UnableToStartHostException for any hostname except localhost - grapevine

Using Grapevine if I change the host to anything except "localhost" (or equivalent, 127.0.0.1/0.0.0.0) I will receive the following message:
Exception thrown: 'Grapevine.Exceptions.Server.UnableToStartHostException' in Grapevine.dll
I have tried: "*", "+" and an explicitly configured hostname (ie. "me.example.com").
There is no reason that this should fail at all, there is no other program or service using the hostname or port specified on any of the computers on this network, the ports are appropriately forwarded on both my router and firewall (even disabled the firewall and opened all ports temporarily to test).

Grapevine is using HttpListener under the hood. This answer to a similar question will likely solve your issue.

Related

libcurl use same user defined port to send periodic request

I am working on a project need to send periodic alive message to https server.
Because of security issue, we need to use minimal number of ports (blocking unused ports as many as we can).
I am using c++ libcurl easy interface to send https request in linux.
I have tried to use the same curl handler object (CURL object) and set CURLOPT_LOCALPORT to a port number. The first request is ok. But in the second, libcurl verbose mode said address already in use.
However, when I comment out the port set through CURLOPT_LOCALPORT, it works on second connection also, and by setting VERBOSE to 1, I can see "Re-using existing connection" print out, which is missing in version setting up local port.
And I check with linux netstat, find out that it is using the same port.
I cannot figure out why setting up local port will make it failed.
And also, I have tried to close the connection using curl_easy_cleanup, but due to tcp time_wait state, we cannot reuse the port in a while, that's not what I want.
Could anyone provide a solution or suggestion to us? Thanks a lot.
Edit
My reason using one port is not to keep opening and closing connection too much.
Because of the security issue ...
There is no security issue. You need to get over this phobia about using multiple local outbound ports. There is zero security benefit in using fewer, or in constraining them in any way.

Validating a host using SSL Wildcard certificates

My HTTPS Client uses Poco C++ to connect with our server, which uses a wildcard certificate (*.example.com). The connection fails with a CertificateValidationException and the error message is "Unacceptable certificate from x.y.z.w: application verification failure".
The weird thing is it doesn't ALWAYS fail, just most of the time. After much debugging, my hunch is it has something to do with topology (going across subnets, for example) or with how/when the host name is translated to an I.P. address.
I think this because in cases where everything works as expected, the local DNS is routing the host name. But in cases where it doesn't work (above error message), the host name translation is on a local box like my PC.
Is there a way to narrow down what's going on here? Is this a common or known problem?
Thanks.
I just ran into this same symptom myself. Using Poco::Net::HTTPSClientSession, I could connect just fine to non-wildcard sites, but failed with the exception and message mentioned above when connecting to *.example.com wildcard sites. Note however that the behavior I observed was 100% consistent, never intermittent.
After debugging through Poco source code, I found the problem in how the HTTPSClientConnection class sets itself up to perform certificate validation. I filed Poco issue #1303 on pocoproject.org, but the skinny is that if you create an HTTPSClientSession using the no-arg constructor, you will always get this exception when connecting to server with a wildcard cert. For example:
Poco::URI uri("http://blah.example.com"); // SSL cert is for *.example.com
Poco::Net::HTTPSClientSession session; // Note no-arg constructor
session.setHost(uri.getHost());
session.setPort(uri.getPort());
Poco::Net::HTTPRequest req;
// Populate req...
session.sendRequest(req); // Throws CertificateValidationException:
// "Unacceptable certificate from x.x.x.x,
// application verification failure"
The problem is that when validating the cert, the various Poco::Net classes look up the peer name as an IP address if the hostname hasn't been set already, and then subsequently try to match that IP addr against the wildcard cert CN (obviously, x.y.z.w will fail to match against *.example.com).
The good news is that there are several easy workarounds. The easiest is to just use the HTTPSClientSession(host, port) constructor, which will set the proper host name on the underlying SecureStreamSocket so that subsequent certificate validation matches a real hostname (blah.example.com) against the cert (CN=*.example.com), instead of an IP addr:
Poco::URI uri("http://blah.example.com");
Poco::Net::HTTPSClientSession session(uri.getHost(), uri.getPort()); // Calls SecureStreamSocket::setPeerHostName() internally
There are other workarounds, too: create your own SecureStreamSocket first, call setPeerHostName() on it, and then pass that into the appropriate HTTPSClientSession constructor, etc. See the issue tracker link above for a few more ideas if needed.

