Comments (19)
Please note that the SSL Certificate that the Notary is using is not signed by a Root CA. The convergence client will verify that the certificate presented by the notary matches the one it has locally.
I have no problems with my convergence client connecting to notaries.
Perhaps you should disable the thoughtcrime notaries locally, and add other notaries and try testing that way, to see if the problem persists. Also, uncheck "anonymize" to make sure that the notary the client is attempting to connect to is the problem and not another notary (through proxy tunnel). You can narrow down this behavior in the notary client by also selecting "notary majority" and enabling only one or two notaries.
from convergence.
Hey @ivanr, sounds like you might actually be getting hit with #22 -- do you have a password for your PSM?
from convergence.
No, that's not it. I don't have a master password set in FF.
from convergence.
in about:config add the following value to your browser configuration:
Add New boolean value
browser.dom.window.dump.enabled = true
Close Firefox
Launch Firefox from the command line with the console flag,
like this: firefox -console
Copy all the console messages and paste into pastebin.
Send us the link to the pastebin.
from convergence.
Here you go: http://pastebin.com/QcsePhQu That's my attempt to open a secure web site, and I see that a sync attempt was caught as well.
from convergence.
Uninstall Convergence plugin completely.
Restart Firefox
open about:support in FF
Open Profile Containing folder.
Delete convergence.sqlite
Make sure that "extensions\[email protected]" is completely gone. If not ->delete.
Restart Firefox
Install Convergence.
Test again with only default options and notaries installed.
from convergence.
I did all that, and there's no improvement -- I still get the same problem.
Doesn't the fact that I am unable to establish an SSL connection using OpenSSL, on either Mac or Ubuntu, indicate that this is a problem outside Firefox?
from convergence.
Establishing an SSL connection to what? A convergence Notary?
Please see:
https://crypto.is/guides/running-a-convergence-notary/
On the Public Cert and matching Private Key:
Also:
"Client Certificate Check" https://crypto.is/guides/how-convergence-works/
from convergence.
@ivanr It is strange that you're not getting anything from openssl. Is there maybe some kind of SSL firewall on the network or something? Are you running any kind of firewall or network inspection tool on your local machine?
The same command works fine for me:
openssl s_client -connect notary.thoughtcrime.org:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
verify error:num=10:certificate has expired
notAfter=May 14 14:29:33 1915 GMT
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
notAfter=May 14 14:29:33 1915 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
   i:/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
issuer=/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
---
No client certificate CA names sent
---
SSL handshake has read 1119 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 5C45D974FE543290D05E3CEDFA2F5D069F7D90AF25F4402ECB38F0D046499779
    Session-ID-ctx:
    Master-Key: DF3337AB163CDF4E1A4DBA7C447A84411389F79EDD9C426D5B96C1B99CB45712C5A2855B2A3E4CC3F5B6D97483119E1F
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1315595986
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
from convergence.
There's nothing unusual here -- it's my home connection. Also, the Ubuntu machine is a server that's hosted on an external network. I also have a Windows XP desktop, on which Convergence does not run. On that machine I have Cygwin installed, and its OpenSSL cannot talk to the notary (handshake failure). On the positive side, I have a Windows 7 virtual machine on which Convergence does run. That's the only machine on which I can get it working.
To me this looks like an SSL/TLS interoperability problem with the SSL implementation used in the notary server.
from convergence.
Notary server uses whatever twisted uses, which is pyopenssl which is python bindings for the openssl library and the client uses Mozilla's NSS, which is what all mozilla clients use. If there is a problem with general interoperability between these two then firefox would not connect to most SSL sites running off 'nix servers, as most of those also use openssl libs (although new apache module is gnutls). But also, there certainly wouldn't be an issue with openssl at both ends, which moxie has asked you to try.
In all seriousness, this issue is not making much sense, sure there isn't a local virus scanner or something intercepting SSL connections? But then it would work fine on the server.
from convergence.
try: -ssl3 arg in your openssl statement.
Like this:
http://pastebin.com/rZJNCm1i
standard openssl command line doesn't work for me either on macosx openssl.
The problem is SSL V2
See here:
http://pastebin.com/jaFaAjQC
from convergence.
Yes, well, SSLv2 is deliberately disabled in twisted (http://twistedmatrix.com/trac/ticket/3330), and I wouldn't recommend re-enabling it, firefox should be trying TLSv1/SSLv3 first anyway:
from convergence.
+1 for the link. This issue should be closed, unless someone can reproduce the behavior in FF on MacOSx (which I can't).
from convergence.
@ivanr Do you have SSLv3 unchecked in FF? The notary SSL context is being initialized to SSLv3, but I can't remember why. My recollection was that TLSv1 was causing compatibility problems with something.
from convergence.
@moxie0 Yes, that was it. I do indeed have SSLv3 disabled in my Firefox installations. That's why FF was failing. OpenSSL is failing for some other reason: even if you have SSLv2 disabled, there is no reason why the SSLv2-style handshake + upgrade to SSLv3 should not be working.
from convergence.
@ivanr I would have to explicitly configure the server to accept "v23," meaning SSLv2 handshakes with the v3 hints. Seems like I should actually upgrade the notary to TLSv1. I wish I remembered why I went back to v3.
from convergence.
Alright, the notary now supports v2 handshakes with v3+ hints, will not negotiate v2, but will negotiate either v3 or tlsv1. Done in 9b6a561
from convergence.
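The version behaviour worked out in this thread, as an added example that is not part of the original comments or of the Convergence code: a simplified model of how a server pinned to SSLv3 and a server accepting "v23" hellos without SSLv2 treat the two ClientHello framings. The function names, the policy labels `sslv3-only` and `v23-no-v2`, and the truncated sample bytes are constructed for illustration.

```python
# Simplified model (an assumption, not the notary's code) of the two server
# policies in this thread. Versions are (major, minor) as sent on the wire.
SSL2, SSL3, TLS1 = (0, 2), (3, 0), (3, 1)
NAMES = {SSL3: "SSLv3", TLS1: "TLSv1"}


def parse_client_hello(data: bytes):
    """Return (framing, highest version offered) from the start of a hello."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte length with the top bit set, message type 1,
        # then the version field; a value >= 3.0 is the "v3 hint".
        return "v2-framed", (data[3], data[4])
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS record: type 22, record version, 2-byte length, then
        # handshake type 1, 3-byte length and client_version.
        return "v3-record", (data[9], data[10])
    raise ValueError("not a ClientHello")


def negotiate(data: bytes, policy: str, client_min=SSL3):
    """Return the negotiated protocol name or 'handshake failure'.
    client_min is the lowest version the client accepts in the reply."""
    framing, offered = parse_client_hello(data)
    if policy == "sslv3-only":            # notary before the fix
        if framing != "v3-record":
            return "handshake failure"    # v2-framed hello is not understood
        chosen = SSL3
    elif policy == "v23-no-v2":           # notary after the fix
        if offered < SSL3:
            return "handshake failure"    # SSLv2 itself is never negotiated
        chosen = min(offered, TLS1)
    else:
        raise ValueError("unknown policy")
    if chosen < client_min:
        return "handshake failure"        # e.g. SSLv3 disabled in the client
    return NAMES[chosen]


# Constructed, truncated hellos: only the header and version fields.
def v2_hello(version):
    return bytes([0x80, 0x03, 0x01, *version])


def v3_hello(version):
    return bytes([0x16, 0x03, 0x00, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, *version])
```
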