Severe issue in build 49

albertom

I spent all day getting build 49 working with a partner (Kingfisher) who uses GIS/PsHttpClientAdapter with AS2 version 1.2.

I can successfully receive any message, but I receive this error when sending (using either 3DES or none).

[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound transmission is a MDN [KingFisher - GranitoForte].
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN is the answer to AS2 message "mendelson_opensource_AS2-1465820802956-1@granitoforte_EDT-KITS-EASIER-PROD".
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN state is [processed/Error: authentication-failed].
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN details received from KingFisher: "Your message could not be processed."
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN is signed (SHA-1).
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Using certificate "EDT-Kingfisher PROD" to verify inbound MDN signature.
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Digital signature of inbound MDN has been verified successful.

Reverting to build 47 saved my ass.

I am waiting for their log to see what was wrong. In the meantime I suggest everyone stay on 47.

Fabrice

Hi

I am facing the same issue with the same partner.
I can't find build 47 anymore.
Does anyone have a download link to provide?
Thanks

albertom

Hello Fabrice,
I have it, but I don't want to post a public link here. PMs are not available in this forum; anyway, I found you on LinkedIn, please accept my connection.

Fabrice

Hello Alberto.

I just accepted your connection on LinkedIn.

Fabrice

I compared the message header from build 47 with the one from build 49.
The field "disposition-notification-options" is lacking in build 49, which explains the problem.

service

Hello,

That is not the problem.

Please have a look at https://tools.ietf.org/html/rfc6211, without the Algorithm Identifier Protection Attribute the CMS is vulnerable to algorithm substitution attacks.

Other AS2 programs may have problems with this (see https://www-01.ibm.com/support/docview.wss?uid=swg1IT14005, returns an MDN with [processed/Error: authentication-failed]) but in our understanding it makes sense to implement this feature.

Regards
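
What the RFC 6211 attribute referred to in the post above gives a verifier, as an added example (not part of the thread and not mendelson's code): the signer's digest algorithm is repeated inside a signed attribute, so a changed algorithm identifier becomes detectable. The DER samples are constructed, and as a simplification only the digestAlgorithm field is compared.

```python
# Added example: does a CMS signedAttrs blob carry the RFC 6211 attribute,
# and does it pin the digest algorithm the SignerInfo claims?
ALG_PROTECT = "1.2.840.113549.1.9.52"   # id-aa-cmsAlgorithmProtect (RFC 6211)
SHA1, SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1"

def read_tlv(buf, pos=0):
    """Decode one DER element; return (tag, value bytes, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Return the value bytes of each element inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        _, val, pos = read_tlv(body, pos)
        out.append(val)
    return out

def dec_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if b < 0x80:
            arcs.append(v)
            v = 0
    x = min(arcs[0] // 40, 2)
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def check(signer_digest_oid, signed_attrs):
    """'unprotected', 'ok', or 'substituted' for one SignerInfo."""
    for attr in children(read_tlv(signed_attrs)[1]):     # SET OF Attribute
        oid, values = children(attr)[:2]
        if dec_oid(oid) == ALG_PROTECT:
            prot = children(values)[0]                   # CMSAlgorithmProtection
            pinned = dec_oid(children(children(prot)[0])[0])  # digestAlgorithm OID
            return "ok" if pinned == signer_digest_oid else "substituted"
    return "unprotected"

# Constructed sample attributes (hand-built DER, not taken from a real AS2 message)
CONTENT_TYPE = bytes.fromhex("301806092A864886F70D010903310B06092A864886F70D010701")
PROTECT_SHA1 = bytes.fromhex("302706092A864886F70D010934311A3018300706052B0E03021A"
                             "A10D06092A864886F70D0101010500")

def signed_attrs(*attrs):
    body = b"".join(attrs)
    return bytes([0x31, len(body)]) + body   # short-form length, enough for the samples
```

`check(SHA1, signed_attrs(CONTENT_TYPE))` reports `unprotected`, which is the state of a message signed without the attribute; with `PROTECT_SHA1` included, a SignerInfo claiming SHA-256 is reported as `substituted`.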

andrazfr

Hello Alberto,

Could you please share the setup of build 47 (you can add me on LinkedIn - Andraž Franjko).

I am facing the same issue with build 49, but I wouldn't like to go back to build 39 which I was using before the update.

service

Hello,

Please ask your partner to update his AS2 software - that's the better way.

Regards

Fabrice

Hello,

Thanks for the feedback. Nevertheless, asking our partners to update or change their AS2 software does not seem a viable option.
Could you not add an option to mendelson that allows disabling this feature?

Regards

msn2wolf

OpenAS2 has that option in its configuration files. I attempted to implement the same feature in Mendelson Opensource AS2 by adding the option in the database and the partner configuration screen. Still testing.

albertom

msn2wolf, did you make it work?