[clug] ssl and https

Scott Ferguson scott.ferguson.clug at gmail.com
Sat Feb 26 15:42:03 MST 2011


On Sat, 26 Feb 2011 22:24:34 +1100 dylan porter wrote:
> On 02/26/2011 10:01 PM, Scott Ferguson wrote:
>> Hi Dylan
>> in addition to what Kevin Pulo has suggested:-
>>
>> 1. Firefox --> Preferences --> Network --> Settings
>> "should" be set to "Use system proxy settings" (it's counter intuitive,
>> means use none if none is set).
>>
>> 2. Firefox --> Preferences --> Encryption
>> tick both boxes (SSL3.0 and TLS1.0).
> yeah that's all set but it's not just firefox it's also when i try to
> connect to things like msn and try to browse in lynx

Aaah - now if only you'd told us that right at the start ;-p

>>
>> It seems unlikely that those settings would be the cause of your
>> problem, as they are default, and you've no reason to change them.
>>
>> No offence intended - but most likely it is one of two things you
>> *didn't* tell us (ain't it always the way!).
>>
>> 1. Have you set up any sort of firewall in Ubuntu (other than bog
>> standard default, as it came out of the box settings)?
> yeah just the standard firewall i haven't really done anything with that


Excellent.

>> Unless I've (quite likely) missed something here, you are connecting to
>> a wireless modem, through which you connect to the internet....
>>
>> 2. How did you setup the modem? (absolutely stock? I had a fiddle? etc)
> well stock yeah

Also excellent - saves dragging every setting out of you, for a device
I'm probably unfamiliar with. For all I know you could've been
wardriving over Canberra in a light aeroplane, or using a McDonald's
access-point...

>> I suspect from the comment about Windoof VB (VirtualBox??) being able to
>> connect, that it is using UPNP, whereas Ubuntu isn't... In which case
>> you should consider reconfiguring your modem rules. (I consider UPNP the
>> network equivalent of ActiveX, others may disagree).
>> You can test that by turning off UPNP in Windoof and seeing if it will
>> still connect.
>>
>> Cheers
>  how do i turn it off to test it

[pretending this is a Microsoft list]
Fire up your VirtualBox -
Windoof+R (run...) --> "appwiz.cpl" --> "Add/Remove Windoof Programs"
--> Networking Services --> Details --> First and last options


> and if that is the case how do i get
> ubuntu to use UPnP?
> 


I don't know that you can - and I'd certainly recommend against it (but
then, I thought the seven layers OSI had something to do with a member
of Black Sabbath).

*If* you can no longer connect to fffacebook using https in Windoof
after disabling UPnP && you could before - then I suspect we will have
proven the cause of the problem. In which case I'd suggest you study
your modem settings to learn what needs to be changed to allow https
connections through.

There are two things I may have overlooked (at a minimum) - one is your
wireless card which may not be operating optimally under Ubuntu (which
makes no sense if it does for a vm in Ubuntu), and the other is SSL itself.

"#dpkg --get-selections | grep openssl" should show you if you have it
installed. Note: the "#" means the command is run as root (use your
sudo), and I'm "assuming" Ubuntu calls the package the same as Debian.

If ssl is *not* installed - there's your problem. The other part of ssl
that *might* be a problem (unlikely given Konq works neither) is that
for some purposes ssl requires a user certificate as well as a server
certificate. You can get more information about ssl functions using:-

"$ openssl s_client -connect facebook.com:443" which will return a lot
of gibberish, or sod all. (Note: "$" means *not* run as root)

eg. output:-
scott at work:~$ openssl s_client -connect facebook.com:443
CONNECTED(00000003)
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=www.facebook.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snipped to save electrons>


Cheers
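
Added example, not part of the original message: a shell helper (triage_s_client is a hypothetical name) that reads saved "openssl s_client -connect host:443" output and separates "never connected" from "connected, but the local certificate check failed", which is what the num=20 line in the output above indicates. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example. triage_s_client is a hypothetical helper name: it reads saved
# `openssl s_client -connect host:443` output on stdin and prints one verdict.
triage_s_client() {
    awk '
        /^CONNECTED\(/       { connected = 1 }
        /^ *[0-9]+ s:/       { certs++ }
        /^verify error:num=/ && code == "" {
            split($0, f, ":")          # "verify error" : "num=20" : reason text
            code = f[2]; sub(/^num=/, "", code); reason = f[3]
        }
        END {
            if (!connected) {
                print "no-connect TCP to the port never completed: look at firewall, modem rules, proxy, DNS"
            } else if (certs == 0) {
                print "no-handshake TCP connected but no certificate chain was shown: the TLS handshake failed"
            } else if (code != "") {
                printf "verify-%s handshake done, %d certs sent, local check failed: %s\n", code, certs, reason
            } else {
                printf "ok handshake done, %d certs sent, no verify error reported\n", certs
            }
        }'
}

# Constructed sample, abridged in the shape of the output quoted in the post.
sample_verify_error() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 /C=US/O=Example CA Inc/CN=Example Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example Site/CN=www.example.org
   i:/C=US/O=Example CA Inc/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc/CN=Example Intermediate CA
   i:/C=US/O=Example CA Inc/CN=Example Root CA
---
EOF
}

# Constructed sample: the "sod all" case, where nothing useful comes back.
sample_no_connect() {
    printf 'connect: Connection timed out\nconnect:errno=110\n'
}

sample_verify_error | triage_s_client
sample_no_connect   | triage_s_client
```

A "verify-20" verdict means port 443 was reachable and the server sent its chain, so the fault lies in the local CA store rather than in a firewall or modem rule.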

