[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wiki

	Hi.

On Fri, Feb 16, 2018 at 10:38:49AM -0500, Greg Wooledge wrote:
> On Fri, Feb 16, 2018 at 10:30:31AM -0500, Gene Heskett wrote:
> > On Friday 16 February 2018 07:08:57 Rodary Jacques wrote:
> > 
> > > Le vendredi 16 février 2018, 06:42:52 CET rhkramer@gmail.com a écrit :
> > > > On Thursday, February 15, 2018 08:42:14 PM Rodary Jacques wrote:
> > > > > Why can't I access wikis from a Debian box:
> > > > > Forbidden
> > > > > <p>You are not allowed to access this!</p>
> > > > > is the message I get.
> > > >
> > > > I think we need more information--which wiki are you having trouble
> > > > with? (What is its URL?)
> > >
> > > I first had this message on  https://wiki.debian.org, then on various
> > > problems.
> > 
> > Old but uptodate wheezy install here. firefox had no problems navigating 
> > the site.
> > Perhaps your http->S<- is defective somehow.
> 
> The original message was so incredibly vague that it could mean anything.
> 
> But.
> 
> If the actual complaint is "I get 403 Forbidden on https://wiki.debian.org";
> then we need additional detail: what version of Debian the OP is using,
> what browser, and any unusual aspects of the OP's network that could
> be relevant (workplace firewall, China firewall, etc.).

My crystal ball says that OP is using home connection, and no, these
details aren't needed. tcpdump/wireshark capture, combined with the SSL
session key - that's what needed.
Or someone from 11AS12322 willing to provide a temporary shell account.

E-mail headers say that e-mail came from 11AS12322 belonging to some
French provider:

Received: from ns.rodary.net (unknown [88.170.1.143])
        by smtp5-g21.free.fr (Postfix) with ESMTP id 154405FF27
        for <debian-user@lists.debian.org>; Fri, 16 Feb 2018 02:42:15 +0100 (CET)

With MUA which is uncommon in dull enterprise world:

User-Agent: KMail/5.2.3 (Linux/4.9.0-5-amd64; KDE/5.28.0; x86_64; ; )

I believe we can exclude such possibilities as China Great Firewall
(unless they installed it in France for some reason), or workplace SSL
Bump (else OP won't see HTTP 403).


> There have been several similar complaints in #debian IRC over the last
> year or two, with random people coming in and saying that they get a
> "403 Forbidden" on the Debian wiki, but the one thing they all have in
> common is a LACK OF DETAIL.

Whose who know they way around don't have such problems. Whose who don't
are unable to describe it. I see nothing unusual in this.

My suggestion to OP - try Tor, see if it works.


> At this point nobody knows how to diagnose the problem, because nobody
> who HAS the problem is willing or able to come forward and just say what
> is happening and why.  Is it a DNS resolution error, in which they're
> getting the wrong IP address?

No. Browsers do certificate validation, "wrong IP address" would be
possible if the third party somehow produced a valid certificate for
wiki.debian.org (you have to be a CA *or* the government to do this) and
faked a DNS record (that's easy part).

> Does the wiki or its front-end web server have a firewall that
> blacklists certain IP address ranges?

Even if it did, the firewall have not come into play.
Since the user saw HTTP 403 it means that HTTPS connection was
established successfully, and a front-end (or back-end) webserver gave
403 code, which was transferred to a user.

>  Is it a web browser bug?  Nobody knows!

Hardly. Of course OP could use some ancient toy browser that does not do
SNI, but wiki.debian.org provides a correct certificate even for
*those*. It's easy to check with (openssl does not use SNI unless you
ask for it):

openssl s_client -host wiki.debian.org -port 443

Reco
Reply to: