From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bob Proulx
Newsgroups: gmane.emacs.help
Subject: Re: w3m SSL handling error
Date: Thu, 20 Oct 2016 23:26:50 -0600
Message-ID: <20161020230117810189341@bob.proulx.com>
References: <87insr1kfy.fsf@ram.bvr.dp.lan> <20161017030047852203188@bob.proulx.com> <87lgxnjgua.fsf@ram.bvr.dp.lan> <20161017125340282252917@bob.proulx.com> <874m4axjm4.fsf@ram.bvr.dp.lan> <20161019160527696379108@bob.proulx.com> <87lgxj8pnu.fsf@ram.bvr.dp.lan>
In-Reply-To: <87lgxj8pnu.fsf@ram.bvr.dp.lan>
To: "B.V. Raghav"
Cc: help-gnu-emacs@gnu.org
User-Agent: NeoMutt/20161014 (1.7.1)
List-Id: Users list for the GNU Emacs text editor
Xref: news.gmane.org gmane.emacs.help:111579

B.V. Raghav wrote:
> $ apt-cache policy libssl1.0.2
> libssl1.0.2:
>   Installed: 1.0.2j-1
>   Candidate: 1.0.2j-1
>   Version table:
>  *** 1.0.2j-1 500
>         500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
>         100 /var/lib/dpkg/status
>
> It is not up to date. But the result is the same. Is there some cache
> clear etc. required?

That is up to date.  The "***" is pointing to what is installed.  That
is version 1.0.2j-1 which is from the stretch/main repository.
Previously that was listed as newer and not installed.  Now it is
listed as being installed.  All good.

> $ w3m https://www.emacswiki.org/
> SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line

Drat!  Was hoping that would solve the problem.  Since it needed to be
upgraded anyway.  The two versions of packages you upgraded through
with that had a long list of CVEs fixed by the update.  It needed to
be done anyway.

> This is one more preposterous
>
> $ gnutls-cli-debug www.emacswiki.org
> GnuTLS debug client 3.5.4
> Checking www.emacswiki.org:443
>                              for SSL 3.0 (RFC6101) support... no
>                       whether we need to disable TLS 1.2... yes
>                       whether we need to disable TLS 1.1... yes
>                       whether we need to disable TLS 1.0... yes
>                       whether %NO_EXTENSIONS is required... yes
>                             whether %COMPAT is required... yes
>                              for TLS 1.0 (RFC2246) support...
> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2 no

That does not match what I see.  I have 3.5.5 from Sid but that seems
like a small difference.

                              for SSL 3.0 (RFC6101) support... no
                       whether we need to disable TLS 1.2... no
                       whether we need to disable TLS 1.1... no
                       whether we need to disable TLS 1.0... no

Something in your environment is intercepting your packets.  But you
said that much already in one of your emails that you were forced to
go through a proxy of some type.

> With other domains, I run the command
> $ gnutls-cli --tofu domain.tld
>
> and it succeeds in connecting with following Certificate[#] info:
> - subject `CN=domain.tld', issuer `C=IN,O=IIT Kanpur,OU=Computer
> Center,CN=ironport1.iitk.ac.in', serial ...

It seems to me that you are living in an environment that tries to
MITM man-in-the-middle all of your traffic to the outside world.  For
http this is typical.  No real problem.  As long as the proxy is
operating correctly.  For https this is very problematic.  The MITM
appears to be an attacker.  Which they are since they are.  The only
way this is done is by having the MITM use their own certificate and
having all clients trust that certificate.

This is typically within the rights of companies at work when you are
using work equipment that the company owns.  It is the only way the
company can inspect what you are doing.  This is a removal of your
privacy.  But if it is the company equipment and you are using it on
work time then perhaps they have the right to do so.  In which case I
would NOT use company equipment for anything other than strictly work
related business.  Nothing more.  Do all personal and non-work
anything elsewhere on my own non-work equipment.

> but fails to terminate `properly':
>
> *** Fatal error: The TLS connection was non-properly terminated.
> *** Server has terminated the connection abnormally.
>
> Does this seem to have a bearing on my problem?

Yes.  I don't understand your environment but it seems you are in a
captured network where they are trying to prevent you from connecting
directly through https to the outside world.  Your errors are an
indication that the network restrictions are restricting you.  And if
you were to get it to work then you should know that someone is seeing
every byte of data that you are transmitting and that your "encrypted"
https connection is being observed by a MITM.

Personally I can reject such an environment.  Whether you need it for
your job or not is something you will need to decide.

Do you have outbound ssh access outside of your network?  To another
machine that is outside of this control?  If so then you can set up a
vpn / tunnel between your client and this outside server.  You could
use it to proxy through to the outside world.  There are several good
ways to do this.  "sshuttle" is one good way.  You should be able to
"apt-get install sshuttle" it.

Bob
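An added example, not part of Bob's message and not code from w3m or GnuTLS: a small Python probe that turns the check described above into code. It connects with full verification first; if the chain is not trusted by the local machine (the situation that forced `--tofu` in the thread), it reconnects without verification only to take a SHA-256 fingerprint of whatever leaf the proxy hands out. When the chain does verify, it applies a heuristic of my own: an issuer that is self-signed or that names a host inside the local network's own domain (the `ironport1.iitk.ac.in` issuer quoted in the thread is the model) is flagged as an interception CA. The local domain suffix `iitk.ac.in`, the sample certificate dictionaries (built in the shape `ssl.SSLSocket.getpeercert()` returns) and the public-CA issuer names are all constructed for the example. Optionally, a fingerprint obtained out of band (for instance through the SSH tunnel Bob suggests) can be passed in for comparison.

```python
"""Probe an HTTPS endpoint and report whether the certificate it presents
looks like a corporate TLS-interception proxy.  Standard library only.

Added example for this thread; not the original poster's code and not
part of w3m or GnuTLS.  The "issuer belongs to a local domain" heuristic
and the LOCAL_DOMAINS value are assumptions made for the example."""

import hashlib
import socket
import ssl


def rdns_to_dict(rdns):
    """Flatten the nested tuple form used by getpeercert()['subject'] /
    ['issuer'] into a plain {attribute: value} dict."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def issuer_looks_like_interceptor(cert, local_domains):
    """Heuristic: the leaf was minted locally if it is self-signed, or if
    any issuer attribute is a name inside one of local_domains."""
    subject = rdns_to_dict(cert.get("subject", ()))
    issuer = rdns_to_dict(cert.get("issuer", ()))
    if issuer and issuer == subject:
        return True
    for value in issuer.values():
        v = value.lower()
        if any(v == d or v.endswith("." + d) for d in local_domains):
            return True
    return False


def probe(host, port=443, timeout=10):
    """Handshake with full verification; on an untrusted chain, reconnect
    with verification disabled purely to fingerprint the presented leaf.
    No application data is ever sent on the unverified connection.
    Other handshake failures (e.g. an abnormally closed connection, as in
    the thread) propagate as ssl.SSLError / OSError."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
        return {"verified": True, "cert": cert,
                "sha256": hashlib.sha256(der).hexdigest()}
    except ssl.SSLCertVerificationError as err:
        reason = str(err)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # fingerprint only, never trust
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return {"verified": False, "reason": reason, "cert": {},
            "sha256": hashlib.sha256(der).hexdigest()}


def verdict(result, local_domains, pinned_sha256=None):
    """Classify a probe() result.  pinned_sha256 is an optional leaf
    fingerprint taken from outside the suspect network (e.g. via an SSH
    tunnel); a mismatch is the strongest signal of interception."""
    if pinned_sha256 and result["sha256"] != pinned_sha256:
        return "intercepted: leaf differs from out-of-band fingerprint"
    if not result["verified"]:
        return "untrusted chain: " + result.get("reason", "")
    if issuer_looks_like_interceptor(result["cert"], local_domains):
        return "intercepted: issuer is a local CA"
    return "clean"


# Constructed sample in getpeercert() shape, mirroring the issuer DN quoted
# in the thread (C=IN, O=IIT Kanpur, OU=Computer Center,
# CN=ironport1.iitk.ac.in) on a leaf claiming to be domain.tld.
PROXY_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "issuer": ((("countryName", "IN"),),
               (("organizationName", "IIT Kanpur"),),
               (("organizationalUnitName", "Computer Center"),),
               (("commonName", "ironport1.iitk.ac.in"),)),
}
# Constructed sample of a leaf from a public CA (issuer names invented).
PUBLIC_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
LOCAL_DOMAINS = ("iitk.ac.in",)   # assumption: the network's own domain

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(verdict(probe(sys.argv[1]), LOCAL_DOMAINS))
    else:
        for name, c in (("proxy", PROXY_CERT), ("public", PUBLIC_CERT)):
            print(name, issuer_looks_like_interceptor(c, LOCAL_DOMAINS))
```

Run it as `python3 probe.py www.emacswiki.org` inside the suspect network and again through the tunnel; pass the tunnel-side fingerprint as `pinned_sha256` on the inside run. The fingerprint comparison only holds if the server presents the same leaf on both paths, so servers that serve different certificates from different front ends need a few samples before a mismatch is treated as proof.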