-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
I'm currently working on a pure VB6 based WinHttpRequest replacement class based on TLS 1.3 support in VbAsyncSocket project. This will be a source-compatible replacement class that will bring TLS 1.3 (and legacy TLS 1.2) support on all Windows back to NT4.
I'm using this thread to gather requirements kind of :-))
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Oh wow, that is awesome! I've put myself on the watch list for when that wrapper is implemented. I suppose making a custom dll using your library would be trivial so this could be used in VBA for example (in my case Access 97) without having to use the source class modules and re-write whatever incompatibilities exist. Very very cool!
Last thing from the previous post: In the interim, if I want to try using the Win 7 dlls on this vista installation, do you know what other dependencies I'd need to bring over other than winhttp.dll? It's okay if you don't. Thanks again, and great posts!
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by Montclair
Last thing from the previous post: In the interim, if I want to try using the Win 7 dlls on this vista installation, do you know what other dependencies I'd need to bring over other than winhttp.dll?
I didn't try this hack on the Vista VM here (I was speaking only hypothetically) but might try it later if time permits.
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by Montclair
It was, surprisingly, easy to convert my existing code in the actual application to use WinHTTP, which appears to work properly enforcing TLS 1.2 on all calls from XP POSReady and Windows 10 (the OS's where this application will be deployed).
While this isn't an answer as to why POSReady and XMLServerHTTP calls try to use TLS 1.0 on the first call (despite the registry stating that's not desirable), it is an acceptable workaround.
For others who may stumble upon this and are hesitant, converting my code was as simple as this:
Code:
Set XMLReceive = CreateObject("Msxml2.DOMDocument.6.0")
Set XMLServer = CreateObject("Msxml2.ServerXMLHTTP.6.0")
XMLServer.setTimeouts ResolveTimeoutMs, ConnectTimeoutMs, SendTimeoutMs, ReceiveTimeoutMs
XMLServer.setRequestHeader "User-Agent", "My XML App V1.0"
XMLServer.setRequestHeader "Content-type", "text/xml"
IMXMLServer.Open "POST", Server_Address, False
XMLServer.send (My_XML_Request_String_or_XML_Document)
Failure = (XMLServer.Status <> 200)
If Not Failure Then XMLReceive.loadXML (XMLServer.ResponseXML.XML)
to
Code:
Set XMLServer = CreateObject("WinHttp.WinHttpRequest.5.1")
Set XMLReceive = CreateObject("Msxml2.DOMDocument.6.0")
XMLServer.setTimeouts ResolveTimeoutMs, ConnectTimeoutMs, SendTimeoutMs, ReceiveTimeoutMs
'force TLS 1.2
XMLServer.Option(9) = 2048
XMLServer.Option(6) = True
IMXMLServer.Open "POST", Server_Address, False
XMLServer.setRequestHeader "User-Agent", "My XML App V1.0"
XMLServer.setRequestHeader "Content-type", "text/xml"
XMLServer.send (My_XML_Request_String_or_XML_Document)
Failure = (XMLServer.Status <> 200)
If Not Failure Then XMLReceive.loadXML (XMLServer.ResponseText)
It would, nonetheless, be interesting to understand why such odd behavior arises from the XMLServerHTTP object, but that may never be found, as I'm moving on with the project using the WinHTTP object.
Please show me your declaration of "IMXMLServer".
Thank you!
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by tmighty2
Please show me your declaration of "IMXMLServer".
Thank you!
That's a typo from old code I removed. Anywhere you see IMXMLServer, it should be XMLServer, which is declared right there. For example, if using Winhttp, it's this:
Code:
Set XMLServer = CreateObject("WinHttp.WinHttpRequest.5.1")
converted from when I was using MSXML object, which was this:
Code:
Set XMLServer = CreateObject("Msxml2.ServerXMLHTTP.6.0")
I've updated the original post to remove the typos.
As a side note, I've actually re-written the connection routine to detect the version of Windows that's running, and use whatever object will get me TLS 1.2 based on my tests. It was rather trivial to do this, and I got my code working to get TLS 1.2 on XP, Vista, 7, and 10.
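An added example (mine, not code from the thread or from the VbAsyncSocket project) of the WinHttp setting used in the converted code above, written with the enum values behind Option(9)/2048 and Option(6) spelled out, followed by the check a practitioner wants after forcing a protocol: read the tls_version field that howsmyssl.com returns and fail unless TLS 1.2 was actually negotiated. The User-Agent string and the 15 s timeouts are my choices.

```vbscript
Option Explicit

' WinHttpRequestOption enum values behind the magic numbers used in the thread
Const WinHttpRequestOption_EnableRedirects = 6
Const WinHttpRequestOption_SecureProtocols = 9
' SecureProtocol flag for TLS 1.2 (WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 = 0x800)
Const SecureProtocol_TLS1_2 = 2048

' Asks howsmyssl.com what was negotiated and returns its tls_version string,
' or "" on any failure. Certificate errors are deliberately NOT ignored.
Function NegotiatedTlsVersion(ByVal protocolFlags)
    Dim http, body, p, q
    NegotiatedTlsVersion = ""
    On Error Resume Next
    Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
    http.SetTimeouts 15000, 15000, 15000, 15000      ' assumed values, ms
    http.Option(WinHttpRequestOption_SecureProtocols) = protocolFlags
    http.Option(WinHttpRequestOption_EnableRedirects) = True
    http.Open "GET", "https://www.howsmyssl.com/a/check", False
    http.SetRequestHeader "User-Agent", "TlsCheck/1.0"   ' assumed UA string
    http.Send
    If Err.Number <> 0 Then
        ' Schannel without TLS 1.2 support (or an untrusted chain) ends up here
        WScript.Echo "Request failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If
    On Error GoTo 0
    If http.Status <> 200 Then Exit Function
    body = http.ResponseText
    ' Extract "tls_version":"..." by string search, never by evaluating the JSON
    p = InStr(body, """tls_version""")
    If p = 0 Then Exit Function
    p = InStr(p + Len("""tls_version"""), body, """")  ' opening quote of the value
    q = InStr(p + 1, body, """")                        ' closing quote of the value
    NegotiatedTlsVersion = Mid(body, p + 1, q - p - 1)
End Function

' Force TLS 1.2 only, then verify the server agrees
Dim ver
ver = NegotiatedTlsVersion(SecureProtocol_TLS1_2)
If ver = "TLS 1.2" Then
    WScript.Echo "OK: negotiated " & ver
Else
    WScript.Echo "FAIL: negotiated '" & ver & "'"
End If
```

On a machine whose Schannel has no TLS 1.2 the failure shows up at Send as a WinHttp error rather than as a silent downgrade, which is the point of setting SecureProtocols instead of relying on registry defaults.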
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Btw, VbAsyncSocket effort has a pure VB6 implementation for both TLS 1.2 and TLS 1.3 client and server-side support complete with no dependency on SSPI/Schannel (or openssl) so this should work the same on any Windows since NT4.
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by wqweto
Btw, VbAsyncSocket effort has a pure VB6 implementation for both TLS 1.2 and TLS 1.3 client and server-side support complete with no dependency on SSPI/Schannel (or openssl) so this should work the same on any Windows since NT4.
cheers,
</wqw>
You finished it?! Awesome! Could you post example code that replaces what I've provided here?
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Better late than never.
Just committed the first cut of cHttpRequest class that is a source-compatible WinHttpRequest replacement class which should allow accessing web APIs and web sites using TLS 1.3 using VB6 on everything down to NT 4.0 (incl. XP, Vista and Win7).
It's not 100% complete yet (e.g. no client certificates are implemented) but on your howsmyssl.com test above it prints this:
Quote:
Content-Length: 925
Access-Control-Allow-Origin: *
Connection: close
Content-Type: application/json
Date: Tue, 09 Nov 2021 11:39:00 GMT
Strict-Transport-Security: max-age=631138519; includeSubdomains; preload
{
given_cipher_suites: [
"TLS_AES_128_GCM_SHA256",
"TLS_AES_256_GCM_SHA384",
"TLS_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
],
ephemeral_keys_supported: true,
session_ticket_supported: false,
tls_compression_supported: false,
unknown_cipher_suite_supported: false,
beast_vuln: false,
able_to_detect_n_minus_one_splitting: false,
insecure_cipher_suites: { },
tls_version: "TLS 1.3",
rating: "Probably Okay"
}
Edit: Client certificates are implemented as of commit 342c4b0.
Edit 2: Everything but SetAutoLogonPolicy method is re-implemented now, incl. http/https proxies support.
In addition cHttpRequest class supports gzip decompression on Win10 and newer which is missing in the original WinHttpRequest object.
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by wqweto
Better late than never.
Just committed the first cut of cHttpRequest class that is a source-compatible WinHttpRequest replacement class which should allow accessing web APIs and web sites using TLS 1.3 using VB6 on everything down to NT 4.0 (incl. XP, Vista and Win7).
</wqw>
Assuming this works, major kudos to you! I'm going to give it a shot today, as I'm having difficulty getting the XP machines to connect to a particular API today, and my original TLS program is also failing on them. I'll be thrilled to get away from Microsoft's API. I'll report back after I do some testing. Thank you!!
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
The only code samples that work for me are \test\BareboneTls\Project1 and \test\BareboneTls\Project3
None of the samples in \test\Secure work and all come back with errors.
Project2 comes back with: "Error: The message received was unexpected or badly formatted. Handshake failure."
I assume that fails since it uses the native encryption stuff.
Project1 and Project3 come back with:
"Error: The revocation status of the certificate or one of the certificates in the certificate chain is unknown"
Here's the debug window log:
699.060 [INFO] Listening on 127.0.0.1:10443 [Form1.Form_Load]
700.855 [INFO] IpAddress=34.71.45.200 [Form1.m_oSocket_OnResolve]
701.029 [INFO] Using ECDHE-ECDSA-CHACHA20-POLY1305 from www.howsmyssl.com [mdTlsThunks.pvTlsParseHandshakeServerHello]
701.029 [INFO] With exchange group X25519 [mdTlsThunks.pvTlsParseHandshake]
701.034 [INFO] Valid ECDSA_SECP256R1_SHA256 signature [mdTlsThunks.pvTlsSignatureVerify]
701.169 [ERROR] The revocation status of the certificate or one of the certificates in the certificate chain is unknown &H80040000 [Form1.m_oSocket_OnError, cTlsSocket.pvHandleReceive, cTlsSocket.pvPkiCertValidate]
I'm getting similar errors with test\Basic\ projects.
Edit - Fix Found: I spent several hours trying to figure this out and located \lib\ISRG_Root_X1.cer in the project. Double clicking on it told me it was untrusted and there were options to install the certificate. Doing that resolved the problems above.
You may want to put that in the README.MD for the project to save people a lot of effort trying to figure out why the code doesn't work.
It would be nice to not have to use that file at all (a lot of this is above my knowledge level so IDK if that's even possible).
I'll do more testing and report back with some sample code if I can generate something that works and is less complex than what I see in the samples.
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Wow, dude -- this thing is great! This is basically a drop-in replacement for winhttp, changing Option to Option_ and Method to Method_. I'm getting TLS1.3 to howsmyssl in Windows XP now. Great job!
I also uninstalled that \lib\ISRG_Root_X1.cer from the PC's certificates. It isn't necessary to get a TLS connection in my original TLS program. I basically made 3 edits and the original program works. It is necessary and must be installed as a trusted certificate to get your samples working though.
I'm impressed. This was super easy. Just for anyone else reading this, it's this simple to use:
Code:
Dim objhttp As cHttpRequest
Set objhttp = New cHttpRequest
objhttp.Open_ "GET", "https://howsmyssl.com/a/check", False
objhttp.SetRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
objhttp.SetRequestHeader "Accept-Encoding", "gzip"
objhttp.Send
Debug.Print objhttp.GetAllResponseHeaders
Debug.Print objhttp.ResponseText
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
I'm running into some kind of parsing error when loading an XML document from an API call using VbAsyncSocket's cHttpRequest. It's duplicating the first 3389 to 3390 bytes, at least in this test URL. I sent you a PM on this.
Edit: I'm getting all kinds of errors with this, unfortunately. Incomplete files, empty responses, etc. I think it's mostly incomplete responses. I tried this, for example, and only get either 7143 or 8192 bytes:
Code:
Dim objhttp As cHttpRequest
Set objhttp = New cHttpRequest
With objhttp
'Allow redirects
.Option_(WinHttpRequestOption_EnableRedirects) = True
'Enable Https To Http Redirects
.Option_(WinHttpRequestOption_EnableHttpsToHttpRedirects) = True
'Enable Http 1.1
.Option_(WinHttpRequestOption_EnableHttp1_1) = True
'Ignore all certificate errors
.Option_(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_Ignore_All
'Allow 15 seconds for everything to do what it has to do
.SetTimeouts 15000, 15000, 15000, 15000
.Open_ "GET", "https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html", False
.SetRequestHeader "User-Agent", "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"
.SetRequestHeader "Content-type", "text/html"
.Send
Debug.Print "RESPONSE LENGTH: "; Len(.ResponseText)
Debug.Print "RESPONSE: "; .ResponseText
End With
Set objhttp = Nothing
If I connect to that using WinHttp, I get a response length of 19571. You should be able to duplicate the issue with this code.
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Yes, this issue must be fixed in commit b4c25fa.
The root certificate for Let's Encrypt CA is missing on XP and it's used as trust anchor for 5-10% of the active TLS certificates nowadays.
There are other root certificates which are missing from XP's root certificate store as the OS is not maintained for quite some time now.
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Not sure where to continue this -- here or on Github.
Getting Subscript out of Range raised in cHttpRequest's Send subroutine. m_vLastError(1) = cHttpRequest.pvRecvBody
Tracing the code, the error is being generated in pvArrayWriteBlob, with this line being the offender:
Code:
Call CopyMemory(baArray(lPos), ByVal lPtr, lSize)
This is happening with a call to the API that I PM'd you about.
lpos = -1, which is causing the error
lptr = 83849144
lsize = 4096
EDIT: Issues fixed
ALL of the issues I reported appear to be fixed by wqweto in the June 4 2022 commits on Github. Thanks, wqweto!
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
I'm very happy to report that I was able to create a DLL from wqweto's project, without typing a line of code, and rolled this out to my VBA applications that were using WinHTTP. I only had to make very minimal changes to them and it works flawlessly. This project of yours is a lifesaver! +1000
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Any chance you can share the dll? Thanks!
Quote:
Originally Posted by Montclair
I'm very happy to report that I was able to create a DLL from wqweto's project, without typing a line of code, and rolled this out to my VBA applications that were using WinHTTP. I only had to make very minimal changes to them and it works flawlessly. This project of yours is a lifesaver! +1000
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Just published a compiled DLL under HRR-1.0 tag under releases in the repo; this is not Montclair's DLL but a separate compilation.
The single public multi-use class is named HttpRequest.cHttpRequest and this VBScript will use TLS 1.3 all the way down to ancient NT 4.0:
Code:
Const WinHttpRequestOption_SslErrorIgnoreFlags = 4
Const SslErrorFlag_UnknownCA = 256
With CreateObject("HttpRequest.cHttpRequest")
.Open_ "GET", "https://www.howsmyssl.com/a/check"
.Option_(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_UnknownCA
.Send
WScript.echo Replace(.ResponseText, ",", vbCrLf)
End With
Quote:
Originally Posted by Immediate Window
{"given_cipher_suites":["TLS_AES_128_GCM_SHA256"
"TLS_AES_256_GCM_SHA384"
"TLS_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
"TLS_RSA_WITH_AES_128_GCM_SHA256"
"TLS_RSA_WITH_AES_256_GCM_SHA384"
"TLS_RSA_WITH_AES_128_CBC_SHA"
"TLS_RSA_WITH_AES_256_CBC_SHA"]
"ephemeral_keys_supported":true
"session_ticket_supported":true
"tls_compression_supported":false
"unknown_cipher_suite_supported":false
"beast_vuln":false
"able_to_detect_n_minus_one_splitting":false
"insecure_cipher_suites":{}
"tls_version":"TLS 1.3"
"rating":"Probably Okay"}
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Nice work, wqweto! Thanks for this!
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
OMG thank you so much for this!
I have a VBS script that works great on newer Windows but not on XP because the server I'm POSTing to requires TLS 1.2+.
I registered the DLL and it began to work right away.
First the script sends a GET and successfully gets a reply, no problem.
Then the script sends a POST or a DELETE
and when it is successful, which would be a code 204 with no other content, I eventually get a Timeout 80072ee2.
I check the server - the intended action is successful, but the script waits and then errors.
But, when the POST or DELETE successfully reaches the server, and the server responds with an error e.g. 403 or 422, because my request is not possible for the server to execute at the moment, the script has no problem immediately telling me so. No timeout problem for 403s or 422s, which do contain JSON.
Is it possible the DLL isn't handling 204, because it expects 200?
Or is it confused because there is no content?
Is there a way I can get around this?
Thanks again, let me know anything to try. I'm a noob on github so I thought I'd ask here. :)
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
For some reason I don't see an edit button, so I'll add here:
FYI The first (GET) request that works perfectly is receiving a 200, with data, as a reply.
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Quote:
Originally Posted by therentabrain
Or is it confused because there is no content?
Could be a problem if 204 does not send Content-Length header.
Do you reuse the request object or create a fresh instance on each request?
Edit: Try latest 1.0.2 release for fixed status 204 handling
cheers,
</wqw>
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Amazingness - it works beautifully <3 <3
FTR, I tried both making a new instance and reusing the existing one with the previous DLL, and had the same timeout results.
And now I tried both ways and it worked fine both times. :)
So fwiw it works great in VBScript to retrieve a value from one API, get the values out of a JSON array which comes in called 'data', and then plug it into another API:
(For anyone else poking at it in VBScript, hope this will give some useful clues)
Code:
Option Explicit
Const apioauth = "myoauth"
Const clientid = "myclientid"
Dim URL, userid
Const WinHttpRequestOption_SslErrorIgnoreFlags = 4
Const SslErrorFlag_UnknownCA = 256
With CreateObject("HttpRequest.cHttpRequest")
    ' First call: GET the JSON whose 'data' member is an array of objects
    URL = "https://xxxxxx/variable=" & WScript.Arguments(1)
    .Open_ "GET", URL, False
    .Option_(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_UnknownCA
    .SetRequestHeader "Client-Id", clientid
    .SetRequestHeader "Authorization", "Bearer " & apioauth
    .Send
    MsgBox "response: " & .ResponseText
    ' Parse the JSON by evaluating it as JScript inside an htmlfile object.
    ' This executes the response body as code, so only do it with a trusted API.
    Dim y, html : Set html = CreateObject("htmlfile")
    Dim w : Set w = html.parentWindow
    w.execScript "var json=" & .ResponseText & ";var e=new Enumerator(json.data);", "JScript"
    While Not w.e.atEnd()
        Set y = w.e.item()
        userid = y.id
        w.e.moveNext
    Wend
    ' Second call: POST or DELETE against the other API, reusing the same object
    URL = "https://xxxxx"
    ' WScript.Arguments are strings; in VBScript a string compared with the number 1
    ' is never equal, so compare against the string "1"
    If WScript.Arguments(0) = "1" Then
        .Open_ "POST", URL, False
    Else
        .Open_ "DELETE", URL, False
    End If
    .Option_(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_UnknownCA
    .SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    .SetRequestHeader "Authorization", "Bearer " & apioauth
    .SetRequestHeader "Client-ID", clientid
    .Send "var=value&var=" & userid
    MsgBox "response: " & .ResponseText
End With
(Of course a Const OAuth is like a jumbo shrimp, it might be a thing but eh? ... it's just for testing)
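An added example (mine, not from the thread or from the HttpRequest DLL) of the request helper the 204 discussion above calls for: it treats 204 No Content as success with an empty body, hands 4xx/422 bodies back for inspection, and bounds every request with timeouts so a stall surfaces as a WinHttp error (the 80072ee2 seen above) instead of an open-ended wait. It assumes cHttpRequest exposes .Status and .StatusText the way WinHttpRequest does (it is described as source-compatible); the endpoint URL, the token and the timeout values are placeholders.

```vbscript
Option Explicit

' Sends one request on a fresh cHttpRequest. Returns the HTTP status (0 on a
' transport error such as timeout 80072ee2); body receives the response text
' ("" for 204), errText a description when something went wrong.
Function ApiCall(ByVal method, ByVal url, ByVal bearer, ByVal payload, ByRef body, ByRef errText)
    Dim http
    ApiCall = 0: body = "": errText = ""
    On Error Resume Next
    Set http = CreateObject("HttpRequest.cHttpRequest")
    ' resolve / connect / send / receive limits in ms (assumed values)
    http.SetTimeouts 5000, 5000, 15000, 15000
    http.Open_ method, url, False
    ' No SslErrorIgnoreFlags here: if XP lacks the CA (ISRG Root X1 for
    ' Let's Encrypt), install it in the trusted store rather than ignoring UnknownCA
    If Len(bearer) > 0 Then http.SetRequestHeader "Authorization", "Bearer " & bearer
    If Len(payload) > 0 Then
        http.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        http.Send payload
    Else
        http.Send
    End If
    If Err.Number <> 0 Then
        errText = "0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If
    On Error GoTo 0
    ApiCall = http.Status
    Select Case http.Status
        Case 204
            body = ""                    ' success, no content by definition
        Case 200, 201
            body = http.ResponseText
        Case Else                        ' e.g. 403 / 422 with a JSON error document
            body = http.ResponseText
            errText = http.Status & " " & http.StatusText
    End Select
End Function

' Placeholder endpoint and token; a DELETE that succeeds answers 204
Dim st, resp, why
st = ApiCall("DELETE", "https://api.example.invalid/things/123", "TOKEN_PLACEHOLDER", "", resp, why)
Select Case st
    Case 204: WScript.Echo "deleted"
    Case 0:   WScript.Echo "transport error: " & why
    Case Else: WScript.Echo "server said " & why & vbCrLf & resp
End Select
```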
-
Re: MSXML2.ServerXMLHTTP60 with TLS 1.2 support XP POSReady
Vladimir, can I contact you about a VB question? Are you available for some consulting? I have an image upload function that is giving an error when I'm using SSL from Amazon, but works fine when using SSL installed on my own server.