#13 Connection error with SNI SSL site

Open
Opened 9 years ago by sazius · 2 comments
Mats Sjöberg commented 9 years ago

After entering my webfinger I get the error message: "Connection error, please try again". I was able to track down that this is because of my site using TLS and SNI (because I have several domains on the same IP address). I was able to confirm this, since it worked once I temporarily disabled all the other domains on that server.

Another hint is from `adb logcat`:

```
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204): hostname 'media.saz.im' doesn't match either of 'saz.im', 'www.saz.im'
I/python  (14204): webfinger got error message: data connection error, please try again later
```

As you can see it gets the wrong TLS cert (for domain saz.im instead of media.saz.im which is my MediaGoblin domain) because it doesn't support SNI.

Deleted User commented 9 years ago

Same issue for me. I don't have a dedicated IP address for my MediaGoblin Pump API interface, so it uses SNI to present the correct certificate. Since this doesn't work with Goblinoid, I have to disable automatic HTTPS redirection, and all Goblinoid connections to my site are unsecured.

Dylan Jeffers commented 8 years ago
Owner

sazius, thanks for the issue! I'm back working on goblinoid; will take a look at this bug after resolving some dependency issues.