Firefox 46 tax portal secure connection failed

60 views
Skip to first unread message

Michael Pope

unread,
Apr 4, 2017, 11:56:31 PM4/4/17
to aus...@googlegroups.com
I've just started getting the following error under Firefox 46 with 'Java 8 update 11' today when accessing the ATO tax portal

   
   

The service was working yesterday and nothing system wise has changed. Multiple users use this same computer and all have not been able to login to the tax portal.

I've cleared the cache. I also checked connecting on a Windows box under Firefox 52 (32bit) and that worked.

from
Michael

Jayen

unread,
Apr 5, 2017, 12:02:01 AM4/5/17
to aus...@googlegroups.com
Hi Michael,

Can you provide the URL you were on when you saw this error?  I did two BAS's today without an issue (Firefox 52 debian 32-bit).

--
--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Michael Pope

unread,
Apr 5, 2017, 12:04:36 AM4/5/17
to aus...@googlegroups.com
I went to https://tap.ato.gov.au/ and clicked 'Login' then I ended up with the error on the following url;

https://authentication.business.gov.au/S001v4.0/authenticate/g3
from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Alan Hopkins

unread,
Apr 5, 2017, 12:13:16 AM4/5/17
to aus...@googlegroups.com

Hi Michael

I have also had no problem (at least so far!) with PCLinuxOS (a RedHat/Fedora branch) and Firefox 51 (I have locked that version due to the perceived issues with FF v52 - although Jayen doesn't seem to have any with 52).

Are you logging in from the https://bp.ato.gov.au/  link or are you using a bookmark?

Cheers

Alan

Michael Pope

unread,
Apr 5, 2017, 12:14:35 AM4/5/17
to aus...@googlegroups.com
I'm using my bookmark, but I just tried clicking on the link you sent me and I get the same problem.
from
Michael

Alan Hopkins

unread,
Apr 5, 2017, 12:14:46 AM4/5/17
to aus...@googlegroups.com

Woops .... sorry.... didn't realise you were logging in via the Tax agent portal


On 05/04/17 14:04, Michael Pope wrote:

Michael Pope

unread,
Apr 5, 2017, 12:16:46 AM4/5/17
to aus...@googlegroups.com

Just tried firefox 52 (installed in a separate directory on the same machine), same problem.

from
Michael

Jayen

unread,
Apr 5, 2017, 12:17:52 AM4/5/17
to aus...@googlegroups.com
Hi Michael,

I just downloaded FF46 and it works for me (still debian 32-bit).  Could it be your internet connection combined with your computer?
snapshot6.png

Michael Pope

unread,
Apr 5, 2017, 12:19:34 AM4/5/17
to aus...@googlegroups.com

The internet is working fine and a Windows computer which is on the same network can access the tax portal, just the Linux machines cannot.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Alan Hopkins

unread,
Apr 5, 2017, 12:23:07 AM4/5/17
to aus...@googlegroups.com

Think it might be a Java issue - ver 8 update 121 here - maybe go to https://www.java.com/en/download/help/troubleshoot_java.xml and run a test on your browser - you may need to update java.


On 05/04/17 14:14, Michael Pope wrote:

Jayen

unread,
Apr 5, 2017, 12:25:19 AM4/5/17
to aus...@googlegroups.com
I've seen weird issues like you describe before (not with the ATO).  You might take the linux machine home or via a 3g hotspot and it'll work fine, but it doesn't work in your office where your windows machine works.

Sometimes playing with the MTU helps (e.g. sudo ifconfig wlan0 mtu 1500) but you could also screw up your computer this way.

Doesn't look like you are getting to a point where firefox is even attempting java.  Looks like an issue with the SSL connection.  I see the certificate was recently changed, so maybe some other settings on the server changed, too?

Michael Pope

unread,
Apr 5, 2017, 12:33:11 AM4/5/17
to aus...@googlegroups.com

Just upgraded java and tested that it's loading in Firefox 46. Still have the issue with the ATO portal.


from
Michael

Michael Pope

unread,
Apr 5, 2017, 1:28:51 AM4/5/17
to aus...@googlegroups.com

I get this error when doing a wget could other people try this for me please;

~/.java/deployment/log % wget https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-05 15:26:33--  https://authentication.business.gov.au/S001v4.0/authenticate/q3
Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.

from
Michael

Michael Pope

unread,
Apr 5, 2017, 1:40:30 AM4/5/17
to aus...@googlegroups.com

Here is what I've tried so far;

- [X] Try clearing cache = fail
- [X] Try my user = fail
- [X] Disable security.ssl.enable_ocsp_stapling in settings = fail
  I reset this back to true.
- [X] Test compiling firefox 52 in /opt/firefox52 = fail
- [X] Try and fake the OS through the browser. = fail
  Using User Agent Plugin I changed it to IE8 and also tried iPhone 3.0
- [X] Upgrade Java to 8u121 = fail
  Java install worked, but I still have the problem
- [X] Upgraded tzdata-java = fail
- [X] Add exceptions in jcontrol -> security = fail
- [X] Try wget = fail
  : ~/.java/deployment/log % wget https://authentication.business.gov.au/S001v4.0/authenticate/q3


  : --2017-04-05 15:26:33--  https://authentication.business.gov.au/S001v4.0/authenticate/q3
  : Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
  : Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
  : GnuTLS: A TLS packet with unexpected length was received.
  : Unable to establish SSL connection.

- [X] Try on the test rig (Running Debian Jessie instead of Wheezy) = fail
- [X] Reboot the router = fail
- [X] Try in google-chrome = fail

from
Michael

Skeetgoesskiing

unread,
Apr 5, 2017, 1:58:17 AM4/5/17
to aus...@googlegroups.com
Wow Michael! You've tried a lot of things!! Sorry but I'm out of my league now. Don't  want to sound like the IT Crowd but have you tried turning it off & turning it back on again 😀 Sorry I cant be of any help... look forward to the solution!  Cheers. Alan 

Michael Pope

unread,
Apr 5, 2017, 2:11:25 AM4/5/17
to aus...@googlegroups.com
Yes I've tried a reboot and that didn't help. I do enjoy IT Crowd so a reboot is always somewhere in the list of things to do.
from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 2:20:31 AM4/5/17
to aus...@googlegroups.com
(same on 32-bit debian stable and 64-bit (docker container debian testing)) so the SSL part is working for me.

- [ ] Is it plugged in?  (If you are on WiFi try wired)
- [ ] Can you try another route?  (e.g. via 3g)
- [ ] Are you willing to play with the MTU?
- [ ] Have you tried a VM or another baremetal OS on the same machine?
- [ ] Have you tried a Linux VM or baremetal Linux on the windows machine?

Onno Benschop

unread,
Apr 5, 2017, 2:27:13 AM4/5/17
to aus...@googlegroups.com
Another data point:

Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-04-05 14:25:47 ERROR 404: Not Found.

Onno Benschop

()/)/)()        ..ASCII for Onno..
|>>?            ..EBCDIC for Onno..
--- -. -. ---   ..Morse for Onno..

If you need to know: "What computer should I buy?" http://goo.gl/spsb66

ITmaze   -   ABN: 56 178 057 063   -  ph: 04 1219 8888   -   on...@itmaze.com.au

Onno Benschop

unread,
Apr 5, 2017, 2:30:02 AM4/5/17
to aus...@googlegroups.com
Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.
HTTP request sent, awaiting response... 
  HTTP/1.1 404 Not Found
  Cache-Control: private
  Transfer-Encoding: chunked
  Server: Microsoft-IIS/7.5
  X-AspNet-Version: 4.0.30319
  Set-Cookie: Prod__CurrentStateId=M1F8qVNknhKgYB+D2zUOFyrZpJ0WJAYWMLD+w/e6l4N2tIVRVdOLPMp6go/VLx1q6J0k+FNsn6M6R8u6R5FC0lwKHKW9H/IkcwgT8PFg9D2qmfd/CmYbUFRH5anGyrYqLeFYdJNj/WLpbU3p+7KwokzzRB3bPZfy+FzRUco9tPgW; domain=authentication.business.gov.au; path=/; secure; HttpOnly
  X-Powered-By: ASP.NET
  Date: Wed, 05 Apr 2017 06:29:16 GMT
2017-04-05 14:29:17 ERROR 404: Not Found.

Michael Pope

unread,
Apr 5, 2017, 2:33:19 AM4/5/17
to aus...@googlegroups.com

Jayen,

The computer is wired to the network and it's also running 10 thin clients with different businesses hanging off it so I cannot easily play around with the network or change routes. Everything else mind you works. We have VPN links, and logged into many different https services it's really just the ATO which is not working here.

I have just tried a Debian Wheezy VM under this same computer and it gets futher and tells me I have to download software. So if this had Java & the AUSkey it would most likely work. So it must be something on the main computer stopping it.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 2:37:57 AM4/5/17
to aus...@googlegroups.com
Is the VM using bridged or NAT networking?

I think given your situation, it won't be possible to fix the host, so you'll have to use the guest.

Michael Pope

unread,
Apr 5, 2017, 2:39:05 AM4/5/17
to aus...@googlegroups.com
The VM is using bridged networking. It was working fine yesterday, and
has been for a few years now.

Onno Benschop

unread,
Apr 5, 2017, 3:00:54 AM4/5/17
to aus...@googlegroups.com
Hi Michael,

You said that it works on Windows. Can you confirm that it still is working? You might also consider turning on a network monitor, or seeing if you can track a console from a browser to see if the two platforms go to the same URL.

I'm running:
  • Firefox ESR, 45.7.0
  • Java Version 8 Update 121
I don't have a TAP account, but I can log-in normally and can also log into the normal end-user account at bp.ato.gov.au.

This makes me think that your issue is local.


On 5 April 2017 at 14:37, Michael Pope <map...@gmail.com> wrote:
The VM is using bridged networking. It was working fine yesterday, and
has been for a few years now.
--
--
You received this message because you are subscribed to the "AUSkey" group.

To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au

To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Michael Pope

unread,
Apr 5, 2017, 3:14:15 AM4/5/17
to aus...@googlegroups.com
Well it also gets to the login screen on a debian 7 vm on the same machine this would be easier to compare with the main system.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Onno Benschop

unread,
Apr 5, 2017, 3:18:57 AM4/5/17
to aus...@googlegroups.com
Have you created a new user account on the thin client? I wonder if the browser profile is corrupt.

--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

Michael Pope

unread,
Apr 5, 2017, 7:02:12 PM4/5/17
to aus...@googlegroups.com
Just tried with a brand new user and it still failed.

I think it has something to do with this 'GnuTLS: A TLS packet with unexpected length was received.' error. I don't get this error on the debian VM which works.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 7:03:53 PM4/5/17
to aus...@googlegroups.com
Did you try a network monitor like Wireshark or tcpdump?

Can you use the VM as a proxy?

Onno Benschop

unread,
Apr 5, 2017, 7:10:17 PM4/5/17
to aus...@googlegroups.com
My google-fu suggests that this is a gnutls issue. The hits I'm seeing are over a year old.

Alternatively, it's possible that the ATO certificate is newer than your machine knows what to do with, but that's speculation at this time.

o

Michael Pope

unread,
Apr 5, 2017, 7:13:15 PM4/5/17
to aus...@googlegroups.com
Some packages may of been updated I'll have to check. I've applied updates yesterday to try and fix the issue, but that didn't help. The old VM with debian which works hasn't been updated for a long time. Maybe it's running the versions I need.
from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Onno Benschop

unread,
Apr 5, 2017, 7:18:26 PM4/5/17
to aus...@googlegroups.com
Random question.

Is the clock set correctly on the machine?


--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

Michael Pope

unread,
Apr 5, 2017, 7:22:08 PM4/5/17
to aus...@googlegroups.com
Here is the date off the broken machine
Thursday 6 April  09:20:07 AEST 2017

Here is the date off the machine which works.
Thursday 6 April  09:20:30 EST 2017
from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Onno Benschop

unread,
Apr 5, 2017, 7:34:44 PM4/5/17
to aus...@googlegroups.com
Where are you seeing the gnutls error?


--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

Michael Pope

unread,
Apr 5, 2017, 7:39:45 PM4/5/17
to aus...@googlegroups.com
On the broken server when I do the following command;

wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-06 09:36:17--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.

