Intermittent SEC_E_INVALID_TOKEN (0x80090308) when performing SSH requests

0

I'm currently working with a client (a government institution) to automate some data gathering, and I've written some python scripts to gather data from a REST API. The client is behind a corporate firewall, which traps malicious traffic (viruses, EXE-files etc.), and they have a self-signed root CA certificate MITM setup, which may (or may not) be relevant.

I can get my script to run, but every now and then any ssh request from Python or curl throws a SEC_E_INVALID_TOKEN (0x80090308) error. As this happens with curl I don't believe the core issue has to do with the way my Python script is hitting the REST API, so for the purpose of this question my focus is on getting this to work with curl. Here's an example of the output when running curl against postman-echo.com:

C:\>curl -v "https://postman-echo.com/get?foo1=bar1&foo2=bar2" --ssl-no-revoke
*   Trying 52.205.69.90...
* TCP_NODELAY set
* Connected to postman-echo.com (52.205.69.90) port 443 (#0)
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: sending initial handshake data: sending 172 bytes...
* schannel: sent initial handshake data: sent 172 bytes
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 950
* schannel: encrypted data buffer: offset 950 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
* Closing connection 0
* schannel: shutting down SSL/TLS connection with postman-echo.com port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid

For some reason, opening/refreshing any HTTPS page in Chrome or Internet Explorer (for example https://en.wikipedia.org) 'fixes' the issue for a period of time (about 15-20 minutes), and the same request succeeds:

C:\>curl -v "https://postman-echo.com/get?foo1=bar1&foo2=bar2" --ssl-no-revoke
*   Trying 52.205.69.90...
* TCP_NODELAY set
* Connected to postman-echo.com (52.205.69.90) port 443 (#0)
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: sending initial handshake data: sending 172 bytes...
* schannel: sent initial handshake data: sent 172 bytes
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 2372
* schannel: encrypted data buffer: offset 2372 length 4096
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 379
* schannel: encrypted data buffer: offset 379 length 4096
* schannel: sending next handshake data: sending 158 bytes...
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 2/3)
* schannel: encrypted data got 258
* schannel: encrypted data buffer: offset 258 length 4096
* schannel: SSL/TLS handshake complete
* schannel: SSL/TLS connection with postman-echo.com port 443 (step 3/3)
* schannel: stored credential handle in session cache
> GET /get?foo1=bar1&foo2=bar2 HTTP/1.1
> Host: postman-echo.com
> User-Agent: curl/7.55.1
> Accept: */*
>
* schannel: client wants to read 102400 bytes
* schannel: encdata_buffer resized 103424
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: encrypted data got 692
* schannel: encrypted data buffer: offset 692 length 103424
* schannel: decrypted data length: 367
* schannel: decrypted data added: 367
* schannel: decrypted data cached: offset 367 length 102400
* schannel: encrypted data length: 296
* schannel: encrypted data cached: offset 296 length 103424
* schannel: decrypted data length: 267
* schannel: decrypted data added: 267
* schannel: decrypted data cached: offset 634 length 102400
* schannel: encrypted data buffer: offset 0 length 103424
* schannel: decrypted data buffer: offset 634 length 102400
* schannel: schannel_recv cleanup
* schannel: decrypted data returned 634
* schannel: decrypted data buffer: offset 0 length 102400
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Date: Tue, 11 Jun 2019 14:41:35 GMT
< ETag: W/"10b-bqF3nfSuAfjsSY6h8GyvTWVSS1o"
< Server: nginx
< set-cookie: sails.sid=s%3A3IRHG8EjQ8nmP28zAPeiCq4r6N39xt4D.NVeHhJ3pg1XfHs4c3CiM3H%2FNcf%2FRwrK7u5eOgofeOaE; Path=/; HttpOnly
< Vary: Accept-Encoding
< Content-Length: 267
< Age: 0
< Via: HTTPS/1.1 [cache]
<
{"args":{"foo1":"bar1","foo2":"bar2"},"headers":{"x-forwarded-proto":"https","host":"postman-echo.com","accept":"*/*","user-agent":"curl/7.55.1","via":"HTTPS/1.1 na-cachec01 0A650164","x-forwarded-port":"443"},"url":"https://postman-echo.com/get?foo1=bar1&foo2=bar2"}* Connection #0 to host postman-echo.com left intact

This is of course not very satisfactory, as I'm unable to automate the process (I have 'fixed' it by pausing on error, asking the user to refresh a webpage in a browser, but this is not sustainable in the long term).

I need to have some notion about what's going on to be able to escalate this further within the organisation, and at the moment I really have no idea, so any help would be appreciated.

I've found these these questions relating to the same error code, which have not been resolved, and thus aren't helping unfortunately.

Edit: Found this with exactly the same issue, but also no resolution.

windows-10
ssh
curl
asked on Super User Jun 18, 2019 by Johan Kåhrström • edited Jun 18, 2019 by Johan Kåhrström

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0