incubator-wave-dev mailing list archives

From Ali Lown <...@lown.me.uk>
Subject Re: Proxy issues
Date Tue, 25 Sep 2012 08:43:11 GMT
The Firefox logs do show the attempts to authenticate (which is more
than Chrome tries) at (say) #193,#194,#203,#204,#205,#213 which is a
successful login (I assume to open the connection for the page, since
it is followed by #214 (TLSv1 Client Hello)).

The Websocket attempts (I think) look like #1841,#1842,#1850,#1851
which are failing for some reason.

However, it isn't a problem with Wave, rather a potential bug in
Chrome (since it doesn't even attempt to authenticate) and an
overly-restrictive (for no good reason) corporate firewall (Might I
suggest a VPN, or SSH tunnel to somewhere less restrictive).

Ali

(Interestingly, does GTalk work since it gets a 502 for attempting to
use a non-standard SSL'd port. You also seem to have some problematic
bit of software attempting to connect to https://uk.bp.com which fails
since the DNS records are invalid).

On 25 September 2012 09:27, Ben Hegarty <hegsie@gmail.com> wrote:
> ok hopefully this one is cleaner for firefox, though I have to add that
> firefox keeps asking for my credentials and no matter how many times I
> enter them it just keeps returning asking for them again... then after a
> while I just get a turbulence detected...
>
> https://docs.google.com/open?id=0B5FF_Ld8SzsNUDVlN0RyQjU2Vkk
>
> hegsie
>
> On Tue, Sep 25, 2012 at 9:19 AM, Ali Lown <ali@lown.me.uk> wrote:
>
>> In the chrome logs (original: #144, new: #344), in the firefox logs
>> #274 show a 407 response to the attempt to CONNECT to
>> wave.eezysys.co.uk:443.
>>
>> I would expect to possibly see a 407 once, at which stage the browser
>> should then re-attempt the connection with the proxy credentials (as
>> described here[1]), but I see no attempts to authenticate.
>>
>> Does the actual page load in this situation? Do other secure sites load?
>>
>> Ali
>>
>> [1]:
>> http://tmgblog.richardhicks.com/2011/08/29/access-to-the-web-proxy-filter-on-forefront-tmg-2010-is-denied/
>>
>> On 25 September 2012 09:05, Ben Hegarty <hegsie@gmail.com> wrote:
>> > Hey Ali,
>> > Was looking over the chrome capture and I'm not sure that the one below is
>> > very clean so I performed it again...
>> >
>> > https://docs.google.com/open?id=0B5FF_Ld8SzsNWG5rd0d0UnZVQU0
>> >
>> > Regards
>> > hegsie
>> >
>> > On Tue, Sep 25, 2012 at 8:53 AM, Ben Hegarty <hegsie@gmail.com> wrote:
>> >
>> >> Hey Ali,
>> >> I've tested this again with firefox to no avail...
>> >>
>> >> https://docs.google.com/open?id=0B5FF_Ld8SzsNaGFVV2NabEd0RFU
>> >>
>> >> and with chrome...
>> >>
>> >> https://docs.google.com/open?id=0B5FF_Ld8SzsNdmw5aThEZXF1U0k
>> >>
>> >> Regards
>> >> hegsie
>> >>
>> >>
>> >> On Mon, Sep 24, 2012 at 9:19 PM, Ben Hegarty <hegsie@gmail.com> wrote:
>> >>
>> >>> Ok, will do when I'm back behind the firewall tomorrow, I'll let you know
>> >>> how it goes.
>> >>> Cheers
>> >>>
>> >>>
>> >>> On Monday, September 24, 2012, Ali Lown wrote:
>> >>>
>> >>>> If you would like to test it again now/tomorrow?
>> >>>>
>> >>>> It took a few hours longer than I expected because I had to stop and
>> >>>> write a patch for Wave (and have dinner, and everything else) to make
>> >>>> it work.
>> >>>>
>> >>>> This should have all traffic going over port 443, so if you check in
>> >>>> Wireshark all you should see is some TLS traffic to 71.19.144.245.
>> >>>>
>> >>>> Ali
>> >>>>
>> >>>> On 24 September 2012 17:18, Ben Hegarty <hegsie@gmail.com> wrote:
>> >>>> > Whenever you get a chance to do that I'll be happy to retest :)
>> >>>> > Thanks again
>> >>>> >
>> >>>> > On Mon, Sep 24, 2012 at 5:14 PM, Ali Lown <ali@lown.me.uk> wrote:
>> >>>> >
>> >>>> >> Yes, packet #46 because I try to make you connect over 9898.
>> >>>> >> (This is because I have the configuration mis-setup, but didn't want
>> >>>> >> to reboot the wave server to fix it).
>> >>>> >>
>> >>>> >> I can move it so that websockets goes over 443, then I will let you
>> >>>> >> try again. (At which time it should work fine).
>> >>>> >>
>> >>>> >> On 24 September 2012 17:09, Ben Hegarty <hegsie@gmail.com> wrote:
>> >>>> >> > https://docs.google.com/open?id=0B5FF_Ld8SzsNMnlmZkZWZWtEQ28
>> >>>> >> >
>> >>>> >> > Looks like you're right there Ali I'm seeing port not allowed in the http
>> >>>> >> > packets
>> >>>> >> > Cheers
>> >>>> >> >
>> >>>> >> > On Mon, Sep 24, 2012 at 5:03 PM, Ali Lown <ali@lown.me.uk> wrote:
>> >>>> >> >
>> >>>> >> >> Yes.
>> >>>> >> >>
>> >>>> >> >> On 24 September 2012 17:01, Ben Hegarty <hegsie@gmail.com> wrote:
>> >>>> >> >> > Sure I can try there too, is it still set with the same dets?
>> >>>> >> >> > Regards
>> >>>> >> >> >
>> >>>> >> >> >
>> >>>> >> >> > On Mon, Sep 24, 2012 at 4:59 PM, Ali Lown <ali@lown.me.uk> wrote:
>> >>>> >> >> >
>> >>>> >> >> >> Extracting the data as raw bytes from the first Websocket response
>> >>>> >> >> >> packet (#95) gives us the following HTML page (attached).
>> >>>> >> >> >>
>> >>>> >> >> >> So, it is _definitely_ an issue with your proxy server not
>> >>>> >> >> >> understanding the Websockets.
>> >>>> >> >> >>
>> >>>> >> >> >> For more information on exactly how they work, a good article would
>> >>>> >> >> >> be: http://lucumr.pocoo.org/2012/9/24/websockets-101/
>> >>>> >> >> >> "The protocol went through many iterations and basically had to be
>> >>>> >> >> >> changed multiple times because of unforeseen security problems that
>> >>>> >> >> >> came up with misbehaving proxies." seems to sum-up the problem.
>> >>>> >> >> >>
>> >>>> >> >> >> Ali
>> >>>> >> >> >>
>> >>>> >> >> >> NB: When you tried on my server (https://wave.eezysys.co.uk), I am
>> >>>> >> >> >> less certain as to why it failed there given all the traffic is
>> >>>> >> >> >> encrypted. (Unless your company proxy is terminating my SSL
>> >>>> >> >> >> connection, performing DPI on the now-decrypted data, and then
>> >>>> >> >> >> re-encrypting it before presenting it to you)
>> >>>> >> >> >> Could you do a wireshark capture for that server as well?
>> >>>> >> >> >> Actually, it might be because my server still tries to use a
>> >>>> >> >> >> non-standard port for the websockets, and it is quite likely you have
>> >>>> >> >> >> most outgoing ports blocked.
>> >>>> >> >> >>
>> >>>> >> >> >> On 24 September 2012 16:42, Ben Hegarty <hegsie@gmail.com> wrote:
>> >>>> >> >> >> > Hey Ali,
>> >>>> >> >> >> > Basically I get 'A turbulence' after logging in and never go online and no
>> >>>> >> >> >> > wave data is saved down, you just see 'Unsaved all the time'..
>> >>>> >> >> >> > I've uploaded the wireshark trace to the following location :)
>> >>>> >> >> >> >
>> >>>> >> >> >> > https://docs.google.com/open?id=0B5FF_Ld8SzsNMm5oOGJXajlOV00
>> >>>> >> >> >> >
>> >>>> >> >> >> > HTH
>> >>>> >> >> >> >
>> >>>>
>> >>>
>> >>>
>> >>> --
>> >>> Mobile Phone: +447767-322-122
>> >>> Work Phone: +4420 79485612
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Mobile Phone: +447767-322-122
>> >> Work Phone: +4420 79485612
>> >>
>> >>
>> >
>> >
>> > --
>> > Mobile Phone: +447767-322-122
>> > Work Phone: +4420 79485612
>>
>
>
>
> --
> Mobile Phone: +447767-322-122
> Work Phone: +4420 79485612
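
The proxy behaviour discussed in this thread (a 407 answer to CONNECT that the client should follow with an authenticated retry, and a 502 for a non-standard port), as an added diagnostic sketch that is not part of any message above. The host names, client labels and sample messages are constructed assumptions, not values from the captures.

```python
import re

REQ = re.compile(r"^CONNECT (\S+) HTTP/1\.[01]\r\n")
RESP = re.compile(r"^HTTP/1\.[01] (\d{3}) ")
AUTH = re.compile(r"^Proxy-Authorization:", re.I | re.M)

def classify(messages):
    """Map (client, target) -> verdict; assumes one outstanding CONNECT per client."""
    flows, pending = {}, {}
    for client, raw in messages:
        req, resp = REQ.match(raw), RESP.match(raw)
        if req:
            key = (client, req.group(1))
            flow = flows.setdefault(key, {"statuses": [], "auth_sent": False})
            flow["auth_sent"] |= bool(AUTH.search(raw))
            pending[client] = key
        elif resp and client in pending:
            flows[pending.pop(client)]["statuses"].append(int(resp.group(1)))
    verdicts = {}
    for key, flow in flows.items():
        last = flow["statuses"][-1] if flow["statuses"] else None
        if last == 200:
            verdicts[key] = "tunnel-established"
        elif last == 407:
            # A single 407 is normal; what matters is whether credentials followed.
            verdicts[key] = "credentials-rejected" if flow["auth_sent"] else "no-auth-retry"
        elif last is None:
            verdicts[key] = "no-response"
        else:
            verdicts[key] = f"refused-{last}"
    return verdicts

# Constructed sample messages (hypothetical hosts, not taken from the captures).
WAVE = "CONNECT wave.example.test:443 HTTP/1.1\r\n"
NEED_AUTH = "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n"
SAMPLE = [
    ("browser-a", WAVE + "\r\n"),
    ("browser-a", NEED_AUTH),
    ("browser-b", WAVE + "\r\n"),
    ("browser-b", NEED_AUTH),
    ("browser-b", WAVE + "Proxy-Authorization: Basic Y29uc3RydWN0ZWQ6c2FtcGxl\r\n\r\n"),
    ("browser-b", "HTTP/1.1 200 Connection established\r\n\r\n"),
    ("chat-app", "CONNECT chat.example.test:5223 HTTP/1.1\r\n\r\n"),
    ("chat-app", "HTTP/1.1 502 Bad Gateway\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, verdict in classify(SAMPLE).items():
        print(flow, verdict)
```

A flow reported as `no-auth-retry` matches the case where a 407 is seen but no attempt to authenticate follows; `credentials-rejected` matches repeated prompts that never produce a tunnel.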
