egghelp/eggheads community

HTTP/TLS Package

2010-03-18T12:34:50-04:00

no problemo,
thanks for the effort

Statistics: Posted by w00f — Thu Mar 18, 2010 12:34 pm

HTTP/TLS Package

2010-03-10T13:52:01-04:00

Hmm... running very low in ideas then :/

Statistics: Posted by nml375 — Wed Mar 10, 2010 1:52 pm

HTTP/TLS Package

2010-03-10T08:04:21-04:00

Thanks nml375, but it still returns eof =/
lol this is getting weirder

Statistics: Posted by w00f — Wed Mar 10, 2010 8:04 am

HTTP/TLS Package

2010-03-07T14:49:59-04:00

Well, that pretty much concludes that your issue with self-signed certificate is due to a missing CA (solved with the -CApath option). Did you try sending a http-request (and was it successful)?

Lets try a new set:

Code:

http::register https 443 [list ::tls::socket -require 0 -request 1 -tls1 1 -command ::tls::callback -cadir /etc/ssl/certs]set ::tls::debug 0set ::tls::logcmd putlog

Now we've enabled TLSv1 (since your openssl s_client suggests that's what your server likes), as well as included the CA-directory, and using the builtin callback to log (and validate certs - should work as we've added the -cadir option).

Statistics: Posted by nml375 — Sun Mar 07, 2010 2:49 pm

HTTP/TLS Package

2010-03-07T14:38:42-04:00

Yea sure.

openssl s_client -showcerts -connect xpto.com:443 >> ssl
http://pastebin.com/scQq6ZTK

openssl s_client -showcerts -connect xpto.com:443 -CApath /etc/ssl/certs >> ssl2
http://pastebin.com/UkM7ps5V

Statistics: Posted by w00f — Sun Mar 07, 2010 2:38 pm

HTTP/TLS Package

2010-03-06T22:53:22-04:00

Well, there is something fishy there..
Unfortunately, I'm unable to connect to xpto.com:443 from here, so that makes it a little hard to have a closer look at the certificate chain :/
Could you run the following command from your shell, and post the output?

Code:

openssl s_client -showcerts -connect xpto.com:443

And possibly also this one:

Code:

openssl s_client -showcerts -connect xpto.com:443 -CApath /etc/ssl/certs

That should provide some clues to the self signed certificate...
(the openssl s_client opens a ssl-encrypted "telnet" session with the remote host, just hit ctrl+C to disconnect, or test writing a "GET / HTTP/1.0" http request and see what happens).

Statistics: Posted by nml375 — Sat Mar 06, 2010 10:53 pm

HTTP/TLS Package

2010-03-06T22:34:27-04:00

Setting the debug value to 0/1 will output the following when executing the wget proc,

::tls::debug 0
TLS/sock7: error: certificate verify failed

::tls::debug 1
TLS/sock7: verify/3: Bad Cert: self signed certificate in certificate chain (rc = 0)

:\

Statistics: Posted by w00f — Sat Mar 06, 2010 10:34 pm

HTTP/TLS Package

2010-03-06T11:41:51-04:00

That was some interresting results.
The message regarding a self-signed cert means there was one certificate in the chain (not necessary yours) that was self-signed. Root CA certificates are generally self-signed, since there is no "higher" cert to sign it. Instead, we tell our clients (web browsers, etc) that we explicitly trust this cert, and any cert it has signed. An intermediate cert should however never be self-signed.

Setting the ::tls::debug variable to anything higher than 0, wil tell ::tl::callback to approve any cert, regardless of it's validity. The fact that your connection now doesn't close prematurely would suggest there might be some issue with the site-cert or your CA. However, the fact that it now freezes/times out suggests that the web server is not doing too well...

If you keep the ::tls::callback, but set ::tls::debug to 0, do you get the same behaviour?

Statistics: Posted by nml375 — Sat Mar 06, 2010 11:41 am

HTTP/TLS Package

2010-03-05T21:54:56-04:00

here's the log/handshake

Code:

[01:40a]  -modtcl    • TLS/sock18: handshake/start: before/connect initialization[01:40a]  -modtcl    • TLS/sock18: connect/loop: before/connect initialization[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv2/v3 write client hello A[01:40a]  -modtcl    • TLS/sock18: connect/exit: SSLv2/v3 read server hello A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 read server hello A[01:40a]  -modtcl    • TLS/sock18: connect/exit: SSLv3 read server certificate A[01:40a]  -modtcl    • TLS/sock18: connect/exit: SSLv3 read server certificate A[01:40a]  -modtcl    • TLS/sock18: verify/3: Bad Cert: self signed certificate in certificate chain (rc = 0)[01:40a]  -modtcl    • TLS/sock18: verify/3: /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com[01:40a]  -modtcl    • TLS/sock18: verify/2: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority[01:40a]  -modtcl    • TLS/sock18: verify/1: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287[01:40a]  -modtcl    • TLS/sock18: verify/0: /O=www.xpto.com/OU=Domain Control Validated/CN=www.xpto.com[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 read server certificate A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 read server key exchange A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 read server done A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 write client key exchange A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 write change cipher spec A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 write finished A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 flush data[01:40a]  -modtcl    • TLS/sock18: connect/exit: SSLv3 read finished A[01:40a]  -modtcl    • TLS/sock18: connect/loop: SSLv3 read finished A[01:40a]  -modtcl    • TLS/sock18: handshake/done: SSL negotiation finished successfully[01:40a]  -modtcl    • TLS/sock18: connect/exit: SSL negotiation finished successfully

