Project

General

Profile

Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers

Added by Daniel Trick 3 months ago

Hello.

We recently started getting reports from our customers that the eID authentication via Open eCard software (version 1.2.4) fails on our service with error message "Es konnte keine Verbindung zum eID-Server aufgebaut werden" (i.e. connection to eID-Server could not be established). Apparently only some customers are affected, and I have not been able to reproduce the problem at all, thus far. At this point we are uncertain whether this is a problem of the eID-Server, a bug in the Open eCard software, or something else.

I have requested logs from the affected customers and this appears to be the relevant part:

2018-09-20 20:38:52,435 [PAOS] ERROR o.o.c.tls.ClientCertPSKTlsClient:234 - TLS error received.
2018-09-20 20:38:52,441 [PAOS] ERROR o.o.c.tls.ClientCertPSKTlsClient:235 - TLS(FATAL): Unexpected message [unexpected_message=10] --> Unknown error.
2018-09-20 20:38:52,611 [Thread-6] ERROR o.o.binding.tctoken.TCTokenHandler:402 - org.openecard.transport.paos.PAOSConnectionException: Es konnte keine Verbindung zum eID-Server aufgebaut werden.
java.util.concurrent.ExecutionException: org.openecard.transport.paos.PAOSConnectionException: Es konnte keine Verbindung zum eID-Server aufgebaut werden.
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.openecard.binding.tctoken.TCTokenHandler.waitForTask(TCTokenHandler.java:397)
    at org.openecard.binding.tctoken.TCTokenHandler.processBinding(TCTokenHandler.java:202)
    at org.openecard.binding.tctoken.TCTokenHandler.handleActivate(TCTokenHandler.java:323)
    at org.openecard.binding.tctoken.ActivationAction.processTcTokenOrActivationObject(ActivationAction.java:376)
    at org.openecard.binding.tctoken.ActivationAction.processRequest(ActivationAction.java:244)
    at org.openecard.binding.tctoken.ActivationAction.checkRequestParameters(ActivationAction.java:224)
    at org.openecard.binding.tctoken.ActivationAction.execute(ActivationAction.java:111)
    at org.openecard.addon.bind.AppPluginActionProxy.execute(AppPluginActionProxy.java:55)
    at org.openecard.control.binding.http.handler.HttpAppPluginActionHandler.handle(HttpAppPluginActionHandler.java:111)
    at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:437)
    at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:342)
    at org.openecard.control.binding.http.HttpService$1.run(HttpService.java:131)
Caused by: org.openecard.transport.paos.PAOSConnectionException: Failed to establish a connection to the eID-Server.
    at org.openecard.transport.paos.PAOS.openHttpStream(PAOS.java:410)
    at org.openecard.transport.paos.PAOS.sendStartPAOS(PAOS.java:298)
    at org.openecard.binding.tctoken.PAOSTask.call(PAOSTask.java:97)
    at org.openecard.binding.tctoken.PAOSTask.call(PAOSTask.java:48)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Internal TLS error, this could be an attack
    at org.openecard.bouncycastle.crypto.tls.TlsProtocol.processAlert(TlsProtocol.java:398)
    at org.openecard.bouncycastle.crypto.tls.TlsProtocol.processRecord(TlsProtocol.java:251)
    at org.openecard.bouncycastle.crypto.tls.RecordStream.readRecord(RecordStream.java:174)
    at org.openecard.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:511)
    at org.openecard.bouncycastle.crypto.tls.TlsProtocol.blockForHandshake(TlsProtocol.java:183)
    at org.openecard.bouncycastle.crypto.tls.TlsClientProtocol.connect(TlsClientProtocol.java:107)
    at org.openecard.binding.tctoken.TlsConnectionHandler.createTlsConnection(TlsConnectionHandler.java:236)
    at org.openecard.binding.tctoken.TlsConnectionHandler.createTlsConnection(TlsConnectionHandler.java:223)
    at org.openecard.transport.paos.PAOS.openHttpStream(PAOS.java:405)
    ... 5 common frames omitted

So there is an "Internal TLS error, this could be an attack" exception when trying to connect to the eID-Server!

I also managed to get network dumps from two of the affected customers (see attachments). These show that the eID-Server will send a fatal "Unexpected Message" (10) alert right after the "Server Hello Done" message. This does not happen in my own test.