How do I block a loopback connection to some port on Windows?

Adding an inbound Windows Firewall rule (via COM from C++) for local port 80 and addresses ANY, 127.0.0.1 or 0.0.0.0 does not block a local browser from accessing a local web server running on port 80. For debugging/testing purposes, I need to simulate loss of network connectivity between two programs running on the same computer. Is there a way to do this programmatically, on the command line, or with a tool?
In this question, they say allegedly there is no way to do this in the Windows Firewall:
How do I block localhost connections with the Windows 7/2008R2 firewall?
Is there a way, other than Windows Firewall, just to simulate loss of network connectivity between programs running on the same computer?
There is WIPFW -- a Windows port of FreeBSD's IPFW. However, I failed to get it to block localhost connections. Maybe you'll have more luck.
Alternatively, you can try a hack. If your programs establish a connection using the localhost host name instead of directly by the 127.0.0.1 IP address, you may change your hosts file to point the localhost name to some non-existing or otherwise unreachable address.

Choose a TCP port on a Windows machine, add a firewall exception if necessary (programmatically)?

Thank you for reading my post.
Can you help me interpret what the following line from "netstat -anb" means:
Proto Local Address Foreign Address State
TCP 192.168.2.241:52440 64.233.166.103:443 ESTABLISHED
[firefox.exe]
In particular:
does this mean that the TCP port 52440 is opened on the machine which IP is 192.168.2.241?
does this mean "firefox.exe" is bound to this port?
Can you guess how "firefox.exe" knew it could use this port (without interfering with another program already bound to that port)?
As a matter of fact, "firefox.exe" is using a lot of ports.
For example, right now on 192.168.2.241, "firefox.exe" is using the ports nro 52163, 57019, 57022, 57030, 57045, 57046, 57049, 57051.
I am asking all this because I would like to write a program which binds to a TCP port to enable communication between the machine where the program is installed and a remote machine on the Internet using sockets.
Contrary to "Firefox" I need only one TCP port on the machine where the program will be installed.
I only need this mechanism to work once, the first time the program is executed (this is not a permanent feature of the program).
How can this port be chosen?
How can this port be chosen programmatically (not manually)?
If there is a firewall preventing the use of any port/the chosen port, how is the program going to behave?
Can an exception be added programmatically to the firewall to open this port?
The machine running the program is a Windows machine.
I would program this in C/C++.
Best regards.
Below is a complement to my original question.
Well, my apologies, maybe you're right: maybe it's wrong to add an exception in the firewall of the user...
What I mean by "adding an exception in the firewall of the user" is doing something like this:
netsh advfirewall firewall add rule name="An exn" dir=in action=allow protocol=TCP localport=6667 program="where/the/program/is/stored/prog.exe" enable=yes
Until now, I thought that, if an application was already "using" a TCP port for its own usage, no other application could "use" this very same port. (I'm aware of the fact that the word "use" is very imprecise. I'd be glad to be able to formulate things more accurately...)
I'm saying this because, as I need a TCP port, I was wondering if I could use an "already available" TCP port... (When I say "already available", I don't exactly know what I mean (maybe I would like to say "open" and "bindable" / or a port already "used" by another application): I'm thinking about TCP port 80 which is often "available"... Again, I wish I could be more specific about this.)
Please let me try to reformulate what I'm willing to do.
A user runs a program "setup.exe" on its machine "M".
"setup.exe" sends a message "m1" to an Internet remote server "RS".
"RS" sends back some information "m2" to "setup.exe" running on machine "M" through a TCP port.
To be able to allow this bidirectional communication between "M" and "RS", I need to "have" a TCP port on machine "M" from which "setup.exe" can receive information sent by "RS". ("RS" is not a problem to me, I can do anything I want on it).
Given the fact that I know nothing about "M" a priori apart from the fact that it is a Windows machine (in particular I do not know what kind of firewall protects it, etc.), I don't really know how to handle the problem correctly. What I would like to avoid is having "setup.exe" fail silently without telling why the TCP port on machine "M" can't be "used".
Given the fact that I need to "have a TCP port available" for the program "setup.exe" running on machine M, what steps should I follow to make it as smooth as possible for the user.
Suppose I'm trying to "use" TCP port 6667, and suppose I'm not "allowed" to.
Apart from a firewall, or another application already "using" this port, what could be the reasons why this port is not available?
I simulated the two machines "M" and "RS" basically using this code http://msdn.microsoft.com/en-us/library/windows/desktop/ms737889%28v=vs.85%29.aspx.
I didn't add an exception to "M"'s firewall.
The two programs on machines "M" and "RS" could communicate smoothly and correctly.
But as you pointed it out in your first answer, "there are no outbound port rules in the firewall at all" on these test machines...
So, I tried, as a simulation, to add an exception into the M's firewall in the section "Outbound rules" to block completely the connection to port TCP 6667 on machine "M": the scenario described above (steps 1) 2) 3)) fails in that case.
I hope this literature is not too indigestible and sorry for the approximations and misunderstandings.
Thank you for helping. Best regards.
does this mean that the TCP port 52440 is opened on the machine which IP is 192.168.2.241?
Possibly, but more probably it means there are no outbound port rules in the firewall at all, as there shouldn't be, being pointless.
does this mean "firefox.exe" is bound to this port?
It means that socket of firefox.exe is bound to that port. It can have many other sockets, and usually does.
I would like to write a program which binds to a TCP port to enable communication between the machine where the program is installed and a remote machine on the Internet using sockets.
You need to state whether your program is a client or a server. If it's a client, it's exactly like Firefox, and you don't have a problem. If it's a server, you have to bind to a port that is open for incoming in your firewall, and Firefox is completely and utterly irrelevant.
Contrary to "Firefox" I need only one TCP port on the machine where the program will be installed.
Sounds like a server, but you need to tell us. For simplicity I am assuming it's a server from here on.
I only need this mechanism to work once, the first time the program is executed (this is not a permanent feature of the program).
You don't need this mechanism to work at all. You need the user to open the port. The user won't appreciate software that breaks his firewall configuration, assuming you can do it at all, which you shouldn't.
How can this port be chosen?
By you. Choose it now. Use one that isn't reserved by IANA.
How can this port be chosen programmatically (not manually)?
You can specify port zero but then you have to tell the user so he can open it at the firewall.
If there is a firewall preventing the use of any port/the chosen port, how is the program going to behave?
Incoming connections won't succeed so the program will do nothing.
Can an exception be added programmatically to the firewall to open this port?
No idea, but it's a bad idea, see above.