If I do this command on the working VM I get this;
wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-06 09:39:26--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 143.174.192.33
Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Cache-Control: private
  Transfer-Encoding: chunked
  Server: Microsoft-IIS/7.5
  X-AspNet-Version: 4.0.30319
  Set-Cookie: Prod__CurrentStateId=A1i0+VAgENAMIvJh1Qpf0g/i1QX4jT9nXcgrKuVm+5ByjADIqTiohzub7mhwixdHdBccoe4EiduuVV2wIMPZ+VHljsiIpg9xWBl9Acbmv2a4zzoeVtQjNcbaBa6cWF7m5BTgfLQ6pCEGTwA3RBDowfj8qEM+c8PJOd8mdpkyyopR; domain=authentication.business.gov.au; path=/; secure; HttpOnly
  X-Powered-By: ASP.NET
  Date: Wed, 05 Apr 2017 23:39:27 GMT
2017-04-06 09:39:27 ERROR 404: Not Found.


from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 7:46:38 PM4/5/17
to aus...@googlegroups.com

I'm just going to clone my VM, apply all updates and see if I can break a working copy

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 8:13:50 PM4/5/17
to aus...@googlegroups.com

After applying all the upgrades to my working Debian Wheezy VM it still works, so I'll now compare the package/versions with the broken system which is also running Debian Wheezy. Maybe there is a clue there.

I have a feeling it's either a system package or global configuration on the failing server.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 8:47:51 PM4/5/17
to aus...@googlegroups.com

I haven't ran tcpdump/wireshark yet. What exactly would I be looking for there is a lot of traffic on this network?

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 9:51:20 PM4/5/17
to aus...@googlegroups.com
firefox says the connection was reset, so for the given TCP connection, you would look for what is just before the reset packet, i guess.

maybe `tcpdump 'host authentication.business.gov.au'` will not get too much extra traffic.

Michael Pope

unread,
Apr 5, 2017, 9:54:49 PM4/5/17
to aus...@googlegroups.com
Here is the iinformation, I don't know what to look for here.

sudo tcpdump 'host authentication.business.gov.au'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:03.071943 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [S], seq 1190707086, win 14600, options [mss 1460,sackOK,TS val 215316636 ecr 0,nop,wscale 7], length 0
11:53:03.103128 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [S.], seq 2561451118, ack 1190707087, win 4140, options [mss 1460,nop,nop,TS val 1089931629 ecr 215316636,sackOK,eol], length 0
11:53:03.103193 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316643 ecr 1089931629], length 0
11:53:03.103455 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316643 ecr 1089931629], length 208
11:53:03.120006 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [.], ack 209, win 4348, options [nop,nop,TS val 1089931647 ecr 215316643], length 0
11:53:03.120618 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [R.], seq 1, ack 209, win 4348, length 0
11:53:03.122985 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [S], seq 2282806227, win 14600, options [mss 1460,sackOK,TS val 215316648 ecr 0,nop,wscale 7], length 0
11:53:03.139553 IP authentication.business.gov.au.https > 192.168.200.4.40325: Flags [S.], seq 224403283, ack 2282806228, win 4140, options [mss 1460,nop,nop,TS val 1089931666 ecr 215316648,sackOK,eol], length 0
11:53:03.139610 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316652 ecr 1089931666], length 0
11:53:03.139959 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316653 ecr 1089931666], length 208
11:53:03.156993 IP authentication.business.gov.au.https > 192.168.200.4.40325: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.158784 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [S], seq 2801991975, win 14600, options [mss 1460,sackOK,TS val 215316657 ecr 0,nop,wscale 7], length 0
11:53:03.175232 IP authentication.business.gov.au.https > 192.168.200.4.40326: Flags [S.], seq 1599539643, ack 2801991976, win 4140, options [mss 1460,nop,nop,TS val 1089931702 ecr 215316657,sackOK,eol], length 0
11:53:03.175275 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316661 ecr 1089931702], length 0
11:53:03.175572 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316661 ecr 1089931702], length 208
11:53:03.192080 IP authentication.business.gov.au.https > 192.168.200.4.40326: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.193439 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [S], seq 1721502376, win 14600, options [mss 1460,sackOK,TS val 215316666 ecr 0,nop,wscale 7], length 0
11:53:03.211002 IP authentication.business.gov.au.https > 192.168.200.4.40327: Flags [S.], seq 1302270292, ack 1721502377, win 4140, options [mss 1460,nop,nop,TS val 1089931738 ecr 215316666,sackOK,eol], length 0
11:53:03.211047 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316670 ecr 1089931738], length 0
11:53:03.211381 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316670 ecr 1089931738], length 208
11:53:03.227092 IP authentication.business.gov.au.https > 192.168.200.4.40327: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.229084 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [S], seq 2072635664, win 14600, options [mss 1460,sackOK,TS val 215316675 ecr 0,nop,wscale 7], length 0
11:53:03.245812 IP authentication.business.gov.au.https > 192.168.200.4.40328: Flags [S.], seq 2850785357, ack 2072635665, win 4140, options [mss 1460,nop,nop,TS val 1089931773 ecr 215316675,sackOK,eol], length 0
11:53:03.245835 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316679 ecr 1089931773], length 0
11:53:03.246052 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316679 ecr 1089931773], length 208
11:53:03.261905 IP authentication.business.gov.au.https > 192.168.200.4.40328: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.263764 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [S], seq 2510720116, win 14600, options [mss 1460,sackOK,TS val 215316684 ecr 0,nop,wscale 7], length 0
11:53:03.279848 IP authentication.business.gov.au.https > 192.168.200.4.40329: Flags [S.], seq 1769876596, ack 2510720117, win 4140, options [mss 1460,nop,nop,TS val 1089931806 ecr 215316684,sackOK,eol], length 0
11:53:03.279887 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316688 ecr 1089931806], length 0
11:53:03.280229 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316688 ecr 1089931806], length 208
11:53:03.296137 IP authentication.business.gov.au.https > 192.168.200.4.40329: Flags [R.], seq 1, ack 1, win 4140, length 0

