newsbin.com

[kenr]

Trying to get NB 6.3/4 running on my new Mint 13/64bit/Mate install.
Installed Wine 1.4 fine, installed NB 6.3 fine, when I run it the registration says ssl error. If I copy my working MB 6.4 over i get SSL errors connecting to astraweb. Works fine under Mint 11/64bit/G2 Wine 1.4.
Anybody got any ideas?

[DThor]

Newsbin has it's own dll that handles SSL, but there was a problem with the latest Ubuntu where SSL apps weren't working. Check the last few linux threads for more information. I'm wondering if the problem has bizarrely crept over to this distro too? I do know that Quade recently ran Mint as an experiment but I'm unsure if he actually tested Newsbin on it.

Well, before you get into all of that, probably best to check your firewall first to make sure it's allowed the correct port access. Testing any other app outside of wine that uses SSL would be useful too - all SSL was busted in the Ubuntu scenario.

DT

[kenr]

No f/w running checked that.
Looks like it maybe the OpenSSL but reported in wine http://bugs.winehq.org/show_bug.cgi?id=30598
Will continue to play about with it.

[Quade]

Works fine under Mint 11/64bit/G2 Wine 1.4.
Anybody got any ideas?

I'd say you've done a good job of characterizing the problem and that it seems to be Linux and/or wine. As D said, Newsbin has SSL built in so, it needs nothing external for SSL to work. It sounds like something is messing with it at the TCP level. Does non-SSL work? How about SSL alternate ports?

[kenr]

Not an NB issue, sorry for reporting it.
It appears the openssl is broken in Ubuntu 12.04 and Mint 13 is based on that.
Nothing to be done till the filter the patches down from Debian.

Tried the upstream Openssl from Debian but it still fails, so will have to wait for them to fix it.
Thanks for the help guys.

[DThor]

Not a problem, but I must admit I'm mystified how the openssl can cause the problem when Newsbin doesn't even use it. I don't really pose that as a question to you, but I wonder why? My initial thoughts were that something in the firewall, but you aren't using it. Hmmm...

Plus, I have to say it again - I'm rather stunned that this hasn't been fixed yesterday. A linux distro with no SSL? Pretty shabby...

DT

[Quade]

Not a problem, but I must admit I'm mystified how the openssl can cause the problem when Newsbin doesn't even use it.

This. I'm not sure how something in wine or Linux is messing with SSL in Newsbin. That implies that something is trying to intercept the SSL connection and isn't doing it very well. To Wine and Linux an SSL connection from Newsbin should be treated like any other TCP connection. Meaning pass the data back and forth and don't mess with the contents. This sounds like something is messing with the contents of the connection. I think it's very suspicious.

If regular TCP works, and SSL from Newsbin doesn't. Something is noting that the data is SSL and is messing with it.

[kenr]

From the WineHq site, the issue is with the libssl lib. If wine is built using an older version as a static as opposed to the normal one it works fine apparently the POL wine version works but the "normal" ones don't.

SSL V3 is fine is just ssl2 & TLS that are affected.

[DThor]

Yeah, I guess that means no matter what you do in wine, it stays there in wine space. You end up using wine to interface with the linux OS.

DT

[Quade]

What's the actual error message Newsbin reports when connecting to astra?

[kenr]

[10:20:41] ERROR InterSocket - Error: Socket Open Failed, Host: news.astraweb.com Error Code: 10061 Connection refused.


Thats on the standard port haven't tried any others.

[Quade]

Have you looked at the net traffic with TCPDump? A 10061 error isn't an SSL error. It's a TCP error below the level of SSL. Basically Newsbin has to establish a connection before it hands the connection off to SSL. This error is happening at the connection stage before SSL is even consulted.

"news.astraweb.com" is the wrong address if you're trying to use SSL. You have to use "ssl.astraweb.com".

[kenr]

OK changed to ssl.astraweb.com
error now is
[15:16:49] ERROR InterSocket - Error: SSL Negotiation Failed, Host: ssl.astraweb.com Error: SSL Connection Failed 0 Success.

I did have the entire .wine copied over but deleted it when I couldn't get it working, so this is a new install of NB and I was working from memory, hence the error in the name.

[Quade]

Well, that's pretty SSL specific. I changed the error message to give more details. New beta should be up in a couple days.

[kenr]

Same results with b3 no real change to the error message.
[18:18:24] ERROR InterSocket - Error: SSL Negotiation Failed, Host: ssl.astraweb.com Error: SSL Connection Failed: 5 Error 0 Success.

[Quade]

I wasn't expecting it to fix anything because the problem isn't in Newsbin.

SSL Connection Failed: 5 Error 0 Success.

#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */

This is error 5. It's saying something in Wine's socket layer's dropping the ball.

Have you tried both SSL ports?

[kenr]

OK thanks for that. I have tried POL wine 1.4 but it gives the same error, looks like I will just have to wait for them to fix the ssl 2 errors.
No way you can force ssl v3 is there?

[DThor]

I caught this thread:

http://ubuntuforums.org/showthread.php?t=1988735

where it indicates RC4-MD5 is busted. This might well be a completely red-herring other issue, but wonder if you try the suggestion:

Code: Select all

workaround is to add to /etc/postfix/main.cf

smtpd_tls_exclude_ciphers = RC4-MD5

if that works? I'm thinking the server should roll to the next cypher if that one is disabled, but not sure.

DT

[Quade]

Just for shits and grins, add

"news.giganews.com" to a new server entry, then click "Use SSL" then see if you can connect to giganews. You won't be able to download but, if SSL works, that would be interesting.

They use a different protocol than Astra.

