Unable to parse tls packet header android

Virgin Media Community

Error checking mail — Unable to parse TLS packet h.

on ‎25-02-2021 15:51

Can anyone help me.

I connect to an IMAP server based in New Zealand using SSL 993 (inbound) and 465 (outbound) using my mobile phone on Vodafone / O2 networks. All works fine. I switch to Virgin Media network (wired / wireless) and I get the error message, ‘Error checking mail. Error connecting: Unable to parse TLS packet header.’

This started this week. All has been working for years but now I cannot connect via my phone (wireless) or my pc (wired) to retrieve email.

Tried to call Virgin but the representative was not helpful and dropped the call.

Thanks anyone who can help. Andy

‎27-02-2021 13:13 — edited ‎27-02-2021 13:14

It would be helpful to know the IMAP server’s URL

on ‎27-02-2021 14:10

Thank you for responding

mail.digiweb.net.nz for IMAP inbound and SMTP. Port 993 SSL and 465 SSL outbound.

Works perfectly on O2 and Vodafone but fails on Virgin Media broadband wireless or wired.

Any help greatly appreciated. Thank you. Andy

on ‎27-02-2021 15:49

Not seeing the same issue when connecting to mail.digiweb.net.nz ; not much help to you, I know, but does suggest a localised issue.

On your PC open a Command Shell or Terminal window and enter the following command to connect to mail.digiweb.net.nz :

Review and redact any personal information from the resulting output and post here, for example (redaction shown in red for clarity):

on ‎27-02-2021 16:50

Output as follows:

curl -v imaps://mail.digiweb.net.nz
* Connected to mail.digiweb.net.nz (202.174.80.113) port 993 (#0)
* successfully set certificate verify locations:
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number
* Closing connection 0
curl: (35) error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

on ‎27-02-2021 23:24

Can you repeat the previous curl command but with Web Safe turned off.

FYI : in its default configuration Web Safe blocks access to http://nordvpn.com, to confirm its status type the following command:

If the returned Location value is:

on ‎27-02-2021 23:49

Can you repeat the previous curl command but with Web Safe turned off.

FYI : in its default configuration Web Safe blocks access to http://nordvpn.com, to confirm its status type the following command:

If the returned Location value is:

I have been keeping an eye on this thread as a learning opportunity. Where does nordvpn come into play? I can’t see any reference in the previous posts.

You asked for the previous curl query to be done on the SMTP server but the reply seems to indicate a query against the IMAP server. Could that add to the confusion?

Unable to compile app for android «WARNING: pip is configured with locations that require TLS/SSL» #1141

Comments

ghost commented Jun 4, 2020

Versions

  • Python: 3.8.2
  • OS: Ubuntu 20.04 64bit
  • Buildozer: 1.2.0

Description

I am working with KivyMD to develop a cross platform application. I have successfully been able to compile the application in Windows using pyinstaller. Now I am working on a Linux Box to compile the app for an Android device. I have followed the guides to setup buildozer requirements and completed the following.

sudo apt update
sudo apt install -y git zip unzip openjdk-8-jdk python3-pip autoconf libtool pkg-config zlib1g-dev libncurses5-dev libncursesw5-dev libtinfo5 cmake libffi-dev
pip3 install --user --upgrade cython virtualenv
sudo apt install cython

I also installed the following packages:
sudo apt install cython3
sudo apt-get install autoconf
sudo apt-get install automake
sudo apt-get install g++
sudo apt-get install libtool m4 automake
sudo apt-get install lld

Then I run the command below against the spec file below and receive the error message.

It seems to be related to needing to download a file (not sure why) and not having the ssl module available. I have pyOpenSSL installed, and I read that ssl isn’t compatible with my version of python so I’m really not sure how to resolve this.

Any help is appreciated.

buildozer.spec

wget on nqsb.io fails on Debian (GnuTLS) #293

Comments

edwintorok commented Jul 7, 2015

Not sure where to report this, curl (OpenSSL) works fine but wget (GnuTLS) gives an error:

Tried some wget flags but no good:

Update: this works:

amirmc commented Jul 7, 2015

Just for info, I tried on a Mac (10.10.3) and it worked first time.

edwintorok commented Jul 7, 2015

thanks, we can rule out wget+openssl then, only wget+gnutls is a problem.
However gnutls-cli on its own works and established a TLSv1.2 connection, here is gnutls-cli-debug nqsb.io if it helps:

pqwy commented Jul 9, 2015

Thanks for the report!

I compiled a version of wget that uses GnuTLS (3.4.2) on my Arch Linux machine:

Using this binary, I cannot replicate the behavior you get on Debian. It always connects successfully.

While I’m digging around for Debian source packages to check if they do something interesting to the default options, could you please run another test:

Check out ocaml-tls, and ./configure --enable-lwt --enable-tests && make. This should produce echo_server.native. Could you please run it, connect to it using wget (like wget https://localhost:4433), and paste the echo_server’s output? By default it will dump copious tracing information to the terminal, and this should make it clear what ocaml-tls thinks of the other side.

edwintorok commented Jul 9, 2015

edwintorok commented Jul 9, 2015

Also reproduces with (this is what wget on debian sets):

The problem is when using %COMPAT about which the manual says:

edwintorok commented Jul 9, 2015

Looking at a wireshark trace GnuTLS %COMPAT sends:

Whereas OpenSSL sends:

It looks like ocaml-tls rejects padding that has a length, shouldn’t it parse the length and check just that the data is all zeroes?

hannesm commented Jul 9, 2015

edwin, thanks for your research. according to padding extension draft https://tools.ietf.org/html/draft-ietf-tls-padding-01#section-3 the data must be all 0. (we mentioned this behaviour, although we didn’t know it was GnuTLS in 7.1 of our paper).

there are two things to do: inform the GnuTLS people that they should not insert a length field in the padding data, and evaluate whether we should be more loose in what we accept.

hannesm commented Jul 9, 2015

which version of GnuTLS are you using?

edwintorok commented Jul 9, 2015

I don’t know much about how to read ASN.1 specifications (or encoding), is the field extension_data usually prefixed with its length in ASN.1/DER?

hannesm commented Jul 9, 2015

the example in section 3 is pretty clear: extension_type 0x00 0x15 followed by length 0x00 0x06 followed by length amount of 0s..

edwintorok commented Jul 9, 2015

Looks like wireshark looks for extension length, then padding length, then padding data, and GnuTLS adds the length twice (once for extension, once for the padding itself). I agree that it’d be useful to discuss with them to see why they chose to implement it that way.

hannesm commented Jul 9, 2015

looking through GnuTLS git source code, I cannot find the padding data extension. maybe it already got removed!?

edwintorok commented Jul 9, 2015

It’s called dumbfw
because it’s used to work around dumb firewalls that have trouble in the 256-511 range with ClientHello 🙂

hannesm commented Jul 9, 2015

yes, I found the dumbfw code as well, and it indeed still prefixes the padding data with a length. do you want to report an issue at gnutls.org, or should I?

edwintorok commented Jul 9, 2015

Please go ahead and report it, you actually know about TLS implementation details, I’m just a user 🙂

edwintorok commented Jul 9, 2015

On 07/09/2015 11:44 AM, Hannes Mehnert wrote:

evaluate whether we should be more loose in what we accept.

I think it’d be consistent with the ‘we thereby capture the practical de facto standard’ mentioned in your paper to accept the GnuTLS behaviour
(first two bytes either 00 00, or the length of padding).

Once an updated gnutls or wget is sufficiently widely deployed in major distributions you could revert to the strict checking you have now.
The extension draft says ‘Servers MAY verify that the extension is either empty or contains only zero bytes’, so you’re not required to reject all paddings that are not conforming.
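The strict and tolerant checks debated in the comments above can be compared side by side. This is an added example, not part of the original thread and not ocaml-tls or GnuTLS code; the function names are hypothetical, the sample bytes are constructed, and the "length-prefixed" layout follows the description given in the comments (a second two-byte length inside extension_data).

```python
import struct

PADDING_EXT_TYPE = 0x0015  # extension_type 0x00 0x15, as quoted in the thread

def split_extensions(block: bytes):
    """Yield (type, data) for each extension in an extensions block (no outer length)."""
    off = 0
    while off < len(block):
        if len(block) - off < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        off += 4
        if ext_len > len(block) - off:
            raise ValueError("extension length runs past end of block")
        yield ext_type, block[off:off + ext_len]
        off += ext_len

def classify_padding(data: bytes) -> str:
    """Classify the extension_data of a padding extension."""
    if not any(data):
        return "conforming"          # empty, or zero bytes only
    # Layout described in the thread: a second 2-byte length that covers
    # the remaining bytes, followed by zero bytes only.
    if len(data) >= 2:
        (inner_len,) = struct.unpack_from("!H", data)
        if inner_len == len(data) - 2 and not any(data[2:]):
            return "length-prefixed"
    return "nonzero"                 # arbitrary content: the covert-channel case

def padding_acceptable(block: bytes, strict: bool = True) -> bool:
    """strict=True accepts only zero padding; strict=False also accepts
    the length-prefixed form. Non-zero content is rejected either way."""
    for ext_type, data in split_extensions(block):
        if ext_type != PADDING_EXT_TYPE:
            continue
        kind = classify_padding(data)
        if kind == "nonzero" or (strict and kind == "length-prefixed"):
            return False
    return True

# Constructed sample extension blocks (not captured traffic).
OTHER = bytes.fromhex("ff01 0001 00")   # an unrelated extension in front
CONFORMING = OTHER + bytes.fromhex("0015 0006 000000000000")
LENGTH_PREFIXED = OTHER + bytes.fromhex("0015 0006 0004 00000000")
NONZERO = OTHER + bytes.fromhex("0015 0006 0004 00000001")

if __name__ == "__main__":
    for name, blk in [("conforming", CONFORMING),
                      ("length-prefixed", LENGTH_PREFIXED),
                      ("nonzero", NONZERO)]:
        print(name, padding_acceptable(blk), padding_acceptable(blk, strict=False))
```

The tolerant mode widens acceptance by exactly one extra byte pattern per padding length, which keeps the zero-only property for everything after the inner length field.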

hannesm commented Jul 9, 2015

@edwintorok sure, but not being strict in checking introduces a covert channel (as mentioned in section 5 of the draft).. still unclear to me @pqwy what’s your opinion?

pqwy commented Jul 9, 2015

@edwintorok has a pretty reasonable position, esp. given that what TLS is is more-or-less an empirical fact. And the «covert channel» mention in the draft sounds a little hand-wavy, it is unclear to me how this could be used for anything.

Then again, I’m reminded of this. GnuTLS is constantly causing small headaches, and I’m not inclined to have any code that specifically caters to their many historical quirks. If anything, I would rather adopt a no-exceptions policy for that library: if GnuTLS is the only dissenting voice on something, I would ignore it on principle.

It’s also worth noting that this problem is encountered only when using GnuTLS’ own «quirks mode.» Adding our quirks mode to adapt to their quirks mode sounds like an arms race in arbitrariness. 😄

hannesm commented Jul 9, 2015

in the traces from https://tls.openmirage.org we encountered 7 times (out of > 22000) this bad padding extension. this is such a minority that I don’t think we need to make our checks more loose.

hannesm commented Jul 9, 2015

given the small percentage of systems which are affected, closing this with WONTFIX. If I misjudged the cardinality of affected systems, please reopen..

UltimateByte commented May 16, 2016

hannesm commented May 16, 2016

@UltimateByte two things: a) it is a bug in GnuTLS, fixed upstream — debian people should poke their maintainers to get fixed packages b) I don’t believe OCaml-TLS is running on github or cloudflare servers, thus it is likely another TLS stack which has the same behaviour as ours.

UltimateByte commented May 16, 2016

@hannesm Thanks for bothering answering me. 🙂
Pardon my ignorance, i thought this was related but it seems like i know nothing :p

tls-crypt unwrap error: packet too short #21

Comments

Engineer-of-Stuff commented Dec 18, 2018

I have tls-auth enabled on my ovpn server. I supply the required file (the TLS key from the server, which the script accepts and sends) but the command fails saying CRIT: Not responding .

Checking the ovpn logs I see that it was having trouble reading the tls key.

Here is the command being run:

Engineer-of-Stuff commented Dec 24, 2018

Can I get some help.

liquidat commented Jan 11, 2019

Can you verify that the very same tls key file works with other clients?

liquidat commented Jan 14, 2019

andiwand commented Feb 5, 2019

@Engineer-of-Stuff can you post your openvpn server config? and the version of the server binary please.

drajcan-nephthys commented Feb 9, 2019

hello guys, I am confirming that tls-crypt does not work at all.

I am getting the following error:
Sat Feb 9 14:07:47 2019 tls-crypt unwrap error: packet authentication failed

Here is my server.conf:
mode server
tls-server
tls-crypt /etc/openvpn/certs/tlscrypt.key 0
proto udp
dev tun0
port 1194
topology subnet
group openvpn
user openvpn
auth SHA512
cipher AES-256-GCM
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
duplicate-cn
reneg-sec 0
persist-key
compress lz4-v2
fast-io
tun-mtu 1200
verb 3
max-clients 250
auth-retry interact
ping-restart 15
ping 5
inactive 1800
management 127.0.0.1 5555
status /var/log/openvpn/status.log
log-append /var/log/openvpn/access.log
tmp-dir /etc/openvpn/tmp
plugin /etc/openvpn/plugins/openvpn-plugin-auth-script.so /etc/openvpn/scripts/authenticate.sh

Version of openvpn server binary:
openvpn-2.4.6-1.el7.x86_64

Can you help me please ?

Thank you very much.

andiwand commented Apr 13, 2019

@Engineer-of-Stuff i see «Tue Dec 18 21:23:01 2018 TCP connection established with [AF_INET]myip» but for the check script you use udp.
@drajcan i just tested it for my setup and it works. maybe «tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384» is the problem here.

Engineer-of-Stuff commented Apr 16, 2019

How do I specify TCP in the monitor?
Also, do you still want my server config?

andiwand commented Apr 17, 2019

you find it in the usage "-t, --tcp use tcp instead of udp"

connorpower commented Dec 16, 2019

Note: tls-auth and tls-crypt are different. This tool doesn’t yet have a command-line option for --tls-crypt (see separate issue #22).

andiwand commented Dec 24, 2019

@connorpower i see, thank you for pointing this out!

liquidat commented Jan 2, 2020

As discussed, we currently do not support tls-crypt. Closing the issue for now.
