| ID |
Date |
Icon |
Author |
Author Email |
Category |
OS |
ELOG Version |
Subject |
|
67197
|
Tue Feb 14 17:17:44 2012 |
 | Diego | diego.obradors@ciemat.es | Bug fix | Linux | Windows | 2.9.0 | Re: ssl problems |
| Andreas Luedeke wrote: |
|
| John Doroshenko wrote: |
|
[...] The elog server is running SL5.5 (updates applied). As you suggested, I ran firefox 3.6.26 on the elog server via https://localhost:port and it worked fine. Downloaded firefox 10.0.1 and retried
on elog server and get error again: The connection was Reset; The connection to the server was reset while the page was loading.
-John
|
Finally I was able to reproduce the problem. I don't know why FF10 worked locally on the ELOG host last weekend, maybe I shouldn't have worked on it during a night shift. I can now confirm that ELOG has problems with firefox 10.0.1.
For those who need a quick workaround: you can set-up apache to access elog via a reverse proxy (like I do and like Stefan does for the ELOG forum does). That 'll work fine with new browsers like FF10.0.1 (at least for apache 2.2) ;-)
Some guidance how to set it up can be found here: https://midas.psi.ch/elogs/Contributions/11
A shorter (but may be incomplete) summary:
- add in httpd.conf
- Listen 443
LoadModule proxy_module modules/mod_proxy.so
- ServerName <fully-qualified-host-name>
-
- add in ssl.conf
- <VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProxyEngine on
ProxyPreserveHost On
<Location />
ProxyPass https://<fully-qualified-host-name>:444/
ProxyPassReverse https://<fully-qualified-host-name>:444/
SSLRequireSSL
</Location>
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "<cert-file>"
SSLCertificateKeyFile "<cert-key-file>"
</VirtualHost>
- And in the ELOG configuration [global] section
- port = 444
- URL = https://<fully-qualified-host-name>
Cheers
Andreas
 ⇄
Detect language » English
|
With Chrome 17 there is the same problem.
Is not possible a quick workaround for windows 7 users that we do not use apache server?
Thank you so much!!
Diego
|
|
67198
|
Tue Feb 14 20:41:08 2012 |
| John Doroshenko | doroshenko@physics.rutgers.edu | Bug fix | Linux | Windows | 2.9.0 | Re: ssl problems |
| John Doroshenko wrote: |
|
| Andreas Luedeke wrote: |
|
| John Doroshenko wrote: |
|
| Olaf Kasten wrote: |
|
Hi there,
I have a connection problem with an actual elog installation. Many Browsers like as Chrome, Firefox and IE don't connect to the elog server with ssl = 1 in elogd.cfg.
I tested with Firefox 3.6 and IE 7 installations and there are no problems.
I guess it's a bug. Does someone have a suggestion to solve that problem?
Thx. Olaf
|
Hi!
This just started happening here also. Some users can't get on to a SSL=1 config'd elog using either IE or firefox 10 (win7 or linux) or chrome. SAFARI works. Occurs in 2.8.0 and a newly built (even after
ssl yum updates) 2.9.0 version on SL5.5 system. Seems to accept self signed cert then nothing.. (connection reset message). Tried an stunnel from one port to port running elog
with SSL=0. Same behavior. Doesn't work on some browsers. Any clues?
Thanks,
-John
|
Hi everyone,
it appears that many people have this problem. I believe this is simply a problem of your firewall settings. There are two simple checks you can do to test if I'm right or wrong:
- Run your logbook on the standard port 443 and retry. If the special port has been opened on the firewall, it has been likely only opened for specific clients like firefox 3.6, IE 7, etc. If you use a different client (FF 10, IE 9) the port can be blocked.
- Or just run the browser that does not work on the ELOG server. If it works to access ELOG via localhost, then you know for sure that it is the firewall.
I've actually tested it here at my institute: I've downloaded firefox 10 and could access ELOG on port 443 but couldn't access it on port 444, unless I've started FF10 on the ELOG host.
To John, Olaf and Christian: If you need to be able to use a special port and a certain set of browsers then just contact your computing division or whoever maintains your firewalls.
I hope this settles the matter.
Cheers
Andreas
⇄
Detect language » English
PS: I've solved this with the help of google  : have a look at http://forums.mozillazine.org/viewtopic.php?p=2295421#2295421 about firewalls
|
Hi,
Thanks for the reply.
The elog server is running SL5.5 (updates applied). As you suggested, I ran firefox 3.6.26 on the elog server via https://localhost:port and it worked fine. Downloaded firefox 10.0.1 and retried
on elog server and get error again: The connection was Reset; The connection to the server was reset while the page was loading.
-John
|
Hi,
One of our sys admins discovered that Firefox 10 appeared to send parts of the initial GET in two parts. As if there was a flush() after the "G" and this caused elog problems. By making the change in
the patch below, the read loop is re-entered again after the 2nd part of the GET comes in. Firefox 10.0.1 then works with ELOG with SSL. Stefan... perhaps you can take a look to see if there is a
better way to accomplish this?
One side effect with it done this way is that if you start a connection (ie, telnet localhost port) and type a single character, the elog will block further connections until the telnet is terminated.