We will be grateful for any help!

Best Regards
Daniel


Replies (6)

RE: Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers - Added by Detlef Hühnlein 3 months ago

It is very likely that this is a problem at the server side. There are some
Services/eID-Servers (e.g. in Nuremberg and Berlin) which are known to be in a bad shape.
It would be very helpful to get the full log which reveals at which server the problem occurs. Furthermore,
you should know that v1.2.4 is about to be replaced by v1.3.0. The current
release candidate is available at https://files.ecsec.de/index.php/s/citYSG498fRrH3b.
It would be good to see the full log and/or get the info whether the problem
also occurs with the current RC.

RE: Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers - Added by Daniel Trick 3 months ago

Detlef Hühnlein wrote:

It is very likely that this is a problem at the server side. There are some
Services/eID-Servers (e.g. in Nuremberg and Berlin) which are known to be in a bad shape.
It would be very helpful to get the full log which reveals at which server the problem occurs. Furthermore,

Thanks for reply!

The eID-Server on which the problem occurs for the customer is the MTG one, located at Darmstadt:
tlspsk.eidas.mtg.de

(is the full log still needed?)

you should know that v1.2.4 is about to be replaced by v1.3.0. The current
release candidate is available at https://files.ecsec.de/index.php/s/citYSG498fRrH3b.
It would be good to see the full log and/or get the info whether the problem
also occurs with the current RC.

Okay, I can ask the customer to try with the new RC version.

Unfortunately, the above link results in "Error: The requested share does not exist anymore" for me. Would you kindly check?

Best Regards
Daniel

RE: Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers - Added by Daniel Trick 3 months ago

Thank you for the link to the new version!

I asked an affected customer to try with the new version. Unfortunately, the problem is still the same (see attachment).


We have also contacted the provider of the eID-Server and they say that the problem is almost certainly caused by a duplicate "Client Hello" message sent by the client.

Indeed, we can see the duplicate "Client Hello" in all network dumps provided by the effected customers. We don't see this in our own tests though.

The question is now: Why does this happen? Is this a problem in the Open eCard software (or the TLS implementation that it uses) or is it caused by something else?

We will be grateful for any help!

Best Regards
Daniel

RE: Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers - Added by Tobias Wich 3 months ago

As we are also not able to reproduce the issue, there must be something different with the setup. Is a proxy involved at the client's setup?

RE: Open eCard fails with error "Es konnte keine Verbindung zum eID-Server aufgebaut werden" for some customers - Added by Daniel Trick 3 months ago

Tobias Wich wrote:

As we are also not able to reproduce the issue, there must be something different with the setup. Is a proxy involved at the client's setup?

I got information from one of the affected customer that he is not using a proxy server. However, according to his report, he has "Kaspersky Total Secuirty" installed.

Hence we tried installing "Kaspersky Free" on one of our test machines – and now we get the "Es konnte keine Verbindung zum eID-Server aufgebaut werden" error on that machine as well!

2018-09-25 16:03:11,107+02 [Thread-8] ERROR o.o.binding.tctoken.TCTokenHandler:355 - java.util.concurrent.ExecutionException: org.openecard.transport.paos.PAOSConnectionException: Es konnte keine Verbindung zum eID-Server aufgebaut werden.
org.openecard.transport.paos.PAOSException: java.util.concurrent.ExecutionException: org.openecard.transport.paos.PAOSConnectionException: Es konnte keine Verbindung zum eID-Server aufgebaut werden.
    ...
Caused by: java.util.concurrent.ExecutionException: org.openecard.transport.paos.PAOSConnectionException: Es konnte keine Verbindung zum eID-Server aufgebaut werden.
    ...
Caused by: org.openecard.transport.paos.PAOSConnectionException: Failed to establish a connection to the eID-Server.
    ....
Caused by: java.net.SocketException: Software caused connection abort: socket write error

Adding java.exe to the "Trusted Applications" in Kaspersky options and activating the "Do not scan all traffic" check box fixes the issue for me. Activating "Do not scan encrypted traffic" did not fix it.

So, after all, the problem seems the be caused by a serious bug in Kaspersky network scanning code... (though I'll have to check back with the other affected customers too)

Best Regards
Daniel

kaspersky_free.png (83.3 KB)

    (1-6/6)