Discussion forum about ELOG, Page 656 of 807
Columns: ID, Date, Icon, Author, Author Email, Category, OS, ELOG Version, Subject
ID: 68548; Date: Fri Jan 13 21:05:49 2017; Icon: Reply; Author: Andreas Warburton; Author Email: awarburt@physics.mcgill.ca; Category: Bug report; OS: Linux | Mac OSX; ELOG Version: V3.1.2-edc5e85; Subject: Re: elogd crashes during SSL Mirror operations involving attachments

When I switch from SSL = 1 to SSL = 0 and I use http:// instead of https://, the ability to upload attachments to logbook entries returns.  With both Chrome and Safari browsers, with SSL = 1 the file upload hangs after only a small percentage of the file has been uploaded.  I ran the following openssl diagnostic on my elogd port.  Would anyone have advice on what might be causing such errors?

    tapajo [/usr/local/elog/elog-latest] openssl s_client -connect elog.hep.xxx.xxx.xx:80xx -state -nbio | grep "^SSL"
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    SSL_connect:unknown state
    depth=0 C = EU, ST = SomeState, L = SomeCity, O = SomeOranization, OU = SomeOrganizationUnit, CN = localhost
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = EU, ST = SomeState, L = SomeCity, O = SomeOranization, OU = SomeOrganizationUnit, CN = localhost
    verify return:1
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:error in unknown state
    SSL_connect:error in unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL handshake has read 1733 bytes and written 871 bytes
    SSL-Session:
    SSL3 alert read:warning:close notify
    SSL3 alert write:warning:close notify

Andreas Warburton wrote:

The attached screenshot shows the behaviour after doing a synchronization (with Mirror simulate = 1) following first having ensured that the local (Mac) and remote (linux) ELOGs initially showed "All entries identical" when doing a simulated synchronization, and then having edited local entries 9707 and 9709 by uploading (different) attachments to them.

The fact that the synchronization is suggesting to renumber two different entry IDs to the same number looks like a bug.

Best regards,

Andreas W.

Andreas Warburton wrote:

My MacOS (10.12.2) elogd version V3.1.2 is a recent git commit (edc5e85), due to the fix to my earlier-described issue solved in the thread here: https://midas.psi.ch/elogs/Forum/68519.

I am trying to (re-)set up Mirror functionality with a linux server running the standard public (V3.1.2-bd75964).  I had initially updated the linux server so that it also had the latest git commit (edc5e85), but could then not even add new logbook entries that involved attachments to it.  I therefore rolled the linux server back to the standard public 3.1.2 version.

On the remote Mac, synchronizations usually look like they are going to work fine, with Mirror simulate = 1 switched on.  After I set Mirror simulate = 0, and if the server and remote logbook are already identical, I *occasionally* get the proper "All Entries Identical" synchronization result.  Unfortunately, this is very rare, and usually there is a failure whereby the remote (Mac) logbook decides that a significant fraction of its entries (usually sequential, from some seemingly random entry all the way up to the last entry) are missing on the linux server and need to be submitted back to the server from the remote Mac.

When the local and remote logbooks are not identical, and a record in need of synchronization contains an attachment, there is again destructive behaviour similar to that described above, except that the Mac elogd executable usually crashes.  (As in the case of the already-identical synchronizations described above, I only tested this after observing the correct expected behaviour first with Mirror simulate = 1.)

I'd be grateful for some help/suggestions.  My current testing suggests that my problems are likely not elog-content dependent.  (The logbook now undergoing synching has less than 10 entries in it.)

More generally, the issue of having things behave fine with Mirror simulate = 1, but then experiencing corruption/damage when switching to Mirror simulate = 0 seems serious to me.

Many thanks, Andreas
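
One way to read the `openssl s_client -state -nbio` trace in post 68548, as an added example that is not part of the original posts or of ELOG. In OpenSSL 1.0.x the state callback prints "error in" whenever the handshake call returns a negative value, which on a non-blocking socket (`-nbio`) includes ordinary would-block returns, and "failed in" when it returns 0; the parser below separates those from fatal alerts and certificate verify errors. The function name and result keys are hypothetical.

```python
import re

# Trace lines copied from the post above (host and port are redacted there).
TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:unknown state
depth=0 C = EU, ST = SomeState, L = SomeCity, O = SomeOranization, OU = SomeOrganizationUnit, CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 C = EU, ST = SomeState, L = SomeCity, O = SomeOranization, OU = SomeOrganizationUnit, CN = localhost
verify return:1
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL_connect:error in unknown state
SSL_connect:error in unknown state
SSL_connect:unknown state
SSL_connect:unknown state
SSL handshake has read 1733 bytes and written 871 bytes
SSL-Session:
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify
"""


def summarize_state_trace(text, nonblocking=True):
    """Classify the lines of an `openssl s_client -state` trace.

    nonblocking=True means the trace was taken with -nbio, where "error in"
    lines may simply be would-block returns rather than handshake failures.
    """
    out = {"states": 0, "error_in": [], "failed_in": [], "verify_errors": [],
           "alerts": [], "bytes": None}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"SSL_(?:connect|accept):(error|failed) in (.+)", line)
        if m:
            out[m.group(1) + "_in"].append(m.group(2))
        elif re.match(r"SSL_(?:connect|accept):", line):
            out["states"] += 1  # normal state transition
        elif (m := re.match(r"verify error:num=(\d+):(.+)", line)):
            # num=18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
            out["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif (m := re.match(r"SSL3 alert (read|write):(warning|fatal):(.+)", line)):
            out["alerts"].append(m.groups())
        elif (m := re.match(r"SSL handshake has read (\d+) bytes and written (\d+)", line)):
            out["bytes"] = (int(m.group(1)), int(m.group(2)))
    fatal = [a for a in out["alerts"] if a[1] == "fatal"]
    # Hard evidence of a failed handshake: "failed in", a fatal alert, or
    # "error in" on a blocking socket where would-block returns cannot occur.
    out["hard_failure"] = bool(out["failed_in"] or fatal or
                               (out["error_in"] and not nonblocking))
    return out


if __name__ == "__main__":
    for key, value in summarize_state_trace(TRACE).items():
        print(f"{key}: {value}")
```
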


ID: 68549; Date: Sat Jan 14 08:27:42 2017; Icon: Warning; Author: Andreas Warburton; Author Email: awarburt@physics.mcgill.ca; Category: Bug report; OS: Linux; ELOG Version: V3.1.2; Subject: Re: elogd crashes during SSL Mirror operations involving attachments

For the time being, I am deeming ELOG 3.1.2 unusable with https (SSL = 1) functionality on my "Debian GNU/Linux 7 (wheezy)" server with "OpenSSL 1.0.1t", due to the described apparent issues with SSL.  Reverting to http (SSL = 0) brings back my ability to upload attachments and synchronize with a remote elogd running on a MacOS laptop.

Interestingly, my records indicate that I suffered a problem with very similar symptoms back in 2011, with version 2.8.0.  The problem at that time, which is acknowledged in the Changelog as "Fixed bug with SSL connection shutdown", got fixed in version 2.9.0.  Perhaps, when the "Replaced insecure SSLv23 with TLSv1 method" change was implemented for version 3.0.0, a similar issue was (re-)introduced?

It would of course be best if this issue were resolvable soon, due to the security vulnerabilities of http versus https.  Thank you in advance for any efforts!

Best regards,

Andreas Warburton


ID: 68552; Date: Thu Jan 19 12:56:51 2017; Icon: Warning; Author: Andreas Warburton; Author Email: awarburt@physics.mcgill.ca; Category: Bug report; OS: Linux; ELOG Version: V3.1.2; Subject: Re: elogd crashes during SSL Mirror operations involving attachments

Further to my comment in https://midas.psi.ch/elogs/Forum/68549, if the described synchronization requires attachment(s) to be transferred from my Mac laptop to the Debian linux server (with SSL = 0 set), it fails in all the tests that I tried.

To check whether these problems are linked to the OpenSSL version on the linux server, we also tried building an elogd executable using 1.0.2j instead of 1.0.1t.  This did not appear to change/improve the behaviour.

I'd like to keep using ELOG into the foreseeable future.  Don't hesitate to contact me if you'd like me to beta test any upcoming releases.  I'd appreciate having the earlier mirroring and attachment-handling functionality back again.

Best regards,

Andreas W.

 


ID: 68635; Date: Wed Jun 28 22:20:38 2017; Icon: Reply; Author: Andreas Warburton; Author Email: awarburt@physics.mcgill.ca; Category: Bug report; OS: Linux; ELOG Version: V3.1.3-aded4ae; Subject: Re: Server dropping SSL connection while uploading large files

Hi Erkcan,

I observed similar behaviours when attempting to do SSL uploads and mirroring over a WAN (see some of my recent posts).  Having not received any responses/help, and no time to try debugging the source myself, I've changed the way I use ELOG such that my attachment uploads are always local (on my Mac laptop, where I do most of my ELOGging) and I have switched off the mirroring, choosing instead to do my own rsync backup to a central linux server on which I have running a read-only ELOG executable.  This configuration is both relatively secure and stable, and it matches my use case well.  More generally, however, it is unfortunate that this SSL and mirroring functionality isn't truly there for all users, even though the documentation touts it to be so.

Best regards,

Andreas W.

Erkcan Ozcan wrote:

Hi,

Could someone at least suggest how I could debug this problem myself? If I know where to start, perhaps I can fix it myself and contribute to the software.

Best,

e.

Erkcan Ozcan wrote:

Hi,

I am having trouble with uploading large (>0.5MB) files to elog. We click on upload and in a couple of seconds, the web browser complains that the server has dropped the connection.

Following the suggestions I found on these forums (https://midas.psi.ch/elogs/Forum/66753), I increased the timeout.tv_sec to 30 in three locations in elogd.c, but this did not help.

The problem is present in my old elog installation (from ~2 years ago), as well as the latest git snapshot from bitbucket that I cloned on June 10, 2017.

PS: Upload seems to work for non-secure configuration. It still takes a while to load, but it completes. However we prefer to use secure connections ( SSL = 1 ).
PS: Using nmap I looked at the latency to the relevant port, it can be as high as 0.5sec, but most often it is shorter.

Cheers,
e.

ID: 68832; Date: Mon Aug 13 21:09:30 2018; Icon: Question; Author: Andrew Wade; Author Email: awade@caltech.edu; Category: Question; OS: Linux | Other; ELOG Version: 3.1.2; Subject: Reverse proxy of Elog using Docker and Nginx?

I've been trying to configure a Synology NAS to run my personal elog with a reverse proxy to the outside world.  The best way seems to be running Elog in a Docker instance and then running a separate connected Docker running a nginx-proxy (in this case jwilder/nginx-proxy). This second container manages the certificates to letsencrypt and mapping URL requests to relevant containers so that connection is secured properly.

It worked great in the initial test. However, I have an issue with authentication.  When I password protect the elog it goes to a login page.  When I give a correct password it loops back to the login page (incidentally when I give an incorrect password it gives an 'Invalid user name or password!' warning).  So I know that it's getting the correct password but there is some issue that is resetting or ignoring the authentication.  I am never able to actually get to the protected content.

Does anyone have any experience in using Nginx to set up a secure reverse proxy? Any insights into why this would mess with the authentication of elog?

Side note: I have tried using Apache to do the same and authentication worked fine.  But the pre-canned jwilder/nginx-proxy docker manages all the certificates automatically and seamlessly and allows me to have multiple services running on the same outward facing port on my router.  There is no equivalent (as far as I know) that uses Apache for proxying with letsencrypt.

ID: 68835; Date: Fri Aug 17 22:07:41 2018; Icon: Reply; Author: Andrew Wade; Author Email: awade@caltech.edu; Category: Question; OS: Linux | Other; ELOG Version: 3.1.2; Subject: Re: Reverse proxy of Elog using Docker and Nginx?

Yes, I tried setting the URL parameter to the url used by the proxy.  It goes to the correct address but that landing is the login page.

Andrew

Stefan Ritt wrote:

Have you tried the "URL = ..." statement? This determines where elog redirects if you log in. If you reach elog through a proxy, the URL is a different one than if you access it directly. In your case the proxy URL might be necessary.

Stefan


ID: 68838; Date: Tue Aug 28 23:38:55 2018; Icon: Reply; Author: Andrew Wade; Author Email: awade@caltech.edu; Category: Question; OS: Linux | Other; ELOG Version: 3.1.2; Subject: Re: Reverse proxy of Elog using Docker and Nginx?

It does indeed seem to be a cookie stripping issue.  I just need to figure out how to get Nginx to forward these properly.

Thanks for the help.

Stefan Ritt wrote:

Actually this forum works through an Apache reverse proxy with authentication and it works, so I suspect that the problem has to do with jwilder/nginx-proxy. Since we don't have this here, all I can propose is that you do debugging yourself. Run elogd with the -v flag so that you see all requests coming from the user through the proxy. Compare the requests through Apache and Nginx to see if any arguments are stripped or mangled. Upon successful login, elog sets a cookie with a unique session-ID (the cookie name is "sid") to the browser. If your proxy strips that cookie, you would land on the login page. Maybe look in that direction.

Stefan

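
The comparison Stefan Ritt suggests in this thread, as an added example that is not part of the original posts or of ELOG: it diffs the same request as the backend sees it directly and through the proxy, and checks whether the `sid` cookie in the login reply can be stored and returned by a browser at the public URL. It assumes the request and response heads are available as raw HTTP text (the format of `elogd -v` output is not shown on this page); the function names, host names and cookie attributes in the samples are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_head(raw):
    """Return (start_line, {lowercase header name: [values]}) of a raw HTTP message."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].strip().split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cookies(headers, field):
    """Collect cookies from every 'cookie' or 'set-cookie' header line."""
    jar = SimpleCookie()
    for value in headers.get(field, []):
        jar.load(value)
    return jar


def diff_requests(direct_raw, proxied_raw):
    """What did the backend lose or see altered when the request came via the proxy?"""
    _, direct = parse_head(direct_raw)
    _, proxied = parse_head(proxied_raw)
    sent, seen = cookies(direct, "cookie"), cookies(proxied, "cookie")
    return {
        "headers_missing": sorted(set(direct) - set(proxied)),
        "cookies_missing": sorted(set(sent) - set(seen)),
        "cookies_changed": sorted(k for k in set(sent) & set(seen)
                                  if sent[k].value != seen[k].value),
    }


def set_cookie_problems(response_raw, public_url, name="sid"):
    """Reasons a browser at public_url would not store or return the named cookie."""
    _, headers = parse_head(response_raw)
    jar = cookies(headers, "set-cookie")
    if name not in jar:
        return [f"no Set-Cookie for {name!r} reached the client"]
    url, morsel, problems = urlsplit(public_url), jar[name], []
    domain = morsel["domain"].lstrip(".").lower()
    host = (url.hostname or "").lower()
    if domain and host != domain and not host.endswith("." + domain):
        problems.append(f"Domain={domain} does not match {host}")
    path = morsel["path"] or "/"
    req_path = url.path or "/"
    if not (req_path == path or req_path.startswith(path.rstrip("/") + "/")):
        problems.append(f"Path={path} does not cover {req_path}")
    if morsel["secure"] and url.scheme != "https":
        problems.append("Secure cookie on a non-https URL")
    return problems


# Constructed samples (not captured from a real ELOG server): the same browser
# request as seen directly and via a proxy that dropped the Cookie header,
# plus a login reply whose cookie path does not cover the public logbook path.
DIRECT = ("GET /demo/ HTTP/1.1\r\nHost: elog.example.org\r\n"
          "Cookie: sid=0123456789ABCDEF\r\n\r\n")
PROXIED = ("GET /demo/ HTTP/1.1\r\nHost: elog.example.org\r\n"
           "X-Forwarded-For: 192.0.2.10\r\n\r\n")
LOGIN_REPLY = ("HTTP/1.1 302 Found\r\nLocation: https://elog.example.org/demo/\r\n"
               "Set-Cookie: sid=0123456789ABCDEF; path=/elog/\r\n\r\n")

if __name__ == "__main__":
    print(diff_requests(DIRECT, PROXIED))
    print(set_cookie_problems(LOGIN_REPLY, "https://elog.example.org/demo/"))
```
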


ID: 840; Date: Thu Dec 9 18:39:15 2004; Icon: Question; Author: auser; Author Email: auser; Category: Question; OS: Linux; Subject: Anyone try doing majordomo->Elog?

Hi all,

We currently have Elog postings mirrored on to a majordomo email list. 
Invariably, people on this list reply to the listserv and not to the Elog. 
Has anyone tried getting emails to a listserv to autoformat and register as
proper elog entries?  Didn't see any mention of this in the docs or forums.

Thx 