TLS Handshake Failure in Xojo HttpSecureSocket Request

Hi, all. I apologize in advance, as I’m not a networking expert. On November 6th, 2019 there was some change on the CloudFlare end which caused all previously-working requests in our desktop software to fail with a network disconnected error.

Our software is built using the Xojo framework, and the error occurs when using the HttpSecureSocket class. We receive error 102. In examining packets sent via WireShark, it appears we’re getting a fatal Handshake Failure. Unfortunately, I don’t have a clear picture of what the TLS handshake looked like prior to November 6th.

While we have found a different method for downloading files which plays nicely with CloudFlare, we can only offer this for customers who update their software to our latest version. For legacy customers, we’ve had to circumvent CloudFlare entirely, which has caused a $20 CloudFlare bill to translate to $12,000 when accessing Amazon S3 directly. We tried putting up an Amazon CloudFront distribution in front of it as a stop-gap, but our Xojo framework ran into issues with that for different reasons, so it’s a no-go.

Has anyone else seen a change which occurred on or around November 6th which caused a TLS handshake failure, and do you have any recommendations for resolving it?

We currently have the weakest level of encryption enabled in the caching back-end, and allow connections back to TLSv1.0.

Thank you!

:wave: @user6453,

Without knowing the exact error, my best guess is either going to be the minimum TLS level specified on the SSL/TLS tab is the issue or you need a cert with non-SNI support (business plan plus upload your own cert should take care of the SNI thing).

— OG
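The two causes named above (edge minimum TLS version, and a client that sends no SNI) can both be read straight off the ClientHello that WireShark shows before the fatal alert. The parser below is an added example, not code from this thread or from Xojo: it decodes a ClientHello record, reports the offered version(s), cipher suites and SNI, and flags the two conditions. The `build_client_hello` helper only constructs sample input for offline use; the field layout follows the TLS record and handshake format, and the hint wording is my own.

```python
import struct

def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello; report version, SNI and cipher suites."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])       # record header
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]                           # skip version(2), random(32), session_id(1+len)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # skip compression methods
    info = {"client_version": client_ver, "ciphers": ciphers, "sni": None, "supported_versions": []}
    if pos + 2 <= len(hello):                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if etype == 0:                         # server_name: list_len(2) type(1) len(2) name
                info["sni"] = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii")
            elif etype == 43:                      # supported_versions: len(1) then 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, edata[0], 2)]
    return info

def build_client_hello(version, ciphers, sni=None):
    """Constructed sample ClientHello for testing; not captured traffic."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name         # name_type host_name
        sn = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", 0, len(sn)) + sn
    hello = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"        # version, random, no session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00" + struct.pack("!H", len(ext)) + ext           # null compression, extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

def handshake_hints(info):
    """Flag the two conditions a CDN edge commonly rejects: no SNI, or nothing above TLS 1.1."""
    hints = []
    if info["sni"] is None:
        hints.append("no SNI: an edge serving shared certificates cannot pick one for this host")
    top = max([info["client_version"]] + info["supported_versions"])
    if top < 0x0303:
        hints.append("offers at most TLS 1.%d: fails if the edge minimum is TLS 1.2" % (top - 0x0301))
    return hints
```

Run `handshake_hints(parse_client_hello(raw))` on the ClientHello bytes exported from the capture; an empty list means neither of the two causes above is visible in the handshake.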

Thanks, Oliver!

I suppose there’s no real way to test if that would resolve it before taking the plunge and upgrading, unless I could find several examples of companies who are on our basic tier versus companies who are on the business tier and then test whether we can make requests to download the files in those various scenarios. We may have to take the plunge, although I have half a mind to just port things over to CloudFront anyway and reduce the number of discrete companies we have to interact with. Maybe I can just plead with a couple million people to please update their software to the latest version–ha!

The only interesting thing of note is that our Xojo code attempts to connect via TLSv1.2 and then, during the negotiation with CloudFlare, the request is downgraded to TLSv1.0. Either way, we have 1.0 support enabled so it should work with both requests.

I’ll keep digging. I like the thought on uploading our own cert–thanks again!
