Severe issue in build 49

I spent all day making build 49 work with a partner (Kingfisher) who uses GIS/PsHttpClientAdapter with AS2 version 1.2.

I can successfully receive any message, but I receive this error when sending (using either 3DES or none).


[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound transmission is a MDN [KingFisher - GranitoForte].
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN is the answer to AS2 message "mendelson_opensource_AS2-1465820802956-1@granitoforte_EDT-KITS-EASIER-PROD".
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN state is [processed/Error: authentication-failed].
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN details received from KingFisher: "Your message could not be processed."
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Inbound MDN is signed (SHA-1).
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Using certificate "EDT-Kingfisher PROD" to verify inbound MDN signature.
[Jun 13, 2016 2:26:44 PM] MOKOsi11505615549b55ba5node1EDT0KITS0EASIER0PROD@kitssb2bi1.grenoble.edt.fr: Digital signature of inbound MDN has been verified successful.

Reverting to build 47 saved my ass.

I am waiting for their log to see what was wrong. In the meantime, I suggest everyone stay on 47.

Comments

Permalink

Hi

I am facing the same issue with the same partner.
I can't find build 47 anymore.
Does anyone have a download link to provide?
Thanks

Permalink

Hello Fabrice,
I have it, but I don't want to post a public link here. PMs are not available in this forum; anyway, I found you on LinkedIn, please accept my connection.

Permalink

I compared the message header from build 47 with the one from build 49.
The field "disposition-notification-options" is lacking in build 49, which explains the problem.

Profile picture for user service
Permalink

Hello,

That is not the problem.

Please have a look at https://tools.ietf.org/html/rfc6211. Without the Algorithm Identifier Protection Attribute, the CMS is vulnerable to algorithm substitution attacks.

Other AS2 programs may have problems with this (see https://www-01.ibm.com/support/docview.wss?uid=swg1IT14005, returns an MDN with [processed/Error: authentication-failed]), but in our understanding it makes sense to implement this feature.

Regards
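Added illustration, not part of the original post and not mendelson's code: a minimal Python check that lists the attribute OIDs in a DER-encoded CMS signedAttrs block and reports whether the RFC 6211 attribute (id-aa-CMSAlgorithmProtection, 1.2.840.113549.1.9.52) is present, which is the difference the reply above points to. The function names and sample bytes are constructed for this example; extracting signedAttrs from a real message is assumed to have been done beforehand.

```python
OID_CMS_ALGORITHM_PROTECTION = "1.2.840.113549.1.9.52"  # RFC 6211

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:  # base-128 subidentifiers, high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signed_attribute_oids(signed_attrs):
    """Return the attribute type OIDs in a DER signedAttrs (tag 0xA0 or 0x31)."""
    tag, body, _ = read_tlv(signed_attrs, 0)
    if tag not in (0xA0, 0x31):
        raise ValueError("not a signedAttrs SET")
    oids, pos = [], 0
    while pos < len(body):
        tag, attr, pos = read_tlv(body, pos)
        oid_tag, oid, _ = read_tlv(attr, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Attribute")
        oids.append(decode_oid(oid))
    return oids

def has_algorithm_protection(signed_attrs):
    return OID_CMS_ALGORITHM_PROTECTION in signed_attribute_oids(signed_attrs)

def tlv(tag, *parts):  # builds the constructed samples below (not real AS2 data)
    body = b"".join(bytes.fromhex(p) if isinstance(p, str) else p for p in parts)
    return bytes([tag, len(body)]) + body  # short-form length only

# contentType = id-data, and cmsAlgorithmProtection = {sha1, [1] rsaEncryption}
CONTENT_TYPE = tlv(0x30, "06092a864886f70d010903", tlv(0x31, "06092a864886f70d010701"))
ALG_PROTECTION = tlv(0x30, "06092a864886f70d010934", tlv(0x31, tlv(0x30,
    tlv(0x30, "06052b0e03021a"), tlv(0xA1, "06092a864886f70d010101", "0500"))))
WITHOUT_ATTR, WITH_ATTR = tlv(0xA0, CONTENT_TYPE), tlv(0xA0, CONTENT_TYPE, ALG_PROTECTION)
```

Running `signed_attribute_oids` on the signedAttrs of a message produced by each build shows whether the attribute is the only difference the partner's receiver sees.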

Permalink

Hello Alberto,

Could you please share the setup of build 47 (you can add me on LinkedIn - Andraž Franjko)?

I am facing the same issue with build 49, but I wouldn't like to go back to build 39 which I was using before the update.

Profile picture for user service
Permalink

Hello,

Please ask your partner to update his AS2 software - that's the better way.

Regards

Permalink

Hello,

Thanks for the feedback. Nevertheless, asking our partners to update or change their AS2 software does not seem a viable option.
Could you not add an option to mendelson that allows disabling this feature?

Regards

Permalink

OpenAS2 has that option in their configuration files. I attempted to implement the same feature in Mendelson Opensource AS2 by adding the option in the database and the partner configuration screen. Still testing.