Failed Connection over Mobile (Cellular) Networks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Nikos and Dan,

I've just managed to connect over the mobile network using IP address 
instead of hostname, and it worked.

As my lab is behind a VDSL service without static IP, I'm using a 
dynamic DNS service (zzzz.io) to get a static name with which I 
connect.? If I access openconnect/ocserv with the <my account>.zzzz.io 
DNS name, it also works over the mobile network.

But, as I also have registered a domain name for myself, I've setup up 
an alias to point vpn.<my domain name> to <my account>.zzzz.io.? This 
alias works for OpenVPN, but for some reason, it doesn't work for 
Openconnect or gnutls-cli over either of my mobile networks.

This is something for me to either put up with, or work out what's 
happening.? Either way, it's not a problem with openconnect or 
gnutls-cli I don't think. I also found that if I try to access the 
vpn.<my domain name> with any browser, the connection gets reset.? I'd 
have sworn I'd tried that previously and it had worked, returning some 
XML.? So chances are the network provider has a middlebox here that 
checks 'something' on the https port and aborts the connect.? Why 
OpenSSL works, will remain a mystery I believe.

Thank you both for your time and assitance with this issue. I've learnt 
quite a bit over the weekend, so it's not a complete waste of time from 
my point of view.? I'm sorry I wasted your precious time on it though.

Kind regards,

Gareth

On 15/07/2018 18:48, Nikos Mavrogiannopoulos wrote:
> On Sun, Jul 15, 2018 at 4:41 PM, Gareth Williams
> <gareth at garethwilliams.me.uk> wrote:
>> On 14/07/2018 21:06, Nikos Mavrogiannopoulos wrote:
>>> Unfortunately, it is only heuristics you can try here. It could be
>>> that the middlebox doesn't understand a particular extension, or some
>>> particular ciphersuite, or doesn't like the hello size. Try a smaller
>>> ciphersuite list as:
>>>
>>> "NORMAL:-SHA256:-SHA384:-3DES-CBC:-DHE-DSS:-SIGN-DSA-SHA1:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM"
>>>
>>> And/or combinations of that list (i.e., re-enabling DSS/DSA if you
>>> need it). That's the list of algorithms which are already disabled in
>>> 3.6.2 (some also from the unreleased 3.6.3) versions of gnutls. Would
>>> that improve the situation? If not you can go further by trying
>>> options for specific extensions such as %NO_ETM,
>>> %DISABLE_SAFE_RENEGOTIATION, %NO_SESSION_HASH, %NO_TICKETS etc. If any
>>> of these help improve the situation let me know.
>>
>> Hi Nikos,
>>
>> I tried various combinations and came to the conclusion that the only
>> extension that differ between gnutls-cli working (with the
>> --disable-extensions option) and failing was server_name.  I then noticed
>> that gnutls-cli has the --disable-sni option.  I therefore tried the
>> following:
>>
>> gnutls-cli --no-ca-verification <hostname>, and the connection failed as
>> expected.
>>
>> gnutls-cli --no-ca-verification --disable-sni <hostname>, and it works (no
>> need for Priority Strings by the way)
>>
>> Then, to add confusion I added server_name to openssl's s_client Client
>> Hello:
>>
>> openssl s_client -servername <hostname> -connect <hostname>:443, and oddly
>> that worked.
>>
>> Therefore it seems the problem is down to the server_name TLS extension but
>> only when the client is gnutls.  I compared the hex dumps (from Wireshark)
>> of the extension from gnutls-cli and openssl s_client and they are
>> identical.  The only difference I noticed was the ordering of the extensions
>> - when using gnutls-cli the extension is 4th in the extension list (behind
>> extended_master_secret, encrypt_then_mac and status_request) while for
>> openssl s_client the server_name extension is the 1st in the list.  Could
>> that make a difference?
> Protocol-wise it shouldn't make a difference. That's very odd though,
> do browsers work there? If yes, it may be that there is a buggy middle
> box, or a middle box which is fingerprinting to block VPNs (the latter
> you can rule out if openvpn works).
>
> regards,
> Nikos



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux