Re: PicoLisp SSL Problem

2012-02-15 Thread Thorsten
Alexander Burger  writes:

Hi Alex,

>https://wiki.picolisp.com

I tried it on the wiki with Firefox 10: first Firefox complains about
the self-signed certificate, and then it doesn't connect after a security
exception has been defined.

But I have no idea what the problem may be, unfortunately.

Cheers,
Thorsten

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Henrik,

> Could it be that they come with new default settings/behavior making
> them simply reject sites using self signed certs?

That's quite possible. However, I tried to inspect the settings with them
on the phone, but nothing showed up.

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Jon Kleiser

Hi Alex,

I had no problem connecting to https://wiki.picolisp.com when using 
Safari 5.1.2 on my Mac, but with Firefox 10.0.1 and Chrome 17.0.963.46 I 
got "connection was reset" and got no further.


/Jon


On 2/15/12 8:00 AM, Alexander Burger wrote:

Hi all,

since Firefox 10 (Windows) is out, some of my customers complain that
they can't access their PicoLisp applications via SSL any longer. At
least one also reports the same for Safari.

They can't access even the application's start page. The browser refuses
to connect.

I've already generated new (self-signed) certificates, but this didn't
help. Could it be 'httpGate'?

Does anybody have an idea? I can't reproduce the problem here, and the
browser's error messages are not helpful at all.

The problem might be reproduced also on the demo app

https://app.7fach.de

or also on the Wiki

https://wiki.picolisp.com

though the latter is not covered by the certificate's Common Name (as it
is for "*.7fach.de").

Why does this happen only with new browsers? I suspect something might
be wrong with 'httpGate', though it worked during the last 10 years
without problems.

Cheers,
- Alex




Re: PicoLisp SSL Problem

2012-02-15 Thread dexen deVries
On Wednesday 15 of February 2012 14:45:00 you wrote:
> Could it be that they come with new default settings/behavior making
> them simply reject sites using self signed certs?

There are two problems at once:
1) the cert is self-signed, but you can add an exception for it and that's OK
2) the cert only covers *.7fach.de domains. So `app.7fach.de' is covered, but
bare `7fach.de' is not, and neither is `wiki.picolisp.com'

Perhaps strangely, in the case of wildcard certificates, the important part is the
`Certificate Subject Alt Name' field. For example, one of my websites has:

DNS Name: *.example.pl
DNS Name: example.pl

that is, both *.DOMAIN.pl and DOMAIN.pl

You can put several records here, so that *.7fach.de, 7fach.de, picolisp.com
and *.picolisp.com are all covered.


Cheers,
-- 
dexen deVries

[[[↓][→]]]

Already many of the mutants disguised as human beings are walking the streets 
of Earth's cities.
 -- Music Instructor, ``Electro City''
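Added example (not from this thread, and not PicoLisp or httpGate code): a small Python check of which hostnames a certificate's DNS names cover, applying the wildcard rules browsers use, so that the coverage gap described above for `7fach.de' and `wiki.picolisp.com' can be verified before a certificate is deployed. The two certificate dictionaries are constructed in the shape Python's ssl.getpeercert() returns; they are not real certificates, and all function names are this example's own.

```python
def _san_dns_names(cert):
    """DNS names of a certificate dict shaped like ssl.getpeercert() output.

    Per RFC 6125 the Common Name is consulted only when the certificate has
    no DNS entries in its subjectAltName at all.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Wildcard rules of RFC 6125 section 6.4.3 as browsers apply them: '*' is
    honoured only as the entire left-most label, it stands for exactly one
    label, and it never covers the bare domain (so '*.7fach.de' does not
    cover '7fach.de').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # partial wildcards such as 'app*.7fach.de' are not accepted
    if len(p_labels) < 3:
        return False  # '*.de' would cover a whole top-level domain; reject
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands for exactly one label
    return h_labels[1:] == p_labels[1:]


def covered_by(cert, hostname):
    """True if a browser would accept this certificate for the hostname."""
    return any(_matches(name, hostname) for name in _san_dns_names(cert))


def uncovered_hosts(cert, hostnames):
    """The hostnames a browser would refuse for this certificate."""
    return [h for h in hostnames if not covered_by(cert, h)]


# Constructed certificate dicts (shape of ssl.getpeercert(); not real certificates).
WILDCARD_ONLY_CERT = {
    "subject": ((("commonName", "*.7fach.de"),),),
    "subjectAltName": (("DNS", "*.7fach.de"),),
}
FULL_SAN_CERT = {
    "subject": ((("commonName", "*.7fach.de"),),),
    "subjectAltName": (("DNS", "*.7fach.de"), ("DNS", "7fach.de"),
                       ("DNS", "picolisp.com"), ("DNS", "*.picolisp.com")),
}
HOSTS = ["app.7fach.de", "7fach.de", "wiki.picolisp.com", "picolisp.com"]

if __name__ == "__main__":
    print("wildcard-only cert leaves uncovered:", uncovered_hosts(WILDCARD_ONLY_CERT, HOSTS))
    print("full SAN cert leaves uncovered:", uncovered_hosts(FULL_SAN_CERT, HOSTS))
```

Run as a script it reports that the wildcard-only certificate leaves `7fach.de', `wiki.picolisp.com' and `picolisp.com' uncovered, while the certificate carrying all four SAN entries covers every host in the list.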


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:28:23AM +0100, dexen deVries wrote:
> On Wednesday 15 of February 2012 14:45:00 you wrote:
> > Could it be that they come with new default settings/behavior making
> > them simply reject sites using self signed certs?
> 
> There are two problems at once:
> 1) the cert is self-signed, but you can add exception for it and that's OK
> 2) the cert only covers *.7fach.de domains. So `app.7fach.de' is covered, but 
> bare `7fach.de' is not, and neither is `wiki.picolisp.com'

Now Thorsten and I made an experiment. I 'strace'd 'httpGate' while he
tried to connect.

What I could see was that 'httpGate' does an accept() on the connection,
but nothing else.

So this means that the certificate isn't sent at all!

The problem must be somewhere with the OpenSSL library or how it is
called by 'httpGate'.

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
"So this means, that the certificate isn't sent at all!"

So earlier versions of, for instance, FF accept this, but with
version 10 it's a no-go?





Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:28:23AM +0100, dexen deVries wrote:
> 
> Perhaps strangely, in case of wildcard certificates, the important part is 
> the 
> `Certificate Subject Alt Name' field. For example, one of my websites has:
> 
> DNS Name: *.example.pl
> DNS Name: example.pl
> 
> that is, both *.DOMAIN.pl and DOMAIN.pl
> 
> You can put several records here, so both *.7fach.de, 7fach.de, picolisp.com 
> and *.picolisp.com are covered.

Thanks Dexen. Yes, I know about the subject alternative names, but didn't
go deeper into them yet. However, this is probably not the current
connection problem.

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
> What I could see was that 'httpGate' does an accept() on the connection,
> but nothing else.
> 
> So this means, that the certificate isn't sent at all!

Forget that. I traced the wrong process :(

The certificate is probably indeed sent.

- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Henrik,

> "So this means, that the certificate isn't sent at all!"
> 
> So earlier versions of for instance FF accepts this fact but with
> version 10 it's a no go?

Sorry, I've just noticed my error (see my other post). I'm not sure what
actually happens.

Question to those who can reproduce the problem: Can you actually see
the parameters of the certificate? If so, it must have been downloaded
(and rejected).

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread dexen deVries
On Wednesday 15 of February 2012 11:12:32 you wrote:
> On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
> > What I could see was that 'httpGate' does an accept() on the connection,
> > but nothing else.
> > 
> > So this means, that the certificate isn't sent at all!
> 
> Forget that. I traced the wrong process :(
> 
> The certificate is probably indeed sent.

Output from tcpdump and Konqueror suggests the cert is sent all right.

There's that `ssldump' tool that dumps the content of an HTTPS session; it could help.

-- 
dexen deVries

[[[↓][→]]]

Already many of the mutants disguised as human beings are walking the streets 
of Earth's cities.
 -- Music Instructor, ``Electro City''


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
When I install Tamper (google "firefox addon tamper") in FF 10 and
access the https version of the wiki Tamper reports the request as
"pending".

This seems to indicate that nothing is returned from the server, i.e.
that FF 10 sends something that breaks the SSL handling (and more)
server side.






Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
Yes, if FF blocks the result before Tamper gets to access it then what
I said above is not correct, that is the big caveat.




Re: PicoLisp SSL Problem

2012-02-15 Thread Randall Dow
Look at this:

http://forums.mozillazine.org/viewtopic.php?f=38&t=2416901

--
Rand





Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Randall,

> http://forums.mozillazine.org/viewtopic.php?f=38&t=2416901

Thanks. But ... does this really address the same problem? I don't know
whether a web filter is involved in the problematic cases.

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
From: https://bugzilla.mozilla.org/show_bug.cgi?id=702111

"FF 9:
- continues by sending *TWO* SSLRecords with application data, 32
bytes, then 304 bytes
- server closes the connection"

This is completely different behavior from version 8:

"FF 8:
- continues by sending a single SSLRecord with application data, 368 bytes
- server responds with a single SSLRecord with application data, 352 bytes"



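Added example, not from this thread and not httpGate code: a Python parser for the TLS record layer (the 5-byte header of content type, protocol version and length that precedes every record) run over two constructed byte streams shaped like the bugzilla description quoted above, one stream carrying the request as a single application-data record and one carrying it split into a 32-byte record followed by the rest. The payloads are left in the clear purely for illustration (in a real session they are ciphertext, which is also why the quoted sizes do not add up to the plaintext length); the request text and all function names are this example's own. It shows why a request reader behind TLS has to concatenate application data across records instead of treating the first record as the whole request.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
APPLICATION_DATA = 23
MAX_RECORD_BODY = 2 ** 14 + 2048  # upper bound on a TLSCiphertext fragment


def make_record(content_type, payload, version=(3, 1)):
    """Build one TLS record: 1-byte type, 2-byte version ((3, 1) = TLS 1.0), 2-byte length, body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def parse_records(stream):
    """Split a byte stream into (type_name, version, body) tuples, rejecting malformed input."""
    records = []
    offset = 0
    while offset < len(stream):
        header = stream[offset:offset + 5]
        if len(header) < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        if ctype not in CONTENT_TYPES:
            raise ValueError("unknown content type %d at offset %d" % (ctype, offset))
        if length > MAX_RECORD_BODY:
            raise ValueError("oversized record (%d bytes) at offset %d" % (length, offset))
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((CONTENT_TYPES[ctype], (major, minor), body))
        offset += 5 + length
    return records


def is_well_formed(stream):
    """True if the whole stream parses as complete, valid records."""
    try:
        parse_records(stream)
        return True
    except ValueError:
        return False


def record_sizes(stream):
    """Body sizes of the records in a stream, e.g. [368] versus [32, 336]."""
    return [len(body) for _, _, body in parse_records(stream)]


def application_data(stream):
    """What a correct reader does: concatenate every application_data body."""
    return b"".join(body for name, _, body in parse_records(stream) if name == "application_data")


def first_record_only(stream):
    """What a fragile reader does: treat the first record's body as the whole request."""
    return parse_records(stream)[0][2]


# Constructed 368-byte HTTP request (the size quoted for FF 8's single record).
_head = (b"GET /index.html HTTP/1.1\r\n"
         b"Host: app.7fach.de\r\n"
         b"User-Agent: constructed-example\r\n")
_pad = 368 - len(_head) - len(b"X-Pad: \r\n\r\n")
REQUEST = _head + b"X-Pad: " + b"a" * _pad + b"\r\n\r\n"
assert len(REQUEST) == 368

# Stream shaped like the FF 8 description: one application-data record with the whole request.
SINGLE_RECORD_STREAM = make_record(APPLICATION_DATA, REQUEST)
# Stream shaped like the FF 9 description: a 32-byte application-data record, then the rest.
SPLIT_RECORD_STREAM = (make_record(APPLICATION_DATA, REQUEST[:32])
                       + make_record(APPLICATION_DATA, REQUEST[32:]))

if __name__ == "__main__":
    for label, stream in (("single", SINGLE_RECORD_STREAM), ("split", SPLIT_RECORD_STREAM)):
        print(label, record_sizes(stream),
              "first-record-only complete:", first_record_only(stream) == REQUEST,
              "reassembled complete:", application_data(stream) == REQUEST)
```

For the split stream the first record holds only "GET /index.html HTTP/1.1\r\nHost: ", so a reader that stops after the first record never sees a complete request, whereas reassembling the application data recovers the same 368 bytes from either stream.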


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
I think the discussion on the aforementioned bugzilla page relates to
issues that have nothing to do with web filters and such.

The browser behavior has changed it seems.




Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 06:46:05PM +0700, Henrik Sarvell wrote:
> I think the discussion on the aforementioned bugzilla page relates to
> issues that have nothing to do with web filters and such.
> 
> The browser behavior has changed it seems.

I'm wondering whether it might have to do with the different SSL/TLS
versions (line 177 in "src/httpGate.c")

  if (!(ctx = SSL_CTX_new(SSLv23_server_method())) ||

or the lack of a CA certificate (because it is self-signed), i.e.
because a call to SSL_CTX_load_verify_locations() is missing.

- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread José Romero
I have checked both with FF10 and chromium and could see a problem in
both. In FF, I got an unhelpful "connection reset" error, while
chromium had me skipping the certificate twice before it worked. It all
points to a protocol error: either the browsers are now doing something
nonstandard, or you cut some corner (or relied on something nonstandard
clients used to do) when you implemented the proxy originally and they
came back to haunt you.

Perhaps there is a light reverse proxy like tinyproxy or something like
that you could put in front of httpgate to temporarily solve the
problem for now?

Cheers,
José


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi José,

> points to a protocol error, either the browsers are now doing something
> nonstandard or you cut some corner (or relied on something nonstandard
> clients used to do) when you implemented the proxy originally and they
> came back to haunt you.

Yeah, that's what I'm suspecting too. But what?


> Perhaps there is a light reverse proxy like tinyproxy or something like
> that you could put in front of httpgate to temporarily solve the
> problem by now?

Thanks. 'tinyproxy' looks indeed nice.

However, I think it is quite difficult to get it to run in front of
'httpGate', because 'httpGate' would then run in plain (non-SSL) mode
and would not do the proper URL rewriting necessary for the server. In
effect, the connection would then run unencrypted after the first page.

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Tamas Herman
Beware of tinyproxy.
I used it for a while 2-3 years ago as a regular web proxy,
but it was very unstable.
Just put an nginx in reverse proxy mode in front of pil.

-- 
  tom



Re: PicoLisp SSL Problem

2012-02-15 Thread Tomas Hlavaty
Hi Alex,

you could try nginx as Tamas suggested and see if you get the same
problem.

Tamas Herman  writes:
> just put an nginx in reverse proxy mode in front of pil.

A sample configuration is at
.  It should
work the same as httpGate, passing the right parameters iirc.

Cheers,

Tomas


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Tomas,

> you could try nginx as Tamas suggested and see if you get the same
> problem.
> 
> Tamas Herman  writes:
> > just put an nginx in reverse proxy mode in front of pil.

Yes, but as I tried to explain in my previous mail, it won't work with
the application server. It depends on 'httpGate' rewriting parts of the
HTTP header, and inserting certain PicoLisp-specific "new" headers,
which would not work if 'httpGate' believes it is working unencrypted.


> A sample configuration is at
> .  It should
> work same as httpGate passing the right parameters iirc.

Perhaps, if it were running stand-alone. But not with the whole
app-server machinery.


Meanwhile, I'm wondering whether the observed problems might have
anything to do with the fact that PicoLisp (and httpGate) run in IPv6
hybrid mapped addresses mode. Perhaps some browsers suddenly can't cope
with that? Just an idea ...

Cheers,
- Alex


Re: PicoLisp SSL Problem

2012-02-15 Thread Tomas Hlavaty
Hi Alex,

> Yes, but as I tried to explain in my previous mail, it won't work with
> the application server. It depends on 'httpGate' rewriting parts of
> the HTTP header, and inserting certain PicoLisp-specific "new"
> headers, which would not work if 'httpGate' believes to work
> unencrypted.  Perhaps, if it were running stand-alone. But not with
> the whole app-server machinery.

>> A sample configuration is at
>> .  It should
>> work same as httpGate passing the right parameters iirc.

as described on that web page, you can configure nginx to set the
headers exactly like httpGate!  I used it instead of httpGate
successfully.  See that part where it says:

# pass the original Host and tell PicoLisp the scheme and client address, as httpGate does
proxy_set_header  Host $host;
proxy_set_header  Gate "$scheme $remote_addr";
proxy_pass        http://127.0.0.1:1234;

Also:

  # map /<port>/<path> to the PicoLisp server listening on <port>
  if ($request_filename ~* /([0-9]+)/?(.*)) {
    set $gate   http://127.0.0.1:$1/$2$is_args$args;
  }
  proxy_set_header  Host $host;
  proxy_set_header  Gate "$scheme $remote_addr";
  proxy_pass        $gate;

etc.  That's what httpGate does.

> Meanwhile, I'm wondering whether the observed problems might have
> anything to do with the fact that PicoLisp (and httpGate) run in IPv6
> hybrid mapped addresses mode. Perhaps some browsers suddenly can't
> cope with that? Just an idea ...

That could well be, but I suppose you could easily check that;-)

Cheers,

Tomas


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Tomas,

> as described on that web page, you can configure nginx to set the
> headers exactly like httpGate!  I used it instead of httpGate

OK, thanks. Good to know.

However, I need to solve the original problem, not have a quick and
dirty fix. I can't risk changing a production system that more than 30
people in three countries work on.

For the moment, the problem is alleviated as all users either

   - didn't install the new version of FF yet
   - reverted to an older version of FF
   - or use IE or Safari for now

(Safari works, as opposed to what I understood initially).

Thanks anyway!

Cheers,
- Alex