Re: PicoLisp SSL Problem (SOLVED)

2012-03-20 Thread Alexander Burger
Hi all,

On Wed, Feb 15, 2012 at 08:00:10AM +0100, Alexander Burger wrote:
 since Firefox 10 (Windows) is out, some of my customers complain that
 they can't access their PicoLisp applications via SSL any longer.

Now, after installing Firefox 10 (Debian wheezy) myself, I could
reproduce the problem. I traced it down and finally found the reason!

It does not directly have to do with SSL, nor with the certificate or
BEAST issues!

It has to do with the way Firefox 10 writes the stream of HTTP
transaction data to the server. If the connection is via SSL, Firefox
seems to always send a single byte first for each block of data, and
then the rest. That is, SSL_read() must be called twice, yielding first
a single character (e.g. 'P' if the transaction is POST), and then the
rest of the HTTP header (200 - 300 bytes).

I don't know why this is the case. Perhaps a bug in Firefox? At least it
is rather inefficient.

In any case, it made 'httpGate' choke, because 'httpGate' did a kind of
deep inspection of the data stream to rewrite URLs for HTTP/1.1
Keep-Alive transactions.

So I removed this stream monitoring from 'httpGate', and handle it on
the Lisp level in lib/http.l. This is more appropriate anyway;
probably it was bad design to have 'httpGate' handle it in this way.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
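Seen from the server, the two-call behaviour Alex describes above (a one-byte record, then the rest of the header) is simply a partial read, and the lesson is not to assume that one SSL_read() returns a complete HTTP header. The C program below is an added example, not code from httpGate or lib/http.l: it uses a reader callback in the shape of SSL_read(), a constructed client that splits the request exactly as the thread describes (first byte alone, then the remainder), and compares a one-read header check with an accumulating one that reads until the blank line ending the header. The sample request, the fake client and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reader callback in the shape of SSL_read(): fills buf with at most len
 * bytes, returns the byte count, 0 at end of stream, negative on error. */
typedef int (*read_fn)(void *ctx, char *buf, size_t len);

/* Constructed stand-in for the Firefox 10 behaviour described in the thread:
 * with split == 1 the first byte of the request is delivered alone and the
 * remainder on the next call; with split == 0 everything arrives at once. */
struct fake_client {
    const char *data;
    size_t len, pos;
    int split;
};

static int fake_read(void *ctx, char *buf, size_t len)
{
    struct fake_client *c = ctx;
    if (c->pos >= c->len)
        return 0;                            /* end of stream */
    size_t n = c->split ? 1 : c->len - c->pos;
    c->split = 0;                            /* only the first byte is split off */
    if (n > len)
        n = len;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return (int)n;
}

/* Constructed sample request (not captured traffic): a 65-byte header
 * followed by a 5-byte body. */
static const char SAMPLE_REQUEST[] =
    "POST /app HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello";

/* The fragile pattern: one read, then treat the buffer as the whole header. */
static int naive_is_post(read_fn rd, void *ctx)
{
    char buf[512];
    int n = rd(ctx, buf, sizeof buf - 1);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    return strncmp(buf, "POST ", 5) == 0;    /* a split client shows only "P" */
}

/* Keep reading until the blank line that terminates the HTTP header.
 * Returns the header length including "\r\n\r\n", or -1 if the stream ends
 * or the buffer fills first. *total receives all bytes read, so
 * buf[hdr_len .. *total) is the start of the body (relevant for POST). */
int read_http_header(read_fn rd, void *ctx, char *buf, size_t cap, size_t *total)
{
    size_t got = 0;
    while (got < cap - 1) {
        int n = rd(ctx, buf + got, cap - 1 - got);
        if (n <= 0)
            return -1;
        got += (size_t)n;
        buf[got] = '\0';
        char *end = strstr(buf, "\r\n\r\n");
        if (end) {
            *total = got;
            return (int)(end - buf) + 4;
        }
    }
    return -1;                               /* header too long or truncated */
}

/* Each scenario runs on a fresh client so the results are independent. */
int demo_naive(int split)
{
    struct fake_client c = { SAMPLE_REQUEST, sizeof SAMPLE_REQUEST - 1, 0, split };
    return naive_is_post(fake_read, &c);
}

int demo_robust(int split)
{
    struct fake_client c = { SAMPLE_REQUEST, sizeof SAMPLE_REQUEST - 1, 0, split };
    char buf[512];
    size_t total;
    if (read_http_header(fake_read, &c, buf, sizeof buf, &total) < 0)
        return 0;
    return strncmp(buf, "POST ", 5) == 0;
}

int demo_header_len(int split)
{
    struct fake_client c = { SAMPLE_REQUEST, sizeof SAMPLE_REQUEST - 1, 0, split };
    char buf[512];
    size_t total;
    return read_http_header(fake_read, &c, buf, sizeof buf, &total);
}

/* Body bytes that arrived in the same buffer as the header, or -1 on failure. */
int demo_body_buffered(int split)
{
    struct fake_client c = { SAMPLE_REQUEST, sizeof SAMPLE_REQUEST - 1, 0, split };
    char buf[512];
    size_t total;
    int hl = read_http_header(fake_read, &c, buf, sizeof buf, &total);
    return hl < 0 ? -1 : (int)(total - (size_t)hl);
}

int main(void)
{
    printf("one read, split client:      POST seen = %d\n", demo_naive(1));
    printf("read to end of header:       POST seen = %d\n", demo_robust(1));
    printf("header length = %d\n", demo_header_len(1));
    printf("body bytes already buffered = %d\n", demo_body_buffered(1));
    return 0;
}
```

The accumulating reader also reports where the body starts, which matters for a POST whose first body bytes arrive in the same record as the end of the header; the naive version silently loses that information as well as misreading the method.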


Re: PicoLisp SSL Problem

2012-02-16 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:44:01PM +0100, Alexander Burger wrote:
 Meanwhile, I'm wondering whether the observed problems might have
 anything to do with the fact that PicoLisp (and httpGate) run in IPv6
 hybrid mapped addresses mode. Perhaps some browsers suddenly can't cope
 with that? Just an idea ...

No, that's not the reason.

We tested with the old IPv6 version (before October 2011), and Firefox
refuses to connect here too.

I've also asked in #firefox, without results :(
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Thorsten
Thorsten quintf...@googlemail.com writes:

 Alexander Burger a...@software-lab.de writes:

 On Wed, Feb 15, 2012 at 09:44:01PM +0100, Alexander Burger wrote:

One more try. 

from:
http://code.google.com/p/chromium/issues/detail?id=98101#c31

 Comment 8 by a...@chromium.org, Oct 12, 2011 
,
|Yes, requests will be in multiple records from now on. See
|http://www.imperialviolet.org/2011/09/23/chromeandbeast.html Firefox
|will make this change in an upcoming release and Microsoft are expected
|to do the same.
`

again, just ignore it if it's completely off-topic ...
cheers
Thorsten

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Alexander Burger
Hi Thorsten,

 (from http://www.gossamer-threads.com/lists/nsp/foundry/33310)

Yes, it looks indeed suspiciously similar.

Unfortunately, I still don't know how to fix it ;-)

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Alexander Burger
Hi Thorsten,

 http://code.google.com/p/chromium/issues/detail?id=98101#c31
 
  Comment 8 by a...@chromium.org, Oct 12, 2011 
 ,
 |Yes, requests will be in multiple records from now on. See

I have no idea what "multiple records" means in this context.

 |http://www.imperialviolet.org/2011/09/23/chromeandbeast.html Firefox

So we are back to the BEAST issue (also mentioned by Randall in this
thread a few days ago).

Clueless,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Joe Bogner
More info on BEAST and a recent Microsoft security update that was pushed
out for it:

http://technet.microsoft.com/en-us/security/bulletin/ms12-006

http://www.securitynewsdaily.com/1077-beast-hack.html

My bet is that the update is what caused it to break.

On Thu, Feb 16, 2012 at 9:01 AM, Joe Bogner joebog...@gmail.com wrote:

 You can see some interesting analysis on the certificate here:
 https://www.ssllabs.com/ssldb/analyze.html?d=https://app.7fach.de

 It mentions being vulnerable to BEAST and offers this link
 https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
  .
 I haven't read through it.

 Have you tried using a signed certificate and/or adding the root cert to
 the trusted list? However, it looks like the BEAST issue is regardless of
 the cert. I suspect that's the cause.

 I can't connect with IE8 or Chrome on Windows so it might be that some
 windows update came along and updated my underlying SSL stack. I can't
 confirm though whether it worked previously.

 On Thu, Feb 16, 2012 at 8:46 AM, Alexander Burger a...@software-lab.de wrote:

 Hi Thorsten,

  http://code.google.com/p/chromium/issues/detail?id=98101#c31
 
   Comment 8 by a...@chromium.org, Oct 12, 2011
 
 ,
  |Yes, requests will be in multiple records from now on. See

 I have no idea what "multiple records" means in this context.

  |http://www.imperialviolet.org/2011/09/23/chromeandbeast.html Firefox

 So we are back to the BEAST issue (also mentioned by Randall in this
 thread a few days ago).

 Clueless,
 - Alex
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe





Re: PicoLisp SSL Problem

2012-02-16 Thread Joe Bogner
You can see some interesting analysis on the certificate here:
https://www.ssllabs.com/ssldb/analyze.html?d=https://app.7fach.de

It mentions being vulnerable to BEAST and offers this link
https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls


Re: PicoLisp SSL Problem

2012-02-16 Thread Alexander Burger
Hi Joe,

 My bet is that the update is what caused it to break.

Looks so indeed!


The link from your previous mail is interesting:

   https://www.ssllabs.com/ssldb/analyze.html?d=https://app.7fach.de

If I understand the diagnosis right

   Protocols
   TLS 1.2                    No
   TLS 1.1                    No
   TLS 1.0                    Yes
   SSL 3.0                    Yes
   SSL 2.0+ upgrade support   Yes
   SSL 2.0   INSECURE         Yes

Then SSL 2.0 is a major problem.


To test it, I changed src/httpGate.c

   177c177
  if (!(ctx = SSL_CTX_new(SSLv23_server_method())) ||
   ---
  if (!(ctx = SSL_CTX_new(SSLv3_server_method())) ||
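Review bot: replacing SSLv23_server_method() with SSLv3_server_method() at line 177 does more than exclude SSL 2.0: it restricts the server to SSL 3.0 only, so TLS 1.0, which the ssllabs report quoted above lists as supported ("TLS 1.0 Yes"), is no longer offered, and a client that negotiates TLS will fail to connect. To drop SSL 2.0 while keeping version negotiation, leave line 177 as it was and add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);` once the context has been created.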

to use only SSL version 3 (not allowing 2, if I understand it right).


With that, https://app.7fach.de works for me (FF 3.5.15, w3m, chromium)
as well as ever. However, the ssllabs.com analyzer tells me:

   Assessment failed: Connection reset

   Common Error Messages

• Connect timed out - server did not respond to our connection request
• No route to host - unable to reach the server
• Unable to connect to server - failed to connect to the server
• Unrecognized SSL message, plaintext connection? - the server responded 
with plain-text HTTP on HTTPS port

   Known Issues

• Could not generate DH keypair - due to a known problem with the 
underlying SSL library (Sun's JSSE implementation)
  we are unable to assess the sites that only offer DHE handshakes stronger 
than 1024 bits.

How is THAT to understand? Can't it access SSLv3?

MoreAndMoreConfused,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Alexander Burger
On Thu, Feb 16, 2012 at 09:01:53AM -0500, Joe Bogner wrote:
 It mentions being vulnerable to BEAST and offers this link
 https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

This says:

   In terms of mitigation, I expect this problem will be largely
   addressed on the client side, despite a potential compatibility
   problem that may cause some TLS sites to stop working. The only
   reliable way to defend against BEAST is to prioritise RC4 cipher
   suites, as proposed by PhoneFactor.

   Just as an example, here's one way to do the above in Apache:

   SSLHonorCipherOrder On
   SSLCipherSuite RC4-SHA:HIGH:!ADH

Without real comprehension, I inserted into src/httpGate.c

   SSL_CTX_set_cipher_list(ctx, "RC4-SHA:HIGH:!ADH")

so that the total change is now:

   177c177
  if (!(ctx = SSL_CTX_new(SSLv23_server_method())) ||
   ---
  if (!(ctx = SSL_CTX_new(SSLv3_server_method())) ||
   180c180,181
  !SSL_CTX_check_private_key(ctx) 
) {
   ---
   !SSL_CTX_check_private_key(ctx) ||
   !SSL_CTX_set_cipher_list(ctx, RC4-SHA:HIGH:!ADH) ) {
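Review bot: the argument to SSL_CTX_set_cipher_list() in the second hunk (`!SSL_CTX_set_cipher_list(ctx, RC4-SHA:HIGH:!ADH) ) {`) appears without quotes; it must be a string literal, `"RC4-SHA:HIGH:!ADH"`, or the line will not compile. Testing the return value with `!` is the right pattern, since SSL_CTX_set_cipher_list() returns 1 when at least one cipher in the list is usable and 0 otherwise, so an unusable cipher list now aborts startup just as a mismatched private key does. The first hunk repeats the SSLv3_server_method() change from the earlier mail and has the same effect of dropping TLS 1.0 along with SSL 2.0.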

I don't know if this helps, though (as I can't reproduce the problem).
The ssllabs.com analyzer still complains, though.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-16 Thread Thorsten
Alexander Burger a...@software-lab.de writes:

 I don't know if this helps, though (as I can't reproduce the problem).
 The ssllabs.com analyzer still complains, though.

I tried the 7fach and the wiki urls you gave me again (FF10), and
unfortunately see the same error page as before. 

Cheers,
 - Thorsten

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Thorsten
Alexander Burger a...@software-lab.de writes:

Hi Alex,

https://wiki.picolisp.com

I tried it on the wiki with firefox 10, first firefox complains about
the self-signed certificate, and then doesn't connect after a security
exception has been defined.

But I have no idea, what the problem may be, unfortunately.

Cheers,
Thorsten

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Henrik,

 Could it be that they come with new default settings/behavior making
 them simply reject sites using self signed certs?

That's quite possible. However, I tried to inspect the settings with them
on the phone, but nothing showed up.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Jon Kleiser

Hi Alex,

I had no problem connecting to https://wiki.picolisp.com when using 
Safari 5.1.2 on my Mac, but with Firefox 10.0.1 and Chrome 17.0.963.46 I 
got "connection was reset" and got no further.


/Jon


On 2/15/12 8:00 AM, Alexander Burger wrote:

Hi all,

since Firefox 10 (Windows) is out, some of my customers complain that
they can't access their PicoLisp applications via SSL any longer. At
least one also reports the same for Safari.

They can't access even the application's start page. The browser refuses
to connect.

I've already generated new (self-signed) certificates, but this didn't
help. Could it be 'httpGate'?

Does anybody have an idea? I can't reproduce the problem here, and the
browser's error messages are not helpful at all.

The problem might be reproduced also on the demo app

https://app.7fach.de

or also on the Wiki

https://wiki.picolisp.com

though the latter is not covered by the certificate's Common Name (as it
is for *.7fach.de).

Why does this happen only with new browsers? I suspect something might
be wrong with 'httpGate', though it worked during the last 10 years
without problems.

Cheers,
- Alex


--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread dexen deVries
On Wednesday 15 of February 2012 14:45:00 you wrote:
 Could it be that they come with new default settings/behavior making
 them simply reject sites using self signed certs?

There are two problems at once:
1) the cert is self-signed, but you can add exception for it and that's OK
2) the cert only covers *.7fach.de domains. So `app.7fach.de' is covered, but 
bare `7fach.de' is not, and neither is `wiki.picolisp.com'

Perhaps strangely, in case of wildcard certificates, the important part is the 
`Certificate Subject Alt Name' field. For example, one of my websites has:

DNS Name: *.example.pl
DNS Name: example.pl

that is, both *.DOMAIN.pl and DOMAIN.pl

You can put several records here, so both *.7fach.de, 7fach.de, picolisp.com 
and *.picolisp.com are covered.


Cheers,
-- 
dexen deVries

[[[↓][→]]]

Already many of the mutants disguised as human beings are walking the streets 
of Earth's cities.
 -- Music Instructor, ``Electro City''
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
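The wildcard rule dexen describes above (a certificate for *.example.pl does not cover example.pl, and further dNSName entries cover the rest) can be stated precisely in code. The C program below is an added example, not code from httpGate or from any TLS library: it implements the rule browsers apply, that a leading "*." matches exactly one DNS label, and checks the host names from this thread against a constructed SAN list holding only *.7fach.de and against the extended list dexen proposes. The function names and both SAN lists are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names (DNS names are case-insensitive). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does one dNSName entry of the Subject Alt Name extension cover host?
 * A leading "*." stands for exactly one non-empty label, as browsers apply it:
 *   "*.7fach.de" covers "app.7fach.de"
 *   but not "7fach.de"     (no label in front of the suffix)
 *   and not "a.b.7fach.de" (two labels in front of it).
 * Any other entry must match the whole host name. */
int san_entry_covers(const char *entry, const char *host)
{
    if (strncmp(entry, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return name_eq(dot + 1, entry + 2);
    }
    return name_eq(entry, host);
}

/* A host is covered if any entry in the list covers it. */
int cert_covers(const char *const *san, size_t count, const char *host)
{
    for (size_t i = 0; i < count; i++)
        if (san_entry_covers(san[i], host))
            return 1;
    return 0;
}

/* Constructed SAN lists: the certificate as the thread describes it
 * (wildcard only) and the extended list dexen proposes. */
static const char *const SAN_WILDCARD_ONLY[] = { "*.7fach.de" };
static const char *const SAN_EXTENDED[] = {
    "*.7fach.de", "7fach.de", "*.picolisp.com", "picolisp.com"
};

int wildcard_only_covers(const char *host)
{
    return cert_covers(SAN_WILDCARD_ONLY,
                       sizeof SAN_WILDCARD_ONLY / sizeof *SAN_WILDCARD_ONLY, host);
}

int extended_covers(const char *host)
{
    return cert_covers(SAN_EXTENDED,
                       sizeof SAN_EXTENDED / sizeof *SAN_EXTENDED, host);
}

int main(void)
{
    const char *hosts[] = { "app.7fach.de", "7fach.de", "wiki.picolisp.com", "a.b.7fach.de" };
    for (size_t i = 0; i < sizeof hosts / sizeof *hosts; i++)
        printf("%-18s wildcard-only: %d  extended: %d\n", hosts[i],
               wildcard_only_covers(hosts[i]), extended_covers(hosts[i]));
    return 0;
}
```

The one-label rule is why the bare domain needs its own entry next to the wildcard, and why a wildcard never reaches a second-level host such as a.b.7fach.de.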


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:28:23AM +0100, dexen deVries wrote:
 On Wednesday 15 of February 2012 14:45:00 you wrote:
  Could it be that they come with new default settings/behavior making
  them simply reject sites using self signed certs?
 
 There are two problems at once:
 1) the cert is self-signed, but you can add exception for it and that's OK
 2) the cert only covers *.7fach.de domains. So `app.7fach.de' is covered, but 
 bare `7fach.de' is not, and neither is `wiki.picolisp.com'

Now Thorsten and I made an experiment. I 'strace'd 'httpGate' while he
tried to connect.

What I could see was that 'httpGate' does an accept() on the connection,
but nothing else.

So this means, that the certificate isn't sent at all!

The problem must be somewhere with the OpenSSL library or how it is
called by 'httpGate'.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
So this means, that the certificate isn't sent at all!

So earlier versions of, for instance, FF accept this fact, but with
version 10 it's a no go?



On Wed, Feb 15, 2012 at 3:47 PM, Alexander Burger a...@software-lab.de wrote:
 On Wed, Feb 15, 2012 at 09:28:23AM +0100, dexen deVries wrote:
 On Wednesday 15 of February 2012 14:45:00 you wrote:
  Could it be that they come with new default settings/behavior making
  them simply reject sites using self signed certs?

 There are two problems at once:
 1) the cert is self-signed, but you can add exception for it and that's OK
 2) the cert only covers *.7fach.de domains. So `app.7fach.de' is covered, but
 bare `7fach.de' is not, and neither is `wiki.picolisp.com'

 Now Thorsten and I made an experiment. I 'strace'd 'httpGate' while he
 tried to connect.

 What I could see was that 'httpGate' does an accept() on the connection,
 but nothing else.

 So this means, that the certificate isn't sent at all!

 The problem must be somewhere with the OpenSSL library or how it is
 called by 'httpGate'.

 Cheers,
 - Alex
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:28:23AM +0100, dexen deVries wrote:
 
 Perhaps strangely, in case of wildcard certificates, the important part is 
 the 
 `Certificate Subject Alt Name' field. For example, one of my websites has:
 
 DNS Name: *.example.pl
 DNS Name: example.pl
 
 that is, both *.DOMAIN.pl and DOMAIN.pl
 
 You can put several records here, so both *.7fach.de, 7fach.de, picolisp.com 
 and *.picolisp.com are covered.

Thanks Dexen. Yes, I know about the subject alternate names, but didn't
go deeper into them yet. However, this is probably not the current
connection problem.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
 What I could see was that 'httpGate' does an accept() on the connection,
 but nothing else.
 
 So this means, that the certificate isn't sent at all!

Forget that. I traced the wrong process :(

The certificate is probably indeed sent.

- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Henrik,

 So this means, that the certificate isn't sent at all!
 
 So earlier versions of, for instance, FF accept this fact, but with
 version 10 it's a no go?

Sorry, I've just noticed my error (see my other post). I'm not sure what
actually happens.

Question to those who can reproduce the problem: Can you actually see
the parameters of the certificate? If so, it must have been downloaded
(and rejected).

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread dexen deVries
On Wednesday 15 of February 2012 11:12:32 you wrote:
 On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
  What I could see was that 'httpGate' does an accept() on the connection,
  but nothing else.
  
  So this means, that the certificate isn't sent at all!
 
 Forget that. I traced the wrong process :(
 
 The certificate is probably indeed sent.

output from tcpdump and Konqueror suggests the cert is sent alright.

there's that `ssldump' tool that dumps content of HTTPS session, could help.

-- 
dexen deVries

[[[↓][→]]]

Already many of the mutants disguised as human beings are walking the streets 
of Earth's cities.
 -- Music Instructor, ``Electro City''
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
When I install Tamper (google firefox addon tamper) in FF 10 and
access the https version of the wiki Tamper reports the request as
pending.

This seems to indicate that nothing is returned from the server, i.e.
that FF 10 sends something that breaks the SSL handling (and more)
server side.




On Wed, Feb 15, 2012 at 5:15 PM, Alexander Burger a...@software-lab.de wrote:
 Hi Henrik,

 So this means, that the certificate isn't sent at all!

 So earlier versions of, for instance, FF accept this fact, but with
 version 10 it's a no go?

 Sorry, I've just noticed my error (see my other post). I'm not sure what
 actually happens.

 Question to those who can reproduce the problem: Can you actually see
 the parameters of the certificate? If so, it must have been downloaded
 (and rejected).

 Cheers,
 - Alex
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
Yes, if FF blocks the result before Tamper gets to access it then what
I said above is not correct, that is the big caveat.


On Wed, Feb 15, 2012 at 5:43 PM, dexen deVries dexen.devr...@gmail.com wrote:
 On Wednesday 15 of February 2012 11:12:32 you wrote:
 On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
  What I could see was that 'httpGate' does an accept() on the connection,
  but nothing else.
 
  So this means, that the certificate isn't sent at all!

 Forget that. I traced the wrong process :(

 The certificate is probably indeed sent.

 output from tcpdump and Konqueror suggests the cert is sent alright.

 there's that `ssldump' tool that dumps content of HTTPS session, could help.

 --
 dexen deVries

 [[[↓][→]]]

 Already many of the mutants disguised as human beings are walking the streets
 of Earth's cities.
  -- Music Instructor, ``Electro City''
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Randall Dow
Look at this:

http://forums.mozillazine.org/viewtopic.php?f=38t=2416901

--
Rand



On Feb 15, 2012, at 11:52 AM, Henrik Sarvell wrote:

 Yes, if FF blocks the result before Tamper gets to access it then what
 I said above is not correct, that is the big caveat.
 
 
 On Wed, Feb 15, 2012 at 5:43 PM, dexen deVries dexen.devr...@gmail.com 
 wrote:
 On Wednesday 15 of February 2012 11:12:32 you wrote:
 On Wed, Feb 15, 2012 at 09:47:48AM +0100, Alexander Burger wrote:
 What I could see was that 'httpGate' does an accept() on the connection,
 but nothing else.
 
 So this means, that the certificate isn't sent at all!
 
 Forget that. I traced the wrong process :(
 
 The certificate is probably indeed sent.
 
 output from tcpdump and Konqueror suggests the cert is sent alright.
 
 there's that `ssldump' tool that dumps content of HTTPS session, could help.
 
 --
 dexen deVries
 
 [[[↓][→]]]
 
 Already many of the mutants disguised as human beings are walking the 
 streets
 of Earth's cities.
  -- Music Instructor, ``Electro City''
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe

--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Henrik Sarvell
I think the discussion on the aforementioned bugzilla page relates to
issues that have nothing to do with web filters and such.

The browser behavior has changed it seems.


On Wed, Feb 15, 2012 at 6:32 PM, Alexander Burger a...@software-lab.de wrote:
 Hi Randall,

 http://forums.mozillazine.org/viewtopic.php?f=38t=2416901

 Thanks. But ... does this really address the same problem? I don't know
 whether a web filter is involved in the problematic cases.

 Cheers,
 - Alex
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
On Wed, Feb 15, 2012 at 06:46:05PM +0700, Henrik Sarvell wrote:
 I think the discussion on the aforementioned bugzilla page relates to
 issues that have nothing to do with web filters and such.
 
 The browser behavior has changed it seems.

I'm wondering whether it might have to do with the different SSL/TLS
versions (line 177 in src/httpGate.c)

  if (!(ctx = SSL_CTX_new(SSLv23_server_method())) ||

or the lack of a CA certificate (because it is self-signed), i.e.
because a call to SSL_CTX_load_verify_locations() is missing.

- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread José Romero
On Wed, 15 Feb 2012 08:00:10 +0100
Alexander Burger a...@software-lab.de wrote:

 Hi all,
 
 since Firefox 10 (Windows) is out, some of my customers complain that
 they can't access their PicoLisp applications via SSL any longer. At
 least one also reports the same for Safari.
 
 They can't access even the application's start page. The browser
 refuses to connect.
 
 I've already generated new (self-signed) certificates, but this didn't
 help. Could it be 'httpGate'?
 
 Does anybody have an idea? I can't reproduce the problem here, and the
 browser's error messages are not helpful at all.
 
 The problem might be reproduced also on the demo app
 
https://app.7fach.de
 
 or also on the Wiki
 
https://wiki.picolisp.com
 
 though the latter is not covered by the certificate's Common Name (as
 it is for *.7fach.de).
 
 Why does this happen only with new browsers? I suspect something might
 be wrong with 'httpGate', though it worked during the last 10 years
 without problems.
 
 Cheers,
 - Alex

I have checked both with FF10 and chromium and could see a problem in
both. In FF, it got an unhelpful "connection reset" error, while
chromium had me skipping the certificate twice before it worked. It all
points to a protocol error: either the browsers are now doing something
nonstandard, or you cut some corner (or relied on something nonstandard
clients used to do) when you implemented the proxy originally and they
came back to haunt you.
Perhaps there is a light reverse proxy like tinyproxy or something like
that you could put in front of httpgate to temporarily solve the
problem for now?

Cheers,
José
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi José,

 points to a protocol error, either the browsers are now doing something
 nonstandard or you cut some corner (or relied on something nonstandard
 clients used to do) when you implemented the proxy originally and they
 came back to haunt you.

Yeah, that's what I'm suspecting too. But what?


 Perhaps there is a light reverse proxy like tinyproxy or something like
 that you could put in front of httpgate to temporarily solve the
 problem by now?

Thanks. 'tinyproxy' looks indeed nice.

However, I think it is quite difficult to get it to run in front of
'httpGate', because 'httpGate' would then run in plain (non-SSL) mode
and would not do the proper URL rewriting necessary for the server. In
effect, the connection would then run unencrypted after the first page.

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Tamas Herman
beware of tinyproxy.
i used it for a while 2-3yrs ago as a regular web proxy
but it was very unstable.
just put an nginx in reverse proxy mode in front of pil.

-- 
  tom

-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Tomas,

 you could try nginx as Tamas suggested and see if you get the same
 problem.
 
 Tamas Herman hermanta...@gmail.com writes:
  just put an nginx in reverse proxy mode in front of pil.

Yes, but as I tried to explain in my previous mail, it won't work with
the application server. It depends on 'httpGate' rewriting parts of the
HTTP header, and inserting certain PicoLisp-specific new headers,
which would not work if 'httpGate' believes it is working unencrypted.


 A sample configuration is at
 http://logand.com/blog/picolisp-behind-nginx-proxy.html.  It should
 work same as httpGate passing the right parameters iirc.

Perhaps, if it were running stand-alone. But not with the whole
app-server machinery.


Meanwhile, I'm wondering whether the observed problems might have
anything to do with the fact that PicoLisp (and httpGate) run in IPv6
hybrid mapped addresses mode. Perhaps some browsers suddenly can't cope
with that? Just an idea ...

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Tomas Hlavaty
Hi Alex,

 Yes, but as I tried to explain in my previous mail, it won't work with
 the application server. It depends on 'httpGate' rewriting parts of
 the HTTP header, and inserting certain PicoLisp-specific new
 headers, which would not work if 'httpGate' believes to work
 unencrypted.  Perhaps, if it were running stand-alone. But not with
 the whole app-server machinery.

 A sample configuration is at
 http://logand.com/blog/picolisp-behind-nginx-proxy.html.  It should
 work same as httpGate passing the right parameters iirc.

as described on that web page, you can configure nginx to set the
headers exactly like httpGate!  I used it instead of httpGate
successfully.  See that part where it says:

proxy_set_header  Host $host;
proxy_set_header  Gate $scheme $remote_addr;
proxy_pass        http://127.0.0.1:1234;

Also:

  if ($request_filename ~* /([0-9]+)/?(.*)) {
    set $gate   http://127.0.0.1:$1/$2$is_args$args;
  }
  proxy_set_header  Host $host;
  proxy_set_header  Gate $scheme $remote_addr;
  proxy_pass        $gate;

etc.  That's what httpGate does.

 Meanwhile, I'm wondering whether the observed problems might have
 anything to do with the fact that PicoLisp (and httpGate) run in IPv6
 hybrid mapped addresses mode. Perhaps some browsers suddenly can't
 cope with that? Just an idea ...

That could well be, but I suppose you could easily check that;-)

Cheers,

Tomas
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-15 Thread Alexander Burger
Hi Tomas,

 as described on that web page, you can configure nginx to set the
 headers exactly like httpGate!  I used it instead of httpGate

OK, thanks. Good to know.

However, I need to solve the original problem, not have a quick and
dirty fix. I can't risk changing a production system that more than 30
people in three countries work on.

For the moment, the problem is alleviated as all users either

   - didn't install the new version of FF yet
   - reverted to an older version of FF
   - or use IE or Safari for now

(Safari works, as opposed to what I understood initially).

Thanks anyway!

Cheers,
- Alex
-- 
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe


Re: PicoLisp SSL Problem

2012-02-14 Thread Henrik Sarvell
Could it be that they come with new default settings/behavior making
them simply reject sites using self signed certs?



On Wed, Feb 15, 2012 at 2:00 PM, Alexander Burger a...@software-lab.de wrote:
 Hi all,

 since Firefox 10 (Windows) is out, some of my customers complain that
 they can't access their PicoLisp applications via SSL any longer. At
 least one also reports the same for Safari.

 They can't access even the application's start page. The browser refuses
 to connect.

 I've already generated new (self-signed) certificates, but this didn't
 help. Could it be 'httpGate'?

 Does anybody have an idea? I can't reproduce the problem here, and the
 browser's error messages are not helpful at all.

 The problem might be reproduced also on the demo app

   https://app.7fach.de

 or also on the Wiki

   https://wiki.picolisp.com

 though the latter is not covered by the certificate's Common Name (as it
 is for *.7fach.de).

 Why does this happen only with new browsers? I suspect something might
 be wrong with 'httpGate', though it worked during the last 10 years
 without problems.

 Cheers,
 - Alex
 --
 UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe
--
UNSUBSCRIBE: mailto:picolisp@software-lab.de?subject=Unsubscribe