The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

  • Question

  • When trying to start any conference (IM, AppShare, Video, Voice) I get this message in Communicator 2007 R2:
    An error occurred while trying to start the conference.

    Server (OSC 2007 R2, Win2008 R2) Log:

    TL_ERROR(TF_CONNECTION) [0]1FF4.120C::07/29/2009-18:30:01.187.00008824 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Receive operation on the connection failed
    Local-IP: 192.168.0.116:18849
    Peer-IP: 192.168.0.116:5062
    Peer-FQDN: vm-cwin2008r2.domain.local
    Connection-ID: 0x4300
    Transport: TLS
    Result-Code: 0x80072745 WSAECONNABORTED
    $$end_record


    TL_ERROR(TF_CONNECTION) [0]1FF4.1694::07/29/2009-22:07:47.130.0000aeae (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 192.168.0.116:27670
    Peer-IP: 192.168.0.116:5062
    Peer-FQDN: vm-cwin2008r2.domain.local
    Connection-ID: 0xAB03
    Transport: TLS
    $$end_record

    Is there a problem with the certificate?
    The certificate was issued by a standalone CA located on the same server as OSC.
    Wednesday, July 29, 2009 10:34 PM

Answers

  • [OSC Server on Win2008 R2]

    This might be the problem.  At present, there is no supported scenarios for deploying OCS 2007 R2 on Server R2.  I haven't tried it, so I can't answer authoritatively if this is the problem.

    Can you reproduce the problem on Windows Server 2008?  If so, then we'll have some things to look at, like a complete debug session with SIPStack and S4 in OCSLogger.


    Rick OCS UA
    Wednesday, September 2, 2009 3:29 PM

All replies

  • Hi Pinzc

    Do you have a second NON-OCS-Server-machine with the Communicator Client to test the connection?
    What error message do you get from this machine?

    When using a local CA to get certificates for OCS, there are in my opinion four things you have to pay attention to:

    1. Verify that the Root-CA Certificate is in the trusted store of the client

    2. For OCS Certificates use a certificate with both Server and Client Authentication.

    3. Use an Enterprise version for the CA, because of the possibility to change Templates for the certificates and automatic deployment possibilities.

    4. For SAN Certificate usage:
       Activate the possibility to request SAN certificates with this CA:
       net stop certsvc
       certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
       net start certsvc

    Cheers
    Werner
    Thursday, July 30, 2009 6:32 AM
  • Hello, Werner

    I've described the symptoms in another thread:
    http://social.microsoft.com/Forums/en-US/communicationsserversetup/thread/0b728ffc-04e0-4d57-8a35-44d4f8127070

    Vista (windows 7, server 2008 R2 the same result) client's Event Log after trying to start IM chat:

    A SIP request made by Communicator failed in an unexpected manner (status code 80ef01f8). More information is contained in the following technical data:

    RequestUri:   sip:cahek@domain.local;gruu;opaque=app:conf:chat:id:24D8969F251FD847BCEE171453F45DFC
    From:         sip:cahek@domain.local;tag=f35e242872
    To:           sip:cahek@domain.local;gruu;opaque=app:conf:chat:id:24D8969F251FD847BCEE171453F45DFC;tag=C90B627E6A1ED0F3BA0C88625C0EA54A
    Call-ID:      c19c9efce2cf44e591c0b7a5fe64ff2d
    Content-type: application/sdp;call-type=im

    v=0
    o=- 0 0 IN IP4 192.168.0.111
    s=session
    c=IN IP4 192.168.0.111
    t=0 0
    m=message 5060 sip null
    a=accept-types:text/plain multipart/alternative image/gif text/rtf text/html application/x-ms-ink application/ms-imdn+xml text/x-msmsgsinvite

    On the OSC Server CA:
    1. The CA on the OCS Server is Domain Standalone, therefore clients download the CA Root certificate automatically (if they didn't, they could not connect with TLS)
    2. The OSC certificate has Enhanced Key Usage: Server Authentication, Client Authentication
    3. I do, I assume..
    4. I did, but nothing changed, the problem remains.. (

    I don't understand why the OSC server tries to negotiate with itself?

    Text: Receive operation on the connection failed
    Local-IP: 192.168.0.116:18849
    Peer-IP: 192.168.0.116:5062

    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

    Local-IP: 192.168.0.116:27670
    Peer-IP: 192.168.0.116:5062

    Thursday, July 30, 2009 7:54 AM
  • You may have an incorrect DNS configuration if you have a host attempting to connect to itself. Or have you installed the OC client locally on the server?
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, July 30, 2009 1:04 PM
    Moderator
  • Hello Prinzc

    As Jeff and I already asked ...

    Explain your scenario in detail.

    Do you have MOC with 2 accounts on 2 different machines which are both NOT the OCS server itself?
    ... and .... did you do a look into the Trusted Root Store if the root ca certificate is implemented on all these servers and clients?

    Cheers
    Werner
    Thursday, July 30, 2009 1:46 PM

  • I don't know what could be wrong with DNS.

    1) I have a few machines (Vista, Windows 7, XP clients) with MOC 2007 R2 installed and the OSC Server on Win2008 R2 (VMware 6.5 Workstation)

    2) I have MOC 2007 R2 installed on OSC locally BUT I don't run it during the test, it is NOT RUNNING (I even uninstalled it now).

    3) If I'm right, if there weren't a root CA cert in the Trusted Root Store on the client they couldn't sign in over TLS, right? No other certificates needed on the client?

    After I restart the OSC server.

    I try to start an IM conversation with 2 contacts in the list. In the client's Event Log I've got the same error: A SIP request made by Communicator failed in an unexpected manner..

    OSC Server Snooper Log:

    And then the same errors

    TL_ERROR(TF_CONNECTION) [0]12B8.1F2C::07/30/2009-14:22:58.177.00000038 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Receive operation on the connection failed
    Local-IP: 192.168.0.116:2578
    Peer-IP: 192.168.0.116:5062
    Peer-FQDN: vm-cwin2008r2.domain.local
    Connection-ID: 0xE02
    Transport: TLS
    Result-Code: 0x80072746 WSAECONNRESET
    $$end_record


    TL_ERROR(TF_CONNECTION) [0]0F70.11BC::07/30/2009-19:03:52.289.0000002a (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
    Local-IP: 192.168.0.20:55594
    Peer-IP: 192.168.0.20:5062
    Peer-FQDN: vm-cwin2008r2.ecotrust.local
    Connection-ID: 0x1B01
    Transport: TLS
    $$end_record

    So, is it abnormal that Local-IP and Peer-IP are the same?
    Thursday, July 30, 2009 7:05 PM
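To make the question about identical Local-IP and Peer-IP concrete, here is an added Python example (not code from the thread or from OCS) that parses the SIPAdminLog connection records quoted above and flags the two symptoms under discussion: the server dialling itself, and a TLS handshake that never completes. The first sample record mirrors the thread's failing record; the second is a constructed record for an ordinary client peer, so the triage has something to contrast.

```python
import re

# Constructed sample in the SIPStack trace format quoted in the thread.
SAMPLE_LOG = """\
TL_ERROR(TF_CONNECTION) [0]1FF4.1694::07/29/2009-22:07:47.130.0000aeae (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
LogType: connection
Severity: error
Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
Local-IP: 192.168.0.116:27670
Peer-IP: 192.168.0.116:5062
Peer-FQDN: vm-cwin2008r2.domain.local
Connection-ID: 0xAB03
Transport: TLS
$$end_record
TL_ERROR(TF_CONNECTION) [0]1FF4.120C::07/29/2009-18:30:01.187.00008824 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 192.168.0.116:5061
Peer-IP: 192.168.0.111:49152
Connection-ID: 0x1234
Transport: TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
"""

RECORD_RE = re.compile(r"\$\$begin_record\n(.*?)\$\$end_record", re.S)

def parse_records(text):
    """Split the trace into dicts keyed by each record's 'Name: value' fields."""
    records = []
    for body in RECORD_RE.findall(text):
        fields = (line.partition(":") for line in body.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, _, v in fields})
    return records

def triage(records):
    """Map Connection-ID to the findings a defender would look at first."""
    out = {}
    for rec in records:
        issues = []
        local, peer = rec.get("Local-IP", ""), rec.get("Peer-IP", "")
        # Same host on both ends: the server is connecting to itself (the thread's symptom).
        if local and peer and local.rsplit(":", 1)[0] == peer.rsplit(":", 1)[0]:
            issues.append("self-connection")
        if rec.get("Transport") == "TLS" and "TLS negotiation" in rec.get("Text", ""):
            issues.append("tls-handshake-failed")
        if "Result-Code" in rec:  # the Winsock error name is the last token
            issues.append("winsock:" + rec["Result-Code"].split()[-1])
        out[rec.get("Connection-ID", "?")] = issues
    return out
```

Running `triage(parse_records(SAMPLE_LOG))` flags 0xAB03 as a self-connection with a failed TLS handshake, while the client record only carries its Winsock reset code; a self-connection on the server's own address is the DNS or local-client question raised in the replies, not a certificate trust problem by itself.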
  • I've installed a network traffic analyzer.
    It shows that IP packets to and from port 5062

    1) appear only on loopback (Dest=Source=OSC IP)
    2) are generated by Process System (PID=0)
    3) have incorrect IP and TCP checksums

    It seems there is some network or system problem :(
    Thursday, July 30, 2009 9:15 PM
  • Hello Prinzc

    how have you configured networking between your clients (physical?) and your virtual OCS server?
    Bridged?

    Cheers
    Werner
    Friday, July 31, 2009 7:52 AM
  • There are physical and virtual clients. There is one network adapter on the OCS server, configured bridged.
    I've closed MOC on the other virtual clients on the Host, and MOC on the Host OS. Tried only with other physical clients. Problem remains.
    • Edited by prinzc Friday, July 31, 2009 8:22 AM
    Friday, July 31, 2009 8:22 AM
  • Do you see any SChannel errors on your Servers in the "System" Log?
    Friday, September 18, 2009 4:38 PM