Thank you,
-John Doroshenko |
| Attachment 1: fire10elog.patch
|
--- elogd.c.orig 2012-02-14 12:54:05.000000000 -0500
+++ elogd.c 2012-02-14 13:20:13.000000000 -0500
@@ -28805,7 +28805,9 @@
/* finish when empty line received */
pend = NULL;
- if (strncmp(net_buffer, "GET", 3) == 0 && strncmp(net_buffer, "POST", 4) != 0) {
+ if (len < 4) {
+ pend = net_buffer + len;
+ } else if (strncmp(net_buffer, "GET", 3) == 0 && strncmp(net_buffer, "POST", 4) != 0) {
if (len > 4 && strstr(net_buffer, "\r\n\r\n") != NULL) {
pend = strstr(net_buffer, "\r\n\r\n") + 4;
break;
|
|
67201
|
Thu Feb 16 18:10:33 2012 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | Linux | Windows | 2.9.0 | Re: ssl problems | Yes, there is a new feature called record splitting which causes the browser to send the "G" of the "GET ..." in a dedicated TCP package. This started in FF10, Chrome 17, and it will come in others as well. It only affects direct SSL connections (SSL=1). I fixed the bug in SVN revision #2435. Please update also MXML to revision #73. Let's hope that surprises like that will not happen too often.
- Stefan
|
|
67202
|
Thu Feb 16 23:56:35 2012 |
| John Doroshenko | doroshenko@physics.rutgers.edu | Bug fix | Linux | Windows | 2.9.0 | Re: ssl problems |
| Stefan Ritt wrote: |
|
Yes, there is a new feature called record splitting which causes the browser to send the "G" of the "GET ..." in a dedicated TCP package. This started in FF10, Chrome 17, and it will come in others as well. It only affects direct SSL connections (SSL=1). I fixed the bug in SVN revision #2435. Please update also MXML to revision #73. Let's hope that surprises like that will not happen too often.
- Stefan
|
Thank you Stefan! I put up your new svn revision and we're back in business. Seems to be working perfectly.
And thank you again for your efforts with regards to ELOG. It is an incredibly handy tool.
-John
|
|
67203
|
Mon Feb 20 14:53:04 2012 |
| Stefan Ritt | stefan.ritt@psi.ch | Bug fix | Linux | Windows | 2.9.0 | Re: ssl problems |
| Stefan Ritt wrote: |
|
Yes, there is a new feature called record splitting which causes the browser to send the "G" of the "GET ..." in a dedicated TCP package. This started in FF10, Chrome 17, and it will come in others as well. It only affects direct SSL connections (SSL=1). I fixed the bug in SVN revision #2435. Please update also MXML to revision #73. Let's hope that surprises like that will not happen too often.
- Stefan
|
Today I released version 2.9.1 which fixes this problem.
- Stefan |
|
69631
|
Wed Jan 25 21:44:51 2023 |
| Laurent Jean-Rigaud | lollspam@free.fr | Question | Linux | 3.1.3 | Re: ssl certificate | Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
69632
|
Wed Jan 25 22:22:07 2023 |
| Giuseppe Cucinotta | giuseppe.cucinotta@unifi.it | Question | Linux | 3.1.3 | Re: ssl certificate | Hi Laurent,
thanks very much! Probably I've copied the certificate in the wrong directory. I'll try ASAP
| Laurent Jean-Rigaud wrote: |
|
Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
|
69651
|
Fri Feb 17 14:29:54 2023 |
| Giuseppe Cucinotta | giuseppe.cucinotta@unifi.it | Question | Linux | 3.1.3 | Re: ssl certificate | Hi I'm here again,
According to my conf file I run elog under a specified user and group different from root. So I copied the .pem file I obtained from certbot in /etc/ssl as well as /urs/local/elog/ssl and ssl folder in the user directory (I will call it <user-dir>) but when I launch elog I receive the error that cannot initialize SSL because the old self signed certificate server.crt in <user-dir>/ssl is not found.
I wonder where in elog.cfg or elsewhere is written that <user-dir>/ssl/server.crt must be usedand how to fix it
Thanks
| Giuseppe Cucinotta wrote: |
|
Hi Laurent,
thanks very much! Probably I've copied the certificate in the wrong directory. I'll try ASAP
| Laurent Jean-Rigaud wrote: |
|
Hi Giuseppe,
The new certificate files should be copy under ssl folder (/usr/local/elog/ssl or /usr/share/elog/ssl by example, closed to templates and script directories) in place of the embedded (autosigned) certificate files enclosed with ELOG source.
It seems that there is no parameter to set a custom path.
SSL = <0 | 1>
Turn on Secure Socket Layer transport. If SSL is on, one can connect via https://... to the elogd daemon. If the URL = directive is used, make sure to use https://... instead of http://... there. The ELOG distribution contains a simple self-signed certificate in the ssl subdirectory. One can replace this certificate and key with a real ceritficate to avoid browser pop-up windows warning about the self-signed certificate. The default for this option is 0.
| Giuseppe Cucinotta wrote: |
|
We obtained a certificate from let's encrypt in order to replace the self signed certificate provided with elog. We copied the new certificates replacing the older server.crt
The problem is that when restarted elog raises an error related to the fact it is looking for server.crt and it doesn't find it anymore.
I searched in elog config file in order to find a way to indicate the new certificate but I didn't find how to manage this issue.
Any suggestion?
|
|
|
|
|