* w3m SSL handling error
@ 2016-10-17 7:52 B.V. Raghav
2016-10-17 9:12 ` Bob Proulx
0 siblings, 1 reply; 10+ messages in thread
From: B.V. Raghav @ 2016-10-17 7:52 UTC (permalink / raw)
To: help-gnu-emacs
Hi,
This may not be related to emacs, but if anybody here has solved this
issue, may definitely help
Opening a https URL on w3m errors out with:
error:0906d06c:pem routines:pem_read_bio:no start line
Example: Open `https://www.emacswiki.org/' and w3m fails.
`Something seems to be wrong with URL or this system.'
Then open xterm and `w3m https://www.emacswiki.org/'
The error message is
`0906d06c:pem routines:pem_read_bio:no start line'
Any suggestions?
r
--
Raghav
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-17 7:52 w3m SSL handling error B.V. Raghav
@ 2016-10-17 9:12 ` Bob Proulx
2016-10-17 9:17 ` Eli Zaretskii
2016-10-17 12:33 ` B.V. Raghav
0 siblings, 2 replies; 10+ messages in thread
From: Bob Proulx @ 2016-10-17 9:12 UTC (permalink / raw)
To: B.V. Raghav; +Cc: help-gnu-emacs
B.V. Raghav wrote:
> This may not be related to emacs, but if anybody here has solved this
> issue, may definitely help
Since you see the problem directly from w3m in an xterm it isn't a
problem with emacs. However it is an emacs wiki page and so that
gives some cover for it.
> Opening a https URL on w3m errors out with:
>
> error:0906d06c:pem routines:pem_read_bio:no start line
>
> Example: Open `https://www.emacswiki.org/' and w3m fails.
> `Something seems to be wrong with URL or this system.'
This works okay for me. I cannot recreate the problem.
> Then open xterm and `w3m https://www.emacswiki.org/'
> The error message is
> `0906d06c:pem routines:pem_read_bio:no start line'
>
> Any suggestions?
Here are some ideas. What system are you operating from? You didn't
say. It is an xterm so I might assume some generic GNU/Linux system.
How up to date is it? The error reminds me of other errors I have
seen when the client system is old enough that it only supports SSLv3
connecting to a web server that no longer supports SSLv3 anymore.
Looking at the handshake connecting to it I see that it only supports
TLS v1.1 and v1.2. I rather expect that your client might not be
supporting one of those two protocols.
Bob
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-17 9:12 ` Bob Proulx
@ 2016-10-17 9:17 ` Eli Zaretskii
2016-10-17 13:05 ` B.V. Raghav
2016-10-17 12:33 ` B.V. Raghav
1 sibling, 1 reply; 10+ messages in thread
From: Eli Zaretskii @ 2016-10-17 9:17 UTC (permalink / raw)
To: help-gnu-emacs
> Date: Mon, 17 Oct 2016 03:12:12 -0600
> From: Bob Proulx <bob@proulx.com>
> Cc: help-gnu-emacs@gnu.org
>
> B.V. Raghav wrote:
> > This may not be related to emacs, but if anybody here has solved this
> > issue, may definitely help
>
> Since you see the problem directly from w3m in an xterm it isn't a
> problem with emacs.
I concur.
> > Opening a https URL on w3m errors out with:
> >
> > error:0906d06c:pem routines:pem_read_bio:no start line
> >
> > Example: Open `https://www.emacswiki.org/' and w3m fails.
> > `Something seems to be wrong with URL or this system.'
>
> This works okay for me. I cannot recreate the problem.
>
> > Then open xterm and `w3m https://www.emacswiki.org/'
> > The error message is
> > `0906d06c:pem routines:pem_read_bio:no start line'
> >
> > Any suggestions?
This seems relevant:
http://stackoverflow.com/questions/20837161/openssl-pem-routinespem-read-biono-start-linepem-lib-c703expecting-truste
Sounds like your certificate store needs fixing.
^ permalink raw reply [flat|nested] 10+ messages in thread
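One way to test the certificate-store suggestion above, as an added example that is not part of the thread: OpenSSL reports `PEM_read_bio:no start line` when a file it reads as PEM has no `-----BEGIN ...-----` line, so this script checks the files named by w3m's ssl_ca_file, ssl_cert_file and ssl_key_file options. The sample config and files are constructed, and treating those three options as PEM inputs is an assumption about w3m's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): find files that w3m's config hands to
# OpenSSL as PEM input but that contain no "-----BEGIN ...-----" line, the
# condition OpenSSL reports as "PEM_read_bio:no start line".

# pem_status FILE -> prints missing | empty | pem | not-pem
pem_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    elif grep -q -e '^-----BEGIN [A-Z0-9 ]*-----' "$1"; then
        echo pem
    else
        echo not-pem
    fi
}

# check_w3m_config CONFIG -> "option path status" for each PEM file option set
# (assumption: these three w3m options name files that are parsed as PEM)
check_w3m_config() {
    while read -r key value; do
        case "$key" in
            ssl_ca_file|ssl_cert_file|ssl_key_file)
                if [ -n "$value" ]; then
                    echo "$key $value $(pem_status "$value")"
                fi
                ;;
        esac
    done < "$1"
}

# make_samples DIR -> writes a constructed config and constructed test files
make_samples() {
    # Constructed placeholder body; only the BEGIN line matters to this check.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/ca.pem"
    # Constructed non-PEM content: reading this as PEM gives "no start line".
    printf 'this is not PEM data\n' > "$1/client.crt"
    # Constructed empty file.
    : > "$1/client.key"
    cat > "$1/config" <<EOF
ssl_verify_server 1
ssl_ca_file $1/ca.pem
ssl_cert_file $1/client.crt
ssl_key_file $1/client.key
ssl_ca_path
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_w3m_config "$demo_dir/config"
# On a real system: check_w3m_config "$HOME/.w3m/config"
```

The check looks only for the PEM start line; it does not validate the certificate or key that follows it.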
* Re: w3m SSL handling error
2016-10-17 9:12 ` Bob Proulx
2016-10-17 9:17 ` Eli Zaretskii
@ 2016-10-17 12:33 ` B.V. Raghav
2016-10-17 19:08 ` Bob Proulx
1 sibling, 1 reply; 10+ messages in thread
From: B.V. Raghav @ 2016-10-17 12:33 UTC (permalink / raw)
To: help-gnu-emacs
Bob Proulx <bob@proulx.com> writes:
> B.V. Raghav wrote:
[...]
>> Opening a https URL on w3m errors out with:
>>
>> error:0906d06c:pem routines:pem_read_bio:no start line
>>
>> Example: Open `https://www.emacswiki.org/' and w3m fails.
>> `Something seems to be wrong with URL or this system.'
>
> This works okay for me. I cannot recreate the problem.
Okay... As expected
>> Then open xterm and `w3m https://www.emacswiki.org/'
>> The error message is
>> `0906d06c:pem routines:pem_read_bio:no start line'
>>
>> Any suggestions?
>
> Here are some ideas. What system are you operating from? You didn't
> say. It is an xterm so I might assume some generic GNU/Linux system.
I am running on Debian stretch/sid.
>
> How up to date is it? The error reminds me of other errors I have
> seen when the client system is old enough that it only supports SSLv3
> connecting to a web server that no longer supports SSLv3 anymore.
I don't know how to watch a network while some process is connecting to
it. Please tell me I will do so.
> Looking at the handshake connecting to it I see that it only supports
> TLS v1.1 and v1.2. I rather expect that your client might not be
> supporting one of those two protocols.
I am running behind network-wide proxy, with auth. So I use delegate
server to create a local proxy server that takes care of auth over the
clients that do not support auth.
When I do `netstat -tc', what I see is multiple instances of
`localhost:PORT' which happens to be my local PROXY_SERVER:PORT
I can't figure out how to find some meaningful information, as yourself.
r
--
Raghav
श्रद्धावाँल्लभते ज्ञानम् [https://duckduckgo.com/?q=श्रद्धावाँल्लभते+ज्ञानम्]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-17 12:33 ` B.V. Raghav
@ 2016-10-17 19:08 ` Bob Proulx
2016-10-18 6:21 ` B.V. Raghav
0 siblings, 1 reply; 10+ messages in thread
From: Bob Proulx @ 2016-10-17 19:08 UTC (permalink / raw)
To: B.V. Raghav; +Cc: help-gnu-emacs
B.V. Raghav wrote:
> Bob Proulx writes:
> > Here are some ideas. What system are you operating from? You didn't
> > say. It is an xterm so I might assume some generic GNU/Linux system.
>
> I am running on Debian stretch/sid.
Me too. It works okay for me from Debian Sid fully updated. It also
works for me on Debian Jessie 8 Stable.
> > How up to date is it? The error reminds me of other errors I have
> > seen when the client system is old enough that it only supports SSLv3
> > connecting to a web server that no longer supports SSLv3 anymore.
>
> I don't know how to watch a network while some process is connecting to
> it. Please tell me I will do so.
I think your system may be in an unhappy state. This is probably a
topic for debian-user but... Unless someone complains let's just keep
going here.
You later say you are running behind a network wide proxy which I
think is likely the problem. But first let's start with your system
anyway. I tend to inspect these things from several different
viewpoints all at once and then something wrong appears that can be
fixed. Please inspect with (on my Debian Sid system for example).
Following are a few commands and example output shown from my system.
Then later down I will ask about the network proxy.
  ldd -d -r /usr/bin/w3m
      linux-vdso.so.1 (0x00007ffcacdfa000)
      libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f008f1b8000)
      libgc.so.1 => /usr/lib/x86_64-linux-gnu/libgc.so.1 (0x00007f008ef48000)
      libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f008ecde000)
      libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f008e87a000)
      libgpm.so.2 => /usr/lib/x86_64-linux-gnu/libgpm.so.2 (0x00007f008e674000)
      libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f008e448000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f008e0aa000)
      /lib64/ld-linux-x86-64.so.2 (0x000056338d052000)
      libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f008de8d000)
      libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f008dc89000)
In the above I see that w3m is linking against libssl.so.1.0.2 =>
/usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 which is in the libssl1.0.2
package.
  dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
  libssl1.0.2:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2

  apt-cache policy w3m
  w3m:
    Installed: 0.5.3-31
    Candidate: 0.5.3-31
    Version table:
   *** 0.5.3-31 500
          500 http://ftp.us.debian.org/debian sid/main amd64 Packages
          100 /var/lib/dpkg/status
       0.5.3-29 500
          500 http://ftp.us.debian.org/debian testing/main amd64 Packages

  apt-cache policy libssl1.0.2
  libssl1.0.2:
    Installed: 1.0.2j-1
    Candidate: 1.0.2j-1
    Version table:
   *** 1.0.2j-1 500
          500 http://ftp.us.debian.org/debian sid/main amd64 Packages
          500 http://ftp.us.debian.org/debian testing/main amd64 Packages
          100 /var/lib/dpkg/status
That is from Debian Sid today and fully updated. I am hoping that your
system will show different version numbers. I am in the US and using
the US mirror but I expect your mirror will be different which is
okay. The versions of the packages should be the same however.
> > Looking at the handshake connecting to it I see that it only supports
> > TLS v1.1 and v1.2. I rather expect that your client might not be
> > supporting one of those two protocols.
>
> I am running behind network-wide proxy, with auth. So I use delegate
> server to create a local proxy server that takes care of auth over the
> clients that do not support auth.
>
> When I do `netstat -tc', what I see is multiple instances of
> `localhost:PORT' which happens to be my local PROXY_SERVER:PORT
The above waves flags and rings alarm bells in my head as likely to be
related to the problem because it is right in the middle of
everything. This is a complicated process and I suspect it of being
the problem.
Unfortunately I don't know how to test your proxy. Perhaps someone
else will know how to inspect it and test it for proper working.
Can you bypass your proxy and connect directly in order to test your
software configuration?
Bob
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-17 19:08 ` Bob Proulx
@ 2016-10-18 6:21 ` B.V. Raghav
2016-10-19 22:08 ` Bob Proulx
0 siblings, 1 reply; 10+ messages in thread
From: B.V. Raghav @ 2016-10-18 6:21 UTC (permalink / raw)
To: help-gnu-emacs
Bob Proulx <bob@proulx.com> writes:
> [snip]
> I think your system may be in an unhappy state. This is probably a
> topic for debian-user but... Unless someone complains let's just keep
> going here.
>
> You later say you are running behind a network wide proxy which I
> think is likely the problem. But first let's start with your system
> anyway. I tend to inspect these things from several different
> viewpoints all at once and then something wrong appears that can be
> fixed. Please inspect with (on my Debian Sid system for example).
> Following are a few commands and example output shown from my system.
> Then later down I will ask about the network proxy.
>
> [snip]
>
> In the above I see that w3m is linking against libssl.so.1.0.2 =>
> /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 which is in the libssl1.0.2
> package.
>
> [snip]
>
> That is from Debian Sid today and fully updated. I am hoping that your
> system will show different version numbers. I am in the US and using
> the US mirror but I expect your mirror will be different which is
> okay. The versions of the packages should be the same however.
The results are matching!
  $ apt-cache policy w3m
  w3m:
    Installed: 0.5.3-29
    Candidate: 0.5.3-29
    Version table:
   *** 0.5.3-29 500
          500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
          100 /var/lib/dpkg/status
except the w3m version 0.5.3-29 in my case vs 0.5.3-31 in your case. My
mirror does not have it updated as yet, I checked. But I think that's
okay.
  $ apt-cache policy libssl1.0.2
  libssl1.0.2:
    Installed: 1.0.2h-1
    Candidate: 1.0.2j-1
    Version table:
       1.0.2j-1 500
          500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
   *** 1.0.2h-1 100
          100 /var/lib/dpkg/status

  $ dpkg -S /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2
  libssl1.0.2:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2

  $ ldd -d -r /usr/bin/w3m
      linux-vdso.so.1 (0x00007fff49974000)
      libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fe639383000)
      libgc.so.1 => /usr/lib/x86_64-linux-gnu/libgc.so.1 (0x00007fe639113000)
      libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007fe638ea9000)
      libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007fe638a46000)
      libgpm.so.2 => /usr/lib/x86_64-linux-gnu/libgpm.so.2 (0x00007fe638840000)
      libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fe638615000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe638274000)
      /lib64/ld-linux-x86-64.so.2 (0x0000563c1eb9f000)
      libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fe638057000)
      libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe637e52000)
> Can you bypass your proxy and connect directly in order to test your
> software configuration?
Yes. I did that:
  $ http_proxy= w3m https://www.emacswiki.org/

But result is the same

  SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line
Thanks for your support
r
--
Raghav
यस्य स्मरण मात्रेन जन्म संसार बन्धनात् विमुच्यते नमस्तस्मै विष्णवे प्रभविष्णवे
Salutations to the one, whose mere thought itself manifests in freedom
from bonds of the world of life.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-18 6:21 ` B.V. Raghav
@ 2016-10-19 22:08 ` Bob Proulx
2016-10-20 7:07 ` B.V. Raghav
0 siblings, 1 reply; 10+ messages in thread
From: Bob Proulx @ 2016-10-19 22:08 UTC (permalink / raw)
To: B.V. Raghav; +Cc: help-gnu-emacs
B.V. Raghav wrote:
> The results are matching!
Do they really match? Your results say otherwise.
> $ apt-cache policy libssl1.0.2
> libssl1.0.2:
> Installed: 1.0.2h-1
> Candidate: 1.0.2j-1
> Version table:
> 1.0.2j-1 500
> 500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
> *** 1.0.2h-1 100
> 100 /var/lib/dpkg/status
Why aren't you using 1.0.2j-1? That is a big difference!
> > Can you bypass your proxy and connect directly in order to test your
> > software configuration?
>
> Yes. I did that:
>
> $ http_proxy= w3m https://www.emacswiki.org/
>
> But result is the same
> SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line
I suggest upgrading your system and then trying again.
Bob
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-19 22:08 ` Bob Proulx
@ 2016-10-20 7:07 ` B.V. Raghav
2016-10-21 5:26 ` Bob Proulx
0 siblings, 1 reply; 10+ messages in thread
From: B.V. Raghav @ 2016-10-20 7:07 UTC (permalink / raw)
To: help-gnu-emacs
Bob Proulx <bob@proulx.com> writes:
> Why aren't you using 1.0.2j-1? That is a big difference!
My my! I totally missed that. In fact I apologise for not having
bothered about it!
  # apt update && apt full-upgrade
  $ apt-cache policy libssl1.0.2
  libssl1.0.2:
    Installed: 1.0.2j-1
    Candidate: 1.0.2j-1
    Version table:
   *** 1.0.2j-1 500
          500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
          100 /var/lib/dpkg/status
It is not up to date. But the result is the same. Is there some cache
clear etc. required?
  $ w3m https://www.emacswiki.org/
  SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line
This is one more preposterous
  $ gnutls-cli-debug www.emacswiki.org
  GnuTLS debug client 3.5.4
  Checking www.emacswiki.org:443
  for SSL 3.0 (RFC6101) support... no
  whether we need to disable TLS 1.2... yes
  whether we need to disable TLS 1.1... yes
  whether we need to disable TLS 1.0... yes
  whether %NO_EXTENSIONS is required... yes
  whether %COMPAT is required... yes
  for TLS 1.0 (RFC2246) support...
  Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2 no
With other domains, I run the command
  $ gnutls-cli --tofu domain.tld

and it succeeds in connecting with following Certificate[#] info:

  - subject `CN=domain.tld', issuer `C=IN,O=IIT Kanpur,OU=Computer
    Center,CN=ironport1.iitk.ac.in', serial ...

but fails to terminate `properly':

  *** Fatal error: The TLS connection was non-properly terminated.
  *** Server has terminated the connection abnormally.
Does this seem to have a bearing on my problem?
--
Raghav
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: w3m SSL handling error
2016-10-20 7:07 ` B.V. Raghav
@ 2016-10-21 5:26 ` Bob Proulx
0 siblings, 0 replies; 10+ messages in thread
From: Bob Proulx @ 2016-10-21 5:26 UTC (permalink / raw)
To: B.V. Raghav; +Cc: help-gnu-emacs
B.V. Raghav wrote:
> $ apt-cache policy libssl1.0.2
> libssl1.0.2:
> Installed: 1.0.2j-1
> Candidate: 1.0.2j-1
> Version table:
> *** 1.0.2j-1 500
> 500 http://mirror.cse.iitk.ac.in/debian stretch/main amd64 Packages
> 100 /var/lib/dpkg/status
>
> It is not up to date. But the result is the same. Is there some cache
> clear etc. required?
That is up to date. The "***" is pointing to what is installed. That
is version 1.0.2j-1 which is from the stretch/main repository.
Previously that was listed as newer and not installed. Now it is
listed as being installed. All good.
> $ w3m https://www.emacswiki.org/
> SSL error: error:0906D06C:PEM routines:PEM_read_bio:no start line
Drat! Was hoping that would solve the problem. Since it needed to be
upgraded anyway. The two versions of packages you upgraded through
with that had a long list of CVEs fixed by the update. It was needed
to be done anyway.
> This is one more preposterous
>
> $ gnutls-cli-debug www.emacswiki.org
> GnuTLS debug client 3.5.4
> Checking www.emacswiki.org:443
> for SSL 3.0 (RFC6101) support... no
> whether we need to disable TLS 1.2... yes
> whether we need to disable TLS 1.1... yes
> whether we need to disable TLS 1.0... yes
> whether %NO_EXTENSIONS is required... yes
> whether %COMPAT is required... yes
> for TLS 1.0 (RFC2246) support...
> Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2 no
That does not match what I see. I have 3.5.5 from Sid but that seems
like a small difference.
  for SSL 3.0 (RFC6101) support... no
  whether we need to disable TLS 1.2... no
  whether we need to disable TLS 1.1... no
  whether we need to disable TLS 1.0... no
Something in your environment is intercepting your packets. But you
said that much already in one of your emails that you were forced to
go through a proxy of some type.
> With other domains, I run the command
> $ gnutls-cli --tofu domain.tld
>
> and it succeeds in connecting with following Certificate[#] info:
> - subject `CN=domain.tld', issuer `C=IN,O=IIT Kanpur,OU=Computer
> Center,CN=ironport1.iitk.ac.in', serial ...
It seems to me that you are living in an environment that tries to
MITM (man-in-the-middle) all of your traffic to the outside world. For
http this is typical. No real problem. As long as the proxy is
operating correctly.
For https this is very problematic. The MITM appears to be an
attacker. Which they are since they are. The only way this is done
is by having the MITM use their own certificate and having all clients
trust that certificate. This is typically within the rights of
companies at work when you are using work equipment that the company
owns. It is the only way the company can inspect what you are doing.
This is a removal of your privacy. But if it is the company equipment
and you are using it on work time then perhaps they have the right to
do so. In which case I would NOT use company equipment for anything
other than strictly work related business. Nothing more. Do all
personal and non-work anything elsewhere on my own non-work equipment.
> but fails to terminate `properly':
>
> *** Fatal error: The TLS connection was non-properly terminated.
> *** Server has terminated the connection abnormally.
>
> Does this seem to have a bearing on my problem?
Yes. I don't understand your environment but it seems you are in a
captured network where they are trying to prevent you from connecting
directly through https to the outside world. Your errors are an
indication that the network restrictions are restricting you. And if
you were to get it to work then you should know that someone is seeing
every byte of data that you are transmitting and that your "encrypted"
https connection is being observed by a MITM. Personally I can reject
such an environment. Whether you need it for your job or not is
something you will need to decide.
Do you have outbound ssh access outside of your network? To another
machine that is outside of this control? If so then you can set up a
vpn / tunnel between your client and this outside server. You could
use it to proxy through to the outside world. There are several good
ways to do this. "sshuttle" is one good way. You should be able to
"apt-get install sshuttle" it.
Bob
^ permalink raw reply [flat|nested] 10+ messages in thread
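The interception described in the last message shows up in the issuer field of the certificate a client receives. As an added example that is not part of the thread, this script extracts the issuer from saved gnutls-cli output and compares it with the issuers expected for the site; the file names, the transcripts and the "Example Public CA" issuer are constructed, and the intercepted transcript reuses the issuer quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the certificate issuer that
# gnutls-cli printed with the issuers expected for a site.

# Constructed placeholder for an issuer you expect; not a real CA.
EXPECTED_ISSUER='C=XX,O=Example Trust,CN=Example Public CA'

# issuer_of FILE -> issuer of the first (leaf) certificate line in FILE
issuer_of() {
    sed -n "s/.*issuer \`\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_issuer FILE EXPECTED... -> prints "ok ISSUER" (returns 0),
# "unexpected ISSUER" (returns 1) or "no-certificate" (returns 2)
check_issuer() {
    file=$1
    shift
    seen=$(issuer_of "$file")
    if [ -z "$seen" ]; then
        echo no-certificate
        return 2
    fi
    for want in "$@"; do
        if [ "$seen" = "$want" ]; then
            echo "ok $seen"
            return 0
        fi
    done
    echo "unexpected $seen"
    return 1
}

# write_samples DIR -> two constructed gnutls-cli transcripts
write_samples() {
    # Issuer as quoted in the thread: the proxy's own CA signs the leaf.
    cat > "$1/intercepted.txt" <<'EOF'
- Certificate[0] info:
 - subject `CN=domain.tld', issuer `C=IN,O=IIT Kanpur,OU=Computer Center,CN=ironport1.iitk.ac.in', serial ...
EOF
    # Constructed transcript of a direct connection.
    cat > "$1/direct.txt" <<EOF
- Certificate[0] info:
 - subject \`CN=domain.tld', issuer \`$EXPECTED_ISSUER', serial ...
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
check_issuer "$sample_dir/intercepted.txt" "$EXPECTED_ISSUER" || true
check_issuer "$sample_dir/direct.txt" "$EXPECTED_ISSUER"
```

For real use, save the output of `gnutls-cli` for the site to a file and pass the issuer strings recorded from a network you trust.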