Home Explore Help
Register Sign In
sapientech
/
goblinoid
Watch 5
Star 6
Fork 1
Files Issues 4 Pull Requests 0 Wiki
Labels Milestones
New Issue

#13 Connection error with SNI SSL site

Open
opened 8 years ago by sazius · 2 comments
Mats Sjöberg commented 8 years ago

After entering my webfinger I get the error message: "Connection error, please try again". I was able to track down that this is because of my site using TLS and SNI (because I have several domains on the same ip address). I was able to confirm this, since it worked once I temporarily disabled all the other domains on that server.

Another hint is from adb logcat:

I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204): hostname 'media.saz.im' doesn't match either of 'saz.im', 'www.saz.im'
I/python  (14204): webfinger got error message: data connection error, please try again later

As you can see it gets the wrong TLS cert (for domain saz.im instead of media.saz.im which is my MediaGoblin domain) because it doesn't support SNI.

After entering my webfinger I get the error message: "Connection error, please try again". I was able to track down that this is because of my site using TLS and SNI (because I have several domains on the same ip address). I was able to confirm this, since it worked once I temporarily disabled all the other domains on that server. Another hint is from `adb logcat`: I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning. I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. I/python (14204): hostname 'media.saz.im' doesn't match either of 'saz.im', 'www.saz.im' I/python (14204): webfinger got error message: data connection error, please try again later As you can see it gets the wrong TLS cert (for domain `saz.im` instead of `media.saz.im` which is my MediaGoblin domain) because it doesn't support SNI.
Deleted User commented 8 years ago

Same issue for me. I don't have a dedicated IP address for my mediagoblin Pump API interface, so it uses SNI to present the correct certificate. Since this doesn't work with Goblinoid, I have to disable automatic https redirection, and all Goblinoid connections to my site are unsecured.

Same issue for me. I don't have a dedicated IP address for my mediagoblin Pump API interface, so it uses SNI to present the correct certificate. Since this doesn't work with Goblinoid, I have to disable automatic https redirection, and all Goblinoid connections to my site are unsecured.
Dylan Jeffers commented 7 years ago
Owner

sazius, thanks for the issue! I'm back working on goblinoid; will take a look at this bug after resolving some dependency issues.

sazius, thanks for the issue! I'm back working on goblinoid; will take a look at this bug after resolving some dependency issues.
Sign in to join this conversation.
Labels
Clear labels
No Label
Milestone
Clear milestone
No Milestone
Assignee
Clear assignee
No assignee
3 Participants
Write Preview
Loading...
Cancel
Save
There is no content yet.