I was trying to send an AS2 payload to a trading partner over HTTPS. Normally, I rely on AS2’s built-in security but this particular partner requires me to use HTTPS as well.
When I attempt to send a message it fails immediately with an event in the log indicating: “The underlying connection was closed: An unexpected error occurred on a send.” I had tested HTTPS communication between two BizTalk instances and it worked fine but the client is not using BizTalk. In fact, their solution was based on webMethods which uses Apache as the web server.
Potential Causes / Solutions:
There are several things that could be the issue in HTTPs communication:
1. Apache does not support TLS … only SSL3.0
By default, newer Microsoft operating systems attempt to communicate with TLS first then allow the client and server to renegotiate (renego) to a common cipher/protocol. According to this article and this article I could disable the SCHANNEL client from trying to use TLS and default to SSL3 instead. However, after making these changes and restarting nothing changed.
2. The target server is expecting something … else.
My next thought was that simply there was something missing in our communication. It was obviously something to do with HTTPS and not AS2 since the communication was failing immediately on the HTTPS send port vs. an AS2 communication issue. But I was unsure how to test this. After a bit of searching I came across a recommendation for Wfetch.
Wfetch is a tool by Microsoft that is used to diagnose HTTP(S) communications against any web server (IIS included, of course). Still suspecting that it was a cipher/protocol issue I first tried to communicate with plain old HTTPS:
As you can see there was some sort of error that was returned: “An unknown error occurred while processing the certificate.” Hmmm … maybe something to do with not being able to negotiate a protocol. So I changed the protocol to use TLS 3 and ran the test again.
Now I get a different, more specific error about not being able to negotiate a common cipher. So at least that proves that TLS won’t work. After changing the protocol to SSL3 I got the same error as above … something about a certificate.
Then it occurred to me that the server requires a client certificate for authentication! Using Wfetch I selected a certificate out of my Personal certificate store (which was a fully trusted certificate from a CA) and I finally succeeded!
To solve this in BizTalk all I needed to do is somehow add a client certificate to the outbound HTTPS requests for this partner. In the HTTP configuration of my send adapter, there is an authentication tab where I just pasted in the thumbprint of my client certificate and everything is working just fine. The servers are able to renego down to SSL3 so I didn’t even have to disable TLS.