Re: SSL Communication problem, FNE C SDK

AHorstmann · ‎Mar 03, 2021

Hi everyone,

I have a customer reporting this problem:

ERROR: talking to server: [1,7e3,b,0[74000008,3c,10060221]] Generic communications error.
[1,7e3,b,0[75000001,60,3001025c]] General data transfer failure. SSL peer certificate or SSH remote key was not OK

I have searched this forum and found this post:
https://community.flexera.com/t5/FlexNet-Embedded-Forum/Failing-to-setup-SSL-Communication-within-FNE-C-SDK/m-p/126028

It seems a similar case, but it isn't. This is a cloud FNE server, not a local one, and using the same client software on my own machine, I can activate the same license just fine.

So there must something on the client side that's causing this, any pointers as to what it might be?

The client tells me Port 443 is open and they even set up an "any" exception to their firewall, they also tested a completely different internet connection (smartphone hotspot), all to no avail.

Many thanks,

Ansgar

AHorstmann · ‎Mar 10, 2021

Hi everyone,

the customer has done some great research and was able to solve this problem, but to be frank, I'm not a TLS/SSL expert and I don't fully understand it, so maybe you can help me.

I will post the customer's original reply in German, and a translation below.

Original reply:

...
ich habe die Software und das Lizenzierungssystem jetzt mal mit procmon und wireshark durchleuchtet:

Die Software versucht ihre Lizenzierung über einen Webserver auf einer EC2-Instanz vorzunehmen - und zwar per HTTPS (löblich!). Dazu verbindet sie sich in diesem Fall zu ec2-52-49-0-37.eu-west-1.compute.amazonaws.com - das dort abgerufene Zertifikat enthält aber nur die Gültigkeit für die Sites *.flexnetoperations.eu und *.compliance.flexnetoperations.eu. Da das sauber programmiert wurde (sic!) wird damit die Verbindung abgelehnt.... also ich würde behaupten, der Anbieter der Lizenzierungssoftware hat da einen fehlenden CNAME-Eintrag im DNS und sie sollten die Sicherheit ihrer Clienteinstellungen prüfen: So ein Zertifikat sollte eigentlich nicht automatisch akzeptiert werden....

Also die Lösung ist relativ einfach wenn man von Anfang an die Fehlermeldung richtig gelesen hätte:

Zertifikat herunterladen und installieren, dann klappt auch die Registrierung, ABER das sollte Flexera in Ordnung bringen 😉

My translation to English:

...
I have examined the software and the licensing system using procmon and wireshark:

The software tries to fetch license information from a webserver on a EC2 instance - via HTTPS (commendable!). To that end, it connects in this case to ec2-52-49-0-37.eu-west-1.compute.amazonaws.com - but the certificate fetched from there is only valid for the sites *.flexnetoperations.eu and *.compliance.flexnetoperations.eu. Since it was programmed correctly (sic!), this leads to the connection being denied... so I would assume that the licensing software provider has a missing CNAME record in the DNS and they should check the security of their client settings: Such a certificate shouldn't be accepted automatically....

So the solution is rather easy if I had read the error message right from the beginning:

Download and install the certificate, then the registration works, BUT Flexera should fix this 😉

As I wrote earlier, I'm not really sure about his suggested fix, and I don't understand how, if this is a general problem, it doesn't cause issues with other clients as well. So any help would be appreciated.

Thanks,
Ansgar

jberthold · ‎Mar 10, 2021

Hi @AHorstmann ,

If you could kindly log this as a support ticket it would be greatly appreciated.

Thx,

Jim

Ravikiran · ‎May 05, 2021

Hi,

I faced same error, while working with C-SDK at client side. It got resolved by setting the appropriate certificate provided by Flexera.

FlcCommSetSSLCertificatePath(commInterface, "flexNet/thirdparty/ssl_certs/DigiCertGlobalRootCA.pem", error);

Please try using DigiCertGlobalRootCA.pem certificate.

Regards,

RaviKiran