#13 Connection error with SNI SSL site

Açık
sazius tarafından 9 yıl önce kere açıldı · 2 yorum
Mats Sjöberg 9 yıl önce olarak yorumlandı

After entering my webfinger I get the error message: "Connection error, please try again". I was able to track down that this is because of my site using TLS and SNI (because I have several domains on the same ip address). I was able to confirm this, since it worked once I temporarily disabled all the other domains on that server.

Another hint is from adb logcat:

I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204):  /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I/python  (14204): hostname 'media.saz.im' doesn't match either of 'saz.im', 'www.saz.im'
I/python  (14204): webfinger got error message: data connection error, please try again later

As you can see it gets the wrong TLS cert (for domain saz.im instead of media.saz.im which is my MediaGoblin domain) because it doesn't support SNI.

After entering my webfinger I get the error message: "Connection error, please try again". I was able to track down that this is because of my site using TLS and SNI (because I have several domains on the same ip address). I was able to confirm this, since it worked once I temporarily disabled all the other domains on that server. Another hint is from `adb logcat`: I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning. I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. I/python (14204): /data/data/com.sapientech.mediagoblin/files/_applibs/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. I/python (14204): hostname 'media.saz.im' doesn't match either of 'saz.im', 'www.saz.im' I/python (14204): webfinger got error message: data connection error, please try again later As you can see it gets the wrong TLS cert (for domain `saz.im` instead of `media.saz.im` which is my MediaGoblin domain) because it doesn't support SNI.
Deleted User 9 yıl önce olarak yorumlandı

Same issue for me. I don't have a dedicated IP address for my mediagoblin Pump API interface, so it uses SNI to present the correct certificate. Since this doesn't work with Goblinoid, I have to disable automatic https redirection, and all Goblinoid connections to my site are unsecured.

Same issue for me. I don't have a dedicated IP address for my mediagoblin Pump API interface, so it uses SNI to present the correct certificate. Since this doesn't work with Goblinoid, I have to disable automatic https redirection, and all Goblinoid connections to my site are unsecured.
Dylan Jeffers 8 yıl önce olarak yorumlandı
Sahibi

sazius, thanks for the issue! I'm back working on goblinoid; will take a look at this bug after resolving some dependency issues.

sazius, thanks for the issue! I'm back working on goblinoid; will take a look at this bug after resolving some dependency issues.
Giriş yap bu konuşmaya katılmak için.
Etiket Yok
Kilometre Taşı Yok
Atanan Kişi Yok
3 Katılımcı
Yükleniyor...
İptal
Kaydet
Henüz bir içerik yok.