations that prevent another "get" from being accepted until the pending "get" finishes. which is not a problem for me. I did trace the tsNet error for sure to websites that conform to best practices with TLS 1. 2/1. 3 using ciphers not available in Schannel in older versions of Windows.

I think it would be nice if tsNet had a runtime option to use OpenSSL in Windows and OS X to address the issue of Livecode users who must, for customer reasons, deploy on older operating systems that are either missing TLS 1. 2/1. 3 or the required cipher suites. However, with mwieder's workaround, this is isn't a big issue for me now.

Sincerely,
John

Post Reply