makhonin
Explorer

Could not establish secure channel for SSL/TLS over web service (R80.10)

I am trying to connect over PowerShell (Invoke-WebRequest) but got this error:

Could not establish secure channel for SSL/TLS over web service

That instruction is not helping: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

windows 10 1809 x64

How do I use the web API?

0 Kudos
10 Replies
makhonin
Explorer

Trying to use curl.

report:
--insecure -XPOST "https://172.21.2.6/web_api/login" -d "{\"user\": \"secret\", \"password\": \"secret\"}" -H "Content-Type: application/json" -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 172.21.2.6:443...
* TCP_NODELAY set
* Connected to 172.21.2.6 (172.21.2.6) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: OU=Domain Control Validated; OU=COMODO SSL Wildcard; CN=*.secret.secret
* start date: Jan 18 00:00:00 2017 GMT
* expire date: Apr 17 23:59:59 2020 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /web_api/login HTTP/1.1
> Host: 172.21.2.6
> User-Agent: curl/7.65.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 2
>
* upload completely sent off: 2 out of 2 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Date: Thu, 06 Jun 2019 08:30:21 GMT
< Server: CPWS
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json
< X-UA-Compatible: IE=EmulateIE8
< X-Forwarded-Host-Port: 443
< Connection: close
< Transfer-Encoding: chunked
<
{
"code" : "generic_err_invalid_syntax",
"message" : "Login request message processing failed"
}* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
Note: Unnecessary use of -X or --request, POST is already inferred.
* Closing connection -1
curl: (3) URL using bad/illegal format or missing URL
0 Kudos
G_W_Albrecht
Legend

Can you explain what you are trying to achieve? sk121353 is for SmartConsole / SmartDashboard only...

CCSE CCTE CCSM SMB Specialist
0 Kudos
makhonin
Explorer

I am trying to login over web services and get token

0 Kudos
PhoneBoy
Admin

If you could post the exact errors you're seeing, it will help us help you.
The most likely cause is that Powershell isn't trusting the CA certificate used by the API endpoint.
There's usually an option to ignore this check, or you can add the relevant certificate authority to the local certificate store so the check works correctly.
0 Kudos
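PhoneBoy's advice above leaves one practical question open: which link of the chain Windows refuses, and how to trust it without switching validation off. The following Windows PowerShell 5.1 script is an added example, not code from the thread or from Check Point. It performs one TLS handshake to the management server (the address is the one from the thread), records the verdict the Windows chain engine computes, optionally saves the root the server presented, and imports that root into the machine Trusted Root store only as a deliberate second step. The function names, `$RootCaPath` and the export path are assumptions.

```powershell
# Added example, not from the thread. Diagnose why Windows (and therefore
# Invoke-WebRequest) rejects the management server's certificate chain, then
# fix trust by importing the right root instead of disabling validation.
$ManagementServer = '172.21.2.6'                  # address from the thread
$RootCaPath       = 'C:\temp\cp-mgmt-root.cer'    # placeholder: where the presented root is saved

# Windows PowerShell 5.1 goes through .NET's ServicePointManager; make TLS 1.2 explicit.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-EndpointChainStatus {
    # One TLS handshake, reporting what the Windows chain engine decided.
    # The callback returns $true only so the handshake completes and the verdict
    # can be read; no application data is sent over this connection.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$ExportRootTo             # optional: save the chain's last element as DER
    )
    $result = @{}
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $sslPolicyErrors)
        $result['Subject']      = $cert.Subject
        $result['Issuer']       = $cert.Issuer
        $result['Expires']      = $cert.GetExpirationDateString()
        $result['PolicyErrors'] = $sslPolicyErrors     # e.g. RemoteCertificateChainErrors, NameMismatch
        $result['ChainStatus']  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result['RootSubject']  = $root.Subject
        if ($ExportRootTo) {
            [IO.File]::WriteAllBytes($ExportRootTo,
                $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        }
        return $true
    }.GetNewClosure())
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

function Install-EndpointRootCa {
    # Trust the saved root for the whole machine (run from an elevated prompt).
    # Do this only after confirming RootSubject is your own organisation's CA.
    param([Parameter(Mandatory)][string]$CerPath)
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
}

# 1. Read the verdict. 'UntrustedRoot' in ChainStatus is the Windows counterpart of
#    curl's "self signed certificate in certificate chain" seen earlier in the thread.
$status = Get-EndpointChainStatus -HostName $ManagementServer -ExportRootTo $RootCaPath
$status | Format-List

# 2. Only if the root is legitimately yours:
# Install-EndpointRootCa -CerPath $RootCaPath
```

Because the server is addressed by IP while its certificate carries a DNS wildcard name, PolicyErrors will also show a name mismatch; that part is fixed by addressing the server by a name the certificate covers, not by importing anything.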
makhonin
Explorer

I have the same error with the standard curl app; please look up, I already posted the error:

"code" : "generic_err_invalid_syntax",
"message" : "Login request message processing failed"

P.S. My password has the symbols _ and !
0 Kudos
Joshua_Hatter
Employee

I've tested on R80.20 in the lab with passwords containing both ! and _, and they work fine. Do you have an SR opened up? Please do, and I can follow up on it. We will need several log files.

Also, if you could install Fiddler to be sure the payload is appropriate as it leaves your machine; we do not log the payload in our log file as it contains passwords.

0 Kudos
Joshua_Hatter
Employee

I was able to reproduce your message over curl. Are you escaping the special characters inside the payload? I think it's possible it's not leaving as you expect, and Fiddler or some other sniffing method will reveal the issue. I was able to get it to work by using single quotes on the outside of the data section.

[Expert@Hatter-FW1-R8020:0]# curl_cli -kv -X POST "https://172.25.132.200/web_api/login" -d '{"user": "bang", "password": "vpn123\!"}' -H "Content-Type: application/json"
{
"code" : "generic_err_invalid_syntax",
"message" : "Login request message processing failed"
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

[Expert@Hatter-FW1-R8020:0]# curl_cli -kv -X POST "https://172.25.132.200/web_api/login" -d '{"user": "bang", "password": "vpn123!"}' -H "Content-Type: application/json"
<
{
"uid" : "d3ba6f52-6816-4f61-8052-42b05a568d25",
"sid" : "ipZYub8AVGK6JQkJQjtd4CHXTAShVHuShG2DanGyAQo",
"url" : "https://172.25.132.200:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1560183081877,
"iso-8601" : "2019-06-10T11:11-0500"
},
"api-server-version" : "1.3"
* Connection #0 to host 172.25.132.200 left intact

0 Kudos
makhonin
Explorer

Just tried your code, changing only part of the name and part of the password.

&"C:\Windows\SysWOW64\curl.exe" -kv -X POST "https://172.21.2.6/web_api/login" -d '{"user": "name-admin", "password": "pass__"}' -H "Content-Type: application/json"

Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 172.21.2.6...
* TCP_NODELAY set
* Connected to 172.21.2.6 (172.21.2.6) port 443 (#0)
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 147 bytes...
* schannel: sent initial handshake data: sent 147 bytes
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5120 length 5120
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 2/3)
* schannel: encrypted data got 384
* schannel: encrypted data buffer: offset 5504 length 6144
* schannel: sending next handshake data: sending 318 bytes...
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 2/3)
* schannel: encrypted data got 51
* schannel: encrypted data buffer: offset 51 length 6144
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with 172.21.2.6 port 443 (step 3/3)
* schannel: stored credential handle in session cache
> POST /web_api/login HTTP/1.1
> Host: 172.21.2.6
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 40
>
* upload completely sent off: 40 out of 40 bytes
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 387
* schannel: encrypted data buffer: offset 387 length 103424
* schannel: decrypted data length: 358
* schannel: decrypted data added: 358
* schannel: decrypted data cached: offset 358 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 358 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 358
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 400 Bad Request
< Date: Tue, 11 Jun 2019 05:40:17 GMT
< Server: CPWS
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json
< X-UA-Compatible: IE=EmulateIE8
< X-Forwarded-Host-Port: 443
< Connection: close
< Transfer-Encoding: chunked
<
{
"code" : "generic_err_invalid_syntax",
"message" : "Login request message processing failed"
}* Closing connection 0
* schannel: shutting down SSL/TLS connection with 172.21.2.6 port 443
* schannel: clear security context handle

0 Kudos
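Joshua_Hatter's finding above (the payload does not leave the machine as typed), together with the Windows trace just posted, points at shell quoting rather than at the API. The following Windows PowerShell 5.1 script is an added example, not code from the thread or from Check Point: it builds the login JSON with ConvertTo-Json so no shell quoting is involved at all, posts it to /web_api/login, carries the returned sid in the X-chkp-sid header for a read-only show-session call, and logs out. The server address is the one from the thread; the function names are assumptions, and the account is prompted for instead of being typed into a command line.

```powershell
# Added example, not from the thread. Log in to the Check Point Management API
# from Windows PowerShell 5.1 without hand-quoting any JSON.
$Server  = '172.21.2.6'                 # management server address from the thread
$BaseUrl = "https://$Server/web_api"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function New-CpLoginBody {
    # Serialise the credential with ConvertTo-Json: '!' and '_' need no escaping and the
    # quotes are always correct. The UTF-8 byte count of the result is the Content-Length
    # a correct client sends; compare it with a verbose curl trace when something looks off.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $json = @{
        user     = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json -Compress
    return $json
}

function Invoke-CpApi {
    # One POST to the API. Every call after login carries the session id in X-chkp-sid.
    param(
        [Parameter(Mandatory)][string]$Command,
        [string]$Body = '{}',
        [string]$Sid
    )
    $headers = @{}
    if ($Sid) { $headers['X-chkp-sid'] = $Sid }
    Invoke-RestMethod -Method Post -Uri "$BaseUrl/$Command" -ContentType 'application/json' -Headers $headers -Body $Body
}

$cred  = Get-Credential -Message 'Management API account'
$login = Invoke-CpApi -Command 'login' -Body (New-CpLoginBody -Credential $cred)
$sid   = $login.sid                     # the field seen in the successful curl_cli trace above
try {
    # Read-only call that proves the session works.
    Invoke-CpApi -Command 'show-session' -Sid $sid | Format-List
} finally {
    # Release the session; an abandoned one lingers until session-timeout (600 s above) expires.
    Invoke-CpApi -Command 'logout' -Sid $sid | Out-Null
}
```

If curl.exe is driven from Windows PowerShell instead, the inner double quotes of the payload have to survive argument construction: Windows PowerShell strips unescaped double quotes when it assembles the command line for a native executable, so inside a single-quoted PowerShell string they must be written as `\"` (`-d '{\"user\": \"x\", \"password\": \"y\"}'`), or the JSON is read from a file with `-d '@login.json'`. A Content-Length shorter than the JSON literal is the symptom to look for: the trace above shows a 44-character literal but only 40 bytes sent, which is what a mangled body looks like even before the server answers with generic_err_invalid_syntax.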
makhonin
Explorer

Any ideas?

That server works with a self-signed certificate; on another http:// server everything is OK.

0 Kudos
makhonin
Explorer

Any ideas? Please help.

0 Kudos