
Comments (19)

Lcstyle commented on July 21, 2024

Please note that the SSL Certificate that the Notary is using is not signed by a Root CA. The convergence client will verify that the certificate presented by the notary matches the one it has locally.

I have no problems with my convergence client connecting to notaries.

Perhaps you should disable the thoughtcrime notaries locally, and add other notaries and try testing that way, to see if the problem persists. Also, uncheck "anonymize" to make sure that the notary the client is attempting to connect to is the problem and not another notary (through proxy tunnel). You can narrow down this behavior in the notary client by also selecting "notary majority" and enabling only one or two notaries.

from convergence.

moxie0 commented on July 21, 2024

Hey @ivanr, sounds like you might actually be getting hit with #22 -- do you have a password for your PSM?

ivanr commented on July 21, 2024

No, that's not it. I don't have a master password set in FF.

Lcstyle commented on July 21, 2024

In about:config, add the following value to your browser configuration:
Add New boolean value
browser.dom.window.dump.enabled = true
Close Firefox.

Launch Firefox from the command line with the console flag, like this:

firefox -console

Copy all the console messages and paste them into pastebin.
Send us the link to the pastebin.

ivanr commented on July 21, 2024

Here you go: http://pastebin.com/QcsePhQu That's my attempt to open a secure web site, and I see that a sync attempt was caught as well.

Lcstyle commented on July 21, 2024

Uninstall the Convergence plugin completely.
Restart Firefox.
Open about:support in FF.
Open the profile's containing folder.
Delete convergence.sqlite.
Make sure that "extensions\[email protected]" is completely gone. If not, delete it.
Restart Firefox.
Install Convergence.
Test again with only default options and notaries installed.

ivanr commented on July 21, 2024

I did all that, and there's no improvement -- I still get the same problem.

Doesn't the fact that I am unable to establish an SSL connection using OpenSSL, on either Mac or Ubuntu, indicate that this is a problem outside Firefox?

Lcstyle commented on July 21, 2024

Establishing an SSL connection to what? A convergence Notary?

Please see:
https://crypto.is/guides/running-a-convergence-notary/
On the Public Cert and matching Private Key:
Also:
"Client Certificate Check" https://crypto.is/guides/how-convergence-works/

moxie0 commented on July 21, 2024

@ivanr It is strange that you're not getting anything from openssl. Is there maybe some kind of SSL firewall on the network or something? Are you running any kind of firewall or network inspection tool on your local machine?

The same command works fine for me:

openssl s_client -connect notary.thoughtcrime.org:443
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
verify error:num=10:certificate has expired
notAfter=May 14 14:29:33 1915 GMT
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
notAfter=May 14 14:29:33 1915 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
   i:/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
issuer=/C=US/ST=California/L=San Francisco/O=Thoughtcrime Labs/OU=Notary/CN=notary.thoughtcrime.org
---
No client certificate CA names sent
---
SSL handshake has read 1119 bytes and written 451 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: 5C45D974FE543290D05E3CEDFA2F5D069F7D90AF25F4402ECB38F0D046499779
    Session-ID-ctx: 
    Master-Key: DF3337AB163CDF4E1A4DBA7C447A84411389F79EDD9C426D5B96C1B99CB45712C5A2855B2A3E4CC3F5B6D97483119E1F
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1315595986
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---

ivanr commented on July 21, 2024

There's nothing unusual here -- it's my home connection. Also, the Ubuntu machine is a server that's hosted on an external network. I also have a Windows XP desktop, on which Convergence does not run. On that machine I have Cygwin installed, and its OpenSSL cannot talk to the notary (handshake failure). On the positive side, I have a Windows 7 virtual machine on which Convergence does run. That's the only machine on which I can get it working.

To me this looks like an SSL/TLS interoperability problem with the SSL implementation used in the notary server.

ewanm89 commented on July 21, 2024

The notary server uses whatever Twisted uses, which is pyOpenSSL (Python bindings for the OpenSSL library), and the client uses Mozilla's NSS, which is what all Mozilla clients use. If there is a problem with general interoperability between these two, then Firefox would not connect to most SSL sites running off 'nix servers, as most of those also use OpenSSL libs (although the new Apache module is GnuTLS). But also, there certainly wouldn't be an issue with OpenSSL at both ends, which moxie has asked you to try.

In all seriousness, this issue is not making much sense. Sure there isn't a local virus scanner or something intercepting SSL connections? But then it would work fine on the server.

Lcstyle commented on July 21, 2024

Dumpt.com

Lcstyle commented on July 21, 2024

Try the -ssl3 arg in your openssl statement, like this:
http://pastebin.com/rZJNCm1i

The standard openssl command line doesn't work for me either on Mac OS X openssl.

The problem is SSL V2.

See here:
http://pastebin.com/jaFaAjQC

ewanm89 commented on July 21, 2024

Yes, well, SSLv2 is deliberately disabled in Twisted (http://twistedmatrix.com/trac/ticket/3330), and I wouldn't recommend re-enabling it. Firefox should be trying TLSv1/SSLv3 first anyway:

Lcstyle commented on July 21, 2024

+1 for the link. This issue should be closed, unless someone can reproduce the behavior in FF on Mac OS X (which I can't).

moxie0 commented on July 21, 2024

@ivanr Do you have SSLv3 unchecked in FF? The notary SSL context is being initialized to SSLv3, but I can't remember why. My recollection was that TLSv1 was causing compatibility problems with something.

ivanr commented on July 21, 2024

@moxie0 Yes, that was it. I do indeed have SSLv3 disabled in my Firefox installations. That's why FF was failing. OpenSSL is failing for some other reason: even if you have SSLv2 disabled, there is no reason why the SSLv2-style handshake + upgrade to SSLv3 should not be working.

moxie0 commented on July 21, 2024

@ivanr I would have to explicitly configure the server to accept "v23," meaning SSLv2 handshakes with the v3 hints. Seems like I should actually upgrade the notary to TLSv1. I wish I remembered why I went back to v3.

moxie0 commented on July 21, 2024

Alright, the notary now supports v2 handshakes with v3+ hints, will not negotiate v2, but will negotiate either v3 or TLSv1. Done in 9b6a561.

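The three client cases from this thread, as a toy negotiation model added here (an illustration, not Convergence, Twisted or OpenSSL code). It assumes a server context pinned to SSLv3 neither parses SSLv2-format hellos nor answers with any other version, and that Firefox sends a v3-format hello; `negotiate`, `PINNED_V3`, `V23_NO_V2` and the client profiles are hypothetical names, and the pyOpenSSL constants in the comments are the assumed equivalents of each server setup.

```python
# Added illustration: toy model of SSL/TLS version negotiation (no real sockets).
from dataclasses import dataclass

ORDER = ["SSLv2", "SSLv3", "TLSv1"]  # oldest to newest


@dataclass(frozen=True)
class Client:
    enabled: frozenset       # protocol versions the client will accept
    v2_hello: bool = False   # True: sends an SSLv2-format hello with v3+ hints


@dataclass(frozen=True)
class Server:
    enabled: frozenset       # versions the server may negotiate
    parses_v2_hello: bool    # only the "v23" method understands SSLv2-format hellos


def negotiate(client, server):
    """Return the agreed protocol name, or a string starting with 'fail:'."""
    if client.v2_hello and not server.parses_v2_hello:
        return "fail: server cannot parse SSLv2-format hello"
    client_max = max(ORDER.index(v) for v in client.enabled)
    # The server answers with its best version not above the client's maximum.
    offers = [v for v in ORDER[:client_max + 1] if v in server.enabled]
    if not offers:
        return "fail: no version in common"
    choice = offers[-1]
    if choice not in client.enabled:
        return f"fail: client has {choice} disabled"
    return choice


# Before the fix: context pinned to SSLv3 (assumed: pyOpenSSL SSL.SSLv3_METHOD).
PINNED_V3 = Server(frozenset({"SSLv3"}), parses_v2_hello=False)
# After the fix, as described in the thread (assumed: SSL.SSLv23_METHOD
# with SSL.OP_NO_SSLv2 set).
V23_NO_V2 = Server(frozenset({"SSLv3", "TLSv1"}), parses_v2_hello=True)

# Constructed client profiles for the three cases discussed in the thread.
CLIENTS = {
    "firefox, SSLv3 unchecked": Client(frozenset({"TLSv1"})),
    "openssl s_client (default)": Client(frozenset(ORDER), v2_hello=True),
    "openssl s_client -ssl3": Client(frozenset({"SSLv3"})),
}


def matrix():
    """Map each client name to (result before the fix, result after the fix)."""
    return {name: (negotiate(c, PINNED_V3), negotiate(c, V23_NO_V2))
            for name, c in CLIENTS.items()}


if __name__ == "__main__":
    for name, (before, after) in matrix().items():
        print(f"{name:28} before: {before:46} after: {after}")
```
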
