April 7, 2009 12:00 AM PDT
Troubleshooting the IMR_RES_TLS_CONNECTION_FAILED error in mutual TLS
This article expands on the author’s previous blog post titled “Tips to check if the SCS, the DTK or your app doesn’t connect to an AMT Enterprise machine”. It includes some specific steps to troubleshoot this error message. This article is written by Javier Andres Caceres Alvis. Javier works as a Software Engineer for Aranda Software (ISV enabling for Intel AMT).
The Manageability DTK and other applications that use SOL and IDE-R capabilities rely on the functionality exposed by the Redirection Library. This library is included in the imrsdk.dll file and is in charge of establishing a TCP (port 16994) or TLS (port 16995) connection, so if you’re sure you’ve checked all the possible error sources mentioned in the post above, the following steps will help.
Picture 1. Key values.
Verify that your SSL client and server certificates contain the keys shown in picture 1; these values must be 1.3.6.1.5.5.7.3.2 and 2.16.840.1.113741.1.2.1, or both (no matter whether you used a customized template or a standard one). If your client application still has the same error, find the imrsdk.ini file (which must be in the same folder as imrsdk.dll), open it and set the debug level to “2”:
[COMMON]
Debug_Level=2
Storage_Enabled=0
With Debug_Level=2 you will get a log file that specifies what the concrete error is. In this example, I got these entries in my log.txt and found the error to be due to a duplicated certificate in my store:
LOG STARTED Fri Mar 13 11:09:37 2009
NETMGR: added UDP socket to read socks: 1456
NETMGR: Signal socket created: 1500
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
LOG ENDED Fri Mar 13 11:13:07 2009
Picture 2. Duplicate certificate.
As shown in picture 2, in this example the same certificate appeared twice in “Trusted Root Certification Authorities”. To know which one to delete, navigate to the IAMT machine’s WebUI, find the issuer certificate’s serial number (Picture 3), delete the bad one, and the DTK will work fine.

Picture 3. Issuer certificate’s serial number.
Don’t forget that the DTK exports ALL the trusted root certificates to a *.pem file called “Trusted Root Certificates.pem” the first time it is started, so if you changed something in your environment, delete this file and start the application again.
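As an added example (not part of the original article or of the DTK), the Python script below checks an imrsdk log for the duplicate-certificate reason shown above and lists which entries of a PEM bundle such as “Trusted Root Certificates.pem” occur more than once. It assumes duplicates are byte-identical copies; the helper make_pem and the sample data are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import textwrap
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-1 of each certificate's DER bytes, in file order."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        out.append(hashlib.sha1(der).hexdigest().upper())
    return out

def find_duplicates(pem_text):
    """Return {fingerprint: [1-based positions]} for entries present more than once."""
    seen = defaultdict(list)
    for pos, fp in enumerate(fingerprints(pem_text), start=1):
        seen[fp].append(pos)
    return {fp: where for fp, where in seen.items() if len(where) > 1}

def log_reports_duplicate(log_text):
    """True if the log contains the duplicate-certificate reason from the article."""
    return any("X509_STORE_add_cert" in line and "cert already in hash table" in line
               for line in log_text.splitlines())

def make_pem(der, width):
    # Constructed helper: wraps arbitrary bytes as a PEM block (NOT a real certificate).
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, width))
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: placeholder payloads standing in for DER certificates.
# The third entry repeats the first with different line wrapping.
ROOT_A, ROOT_B = b"constructed root CA A " * 4, b"constructed root CA B " * 4
SAMPLE_PEM = make_pem(ROOT_A, 64) + make_pem(ROOT_B, 64) + make_pem(ROOT_A, 76)
SAMPLE_LOG = ("SSLSocket::connect: failed to set certificate chain file file\n"
              "SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table\n")

if __name__ == "__main__":
    print("log shows duplicate:", log_reports_duplicate(SAMPLE_LOG))
    for fp, where in find_duplicates(SAMPLE_PEM).items():
        print(fp, "appears at positions", where)
```

On a real bundle, the SHA-1 value printed for each duplicate is the same value the Windows certificate viewer shows as the certificate's thumbprint, which helps locate the matching entries in the store.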
Comments (2) 
September 3, 2009 12:38 PM PDT | javierandrescaceres
Hello Arles, That's a new issue. Could you solve it? It looks like a validation problem (maybe it expired or CA is not trusted). Thanks,
Arles Rodriguez
It was my mistake
LOG STARTED Tue Jun 30 12:37:38 2009
NETMGR: Signal socket created: 2336
SSLSocket::connect: func SSL3_GET_SERVER_CERTIFICATE, reason certificate verify failed
SSLSocket::connect: func SSL3_GET_SERVER_CERTIFICATE, reason certificate verify failed
LOG ENDED Tue Jun 30 12:37:49 2009
Making some work with certs and Remote Control in AMT device works perfectly.
Nice article. :-)