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 10:02:55 PM4/5/17
to aus...@googlegroups.com
On Thu, Apr 6, 2017 at 11:54 AM, Michael Pope <map...@gmail.com> wrote:
11:53:03.120618 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [R.], seq 1, ack 209, win 4348, length 0

The lines with [R.] look suspect to me (and i'm not getting them on my system).  Not really sure why the server resets the connection on your host but not any other system.  Also assumed you used wget or otherwise retried 5 times?

Do you mind adding `-w filename` and sending me the file?  I can then open it in wireshark.

Here's what I get:
12:00:57.804806 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [S], seq 1735871134, win 29200, options [mss 1460,sackOK,TS val 134282396 ecr 0,nop,wscale 7], length 0
12:00:57.813737 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [S.], seq 2882600639, ack 1735871135, win 4140, options [mss 1380,nop,nop,TS val 1090406428 ecr 134282396,sackOK,eol], length 0
12:00:57.813782 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [.], ack 1, win 29200, options [nop,nop,TS val 134282399 ecr 1090406428], length 0
12:00:57.814180 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [P.], seq 1:345, ack 1, win 29200, options [nop,nop,TS val 134282399 ecr 1090406428], length 344
12:00:57.822951 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [.], ack 345, win 4484, options [nop,nop,TS val 1090406437 ecr 134282399], length 0
12:00:57.827928 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [P.], seq 1:1449, ack 345, win 4484, options [nop,nop,TS val 1090406441 ecr 134282399], length 1448
12:00:57.827954 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [P.], seq 1449:2897, ack 345, win 4484, options [nop,nop,TS val 1090406441 ecr 134282399], length 1448

Michael Pope

unread,
Apr 5, 2017, 10:08:09 PM4/5/17
to aus...@googlegroups.com

Yes I have tried many times and get the same response both going through the browser and using wget. The attached file is with wget.



from
Michael
auskey_issue_tcpdump.log

Jayen

unread,
Apr 5, 2017, 10:23:43 PM4/5/17
to aus...@googlegroups.com
Can you do that again but add --secure-protocol=TLSv1_2 to your wget?  yours is using SSLv3 and mine is using TLSv1_2.  The system i'm on today (ubuntu 16.04 64-bit) won't let me try SSLv3.

Although I'd imagine your firefox is using TLSv1_2 already and the server's not supposed to reset the connection in any case, so I'm not sure all this diagnostic will help in the end.

