Troubleshooting the IMR_RES_TLS_CONNECTION_FAILED error in mutual TLS

Hello everybody! I’ve seen some guys getting the IMR_RES_TLS_CONNECTION_FAILED error in their client apps, so I thought it would be a good idea to expand my first post, “Tips to check if the SCS, the DTK or your app doesn’t connect to an AMT Enterprise machine”, to include some specific steps to troubleshoot this error message.

 

OK, the DTK and other applications that use SOL and IDE-R capabilities consume the functionality exposed by the Redirection Library. This library is included in the imrsdk.dll file and is the one in charge of establishing a TCP (port 16994) or TLS (port 16995) connection, so if you’re sure you’ve checked all the possible error sources I talked about in my first post, then it’s a good time to take the next steps.


Picture 1. Key values.

 

First of all, please verify that your SSL client and server certificates contain the keys shown in picture 1; these values must be 1.3.6.1.5.5.7.3.2 and 2.16.840.1.113741.1.2.1, or both (no matter whether you used a customized template or a standard one). If your client application still has the same error, find the imrsdk.ini file (which must be in the same folder as imrsdk.dll), open it and set the debug level to “2”:
[COMMON]
Debug_Level=2
Storage_Enabled=0

 

With Debug_Level=2 you will get a log file that specifies what the concrete error is; in my case I got these entries in my log.txt:
LOG STARTED Fri Mar 13 11:09:37 2009
NETMGR: added UDP socket to read socks: 1456
NETMGR: Signal socket created: 1500
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
SSLSocket::connect: failed to set certificate chain file file
SSLSocket::connect: func X509_STORE_add_cert, reason cert already in hash table
LOG ENDED Fri Mar 13 11:13:07 2009

 

With those entries and looking at the code, I thought that error was due to a duplicated certificate in my store, so I checked it and eureka!!!:

 
Picture 2. Duplicate certificate.

 

As shown in picture 2, for some reason the same certificate was twice in my “Trusted Root Certification Authorities”. I thought I should go ahead and delete one of them, but which one? So I navigated to the IAMT machine’s WebUI, viewed the issuer certificate’s serial number (Picture 3), deleted the bad one, and the DTK worked fine.
 
Picture 3. Issuer certificate’s serial number.

 

Don’t forget that the DTK copies ALL the trusted root certificates to a *.pem file called “Trusted Root Certificates.pem” the first time it is started, so if you changed something in your environment, please delete this file and start the application again. Your error message may have a different cause, but with this log you can isolate your issue.
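The check described above can also be run against the exported bundle. This is an added example, not code from the DTK or from this post: it lists entries in a PEM file such as “Trusted Root Certificates.pem” that share a subject name, with each entry's serial number and SHA-1 fingerprint so the one to keep can be matched against the serial shown in the WebUI. It assumes a duplicate appears as two entries with the same subject; the function names and the unsigned sample certificates are constructed for illustration.

```python
import base64, hashlib, re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos: return (tag, value, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def serial_and_subject(der):
    """Return (serial as hex, raw subject Name bytes) from a DER certificate."""
    tbs = read_tlv(read_tlv(der, 0)[1], 0)[1]  # Certificate -> tbsCertificate
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional explicit [0] version
        tag, value, pos = read_tlv(tbs, pos)
    serial = value.hex()
    for _ in range(3):                         # skip signature, issuer, validity
        pos = read_tlv(tbs, pos)[2]
    return serial, tbs[pos:read_tlv(tbs, pos)[2]]

def duplicate_subjects(pem_text):
    """Group bundle entries by subject; return only subjects that occur more than once."""
    groups = defaultdict(list)
    for index, match in enumerate(PEM_RE.finditer(pem_text), 1):
        der = base64.b64decode("".join(match.group(1).split()))
        serial, subject = serial_and_subject(der)
        groups[subject].append((index, serial, hashlib.sha1(der).hexdigest()))
    return [entries for entries in groups.values() if len(entries) > 1]

def der_tlv(tag, body):                        # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_pem(serial, cn):                    # constructed, unsigned skeleton: not a real certificate
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, cn.encode()))))
    tbs = der_tlv(0x30, der_tlv(0xA0, b"\x02\x01\x02") + der_tlv(0x02, serial) + der_tlv(0x30, b"")
                  + name + der_tlv(0x30, b"") + name)
    der = der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (sample_pem(b"\x11\x22\x33", "Example AMT Root CA")
                 + sample_pem(b"\x44\x55\x66", "Example AMT Root CA") + sample_pem(b"\x77", "Another Example CA"))

if __name__ == "__main__":
    for entries in duplicate_subjects(SAMPLE_BUNDLE):
        print(*(f"entry {i}: serial={s} sha1={h}" for i, s, h in entries), sep="\n")
```

Entries with equal fingerprints are byte-identical copies; entries with the same subject but different serials are the case where the serial number decides which one to keep.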

 

I hope this helps you! If you have solved another log entry, this is a good place to comment on it.

 

=)

 

Javier Andres Caceres Alvis