[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: wiki

Le vendredi 16 février 2018, 19:53:44 CET Reco a écrit :
> 	Hi.
> 
> On Fri, Feb 16, 2018 at 10:38:49AM -0500, Greg Wooledge wrote:
> > On Fri, Feb 16, 2018 at 10:30:31AM -0500, Gene Heskett wrote:
> > > On Friday 16 February 2018 07:08:57 Rodary Jacques wrote:
> > > 
> > > > Le vendredi 16 février 2018, 06:42:52 CET rhkramer@gmail.com a écrit :
> > > > > On Thursday, February 15, 2018 08:42:14 PM Rodary Jacques wrote:
> > > > > > Why can't I access wikis from a Debian box:
> > > > > > Forbidden
> > > > > > <p>You are not allowed to access this!</p>
> > > > > > is the message I get.
> > > > >
> > > > > I think we need more information--which wiki are you having trouble
> > > > > with? (What is its URL?)
> > > >
> > > > I first had this message on  https://wiki.debian.org, then on various
> > > > problems.
> > > 
> > > Old but uptodate wheezy install here. firefox had no problems navigating 
> > > the site.
> > > Perhaps your http->S<- is defective somehow.
> > 
> > The original message was so incredibly vague that it could mean anything.
> > 
> > But.
> > 
> > If the actual complaint is "I get 403 Forbidden on https://wiki.debian.org";
> > then we need additional detail: what version of Debian the OP is using,
> > what browser, and any unusual aspects of the OP's network that could
> > be relevant (workplace firewall, China firewall, etc.).
> 
> My crystal ball says that OP is using home connection, and no, these
> details aren't needed. tcpdump/wireshark capture, combined with the SSL
> session key - that's what needed.
> Or someone from 11AS12322 willing to provide a temporary shell account.
> 
> E-mail headers say that e-mail came from 11AS12322 belonging to some
> French provider:
> 
> Received: from ns.rodary.net (unknown [88.170.1.143])
>         by smtp5-g21.free.fr (Postfix) with ESMTP id 154405FF27
>         for <debian-user@lists.debian.org>; Fri, 16 Feb 2018 02:42:15 +0100 (CET)
> 
> With MUA which is uncommon in dull enterprise world:
> 
> User-Agent: KMail/5.2.3 (Linux/4.9.0-5-amd64; KDE/5.28.0; x86_64; ; )
> 
> I believe we can exclude such possibilities as China Great Firewall
> (unless they installed it in France for some reason), or workplace SSL
> Bump (else OP won't see HTTP 403).
> 
> 
> > There have been several similar complaints in #debian IRC over the last
> > year or two, with random people coming in and saying that they get a
> > "403 Forbidden" on the Debian wiki, but the one thing they all have in
> > common is a LACK OF DETAIL.
> 
> Whose who know they way around don't have such problems. Whose who don't
> are unable to describe it. I see nothing unusual in this.
> 
> My suggestion to OP - try Tor, see if it works.
> 
> 
> > At this point nobody knows how to diagnose the problem, because nobody
> > who HAS the problem is willing or able to come forward and just say what
> > is happening and why.  Is it a DNS resolution error, in which they're
> > getting the wrong IP address?
> 
> No. Browsers do certificate validation, "wrong IP address" would be
> possible if the third party somehow produced a valid certificate for
> wiki.debian.org (you have to be a CA *or* the government to do this) and
> faked a DNS record (that's easy part).
> 
> > Does the wiki or its front-end web server have a firewall that
> > blacklists certain IP address ranges?
> 
> Even if it did, the firewall have not come into play.
> Since the user saw HTTP 403 it means that HTTPS connection was
> established successfully, and a front-end (or back-end) webserver gave
> 403 code, which was transferred to a user.
> 
> >  Is it a web browser bug?  Nobody knows!
I was using Opera  browser,so quick,  but I just tried with firefox, so slow, but both mozilla, and the result is the same when google search ( which I don't use with  Opera)  gives me a lot of choices , all with 403 result. My  public IP, 88.170.1.143 is the one my provider ( free.fr=proxad.fr)  gave me.
> 
> Hardly. Of course OP could use some ancient toy browser that does not do
> SNI, 
what is  SNI?
> but wiki.debian.org provides a correct certificate even for
> *those*. It's easy to check with (openssl does not use SNI unless you
> ask for it):
> 
> openssl s_client -host wiki.debian.org -port 443
> 
> Reco
> 
Will my comments help?
	Jacques
Reply to: