Posts by flarbnatz

1) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 108298)
Posted 1 Jun 2022 by flarbnatz
Post:
Einstein@home does not work through the SonicWall "transparent TLS proxy":
2022-06-01 13:30:16 | Einstein@Home | [http] [ID#1] Info: Connected to scheduler.einsteinathome.org (130.75.116.40) port 443 (#4)
...
2022-06-01 13:30:17 | Einstein@Home | [http] [ID#1] Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
2022-06-01 13:30:17 | Einstein@Home | [http] [ID#1] Info: ALPN, server did not agree to a protocol

even as Rosetta@home works through the same "transparent TLS proxy":
2022-06-01 13:30:25 | Rosetta@home | [http] [ID#1] Info: Connected to bwsrv1.bakerlab.org (128.95.160.156) port 443 (#5)
...
2022-06-01 13:30:25 | Rosetta@home | [http] [ID#1] Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
2022-06-01 13:30:25 | Rosetta@home | [http] [ID#1] Info: ALPN, server accepted to use http/1.1

Only after I bypass the TLS proxy (by adding wireless NIC and using "route add" to route BOINC requests through it), Einstein@home works:
2022-06-01 13:35:53 | Einstein@Home | [http] [ID#1] Info: Connected to scheduler.einsteinathome.org (130.75.116.40) port 443 (#7)
...
2022-06-01 13:35:54 | Einstein@Home | [http] [ID#1] Info: SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
2022-06-01 13:35:54 | Einstein@Home | [http] [ID#1] Info: ALPN, server accepted to use http/1.1

So the company's "transparent" TLS proxy is not completely transparent. Either: 1) The proxy modifies a request on its way through (making an alternative request that the server doesn't like), or 2) The proxy modifies a reply (causing the client take make a request that the server does not like).

•Making the TLS proxy more perfectly transparent (if it is possible) would (by definition) eliminate this problem (and surely others). (A patch that fixes "only" this problem might break other software or reduce security.)

•Making Einstein@home's server tolerate the protocol change would eliminate this problem.

•There probably is no patch for the BOINC client that would eliminate this problem.
2) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 108222)
Posted 24 May 2022 by flarbnatz
Post:
"Conclusion:"? Really??
Wrong in multiple ways. Profoundly unhelpful.

•Squid proxy is not SonicWall. It might do something different.
•Rosetta and LHC-dev are not Einstein@home. They might not be as strict.
(You have tested nothing relevant.)

•The only way to know that your Squid proxy actually intercepts your outbound TLS connections is to verify that your browsers and BOINC cannot connect via TLS until you show them the needed certificate (the certificate that tells them your Squid proxy is authoritative for every domain).
(You might not have actually tested Squid's transparent TLS proxying.)

To this day:
When I go through SonicWall:
2022-05-24 15:03:03 | Einstein@Home | [http] [ID#1] Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
2022-05-24 15:03:03 | Einstein@Home | [http] [ID#1] Info: ALPN, server did not agree to a protocol

When I route some IP addresses through the wireless LAN, bypassing SonicWall (by disabling the wired connection or by using route add):
2022-05-24 15:08:46 | Einstein@Home | [http] [ID#1] Info: SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
2022-05-24 15:08:46 | Einstein@Home | [http] [ID#1] Info: ALPN, server accepted to use http/1.1

It looks like SonicWall is not a perfectly transparent TLS proxy. SonicWall changes a security protocol on the way through, and Einstein@Home's BOINC server (and a few rare other servers) doesn't like it.

•This problem goes away if someone configures or patches SonicWall to pass the right security protocol through. (IF it is possible for SonicWall to determine.) (IF it is acceptable for SonicWall to not change the security protocol.)

•This problem goes away if someone configures or patches Einstein@Home's BOINC server to accept the other security protocol, the one that comes in when the connection comes through SonicWall's TLS proxy.

•(Patching BOINC client seems less likely to fix this problem. BOINC client would have to alter its request such that the request that passes through SonicWall is accepted by BOINC server.)
3) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 107662)
Posted 30 Mar 2022 by flarbnatz
Post:
If it fails to connect, it tries other addresses. (Close and restart BOINC might rest the list.)
These commands divert more main and alternate addresses used by Einstein@Home to the UNfiltered router:
route add 130.75.116.0 mask 255.255.255.0 10.1.55.1 metric 4
route add 129.89.61.0 mask 255.255.255.0 10.1.55.1 metric 4
route add 138.230.171.0 mask 255.255.255.0 10.1.55.1 metric 4


BOINC client displays the message "BOINC can't access Internet" after doing a "general connectivity" check.
After the client discards the connection to Einstein (with "ALPN, server did not agree to a protocol"), it tries to access https://www.google.com/ :
2022-03-30 17:30:26 | | [http] [ID#0] Info: Connected to www.google.com (172.253.122.99) port 443 (#4)
When connected through the firewall, it rejects that connection with the same error:
2022-03-30 17:30:26 | | [http] [ID#0] Info: SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
2022-03-30 17:30:26 | | [http] [ID#0] Info: ALPN, server did not agree to a protocol
...
2022-03-30 17:30:26 | | [http] HTTP error: Failure when receiving data from the peer
2022-03-30 17:30:26 | | BOINC can't access Internet - check network connection or proxy configuration.
I can browse https://www.google.com/ through the firewall, but BOINC discards this connection just like it does the connection to Einstein server.

It still looks like a patch is needed for BOINC client, BOINC server, and/or SonicWall's firewall appliance.
4) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 107660)
Posted 30 Mar 2022 by flarbnatz
Post:
"the CA cert must be added to ca-bundle.crt"
I did that. That makes BOINC believe that the "man in the middle" is the endpoint and allow the connection. (That's how I got this far.)
The problem is that after connection, the firewall tries to use a different security protocol. The BOINC client (or server) sees this and rejects the connection. (This firewall behavior MIGHT break some websites too. Coincidentally, some websites don't work for me when they go through the firewall - "secure connection failed".)

I forgot to mention, besides the logged errors, BOINC puts up this Notice:
"Notice from BOINC
BOINC can't access Internet - check network connection or proxy configuration.
2022-03-29 21:40:10"

The firewall is an appliance, SonicWall NSa 2700. "Firmware updated last week."

I found another work-around, still good for me only:
Instead of forcing ALL traffic into the unfiltered wireless LAN connection (by temporarily disabling the filtered wired LAN connection), I can divert [only] BOINC traffic into the unfiltered wireless connection by typing this at an administrative command prompt:
route add 130.75.116.42 mask 255.255.255.255 10.1.55.1 metric 2 if 23

That should work until reboot.

I copied the parameters from various places:
130.75.116.42 mask 255.255.255.255 : only divert 130.75.116.40 (einsteinathome.org). (copied from BOINC Manager's Event Log.)
10.1.55.1 : the gateway address for the wireless router. (copied from ipconfig output)
metric 2 : (any number lower than the metrics displayed by route print before)
if 23 : number of the wireless adapter (copied from route print output)
(I think I've seen the interface number change sometimes. Run route print each time to be sure.)
5) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 107631)
Posted 29 Mar 2022 by flarbnatz
Post:
My wired LAN blocks some websites by content "category". All traffic is inspected by SonicWALL Firewall DPI-SSL. BOINC connections fail.

My wireless "guest" LAN blocks some websites (last time I looked). Its traffic is NOT inspected by DPI-SSL. BOINC connections work.
It is not public. (It has a weak password.) Many devices connect to it. (Phones, laptops, thermostats.)
It might be unwise to leave the wireless "guest" LAN without traffic inspection. BUT: Putting it through DPI-SSL would cause many tech-support requests. Also, devices can access the Internet via their cellular provider, so the devices are often on "unprotected" data connections anyway.

I assume that many users run BOINC behind SonicWALL Firewall DPI-SSL.
I suspect that they all must have this same problem.
And not all have the handy work-around that I have (a less-protected LAN).
They might only get BOINC to upload and download by connecting through a VPN (if possible), or by hosting a hotspot from their cellphone and connecting to it from their BOINC computer.

I still think this problem happens because the DPI-SSL firewall tries to change or upgrade the connection security from "DHE-RSA-AES256-GCM-SHA384" to "ECDHE-RSA-AES256-GCM-SHA384", but either the BOINC app or the BOINC project servers (I can't guess which) don't like it.

If this problem blocks enough users, something has to be changed.
Maybe the firewall shouldn't change the selected encryption. (If enough people object, they MIGHT adjust it.)
Maybe the BOINC app and/or BOINC server should tolerate it when a DPI-SSL changes or upgrades the selected encryption. Maybe a configuration option could fix it. Maybe adding a DLL or a Windows patch could fix it. Maybe it has to be hard-coded.

I don't know whether BOINC under Windows 8/10/11 has this same problem. BOINC could detect the OS and make different requests, or it could make the same request that happens to act differently under different OS.
6) Message boards : Questions and problems : Download, upload, and Notices don't work on wired LAN; work on wireless guest LAN (Message 107571)
Posted 25 Mar 2022 by flarbnatz
Post:
BOINC 7.16.20 (x64) [20211014; latest]. Windows 7.

Downloading, Uploading, and Notices stopped working via the wired LAN, but they all work via the wireless guest LAN. (The work-around is to plug in the wireless USB adapter and disable the wired LAN or disconnect the cable.)

I think it started right after we added SonicWALL Firewall DPI-SSL. (BOINC took a few days to run out of work units and then tell me.) DPI-SSL firewall decrypts TLS connections, inspects traffic both ways, and re-encrypts. (I have end-to-end privacy, EXCEPT that the beneficent "man in the middle" can see and filter everything.) At first it blocked all of my HTTPS browsing, with a security warning, until I registered a special certificate that lets the firewall pretend to be every domain, "dpi-ssl-2048-sha2.cer". If I add the cert to Firefox, only Firefox can browse HTTPS sites. If I add it only to Windows, that lets Firefox, Filezilla, and more visit secure servers. But BOINC didn't like it - it said "Info: SSL certificate problem: self signed certificate in certificate chain" and/or "HTTP error: Peer certificate cannot be authenticated with given CA certificates". I fixed that by opening "dpi-ssl-2048-sha2.cer" and re-saving it as base64, and then copying and pasting that text (in matching format) into "C:\Program Files\BOINC\ca-bundle.crt", just before the other certs in that "bundle". Now it has to work? Nope.

I think the firewall tries to upgrade the connection security, but apparently the app or the project servers don't like it.

Following are two logs, with each line stripped of the date+time. (That makes WinDiff show only the differences.) And differences in color.

The first difference is tiny: "DHE-RSA-AES256-GCM-SHA384" versus "ECDHE-RSA-AES256-GCM-SHA384".

This wakeup text is common to both:
Starting BOINC client version 7.16.20 for windows_x86_64
log flags: file_xfer, sched_ops, task, file_xfer_debug, http_debug, work_fetch_debug
Libraries: libcurl/7.47.1 OpenSSL/1.0.2s zlib/1.2.8
Data directory: C:\ProgramData\BOINC
Running under account me2
CUDA: NVIDIA GPU 0: NVIDIA GeForce GTX 1050 Ti (driver version 471.68, CUDA version 11.4, compute capability 6.1, 4096MB, 3038MB available, 2138 GFLOPS peak)
OpenCL: NVIDIA GPU 0: NVIDIA GeForce GTX 1050 Ti (driver version 471.68, device version OpenCL 3.0 CUDA, 4096MB, 3038MB available, 2138 GFLOPS peak)
Windows processor group 0: 8 processors
Host name: BoatAnchor
Processor: 8 GenuineIntel Intel(R) Xeon(R) CPU X5450 @ 3.00GHz [Family 6 Model 23 Stepping 6]
Processor features: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss htt tm pni ssse3 cx16 sse4_1 syscall nx lm vmx tm2 dca pbe
OS: Microsoft Windows 7: Professional x64 Edition, Service Pack 1, (06.01.7601.00)
Memory: 32.00 GB physical, 48.60 GB virtual
Disk: 122.32 GB total, 30.68 GB free
Local time is UTC -4 hours
No WSL found.
VirtualBox version: 6.0.14
etta@home | General prefs: from Rosetta@home (last modified 13-Jul-2017 13:03:05)
etta@home | Host location: none
etta@home | General prefs: using your defaults
Reading preferences override file
Preferences:
max memory usage when active: 26212.52 MB
max memory usage when idle: 29489.09 MB
max disk usage: 38.10 GB
don't compute while active
don't use GPU while active
suspend work if non-BOINC CPU load exceeds 75%
max download rate: 524288 bytes/sec
max upload rate: 262144 bytes/sec
(to change preferences, visit a project web site or select Preferences in the Manager)
[work_fetch] Request work fetch: Prefs update
[work_fetch] Request work fetch: Startup
Setting up project and slot directories
Checking active tasks
stein@Home | URL https://einstein.phys.uwm.edu/; Computer ID 900000; resource share 100
etta@home | URL https://boinc.bakerlab.org/rosetta/; Computer ID 2000000; resource share 100
Setting up GUI RPC socket
Checking presence of 616 project files
Suspending computation - computer is in use

Success, via the wireless guest LAN (apparently bypasses firewall):
[http] HTTP_OP::init_get(): https://einsteinathome.org/rss_main.php
[http] HTTP_OP::libcurl_exec(): ca-bundle 'C:\Program Files\BOINC\ca-bundle.crt'
[http] HTTP_OP::libcurl_exec(): ca-bundle set
[http] [ID#0] Info: Trying 130.75.116.40...
[http] [ID#0] Info: Connected to einsteinathome.org (130.75.116.40) port 443 (#0)
[http] [ID#0] Info: ALPN, offering http/1.1
[http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
[http] [ID#0] Info: successfully set certificate verify locations:
[http] [ID#0] Info: CAfile: C:\Program Files\BOINC\ca-bundle.crt
[http] [ID#0] Info: CApath: none
[http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
[http] [ID#0] Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Finished (20):
[http] [ID#0] Info: SSL connection using TLSv1.2 / DHE-RSA-AES256-GCM-SHA384
[http] [ID#0] Info: ALPN, server accepted to use http/1.1

[http] [ID#0] Info: Server certificate:
((blank line))
[http] [ID#0] Info: start date: Jan 24 00:00:00 2022 GMT
[http] [ID#0] Info: expire date: Jan 24 23:59:59 2023 GMT
[http] [ID#0] Info: subjectAltName: einsteinathome.org matched
[http] [ID#0] Info: issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Organization Validation Secure Server CA
[http] [ID#0] Info: SSL certificate verify ok.
[http] [ID#0] Sent header to server: GET /rss_main.php HTTP/1.1
[http] [ID#0] Sent header to server: Host: einsteinathome.org
[http] [ID#0] Sent header to server: User-Agent: BOINC client (windows_x86_64 7.16.20)
[http] [ID#0] Sent header to server: Accept: */*
[http] [ID#0] Sent header to server: Accept-Encoding: deflate, gzip
[http] [ID#0] Sent header to server: Accept-Language: en_US
[http] [ID#0] Sent header to server:
[http] [ID#0] Received header from server: HTTP/1.1 200 OK
[http] [ID#0] Received header from server: Date: Fri, 25 Mar 2022 01:02:43 GMT
[http] [ID#0] Received header from server: Server: Apache
[http] [ID#0] Received header from server: Last-Modified: Fri, 25 Mar 2022 01:02:07 GMT
[http] [ID#0] Received header from server: ETag: "a6a767327ed7b0f614c2e9cf927a9b06-gunzip-gzip"
[http] [ID#0] Received header from server: Expires: Sun, 19 Nov 1978 05:00:00 GMT
[http] [ID#0] Received header from server: Cache-Control: must-revalidate
[http] [ID#0] Received header from server: X-Content-Type-Options: nosniff
[http] [ID#0] Received header from server: X-Frame-Options: sameorigin
[http] [ID#0] Received header from server: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
[http] [ID#0] Received header from server: Content-Type: application/rss+xml; charset=utf-8
[http] [ID#0] Received header from server: Set-Cookie: SESS3e8888888888888888f7f6d21b=8888btfadsdehhsshh8888c5s2z; expires=Sun, 17-Apr-2022 04:36:03 GMT; Max-Age=2000000; path=/; domain=einsteinathome.org; secure
[http] [ID#0] Received header from server: Vary: Accept-Encoding
[http] [ID#0] Received header from server: Content-Encoding: gzip
[http] [ID#0] Received header from server: Content-Length: 226
[http] [ID#0] Received header from server:
((blank line))
[http] [ID#0] Info: Connection #1 to host boinc.bakerlab.org left intact


Failure, through the wired LAN (via DPI-SSL firewall):
((The wake-up text is identical, so no need to repeat it.)
[http] HTTP_OP::init_get(): https://einsteinathome.org/rss_main.php
[http] HTTP_OP::libcurl_exec(): ca-bundle 'C:\Program Files\BOINC\ca-bundle.crt'
[http] HTTP_OP::libcurl_exec(): ca-bundle set
[http] [ID#0] Info: Trying 130.75.116.40...
[http] [ID#0] Info: Connected to einsteinathome.org (130.75.116.40) port 443 (#0)
[http] [ID#0] Info: ALPN, offering http/1.1
[http] [ID#0] Info: Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
[http] [ID#0] Info: successfully set certificate verify locations:
[http] [ID#0] Info: CAfile: C:\Program Files\BOINC\ca-bundle.crt
[http] [ID#0] Info: CApath: none
[http] [ID#0] Info: TLSv1.2 (OUT), TLS header, Certificate Status (22):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server hello (2):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS change cipher, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
[http] [ID#0] Info: TLSv1.2 (IN), TLS change cipher, Client hello (1):
[http] [ID#0] Info: TLSv1.2 (IN), TLS handshake, Finished (20):
[http] [ID#0] Info: SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
[http] [ID#0] Info: ALPN, server did not agree to a protocol

[http] [ID#0] Info: Server certificate:
((blank line))
[http] [ID#0] Info: start date: Jan 24 00:00:00 2022 GMT
[http] [ID#0] Info: expire date: Jan 24 23:59:59 2023 GMT
[http] [ID#0] Info: subjectAltName: einsteinathome.org matched
[http] [ID#0] Info: issuer: C=US; ST=CA; L=San Jose; O=SonicWALL Inc.; CN=SonicWALL Firewall DPI-SSL
[http] [ID#0] Info: SSL certificate verify ok.
[http] [ID#0] Sent header to server: GET /rss_main.php HTTP/1.1
[http] [ID#0] Sent header to server: Host: einsteinathome.org
[http] [ID#0] Sent header to server: User-Agent: BOINC client (windows_x86_64 7.16.20)
[http] [ID#0] Sent header to server: Accept: */*
[http] [ID#0] Sent header to server: Accept-Encoding: deflate, gzip
[http] [ID#0] Sent header to server: Accept-Language: en_US
[http] [ID#0] Sent header to server:
[http] [ID#0] Info: SSL read: error:00000000:lib(0):func(0):reason(0), errno 10054
[http] [ID#0] Info: Closing connection 0
[http] HTTP error: Failure when receiving data from the peer




Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.