filezilla Connection timed out

This might seem like a duplicate question but it is not. I tried to go through similar questions but I couldn't find a fix for my problem. Here is my problem:
I need to set up an ftp connection on company servers.
I can easily connect to ftp server from fileZilla on my PC but when I try it over one of the server machines to the file server all I see is the following:
Response: fzSftp started
Command: open "*****#***.***.***.**" **
Error: Connection timed out
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to ***.***.***.**...
Response: fzSftp started
Command: open "*****#***.***.***.**" **
Error: Connection timed out
Error: Could not connect to server
I googled the "Connection timed out"
error and I realized that the first place to check is firewall or router setting. these are outsourced to another company and they say that the issue is solved and it should work fine. I don't know where to look at.
I've had lots of issues with Filezilla. You may try another software first to see if Filezilla itself is the issue.
If you're on Windows, I highly suggest the open source project WinSCP (https://winscp.net/eng/download.php). For Mac, Cyberduck (https://cyberduck.io/?l=en) is solid (and free), though you may prefer Transmit.
I was having this problem after upgrading Filezilla. I downgraded it to a previous version and it worked like charm. I came across this ticket thread and it was absolutely helpful : Filezilla Support Ticket
Check your security group rules. You need a security group rule that allows inbound traffic from your public IP address(Google: What is my ip?) on the proper port.
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances, and then select your instance.
In the Description tab, next to Security groups, choose view rules to display the list of rules that are in effect.
For Linux instances: Verify that there is a rule that allows traffic from your computer(public ip) to port 22 (SSH).
For Windows instances: Verify that there is a rule that allows traffic from your computer(public ip) to port 3389 (RDP).
Also take a look at here and here for more details
I need to set up an ftp connection on company servers. I can easily connect to ftp server from fileZilla on my PC but when I try it over one of the server machines to the file server all I see is the following:
<failure to connect code>
Please note that public IP and internel IPs will be a different address; such as 123.456.675.574 for the public but internal to the server network it will be something more like 192.168.10.574 .
This is why you can easily connect from your PC because it uses the public IP address but from the internal IP network of the company servers that address will not be valid, and the internal one would need to be used instead.
Try this, 200 is just an example, just increase it and try.
Edit --> Settings --> Connection --> Timeout in seconds = 200