Firefox 46 tax portal secure connection failed

[Michael Pope]

I've just started getting the following error under Firefox 46 with 'Java 8 update 11' today when accessing the ATO tax portal

   
   

The service was working yesterday and nothing system wise has changed. Multiple users use this same computer and all have not been able to login to the tax portal.

I've cleared the cache. I also checked connecting on a Windows box under Firefox 52 (32bit) and that worked.

from
Michael

[Jayen]

Hi Michael,

Can you provide the URL you were on when you saw this error?  I did two BAS's today without an issue (Firefox 52 debian 32-bit).

--
--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael Pope]

I went to https://tap.ato.gov.au/ and clicked 'Login' then I ended up with the error on the following url;

https://authentication.business.gov.au/S001v4.0/authenticate/g3

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Alan Hopkins]

Hi Michael

I have also had no problem (at least so far!) with PCLinuxOS (a RedHat/Fedora branch) and Firefox 51 (I have locked that version due to the perceived issues with FF v52 - although Jayen doesn't seem to have any with 52).

Are you logging in from the https://bp.ato.gov.au/  link or are you using a bookmark?

Cheers

Alan

[Michael Pope]

I'm using my bookmark, but I just tried clicking on the link you sent me and I get the same problem.

from
Michael

[Alan Hopkins]

Woops .... sorry.... didn't realise you were logging in via the Tax agent portal

On 05/04/17 14:04, Michael Pope wrote:

[Michael Pope]

Just tried firefox 52 (installed in a separate directory on the same machine), same problem.

from
Michael

[Jayen]

Hi Michael,

I just downloaded FF46 and it works for me (still debian 32-bit).  Could it be your internet connection combined with your computer?

[Michael Pope]

The internet is working fine and a Windows computer which is on the same network can access the tax portal, just the Linux machines cannot.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Alan Hopkins]

Think it might be a Java issue - ver 8 update 121 here - maybe go to https://www.java.com/en/download/help/troubleshoot_java.xml and run a test on your browser - you may need to update java.

On 05/04/17 14:14, Michael Pope wrote:

[Jayen]

I've seen weird issues like you describe before (not with the ATO).  You might take the linux machine home or via a 3g hotspot and it'll work fine, but it doesn't work in your office where your windows machine works.

Sometimes playing with the MTU helps (e.g. sudo ifconfig wlan0 mtu 1500) but you could also screw up your computer this way.

Doesn't look like you are getting to a point where firefox is even attempting java.  Looks like an issue with the SSL connection.  I see the certificate was recently changed, so maybe some other settings on the server changed, too?

[Michael Pope]

Just upgraded java and tested that it's loading in Firefox 46. Still have the issue with the ATO portal.

from
Michael

[Michael Pope]

I get this error when doing a wget could other people try this for me please;

~/.java/deployment/log % wget https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-05 15:26:33--  https://authentication.business.gov.au/S001v4.0/authenticate/q3
Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
GnuTLS: A TLS packet with unexpected length was received.
Unable to establish SSL connection.

from
Michael

[Michael Pope]

Here is what I've tried so far;

- [X] Try clearing cache = fail
- [X] Try my user = fail
- [X] Disable security.ssl.enable_ocsp_stapling in settings = fail
  I reset this back to true.
- [X] Test compiling firefox 52 in /opt/firefox52 = fail
- [X] Try and fake the OS through the browser. = fail
  Using User Agent Plugin I changed it to IE8 and also tried iPhone 3.0
- [X] Upgrade Java to 8u121 = fail
  Java install worked, but I still have the problem
- [X] Upgraded tzdata-java = fail
- [X] Add exceptions in jcontrol -> security = fail
- [X] Try wget = fail
  : ~/.java/deployment/log % wget https://authentication.business.gov.au/S001v4.0/authenticate/q3

  : --2017-04-05 15:26:33--  https://authentication.business.gov.au/S001v4.0/authenticate/q3
  : Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
  : Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.
  : GnuTLS: A TLS packet with unexpected length was received.
  : Unable to establish SSL connection.

- [X] Try on the test rig (Running Debian Jessie instead of Wheezy) = fail
- [X] Reboot the router = fail
- [X] Try in google-chrome = fail

from
Michael

[Skeetgoesskiing]

Wow Michael! You've tried a lot of things!! Sorry but I'm out of my league now. Don't  want to sound like the IT Crowd but have you tried turning it off & turning it back on again 😀 Sorry I cant be of any help... look forward to the solution!  Cheers. Alan 

[Michael Pope]

Yes I've tried a reboot and that didn't help. I do enjoy IT Crowd so a reboot is always somewhere in the list of things to do.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

jayen@eeyore:/tmp$ wget https://authentication.business.gov.au/S001v4.0/authenticate/q3
https://authentication.business.gov.au/S001v4.0/authenticate/q3:
2017-04-05 16:15:33 ERROR 404: Not Found.

(same on 32-bit debian stable and 64-bit (docker container debian testing)) so the SSL part is working for me.

- [ ] Is it plugged in?  (If you are on WiFi try wired)

- [ ] Can you try another route?  (e.g. via 3g)

- [ ] Are you willing to play with the MTU?

- [ ] Have you tried a VM or another baremetal OS on the same machine?

- [ ] Have you tried a Linux VM or baremetal Linux on the windows machine?

[Onno Benschop]

Another data point:

$ wget https://authentication.business.gov.au/S001v4.0/authenticate/q3

--2017-04-05 14:25:46--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 143.174.192.33

Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.

HTTP request sent, awaiting response... 404 Not Found

2017-04-05 14:25:47 ERROR 404: Not Found.

Onno Benschop

()/)/)()        ..ASCII for Onno..
|>>?            ..EBCDIC for Onno..
--- -. -. ---   ..Morse for Onno..

If you need to know: "What computer should I buy?" http://goo.gl/spsb66

ITmaze   -   ABN: 56 178 057 063   -  ph: 04 1219 8888   -   on...@itmaze.com.au

[Onno Benschop]

Also:

$ wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3

--2017-04-05 14:29:16--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 143.174.192.33

Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.

HTTP request sent, awaiting response... 

  HTTP/1.1 404 Not Found

  Cache-Control: private

  Transfer-Encoding: chunked

  Server: Microsoft-IIS/7.5

  X-AspNet-Version: 4.0.30319

  Set-Cookie: Prod__CurrentStateId=M1F8qVNknhKgYB+D2zUOFyrZpJ0WJAYWMLD+w/e6l4N2tIVRVdOLPMp6go/VLx1q6J0k+FNsn6M6R8u6R5FC0lwKHKW9H/IkcwgT8PFg9D2qmfd/CmYbUFRH5anGyrYqLeFYdJNj/WLpbU3p+7KwokzzRB3bPZfy+FzRUco9tPgW; domain=authentication.business.gov.au; path=/; secure; HttpOnly

  X-Powered-By: ASP.NET

  Date: Wed, 05 Apr 2017 06:29:16 GMT

2017-04-05 14:29:17 ERROR 404: Not Found.

[Michael Pope]

Jayen,

The computer is wired to the network and it's also running 10 thin clients with different businesses hanging off it so I cannot easily play around with the network or change routes. Everything else mind you works. We have VPN links, and logged into many different https services it's really just the ATO which is not working here.

I have just tried a Debian Wheezy VM under this same computer and it gets futher and tells me I have to download software. So if this had Java & the AUSkey it would most likely work. So it must be something on the main computer stopping it.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

Is the VM using bridged or NAT networking?

I think given your situation, it won't be possible to fix the host, so you'll have to use the guest.

[Michael Pope]

The VM is using bridged networking. It was working fine yesterday, and
has been for a few years now.

[Onno Benschop]

Hi Michael,

You said that it works on Windows. Can you confirm that it still is working? You might also consider turning on a network monitor, or seeing if you can track a console from a browser to see if the two platforms go to the same URL.

I'm running:

• Firefox ESR, 45.7.0
• Java Version 8 Update 121

I don't have a TAP account, but I can log-in normally and can also log into the normal end-user account at bp.ato.gov.au.

This makes me think that your issue is local.

On 5 April 2017 at 14:37, Michael Pope <map...@gmail.com> wrote:

The VM is using bridged networking. It was working fine yesterday, and
has been for a few years now.

--
--
You received this message because you are subscribed to the "AUSkey" group.

To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au

To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.
To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

[Michael Pope]

Well it also gets to the login screen on a debian 7 vm on the same machine this would be easier to compare with the main system.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

[Onno Benschop]

Have you created a new user account on the thin client? I wonder if the browser profile is corrupt.

--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

[Michael Pope]

Just tried with a brand new user and it still failed.

I think it has something to do with this 'GnuTLS: A TLS packet with unexpected length was received.' error. I don't get this error on the debian VM which works.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

Did you try a network monitor like Wireshark or tcpdump?

Can you use the VM as a proxy?

[Onno Benschop]

My google-fu suggests that this is a gnutls issue. The hits I'm seeing are over a year old.

• https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1111882/comments/3
  
• https://arashmilani.com/post?id=21
  

Was the machine updated recently?

Alternatively, it's possible that the ATO certificate is newer than your machine knows what to do with, but that's speculation at this time.

o

[Michael Pope]

Some packages may of been updated I'll have to check. I've applied updates yesterday to try and fix the issue, but that didn't help. The old VM with debian which works hasn't been updated for a long time. Maybe it's running the versions I need.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Onno Benschop]

Random question.

Is the clock set correctly on the machine?

--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

[Michael Pope]

Here is the date off the broken machine
Thursday 6 April  09:20:07 AEST 2017

Here is the date off the machine which works.
Thursday 6 April  09:20:30 EST 2017

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Onno Benschop]

Where are you seeing the gnutls error?

--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

[Michael Pope]

On the broken server when I do the following command;

wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-06 09:36:17--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.

GnuTLS: A TLS packet with unexpected length was received.

Unable to establish SSL connection.

If I do this command on the working VM I get this;
wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3
--2017-04-06 09:39:26--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 143.174.192.33
Connecting to authentication.business.gov.au (authentication.business.gov.au)|143.174.192.33|:443... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 404 Not Found
  Cache-Control: private
  Transfer-Encoding: chunked
  Server: Microsoft-IIS/7.5
  X-AspNet-Version: 4.0.30319

  Set-Cookie: Prod__CurrentStateId=A1i0+VAgENAMIvJh1Qpf0g/i1QX4jT9nXcgrKuVm+5ByjADIqTiohzub7mhwixdHdBccoe4EiduuVV2wIMPZ+VHljsiIpg9xWBl9Acbmv2a4zzoeVtQjNcbaBa6cWF7m5BTgfLQ6pCEGTwA3RBDowfj8qEM+c8PJOd8mdpkyyopR; domain=authentication.business.gov.au; path=/; secure; HttpOnly
  X-Powered-By: ASP.NET
  Date: Wed, 05 Apr 2017 23:39:27 GMT
2017-04-06 09:39:27 ERROR 404: Not Found.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Michael Pope]

I'm just going to clone my VM, apply all updates and see if I can break a working copy

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Michael Pope]

After applying all the upgrades to my working Debian Wheezy VM it still works, so I'll now compare the package/versions with the broken system which is also running Debian Wheezy. Maybe there is a clue there.

I have a feeling it's either a system package or global configuration on the failing server.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Michael Pope]

I haven't ran tcpdump/wireshark yet. What exactly would I be looking for there is a lot of traffic on this network?

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

firefox says the connection was reset, so for the given TCP connection, you would look for what is just before the reset packet, i guess.

maybe `tcpdump 'host authentication.business.gov.au'` will not get too much extra traffic.

[Michael Pope]

Here is the iinformation, I don't know what to look for here.

sudo tcpdump 'host authentication.business.gov.au'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:03.071943 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [S], seq 1190707086, win 14600, options [mss 1460,sackOK,TS val 215316636 ecr 0,nop,wscale 7], length 0
11:53:03.103128 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [S.], seq 2561451118, ack 1190707087, win 4140, options [mss 1460,nop,nop,TS val 1089931629 ecr 215316636,sackOK,eol], length 0
11:53:03.103193 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316643 ecr 1089931629], length 0
11:53:03.103455 IP 192.168.200.4.40324 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316643 ecr 1089931629], length 208
11:53:03.120006 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [.], ack 209, win 4348, options [nop,nop,TS val 1089931647 ecr 215316643], length 0
11:53:03.120618 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [R.], seq 1, ack 209, win 4348, length 0
11:53:03.122985 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [S], seq 2282806227, win 14600, options [mss 1460,sackOK,TS val 215316648 ecr 0,nop,wscale 7], length 0
11:53:03.139553 IP authentication.business.gov.au.https > 192.168.200.4.40325: Flags [S.], seq 224403283, ack 2282806228, win 4140, options [mss 1460,nop,nop,TS val 1089931666 ecr 215316648,sackOK,eol], length 0
11:53:03.139610 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316652 ecr 1089931666], length 0
11:53:03.139959 IP 192.168.200.4.40325 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316653 ecr 1089931666], length 208
11:53:03.156993 IP authentication.business.gov.au.https > 192.168.200.4.40325: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.158784 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [S], seq 2801991975, win 14600, options [mss 1460,sackOK,TS val 215316657 ecr 0,nop,wscale 7], length 0
11:53:03.175232 IP authentication.business.gov.au.https > 192.168.200.4.40326: Flags [S.], seq 1599539643, ack 2801991976, win 4140, options [mss 1460,nop,nop,TS val 1089931702 ecr 215316657,sackOK,eol], length 0
11:53:03.175275 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316661 ecr 1089931702], length 0
11:53:03.175572 IP 192.168.200.4.40326 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316661 ecr 1089931702], length 208
11:53:03.192080 IP authentication.business.gov.au.https > 192.168.200.4.40326: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.193439 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [S], seq 1721502376, win 14600, options [mss 1460,sackOK,TS val 215316666 ecr 0,nop,wscale 7], length 0
11:53:03.211002 IP authentication.business.gov.au.https > 192.168.200.4.40327: Flags [S.], seq 1302270292, ack 1721502377, win 4140, options [mss 1460,nop,nop,TS val 1089931738 ecr 215316666,sackOK,eol], length 0
11:53:03.211047 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316670 ecr 1089931738], length 0
11:53:03.211381 IP 192.168.200.4.40327 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316670 ecr 1089931738], length 208
11:53:03.227092 IP authentication.business.gov.au.https > 192.168.200.4.40327: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.229084 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [S], seq 2072635664, win 14600, options [mss 1460,sackOK,TS val 215316675 ecr 0,nop,wscale 7], length 0
11:53:03.245812 IP authentication.business.gov.au.https > 192.168.200.4.40328: Flags [S.], seq 2850785357, ack 2072635665, win 4140, options [mss 1460,nop,nop,TS val 1089931773 ecr 215316675,sackOK,eol], length 0
11:53:03.245835 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316679 ecr 1089931773], length 0
11:53:03.246052 IP 192.168.200.4.40328 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316679 ecr 1089931773], length 208
11:53:03.261905 IP authentication.business.gov.au.https > 192.168.200.4.40328: Flags [R.], seq 1, ack 1, win 4140, length 0
11:53:03.263764 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [S], seq 2510720116, win 14600, options [mss 1460,sackOK,TS val 215316684 ecr 0,nop,wscale 7], length 0
11:53:03.279848 IP authentication.business.gov.au.https > 192.168.200.4.40329: Flags [S.], seq 1769876596, ack 2510720117, win 4140, options [mss 1460,nop,nop,TS val 1089931806 ecr 215316684,sackOK,eol], length 0
11:53:03.279887 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [.], ack 1, win 14600, options [nop,nop,TS val 215316688 ecr 1089931806], length 0
11:53:03.280229 IP 192.168.200.4.40329 > authentication.business.gov.au.https: Flags [P.], seq 1:209, ack 1, win 14600, options [nop,nop,TS val 215316688 ecr 1089931806], length 208
11:53:03.296137 IP authentication.business.gov.au.https > 192.168.200.4.40329: Flags [R.], seq 1, ack 1, win 4140, length 0

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

On Thu, Apr 6, 2017 at 11:54 AM, Michael Pope <map...@gmail.com> wrote:

11:53:03.120618 IP authentication.business.gov.au.https > 192.168.200.4.40324: Flags [R.], seq 1, ack 209, win 4348, length 0

The lines with [R.] look suspect to me (and i'm not getting them on my system).  Not really sure why the server resets the connection on your host but not any other system.  Also assumed you used wget or otherwise retried 5 times?

Do you mind adding `-w filename` and sending me the file?  I can then open it in wireshark.

Here's what I get:
12:00:57.804806 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [S], seq 1735871134, win 29200, options [mss 1460,sackOK,TS val 134282396 ecr 0,nop,wscale 7], length 0
12:00:57.813737 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [S.], seq 2882600639, ack 1735871135, win 4140, options [mss 1380,nop,nop,TS val 1090406428 ecr 134282396,sackOK,eol], length 0
12:00:57.813782 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [.], ack 1, win 29200, options [nop,nop,TS val 134282399 ecr 1090406428], length 0
12:00:57.814180 IP 192.168.11.249.60508 > 143.174.192.33.https: Flags [P.], seq 1:345, ack 1, win 29200, options [nop,nop,TS val 134282399 ecr 1090406428], length 344
12:00:57.822951 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [.], ack 345, win 4484, options [nop,nop,TS val 1090406437 ecr 134282399], length 0
12:00:57.827928 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [P.], seq 1:1449, ack 345, win 4484, options [nop,nop,TS val 1090406441 ecr 134282399], length 1448
12:00:57.827954 IP 143.174.192.33.https > 192.168.11.249.60508: Flags [P.], seq 1449:2897, ack 345, win 4484, options [nop,nop,TS val 1090406441 ecr 134282399], length 1448

[Michael Pope]

Yes I have tried many times and get the same response both going through the browser and using wget. The attached file is with wget.

from
Michael

[Jayen]

Can you do that again but add --secure-protocol=TLSv1_2 to your wget?  yours is using SSLv3 and mine is using TLSv1_2.  The system i'm on today (ubuntu 16.04 64-bit) won't let me try SSLv3.

