When I call ssh_get_issue_banner() under libssh, I get a NULL (failure) back even though "ssh -vvv" shows a myriad of welcome messages. Why would this be?
This can happen if an issue banner specifically is not configured (e.g. it is commented out) on your SSH server, as it often is not.
Dustin
I'm writing a transparent intercepting HTTPS-capable proxy using boost::asio + OpenSSL. I have a default server context where I specify that the server is a TLSv1.2 server. When a client connects, I extract the host from the hello and use SSL_set_SSL_CTX to set the context (which either already exists or I've just created after spoofing the upstream cert), and initiate the server (downstream) read/write volley as well as the upstream.
This was working before I started storing and sharing contexts. On each new incoming connection, I was creating a new client socket and context, loading ca-bundle as verify file, then creating a new server context, getting the spoofed certificate. It was functioning, but I started developing issues where EC_KEY objects were being double freed and such. I learned from another question of mine that I was going about this the wrong way and began refactoring to recycle and share CTX objects. To be specific, I'm using a single client CTX shared across the board that loads, at program startup, the CA-Bundle for verification.
However, since this refactor, I'm getting this on both the client and the server:
decryption failed or bad record mac
...mixed with a bajillion "short read"s. If I try to force everything to TLSv1.2, I get
block cipher pad is wrong
Those errors are given to me after a read/write has failed and I call async_shutdown on either upstream or downstream sockets, which in the callback, error is set (so the shutdown failed).
I've scoured the interwebs finding jira posts from places like apache httpd and nginx where this error was fixed in different ways (resizing read buffers to be larger, openSSL patches, forcing SSLv3, so on and so forth).
I thought there might be an issue with multithreading (my io-service uses a thread pool) but I can see in the code that boost do_init sets locking mechanics for openSSL and all of my IO are wrapped into a single strand.
I'm at a total loss and am wondering if anyone can shed light on what might be happening. I realize I've posted no code, that's because I've got hundreds and hundreds of lines of it and don't want to turn people off with a huge code dump. I realize however this is a rather complicated program and thus a complicated issue so please ask and I'll provide whatever I can.
Edit
I guess I should mention for completeness that I'm getting these errors on both OpenSSL 1.0.2 and 1.0.2a, Win 8.1 x64, and I'm intercepting and routing the http/https traffic through my proxy with WinDivert.
Edit 2
Reduced the entire program to 1 thread, same effect. Created a new client CTX for each client connection, same issue. Tried disabling AES-NI, issue persists. Tried a different computer, same effect. Recompiled OpenSSL from source (was using precompiled binaries), issue persists. Tried setting additional OP_ workaround flags described in the current docs related to downgrade detection, padding bugs, so on and so forth, issue persists. I think I'll just start randomly mashing the keyboard and compile button soon.
I was going to just delete this question, but I decided to answer it in light of the fact that nowhere on the net (that I could find) actually pointed to a correct solution to this problem. I've read every single report about this error that one could find and every single one of those reports, the people "solved" or "reduced" this error in a different way. Every single one of them, a different solution. This is what helped make this issue so difficult to reason out, because everyone everywhere has a different underlying causal explanation.
It's complicated, ready? This error will present itself if you cancel/abort a pending async SSL operation. Mind->boom(). It'll be even more confusing if you do what the docs say and use async_shutdown to do so, because even the callback to async_shutdown will fail (error code is set) and your error message will randomly be something stupid like "decryption failed or bad record mac" or "block cipher pad is wrong" or "SSLv3 alert!" and so on and so forth. When seeing errors like this, ignore the errors and analyze the control flow of your IO ops; somewhere you're either prematurely ending them or getting them out of order.
In my case, the premature end was (sort of) intentional, since during this stupid heavy refactor I decided to change things outside the scope of the problem, like my HTTPHeader parser, which I bugged out and ended up causing it to fail nearly 100% of the time and thus aborting the connections. :) The error strings were masking the real cause by telling me encryption failed for some reason or another. Dumb mistake I know, but I take comfort in being the first one (apparently) to recognize it. :)
Open a PowerShell window and type this:
(Invoke-WebRequest -Uri status.dev.azure.com).StatusDescription
https://devblogs.microsoft.com/devops/deprecating-weak-cryptographic-standards-tls-1-0-and-1-1-in-azure-devops-services/
This might be something obvious but I cannot for the life of me figure it out. Ever since we did a server reboot, a C++ program using mysql++ to connect to our database has just returned 0 rows for all queries instantly. My first thought was that my.cnf might not have been loaded correctly, but it appears that it was, after checking show variables and comparing.
Any suggestions? Is it possible that some directory setting is failing to find some .so needed for mysqlpp that I don't know about?
Any advice appreciated.
any suggestions?
Sure:
Ensure that you're checking all error code returns if you've disabled exceptions.
If you haven't disabled exceptions, check that each catch block that could be involved isn't just quietly eating the error.
The MySQL C API library (and therefore MySQL++) is probably trying to tell you what went wrong, and you're suppressing it or ignoring it somehow.
Build and run the examples. If they fail in the same way as your program, it means the problem is broad in nature. The examples have good diagnostics, so they may guide you to the problem.
If the examples work fine, then the problem is specific to your program or its data. So, separate the cases:
Does the program work on a different machine against a DB with the same structure as the problem machine, but different contents?
If so, does it still work on that machine when you load a copy of the problem DB into the second machine?
And if that still works, does it work when you access the remote machine's DB directly from the system that does work? (Be careful with this one. You want to have SSL set up on the MySQL DB connection itself, or have some kind of secure channel to it, like a VPN or SSH tunnel.)
If you run that gauntlet successfully, it means the problem is with the program itself on the original machine, or with the program's environment. Libraries or permissions, as you've speculated, are one possibility.
Run your program under a debugger.
Try gdb first, because what we're interested in is whether the debugger sees any exceptions or signals thrown. Maybe the program is core dumping, for example.
If gdb gives the program a clean bill of health, try valgrind. If Valgrind complains about your program, chances are good that it's complaining about something legitimate; maybe harmless, but legitimate. If you get complaints, and you found above that the problem is specific to one machine, I recommend re-trying the Valgrind run on the system where the program runs successfully. Fix those problems, or at least rule out the harmless warnings before continuing debugging on the original problem machine.
is it possible that some directory setting is failing to find some .so needed for mysqlpp that I don't know about?
It's easy to check:
$ ldd myprogram
You should get a report listing all the shared libraries your program is linking to, including their full paths. Any that are missing or unreadable by the user running ldd will be indicated.
I am developing a C++ network application on Windows. I need to check if internet connection is there or not. I am using gethostbyname(), but it is giving incorrect information when the system is connected through a proxy. InternetCheckConnection() and InternetGetConnectedState() are also not giving reliable results under different conditions. Is there a reliable way to check for internet connectivity covering all the conditions such as proxy and VPN?
Update:
In our company network WinHttpGetProxyForUrl() is failing with the error ERROR_WINHTTP_AUTODETECTION_FAILED and WinHttpSendRequest() is failing with the error ERROR_WINHTTP_NAME_NOT_RESOLVED.
In an open network WinHttpSendRequest() is successful.
Plain old way!
Include:
#include <windows.h>   // must come before wininet.h
#include <wininet.h>
#pragma comment(lib,"Wininet.lib")
In your method:
// Initialise the buffer; calling strcat() on an uninitialised array is undefined behaviour
char url[128] = "http://www.techtoolbox.com";
// FLAG_ICC_FORCE_CONNECTION makes WinINet actually attempt the connection
// instead of answering from cached connection state
BOOL bConnect = InternetCheckConnection(url, FLAG_ICC_FORCE_CONNECTION, 0);
if (bConnect)
{
    // internet connection exists
}
else
{
    // internet connection does NOT exist (GetLastError() gives the reason)
}
Hope it helps.
The best way to test the availability of any resource is to try to use it. You only care about the Internet if there is something out there you want to connect to. So, try to connect to it, in the normal course of your program, and handle the errors. Don't try to second-guess what might happen if you try. First, you're trying to predict the future. Second, you aren't necessarily exercising the same things that the actual connection would exercise. Third, your test may succeed and your subsequent use fail due to an intervening condition changing. Fourth, you have to handle the errors from the real use of the resource anyway: why write all that code twice?
A simple solution is to try to connect to a well-known host, if it succeeds then you have a connection.
In my opinion a way is to create a socket and try connecting a known host. These links will help:
For windows: http://msdn.microsoft.com/en-us/library/ms740673(VS.85).aspx and for unix http://www.tenouk.com/cnlinuxsockettutorials.html.
HTH
Anil
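The "just try to use it" advice in the answers above, carried through as an added example that is not part of any of the original answers: a TCP reachability probe that actually attempts the connection with a bounded timeout and reports any failure as "not reachable", leaving the caller to handle it the way it would handle the real request failing. It is written against POSIX sockets (Linux/Unix) rather than Winsock, and it brings up its own loopback listener so it can be exercised offline; the names probe_tcp, start_local_listener and demo_probe are my own.

```cpp
// Added example, not from the original answers: probe a host by actually
// attempting the TCP connection with a bounded timeout, and treat any
// failure as "not reachable". POSIX sockets (Linux/Unix); on Windows the
// same calls are available through Winsock after WSAStartup().
#include <arpa/inet.h>
#include <cerrno>
#include <cstdint>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

// Non-blocking connect() to ipv4:port, waiting at most timeout_ms for the
// handshake. Returns true only when SO_ERROR reports success; a refused,
// timed-out or unroutable connection is reported as false so the caller
// handles it exactly as it would handle the real request failing.
bool probe_tcp(const char* ipv4, uint16_t port, int timeout_ms) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return false;

    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ipv4, &addr.sin_addr) != 1) {
        close(fd);
        return false;
    }

    int flags = fcntl(fd, F_GETFL, 0);
    fcntl(fd, F_SETFL, flags | O_NONBLOCK);

    bool ok = false;
    int rc = connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof addr);
    if (rc == 0) {
        ok = true;  // loopback can complete the handshake immediately
    } else if (errno == EINPROGRESS) {
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        timeval tv;
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        // Writable means the connect finished; SO_ERROR says whether it succeeded.
        if (select(fd + 1, nullptr, &wfds, nullptr, &tv) > 0) {
            int err = 0;
            socklen_t len = sizeof err;
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) == 0 && err == 0)
                ok = true;
        }
    }
    close(fd);
    return ok;
}

// Test helper (constructed for this example): listen on 127.0.0.1 with an
// OS-chosen port so the probe can be exercised without leaving the machine.
// Returns the listening socket, or -1 on failure; the port is written to *port.
int start_local_listener(uint16_t* port) {
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    sockaddr_in addr{};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    socklen_t len = sizeof addr;
    if (bind(lfd, reinterpret_cast<sockaddr*>(&addr), len) != 0 ||
        listen(lfd, 1) != 0 ||
        getsockname(lfd, reinterpret_cast<sockaddr*>(&addr), &len) != 0) {
        close(lfd);
        return -1;
    }
    *port = ntohs(addr.sin_port);
    return lfd;
}

// Runs the probe against the live listener, then again after the listener
// is closed. Returns true when the probe reports reachable, then unreachable.
bool demo_probe() {
    uint16_t port = 0;
    int lfd = start_local_listener(&port);
    if (lfd < 0) return false;
    bool up = probe_tcp("127.0.0.1", port, 500);
    close(lfd);
    bool down = probe_tcp("127.0.0.1", port, 500);
    return up && !down;
}

int main() {
    return demo_probe() ? 0 : 1;
}
```

The probe deliberately does no name resolution: it takes a literal IPv4 address, because DNS behaviour is exactly what differs behind a proxy or VPN (the original question's gethostbyname() symptom), and a connectivity check that silently depends on it reports the wrong thing in those environments.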
I'm developing an app for Symbian device that need to silent filter incoming SMS, and the following link is the code that does that:
http://symbian.devtricks.mobi/tricks/silent_receiving_of_sms_messages/
another similar code on Nokia
http://wiki.forum.nokia.com/index.php/SMS_Utilities_API
It works, but the problem is that after I reboot my phone, the SMSes that have been intercepted are still added to the inbox. I know that on the site they did mention using KIoctlReadMessageSucceeded to prevent that, which I did, but the problem is still there. Tried both pieces of code but still the same result. Is there anything I'm missing?
Another problem with that code is that it will no longer work after a call comes in; SMS won't be intercepted any more after that. Is there a way to fix that?
Thanks, help would be greatly appreciated.
With regards to not intercepting SMS after a reboot, are you re-starting your executable (and hence the listener) after a reboot?
You can do so with the Nokia startup list management API.
With regards to failing after a call has come in, this sounds like your executable may be panicking (and thus stopping listening). Have you checked to see if it is panicking and whether it is still running after a call has come in?
I've done this kind of application before, and never had any problem with incoming calls.
When I use SQL*Plus, connecting as a user whose password has entered the grace period (Oracle 11g, Oracle 8i), I get an error message but the connect is still successful:
SQL*Plus:
=====================================
SQL> connect gumiplesku
Enter password:
ERROR:
ORA-28002: the password will expire within 7 days
Connected.
SQL> select User from dual;
USER
======================================
gumiplesku
=====================================
On the other hand, in my C++ OCI code doing an OCILogon2, if I try to connect as the same user, I get an OCI_SUCCESS_WITH_INFO with the same "error", but if I continue, the OCISvcCtx* I got seems to be invalid (even though it's not null), since trying to do an OCIAttrGet or OCIStmtExecute on it gives me an OCI_INVALID_HANDLE error.
The user should successfully connect to the database during the whole grace period, until the password has totally expired.
So how come SQL*Plus can connect OK, when I get a bad handle? Shall I be attempting to connect a different way?
Many thanks.
This is a little outside my experience, but since nobody is answering I'll give it a shot.
I recall there being some kind of error handler callback you can install. Since you are able to get the error information via OCIErrorGet (?), I assume it's triggering normal error handling mechanisms. Is it possible that there's an error handler that closes the connection when an "error" occurs without checking for this special case?
This also reminds me of a problem I had long ago, if you pass in the wrong handle type to OCI functions they can fail in odd ways. From a look at the OCIErrorGet docs, it might be that you're passing in OCI_HTYPE_ERROR and an environment handle, or OCI_HTYPE_ENV and an error handle.
Are you calling OCIErrorGet multiple times? Oracle can generate multiple errors, maybe you have to retrieve them all before continuing? But that doesn't really seem reasonable.
Beyond those long-shots, I would try a simple OCI example or any example code from Oracle to see if it has the same issue. If not, then work backwards to find what's making the difference.