Then it hangs till times out

Code:

[01:41a]  -modtcl    • TLS/sock18: alert/write: close notify[01:41a]  -modtcl    • [DEBUG] Request timeout (15s).

timeout only happens with the tls callback.
what does the "verify/3" log means? It's not a self-signed cert lol

Statistics: Posted by w00f — Fri Mar 05, 2010 9:54 pm

HTTP/TLS Package

2010-03-05T18:29:40-04:00

Ah well, was reported self-signed when I attempted to connect at that time.. nevertheless, try these settings:

Code:

http::register https 443 [list ::tls::socket -require 0 -request 1 -command ::tls::callback]set ::tls::debug 3set ::tls::logcmd putlog

That should dump quite a lot of data into the logs, hopefully revealing what is going on.

Edit: Sorry 'bout that, seems I was investigating the certificate of xpto.org, not xpto.com

Edit again: Should be -command, not -callback

Statistics: Posted by nml375 — Fri Mar 05, 2010 6:29 pm

HTTP/TLS Package

2010-03-05T16:49:33-04:00

Yes nml375, i've already tried -cadir and -cafile options, same error.
The certificate it's not self-signed,

Code:

(curl verbose output)* successfully set certificate verify locations:*   CAfile: none* CApath: /etc/ssl/certs* SSLv3, TLS handshake, Client hello (1):* SSLv3, TLS handshake, Server hello (2):* SSLv3, TLS handshake, CERT (11):* SSLv3, TLS handshake, Server key exchange (12):* SSLv3, TLS handshake, Server finished (14):* SSLv3, TLS handshake, Client key exchange (16):* SSLv3, TLS change cipher, Client hello (1):* SSLv3, TLS handshake, Finished (20):* SSLv3, TLS change cipher, Client hello (1):* SSLv3, TLS handshake, Finished (20):* SSL connection using DHE-RSA-AES256-SHA* Server certificate:*        subject: /O=www.xpto.com/OU=Domain Control Validated/CN=www.xpto.com*        start date: 2009-11-11 05:55:55 GMT*        expire date: 2011-11-11 05:55:55 GMT*        subjectAltName: xpto.com matched*        issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07                                                                  * SSL certificate verify ok.

I'm running Tcl 8.5.

Thanks for the code speechles, but the output is the same (status: eof)
ah! that "redirect" was a typo in the script, my bad.

Anyway, thanks guys =)

Statistics: Posted by w00f — Fri Mar 05, 2010 4:49 pm

HTTP/TLS Package

2010-03-04T19:50:56-04:00

Code:
set data [http::data $token] 
May i ask one question to that code.
What would be the easiest way to check $data, if theres eg html inside ?

The easiest way is by knowing how html is constructed. There is a as well as a to most html pages. If these are present there is usually most always, a as well.

The http::geturl used above in my example meant for the original poster, w00f, includes "-binary 1". This omits the encoding as everything is bit-oriented. HTML obtained using this method probably won't appear correct for any languages that aren't composed of "ascii" characters (utf-8, for example, will lose its sequencing and render things incorrectly) as the HTML loses the encoding associated with the transaction when done in binary.

Statistics: Posted by speechles — Thu Mar 04, 2010 7:50 pm

HTTP/TLS Package

2010-03-04T15:53:58-04:00

Code:

set data [http::data $token]

May i ask one question to that code.
What would be the easiest way to check $data, if theres eg html inside ?

Statistics: Posted by Elfriede — Thu Mar 04, 2010 3:53 pm

HTTP/TLS Package

2010-03-02T21:42:38-04:00

[11:10p] jackass • s:wget "https://xpto.com/index.php?action=dl&id=133"
[11:10p] -modtcl • [DEBUG] URL: https://xpto.com/index.php?action=dl&id=6437"

It's redirecting you. You've changed my messages to make it harder for me to tell, but this is obviously not the the url you chose. It's the one your being re-directed to.

Code:

PHPSESSID=29o1qivkuab8taakmfhhlg9ig5

It wants cookies too. This is why it's redirecting you. You aren't supplying the cookies during the redirect though. So all you'll get is an eof. Try the code below for a better outcome ...

