Question: Windows CE 6.0 TLS problem

  • 9 February 2012 (B.E. 2555) 13:16

    I have a problem with using an SSL socket against TLS1 with RC4/MD5 on Windows CE 6.0 R3.
    The socket is defined as SSL using the usual setsockopt SO_SECURE option (I followed the example in http://msdn.microsoft.com/en-us/library/ms911704.aspx).
    The symptom is that the connection can be established only once to the remote site with those TLS1/RC4-MD5 SSL parameters, and every subsequent connect fails with 10022.

    This situation lasts until the Winsock library is unloaded by WSACleanup.

    Our certificate validation hook only returns the OK state, so no validation is actually done on the remote certificate.

    When I go against an openssl-based TLS1 server, everything works fine.

    Do you have any suggestions?

All replies

  • 13 February 2012 (B.E. 2555) 10:53
    Moderator

    Hello,

    Could you please show us the code in your project? Or would you please upload a sample project to SkyDrive?

    It is not necessary that you send out the whole of your project. We just need the simplest sample that reproduces the problem. You can remove any confidential information or business details from it.

    Best regards,
    Jesse


    Jesse Jiang [MSFT]
    MSDN Community Support | Feedback to us

  • 13 February 2012 (B.E. 2555) 12:02
    Contains code

    Of course; below is the test code I have used (I am calling this in a loop with some delay between calls). As I wrote before, it works the first time and never again (it fails on connect). Only restarting the application (or calling WSACleanup and then WSAStartup again) has helped so far.

    #include <winsock2.h>
    #include <sslsock.h>   /* SO_SECURE, SO_SEC_SSL, SSLVALIDATECERTHOOK, SSLPROTOCOLS, SSLCONNECTIONINFO */
    #include <stdio.h>
    #include <string.h>

    /* Test-only hook: returns OK for every certificate without inspecting the chain,
       so the identity of the remote peer is never verified. */
    int CALLBACK SSLValidateCertificateHook(DWORD dwType, LPVOID pvArg, DWORD dwChainLen, LPBLOB pCertChain, DWORD dwFlags)
    {
        return SSL_ERR_OKAY;
    }

    void makeConnection(char* ipAddress, int port)
    {
        char pingrequest[] =
            "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><pingrequest><authentication></authentication><transmittertype></transmittertype><transmittercode></transmittercode><transmittertime></transmittertime></pingrequest>";
        char message[256];

        /* Create */
        SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (clientSocket == INVALID_SOCKET)
        {
            printf("Allocating TCP socket failed - Error : %d\r\n", WSAGetLastError());
            return;
        }

        /* Set up secure socket: the SSL handshake will run inside connect() */
        DWORD dwParam = SO_SEC_SSL;
        if (setsockopt(clientSocket, SOL_SOCKET, SO_SECURE, (LPCSTR)&dwParam, sizeof(dwParam)) == SOCKET_ERROR)
        {
            printf("Set socket option failed - Error %d\r\n", WSAGetLastError());
        }

        /* Install the certificate validation hook (the accept-everything hook above) */
        SSLVALIDATECERTHOOK validateHook;
        validateHook.HookFunc = SSLValidateCertificateHook;
        validateHook.pvArg = (PVOID)clientSocket;
        if (WSAIoctl(clientSocket, SO_SSL_SET_VALIDATE_CERT_HOOK, &validateHook, sizeof(validateHook),
                     NULL, 0, NULL, NULL, NULL) == SOCKET_ERROR)
        {
            printf("Validate cert hook error - Error %d\r\n", WSAGetLastError());
        }

        /* Restrict the handshake to TLS 1.0 */
        SSLPROTOCOLS protocolsToUse;
        protocolsToUse.dwCount = 1;
        protocolsToUse.ProtocolList[0].dwFlags = 0;
        protocolsToUse.ProtocolList[0].dwVersion = 0;
        protocolsToUse.ProtocolList[0].dwProtocol = SSL_PROTOCOL_TLS1;
        if (WSAIoctl(clientSocket, SO_SSL_SET_PROTOCOLS, (LPVOID)&protocolsToUse, sizeof(protocolsToUse),
                     NULL, 0, NULL, NULL, NULL) == SOCKET_ERROR)
        {
            printf("SO_SSL_SET_PROTOCOLS failed - Error %d\r\n", WSAGetLastError());
        }

        /* Fill out the server socket's address information and check the IP address */
        SOCKADDR_IN destination_sin;
        memset(&destination_sin, 0, sizeof(destination_sin));
        destination_sin.sin_family = AF_INET;
        destination_sin.sin_port = htons((u_short)port);
        destination_sin.sin_addr.s_addr = inet_addr(ipAddress);
        if (destination_sin.sin_addr.s_addr == INADDR_NONE)
        {
            printf("Invalid IP address: %s\n", ipAddress);
            closesocket(clientSocket);
            return;
        }

        /* Connect (TCP connect followed by the SSL handshake) */
        if (connect(clientSocket, (PSOCKADDR)&destination_sin, sizeof(destination_sin)) == SOCKET_ERROR)
        {
            printf("Socket connect error: %d\n", WSAGetLastError());
            closesocket(clientSocket);   /* do not leak the socket on failure */
            return;
        }
        printf("Connected OK\n");

        /* Query the negotiated SSL connection info */
        SSLCONNECTIONINFO SSLConnectionInfo;
        DWORD dwBytes = 0;
        if (WSAIoctl(clientSocket, SO_SSL_GET_CONNECTION_INFO, NULL, 0,
                     &SSLConnectionInfo, sizeof(SSLConnectionInfo), &dwBytes, NULL, NULL) == SOCKET_ERROR)
        {
            printf("SO_SSL_GET_CONNECTION_INFO failed - Error %d\n", WSAGetLastError());
            closesocket(clientSocket);
            return;
        }

        /* Local endpoint (diagnostic only) */
        SOCKADDR_IN localEndpoint;
        int len = sizeof(localEndpoint);
        if (getsockname(clientSocket, (PSOCKADDR)&localEndpoint, &len) == SOCKET_ERROR)
        {
            printf("getsockname: %d\n", WSAGetLastError());
        }
        else
        {
            printf("Local port: %d\n", ntohs(localEndpoint.sin_port));
        }

        /* Send */
        int writeBytes = send(clientSocket, pingrequest, (int)strlen(pingrequest), 0);
        if (writeBytes == SOCKET_ERROR)
        {
            printf("send: %d\n", WSAGetLastError());
        }

        /* Receive: leave one byte for the string terminator */
        int readBytes = recv(clientSocket, message, sizeof(message) - 1, 0);
        if (readBytes > 0)
        {
            message[readBytes] = 0;
            printf("Received:\n%s\n", message);
        }

        /* Close */
        int shutdownResult = shutdown(clientSocket, SD_BOTH);
        printf("shutdown res: %d\n", shutdownResult);

        int closeResult = closesocket(clientSocket);
        printf("close res: %d\n", closeResult);
    }