Closed ewoks closed 2 years ago
Hi Vladi,
That seems to be a problem either with the mobile portal setup on the VPN side and/or with the certificate installed on the Checkpoint side, or it has expired, if any is installed.
Most probably certificate expired.
You can check the certificate with:
openssl s_client -showcerts -servername vpn.address.com -connect vpn.address.com:443
If the certificate is expired, I think you can bypass the error temporarily in Firefox by going to about:config and setting security.ssl.enable_ocsp_stapling to false until the underlying issue is fixed on the Checkpoint side.
On holidays, so for a week I can't add code to the script to have status check for that.
Regards
On Tue, 26 Jul 2022, 18:29 Vladi, @.***> wrote:
First of all thanks for the project and all the work you put in. It looks very interesting and useful but I can't make it work somehow. Fedora 36, vpn.sh status looks ok-ish (v1.80, CShell running, SNX installed, CShell self-signed CA cert visible, but in status report there is a line "VPN off", "VPN signatures" are empty). Opening FF v102 on https://vpn.address.com renders "Secure connection failed". Going to https://localhost:14186/id shows JSON response like {"id":"some-uuid-here"}.
Starting vpn.sh in a new terminal or vpn.sh restart doesn't bring me any further.
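The certificate check suggested above, as an added example that is not part of the thread or of chrootvpn: `openssl x509` reads only the first certificate it is given, so this splits saved `-showcerts` output and checks every certificate in the chain. The function names and the self-signed demo chain are constructed for illustration.

```shell
#!/usr/bin/env bash
# check_chain FILE [SECONDS]: FILE is saved `openssl s_client -showcerts` output.
# Prints "<index> <OK|EXPIRING> <notAfter>" per certificate. Returns 0 if every
# certificate is still valid SECONDS from now (default 0 = now), 1 if any is
# not, 2 if FILE holds no certificate.
check_chain() {
    local file=$1 window=${2:-0} tmp i=1 bad=0 state end
    tmp=$(mktemp -d) || return 2
    # One file per BEGIN..END block; s_client's surrounding text is skipped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside                        { print > (dir "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { inside = 0; close(dir "/cert" n ".pem") }
    ' "$file"
    while [ -f "$tmp/cert$i.pem" ]; do
        end=$(openssl x509 -in "$tmp/cert$i.pem" -noout -enddate | cut -d= -f2)
        if openssl x509 -in "$tmp/cert$i.pem" -noout -checkend "$window" >/dev/null; then
            state=OK
        else
            state=EXPIRING; bad=1
        fi
        printf '%s %s %s\n' "$i" "$state" "$end"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    [ "$i" -gt 1 ] || return 2
    return "$bad"
}

# make_demo_chain DIR: constructed sample input. Writes DIR/chain.txt holding a
# leaf valid for 365 days followed by a second certificate valid for 1 day,
# with stray text between them the way s_client prints it.
make_demo_chain() {
    local dir=$1 days
    for days in 365 1; do
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=demo-$days" \
            -keyout "$dir/key.pem" -out "$dir/c$days.pem" 2>/dev/null || return 1
    done
    { echo "Certificate chain"; cat "$dir/c365.pem"; echo " 1 s:CN=demo-1"; cat "$dir/c1.pem"; } \
        > "$dir/chain.txt"
}

# Against a live portal (hostname as used in the thread):
#   openssl s_client -showcerts -servername vpn.address.com \
#       -connect vpn.address.com:443 </dev/null >chain.txt 2>/dev/null
#   check_chain chain.txt 604800    # flag anything expiring within 7 days
```
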
hmm.. openssl response looks fine, all certificates in chain have valid dates. Ok, time for you to enjoy holidays, maybe we can analyse more when you are back.
Cheers
The mobile portal site has to open without any software/agent installed, i.e. the issue is not the software installed.
If vpn.sh is ending the setup, it is because it intentionally ignores whether certificates are valid when downloading scripts from your VPN. So at least we know the VPN web service side is answering.
What does a wget https://vpn.address.com say?
Please send the openssl output to my ruyrybeyro@gmail.com email.
You are right, something is wrong with that vpn web service.
wget request gives output as:
HTTP request sent, awaiting response... Read error (The TLS connection was non-properly terminated.) in headers.
Retrying.
Interestingly enough from other Linux machine, output is slightly different:
HTTP request sent, awaiting response... Read error (Success.) in headers.
Retrying.
Nevertheless wget is retrying on both systems.
curl is no different, returning:
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
which according to [1] and various other posts/comments brings us to confirmation of your bad server assumption.
Unfortunately I'm not sure that vpn server owners are willing to do anything about it. All of their users are using default Checkpoint Win/MacOS client, therefore I propose to close this issue as it's almost certain that "these are not the droids we are looking for".
It also means I would not have a proper chance to test this project which looks amazing. Nevertheless, thanks a lot for all the effort, responsiveness and giving this project to the community. Now back to well deserved holidays. Enjoy :)
[1] - https://github.com/curl/curl/issues/5138#issuecomment-929945830
Ok, thanks. How about Chrome, is it able to open it?
If you send me by a side channel the real DNS address, I might be able to have a look by Monday.
Regards
Same issue with Chrome: "This page isn’t working", ERR_EMPTY_RESPONSE
Btw, I just added printing of the VPN X.509 certificate to status in vpn.sh.
First of all thanks for the project and all the work you put in. It looks very interesting and useful but somehow I can't make it work.
Fedora 36 here with OpenJDK 11, vpn.sh status looks ok-ish (v1.80, CShell running, SNX installed, CShell self-signed CA cert visible, but in status report there is a line "VPN off", "VPN signatures" are empty). Opening FF v102 on https://vpn.address.com renders "Secure connection failed". Going to https://localhost:14186/id shows JSON response like {"id":"some-uuid-here"}. Curling verbose same link, shows certificate (O=check Point), with same JSON response. Starting vpn.sh in a new terminal or vpn.sh restart doesn't bring me any further.
Thanks :)