Note: What follows can work as "the textbook example" for anyone wishing to do the same or anything remotely similar. This covers every possible aspect and scenario that could arise from the http transaction (with the exception of security certificate authentications which nml375 discussed). This also includes redirect-to-self and nesting-too-deep when handling redirect traversals, even handles malicious url's safely. I've seen some poor web scripts that could benefit greatly just by reusing this code. Feel free to reuse it yourself for any non-malicious intents or purposes.

Code:

package require httppackage require tlshttp::register https 443 [list ::tls::socket -require 0 -request 1]# recursive wget with cookies and refererproc s:wget { url {refer ""} {cookies ""} { re 0 } } {   http::config -useragent "Mozilla/EggdropWget"   # if we have cookies, let's use em ;)   if {![string length $cookies]} {      catch {set token [http::geturl $url -binary 1 -timeout 10000]} error   } else {      catch {set http [::http::geturl $url -binary 1 -headers [list "Referer" "$refer" "Cookie" "[string trim [join $cookies {;}] {;}]" ] -timeout 10000]} error   }   # error condition 1, invalid socket or other general error   if {![string match -nocase "::http::*" $error]} {      s:debug "Error: [string totitle [string map {"\n" " | "} $error]] \( $url \)"      return 0   }   # error condition 2, http error   if {![string equal -nocase [::http::status $token] "ok"]} {      s:debug "Http error: [string totitle [::http::status $token]] \( $url \)"      http::cleanup $token      return 0   }   upvar #0 $token state   # iterate through the meta array to grab cookies   foreach {name value} $state(meta) {      # do we have cookies?                                                                    if {[regexp -nocase ^Set-Cookie$ $name]} {         # yes, add them to cookie list                                                                 lappend ourCookies [lindex [split $value {;}] 0]      }   }   # if no cookies this iteration remember cookies from last   if {![info exists ourCookies] && [string length $cookies]} {      set ourCookies $cookies   }   # recursive redirect support, 300's   # the full gambit of browser support, hopefully ... ;)   if {[string match "*[http::ncode $token]*" "303|302|301" ]} {      foreach {name value} $state(meta) {         if {[regexp -nocase ^location$ $name]} {            if {![string match "http*" $value]} {               # fix our locations if needed               if {![string match "/" [string index $value 0]]} {                  set value "[join [lrange [split $url "/"] 0 2] "/"]/$value"               } else {                  set value "[join [lrange [split $url "/"] 0 2] "/"]$value"               }            }            # catch redirect to self's. There is one rule:            # A url can redirect to itself a few times to attempt to            # gain proper cookies, or referers. This is hard-coded at 2.            # We catch the 3rd time and poison our recursion with it.            # This will stop the madness ;)            if {[string match [string map {" " "%20"} $value] $url]} {               if {![info exists poison]} {                  set poison 1                } else {                  incr poison                  if {$poison > 2} {                    s:debug "HTTP Error: Redirect error self to self \(3rd instance poisoned\) \( $url \)""                    return                  }               }            }            # poison any nested recursion over 10 traversals deep. no legitimate            # site needs to do this. EVER!            if {[incr re] > 10} {              s:debug "HTTP Error: Redirect error (>10 too deep) \( $url \)"              return             }            # recursive redirect by passing cookies and referer            # this is what makes it now work! :)            s:wget [string map {" " "%20"} $value] $url $ourCookies $re            # only the last iteration from our recursion is required            # we save time by using return on prior recurses. this does            # not poison the recursion because we have invoked ourself            # before we poison the unneeded iteration.            return         }      }   }   # waaay down here, we finally check the ncode for 400 or 500 codes   if {[string match 4* [http::ncode $token]] || [string match 5* [http::ncode $token]]} {      s:debug "Http resource is not evailable: [http::ncode $token] \( $url \)"      return 0   }   # uncomment the three lines below to return the http::data   # check for error by string equaling 0, if it isn't 0 it contains   # the data returned from the http transaction. If it's an empty   # reply "", it means the site is either malicious or causing you   # to have endless redirects these are poison and no html is   # returned.   # ---   # set data [http::data $token]   # http::cleanup $token   # return $data}

Statistics: Posted by speechles — Tue Mar 02, 2010 9:42 pm

HTTP/TLS Package

2010-03-02T19:51:50-04:00

Are you using the very same CA's with your tcl-script? I see that your xpto.com site uses a self-signed certificate. Unless this is listed as a trusted cert for your tls/tcl script, the connection would most likely be dropped.

Also, reading the docs for the tls tcl library, there are several additional parameters for tls connections, including -cadir and -cafile (specifying the root CA), and -command which may be used as a callback to track the status/failure of the tls/ssl handshake.

Further, depending on the version of tcl, you might have to patch the http-package. Supposedly, it's been submitted to the tcl developers to be included since v8.2.1

Statistics: Posted by nml375 — Tue Mar 02, 2010 7:51 pm