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 11:01:18 PM4/5/17
to aus...@googlegroups.com
/etc/apt % wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=TLSv1_2
wget: --secure-protocol: Invalid value `TLSv1_2'.

I also tried the supported wget secure protocols

% wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=TLSv1  
--2017-04-06 12:59:10--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.


Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: GnuTLS internal error.

Unable to establish SSL connection.


Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: GnuTLS internal error.

Unable to establish SSL connection.


from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 11:03:00 PM4/5/17
to aus...@googlegroups.com

wget --version
GNU Wget 1.13.4 built on linux-gnu.

So it might not have it.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Michael Pope

unread,
Apr 5, 2017, 11:05:37 PM4/5/17
to aus...@googlegroups.com

I use the same 1.13 version of wget on the working machine, so I don't think it's this.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 5, 2017, 11:06:53 PM4/5/17
to aus...@googlegroups.com
can you send a tcpdump from the working machine?

Michael Pope

unread,
Apr 5, 2017, 11:10:45 PM4/5/17
to aus...@googlegroups.com

Attached. This VM is a Debian Wheezy 7 machine with all the updates on.

from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.
auskey_working_tcpdump_from_VM.log

Jayen

unread,
Apr 5, 2017, 11:27:13 PM4/5/17
to aus...@googlegroups.com
Hey what's 210.193.176.72 and why is the host connecting to that instead of 143.174.192.33 like the guest (and my machine)?

Michael Pope

unread,
Apr 6, 2017, 12:37:36 AM4/6/17
to aus...@googlegroups.com, Jayen
Thats it ah. Years ago i had a work around in hosts file. I took that out and it all came to life!

Thanks guys, i was going crazy.

From
Michael

Alan Hopkins

unread,
Apr 6, 2017, 3:17:21 AM4/6/17
to aus...@googlegroups.com

Well sorted Jayen!

Now I know how useful tcpdump can be!!

Amazing how things we did ages ago (and forgotten about) can come back to haunt us.....

Sent from my Android device with K-9 Mail. Please excuse my brevity. --
--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 6, 2017, 3:25:04 AM4/6/17
to aus...@googlegroups.com
it took me a while to notice the difference, even with the two traces side-by-side.  first i was like, "why is wireshark showing ssl3 even though it's the same client hello packet?" then i realized that wireshark must be looking ahead at the negotiation and sorting it out, so i started to look for other differences.  really we could have figured it out by comparing michael's wget output and onno's.

Jayen

unread,
Apr 6, 2017, 3:26:32 AM4/6/17
to Michael Pope, aus...@googlegroups.com
not sure why you put it in, but once i configured dnsmasq with all-servers some years ago, all my dns problems went away.

Alan Hopkins

unread,
Apr 6, 2017, 3:29:23 AM4/6/17
to aus...@googlegroups.com

Hi Jayden

I'm just learning how handy Wireshark is!

Hey - I noticed you had no problem using FF 52 - is that with Linux or Windoze?  If with Linux, does that mean all is ok to update to it?

Cheers

Alan

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Jayen

unread,
Apr 6, 2017, 3:33:35 AM4/6/17
to aus...@googlegroups.com
Linux, but I'm not a Tax Agent, so I am able to use myGov.

Michael Pope

unread,
Apr 6, 2017, 9:10:26 PM4/6/17
to aus...@googlegroups.com
I just tried two versions of Firefox 52 with the tax agent portal, the None ESR version and the ESR version. The None ESR version doesn't work, whilst the ESR version (which still allows us to use the java plugin) works with the tax agent portal. I'm doing this on Debian Wheezy 64bit with Oracle Java 8 browser plugin.


from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Onno Benschop

unread,
Apr 6, 2017, 9:26:03 PM4/6/17
to aus...@googlegroups.com
That is expected behaviour.


--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

Michael Pope

unread,
Apr 6, 2017, 9:40:37 PM4/6/17
to aus...@googlegroups.com
What happens next year when firefox drops support for 52-ESR?
from
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

Onno Benschop

unread,
Apr 6, 2017, 9:43:32 PM4/6/17
to aus...@googlegroups.com
Based on the information that I have there should be a fix for this before then. The website shows all the information that I'm able to publish at this time.

o
Reply all
Reply to author
Forward
0 new messages