[DThor]

Yeah, try Quade's idea first. I realized after posting that exclude statement is related to mail, since it was a mail issue. However, I'm thinking this is related to the problem, the giganews test might prove it.

DT

[kenr]

OK same error

[10:20:48] ERROR InterSocket - Error: SSL Negotiation Failed, Host: news.giganews.com Error: SSL Connection Failed: 5 Error 0 Success.

[kenr]

OK openened a "question" of launchpad saying it is a bug in ssl 1.0.1 will see what they say.

[Quade]

Newsbin's not using "ssl 1.0.1"

I haven't upgraded the SSL yet.

Got a link to the problem report? I'd like to see what people are saying about it.

[kenr]

Newsbin might not be using it but wine ism as that is what is on the system.
Here's the link https://answers.launchpad.net/ubuntu/+question/200607
No comments yet.

Also created a bug in the win bugzilla as they didn't like me adding to the mail one.
http://bugs.winehq.org/show_bug.cgi?id=30931

[Quade]

fixme:wininet:INET_QueryOption INTERNET_OPTION_CONNECTED_STATE: semi-stub
fixme:wininet:InternetAttemptConnect Stub
fixme:wininet:InternetSetOptionW Option INTERNET_OPTION_CONNECT_TIMEOUT
(60000): STUB
fixme:wininet:InternetSetOptionW
INTERNET_OPTION_SEND/RECEIVE_TIMEOUT/DATA_SEND_TIMEOUT 60000
fixme:wininet:InternetSetOptionW
INTERNET_OPTION_SEND/RECEIVE_TIMEOUT/DATA_SEND_TIMEOUT 300000
err:wininet:NETCON_secure_connect SSL_connect failed: 12157

Last message was generated in dlls/wininet/netconnection.c:

Do you see any log messages that look like this when Newsbin tries to connect? Newsbin isn't using WinInet but, I wonder if you see any kind of errors in wine itself when you try SSL connections.

I posted to your bug report.

[kenr]

I just get

fixme:wininet:query_global_option INTERNET_OPTION_SECURITY_FLAGS: Stub
fixme:wininet:InternetSetOptionW Option INTERNET_OPTION_SECURITY_FLAGS; STUB
err:wininet:HTTP_ParseDateAsAsctime unexpected weekday L"133"
err:wininet:HTTP_ParseDate unexpected date format L"1339699522"
fixme:wininet:CommitUrlCacheEntryInternal entry already in cache - don't know what to do!
fixme:ieframe:WebBrowser_Stop (0xb4de0)
fixme:ieframe:OleInPlaceObject_InPlaceDeactivate (0xb4de0)
fixme:heap:HeapSetInformation 0x1365000 0 0x23e900 4
fixme:heap:HeapSetInformation 0x1475000 0 0x23e960 4

Nothing when I click on get group list, other than the no connection on the newsbin screen.
Seen your post, maybe they will do something now that you have posted.
Its a nucance as it is all that is stopping me from switching to Mint 13 totally now, I have everything working bar this.

[kenr]

OK thinking OOB and reading the thread about not being able to register NB I tried the solution

Seems there is a kernel bug with the LTS 12.04 release of Ubuntu. I was able to register and download via SSL by performing the following:

echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

This solution was found at:
http://www.codeweavers.com/support/wiki ... ubuntu1204

And this seems to have fixed it for me, I can both register and download headers using ssl.

Wierd bugs floating about!

From the file:-

# The PTRACE system is used for debugging. With it, a single user process
# can attach to any other dumpable process owned by the same user. In the
# case of malicious software, it is possible to use PTRACE to access
# credentials that exist in memory (re-using existing SSH connections,
# extracting GPG agent information, etc).
#
# A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
# do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
# "sudo strace -fp $PID" will work as before. For more details see:
# https://wiki.ubuntu.com/SecurityTeam/Ro ... ing#ptrace
#
# For applications launching crash handlers that need PTRACE, exceptions can
# be registered by the debugee by declaring in the segfault handler
# specifically which process will be using PTRACE on the debugee:
# prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
#
# In general, PTRACE is not needed for the average running Ubuntu system.
# To that end, the default is to set the PTRACE scope to "1". This value
# may not be appropriate for developers or servers with only admin accounts.

So I don't quite see why it is stopping ssl communications in wine but it is!

Thanks for the help.

[Quade]

I still have my tinfoil hat on. It still seems suspicious to me. It's not clear to me why only SSL would be impacted by this.


I think your log messages are for the MOTD for the most part.

http://www.codeweavers.com/support/wiki ... ubuntu1204

When I followed your link, it didn't take me to the proper place.

[kenr]

I totally agree that this SHOULD not impact only ssl comns but it does and the like was a quote from the "cant register newsbin" a couple of posts down in this forum.

The fact that it works as a work around is enough for me to use Newsbin now and see if they fix it upstream.

[kenr]

Update on this, they seem to have fixed it in Wine 1.5.8
Changed the ptrace back to 1 and ssl still works.
Got a new problem but will open a new thread for that.

[DThor]

Good info, thanks. Glad they finally acknowledged it.

DT

[newsraider]

thread sticky prob not needed anymore

[Quade]

I just tried to unstall it under wine. Installer failed. Couldn't write to "Program Files". It was there but I guess it couldn't write to it. Any hints?

[newsraider]

using alternative installer? won't install with regular installer for me but the alt works fine.

[kenr]

Never tried to uninstall it. I have it in its own wine prefix (using winetools) so I can just copy the useful stuff off it if I need to move it/re-install in. Usually I just delete the wine folder and start again.

[Quade]

Thanks. I can always just copy the files over but I wanted to try it the official way.