Although I'd imagine your firefox is using TLSv1_2 already and the server's not supposed to reset the connection in any case, so I'm not sure all this diagnostic will help in the end.

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+unsubscribe@googlegroups.com.

[Michael Pope]

/etc/apt % wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=TLSv1_2
wget: --secure-protocol: Invalid value `TLSv1_2'.

I also tried the supported wget secure protocols

% wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=TLSv1  
--2017-04-06 12:59:10--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.

GnuTLS: A TLS packet with unexpected length was received.

Unable to establish SSL connection.

% wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=SSLv2
--2017-04-06 12:59:16--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.

GnuTLS: GnuTLS internal error.

Unable to establish SSL connection.

% wget --server-response https://authentication.business.gov.au/S001v4.0/authenticate/q3 --secure-protocol=SSLv3
--2017-04-06 12:59:17--  https://authentication.business.gov.au/S001v4.0/authenticate/q3

Resolving authentication.business.gov.au (authentication.business.gov.au)... 210.193.176.72
Connecting to authentication.business.gov.au (authentication.business.gov.au)|210.193.176.72|:443... connected.

GnuTLS: GnuTLS internal error.

Unable to establish SSL connection.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Michael Pope]

wget --version
GNU Wget 1.13.4 built on linux-gnu.

So it might not have it.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Michael Pope]

I use the same 1.13 version of wget on the working machine, so I don't think it's this.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

can you send a tcpdump from the working machine?

[Michael Pope]

Attached. This VM is a Debian Wheezy 7 machine with all the updates on.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

Hey what's 210.193.176.72 and why is the host connecting to that instead of 143.174.192.33 like the guest (and my machine)?

[Michael Pope]

Thats it ah. Years ago i had a work around in hosts file. I took that out and it all came to life!

Thanks guys, i was going crazy.

From
Michael

[Alan Hopkins]

Well sorted Jayen!

Now I know how useful tcpdump can be!!

Amazing how things we did ages ago (and forgotten about) can come back to haunt us.....

Sent from my Android device with K-9 Mail. Please excuse my brevity. --

--
You received this message because you are subscribed to the "AUSkey" group.
 
To post to this group, send email to aus...@itmaze.com.au
To subscribe from this group, send email to auskey-s...@itmaze.com.au
To unsubscribe from this group, send email to auskey-un...@itmaze.com.au
 
To use the web-forum, visit: http://auskey.itmaze.com.au/

---
You received this message because you are subscribed to the Google Groups "AUSkey" group.

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

it took me a while to notice the difference, even with the two traces side-by-side.  first i was like, "why is wireshark showing ssl3 even though it's the same client hello packet?" then i realized that wireshark must be looking ahead at the negotiation and sorting it out, so i started to look for other differences.  really we could have figured it out by comparing michael's wget output and onno's.

[Jayen]

not sure why you put it in, but once i configured dnsmasq with all-servers some years ago, all my dns problems went away.

[Alan Hopkins]

Hi Jayden

I'm just learning how handy Wireshark is!

Hey - I noticed you had no problem using FF 52 - is that with Linux or Windoze?  If with Linux, does that mean all is ok to update to it?

Cheers

Alan

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Jayen]

Linux, but I'm not a Tax Agent, so I am able to use myGov.

[Michael Pope]

I just tried two versions of Firefox 52 with the tax agent portal, the None ESR version and the ESR version. The None ESR version doesn't work, whilst the ESR version (which still allows us to use the java plugin) works with the tax agent portal. I'm doing this on Debian Wheezy 64bit with Oracle Java 8 browser plugin.

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Onno Benschop]

That is expected behaviour.

--
finger painting on glass is an inexact art - apologies for any errors in this scra^Hibble

()/)/)() ..ASCII for Onno..

[Michael Pope]

What happens next year when firefox drops support for 52-ESR?

from
Michael

To unsubscribe from this group and stop receiving emails from it, send an email to auskey+un...@googlegroups.com.

[Onno Benschop]

Based on the information that I have there should be a fix for this before then. The website shows all the information that I'm able to publish at this time.

o