BlackArch / blackarch-site

BlackArch Linux website
https://www.blackarch.org/

error: failed retrieving file 'blackarch.db' from www.blackarch.org : OpenSSL SSL_read: Connection reset by peer, errno 104 #165

Closed D3vil0p3r closed 2 years ago

D3vil0p3r commented 2 years ago

Bug description

On Arch Linux with the blackarch repository implemented, when I (sometimes) use my mobile connection on a specific computer with VMware hosting this Arch Linux and execute sudo pacman -Sy, I get the following error:

 :: Synchronizing package databases...
 core downloading...
 extra downloading...
 community downloading...
 multilib downloading...
 chaotic-aur downloading...
 blackarch downloading...
 athena-repository downloading...
error: failed retrieving file 'blackarch.db' from www.blackarch.org : OpenSSL SSL_read: Connection reset by peer, errno 104
error: failed to synchronize all databases (unexpected error)

I was also aware that another set of users have this kind of issue on their home network.

If I use my home network instead of my mobile network, it works correctly.

Another, clearer way to trigger this issue is to run the BlackArch strap.sh script. If I run it on my mobile network, I get the following output:

You don't have an Internet connection!

This error is triggered inside the check_internet() function. In this case, if you visit the https://blackarch.org website (I used Mozilla Firefox as browser), you will get an error containing:

image

So, could it be that from some IPs (not VPN, not TOR, but normal Internet connections), some ISP or BlackArch itself refuses the connections/IP addresses? Or does the issue have another cause?

I'm starting to wonder whether it could also be related to the computer used instead of the connection itself, since the mobile connection works on blackarch.org on a different machine.

Steps to reproduce

First method

Second method

Actual result: Describe here what happens after you run the steps above (i.e. the buggy behaviour)

By using the First Method, on the terminal we get:

error: failed retrieving file 'blackarch.db' from www.blackarch.org : OpenSSL SSL_read: Connection reset by peer, errno 104

By using the Second Method, the result of strap.sh script is:

You don't have an Internet connection!

In both scenarios, if I visit the https://blackarch.org website in the browser, I get this error:

image

I noted that this does not always happen when I use the same mobile connection... Since the IP is assigned dynamically, could it be that the IP address is blacklisted for some reason by BlackArch?

Expected result: Describe here what should happen after you run the steps above (i.e. what would be the correct behaviour)

The sudo pacman -Sy command is run correctly with no error messages from the BlackArch side.

Info for developers

GNU/Linux distribution: Arch Linux, kernel: 5.19.4-arch1-1

noraj commented 2 years ago

For your sudo pacman -Sy you can't temporary workaround by picking another mirror. By the way, you shouldn't perform sudo pacman -Sy (because partial upgrade). Could it be that your carrier ISP intercepts the traffic in some way? But if you can reach blackarch.org normally on your land ISP + on your carrier ISP from another computer, it's likely an issue with your device. In any case, BA is not blacklisting any IP addresses. I'm not aware of the website being behind some sort of CDN like Cloudflare that could auto-ban some IPs.

D3vil0p3r commented 2 years ago

> For your sudo pacman -Sy you can't temporary workaround by picking another mirror. By the way, you shouldn't perform sudo pacman -Sy (because partial upgrade). Could it be that your carrier ISP intercepts the traffic in some way? But if you can reach blackarch.org normally on your land ISP + on your carrier ISP from another computer, it's likely an issue with your device. In any case, BA is not blacklisting any IP addresses. I'm not aware of the website being behind some sort of CDN like Cloudflare that could auto-ban some IPs.

Since the browser error says that the "authenticity" of the received data could not be verified, could it be related to certificates? Could it be that, despite my using an Arch Linux VM, my host machine refuses certificates from the blackarch domain when it needs to exchange data? I noticed that another guy (from another country) also had the same issue.

noraj commented 2 years ago

We use a Let's Encrypt certificate; some browsers or OSes may have issues with them sometimes, keeping the list of CAs up to date or stuff like that, but it seems unlikely it is an issue on the BA side.

D3vil0p3r commented 2 years ago

> We use a Let's Encrypt certificate; some browsers or OSes may have issues with them sometimes, keeping the list of CAs up to date or stuff like that, but it seems unlikely it is an issue on the BA side.

Hey @noraj, thank you for your patience. With other users we investigated the issue, and we have become aware that some firewalls can blacklist the blackarch domain, so some people cannot reach the blackarch repository unless they explicitly allow the BlackArch domain. But this solution works only for non-beginner users and for people who have control over their firewall, so it could also be a problem for people who don't have permissions on the firewall (i.e., in a company), even though BlackArch is not malicious; it is just labelled by default in the blocklist by these FW vendors.

Are there some actions the BlackArch team could take to address this issue? For example, contacting the several FW vendors and pointing out that there is no reason to blacklist the BlackArch domain?

Until now we are getting this issue from CheckPoint, ESET and maybe BitDefender.

ikstream commented 2 years ago

It's mostly the configuration of these firewalls and most likely depends on which blocklist is used by the firewall admin. BlackArch is on some of these lists, as well as Kali (at least it used to be), as some folks see hacking tools as evil. I already contacted some list maintainers a long while ago; some removed BlackArch, others just ignored me.

I had the chance to test your issue with CheckPoint and ESET protected systems and can't reproduce it. So maybe you and the others need to contact their firewall admin.

noraj commented 2 years ago

I'll close this issue as there is not much we can do that we didn't already try.
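
Added example, not part of the original thread and not BlackArch project code: a small probe that separates the failure modes discussed above (connection reset on the path, untrusted certificate, or a certificate re-signed by a local inspection product). It assumes the site still serves a Let's Encrypt certificate, as the maintainer states; the function names and diagnosis strings are hypothetical.

```python
import socket
import ssl

# Assumption: the site still serves a Let's Encrypt certificate, as the
# maintainer states in this thread.
EXPECTED_ISSUER_ORG = "Let's Encrypt"

DIAGNOSIS = {
    "reset": "connection torn down mid-TLS: look for a firewall or blocklist on the path",
    "cert_untrusted": "certificate not trusted: stale CA store or a TLS-inspecting proxy",
    "dns_failure": "name did not resolve: DNS filtering or a resolver problem",
    "timeout": "no answer: packets dropped somewhere on the path",
    "other_error": "unclassified socket error: inspect manually",
}

def probe(host, port=443, timeout=10):
    """Verified TLS handshake plus one HTTP read; return (outcome, issuer org)."""
    ctx = ssl.create_default_context()
    request = b"HEAD / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                tls.sendall(request)
                tls.recv(1024)  # a reset after the handshake surfaces here
                return "ok", issuer.get("organizationName")
    except ssl.SSLCertVerificationError:
        return "cert_untrusted", None
    except (ConnectionResetError, ssl.SSLEOFError):
        return "reset", None
    except socket.gaierror:
        return "dns_failure", None
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError:
        return "other_error", None

def classify(outcome, issuer_org=None):
    """Turn a probe() result into a one-line diagnosis."""
    if outcome != "ok":
        return DIAGNOSIS.get(outcome, DIAGNOSIS["other_error"])
    if issuer_org != EXPECTED_ISSUER_ORG:
        return f"handshake verified but issuer is {issuer_org!r}: TLS is being re-signed locally"
    return "path is clean: verified handshake with the expected CA"

if __name__ == "__main__":
    print(classify(*probe("www.blackarch.org")))
```

Running it from both the failing and the working network and comparing the two lines shows whether the difference is on the path or in the local trust store.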