recaptcha-not-reachable error


Murtaza

Jul 8, 2011, 8:53:43 PM
to reCAPTCHA
Hello,

I have implemented reCAPTCHA on a page that requires credentials on my
site; the image and form are showing up correctly. The values of
uresponse, challenge, ip, public and private keys are being passed
correctly, but when I make the call to the google server to validate
the user response, it hangs for a while and then I get
"recaptcha-not-reachable". I am assuming this is because my firewall is
blocking the request from going through. My question is: what do I need
to open up on the firewall side to get this request to go through and
the response to come back?

thanks,
Murtaza

PJH

Jul 9, 2011, 9:42:33 AM
to reca...@googlegroups.com
http://code.google.com/apis/recaptcha/docs/verify.html

> reCAPTCHA never returns this error code. A plugin should manually
> return this code in the unlikely event that it is unable to contact the
> reCAPTCHA verify server.

You need outgoing TCP port 80 (and 443 if you're using https) unblocking.


--
You received this message because you are subscribed to the Google Groups "reCAPTCHA" group.
To post to this group, send email to reca...@googlegroups.com.
To unsubscribe from this group, send email to recaptcha+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/recaptcha?hl=en.




--
PJH


Murtaza

Jul 13, 2011, 10:06:55 AM
to reCAPTCHA
Is there a way to provide proxy info for RECAPTCHA to make the
verification request? This is turning into a big security issue for us
because essentially we have to open up request to the qualified domain
name which is www.google.com if we can't specify a proxy for this
request to go through.

- Murtaza

PJH

Jul 13, 2011, 10:13:17 AM
to reca...@googlegroups.com
About the only concession that I'm aware of that you can make is documented at http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha.

Somehow or other the server running your requests needs to access the reCAPTCHA servers, in addition to the client's. If you're going to set up Squid, for example, then you'll have to make sure it uses pass-through and not cache anything to do with reCAPTCHA.

Presumably your users are able to access the internet (otherwise they wouldn't be able to see the image to begin with) - what's the particular problem with the server they're using also being allowed to?

Murtaza

Jul 13, 2011, 10:31:21 AM
to reCAPTCHA
Well, the users are able to see the CAPTCHA image; that is not the
problem. The problem occurs on the server side when the CAPTCHA
verification is called by the server which sends its request through
the firewall without any proxy info. This causes the firewall to drop
the CAPTCHA packets.

My networking guys are telling me, we need to somehow call this
request through the proxy server so it can go through or we would have
to open up all of google through the firewall. I don't think the second
option is something we are willing to do.

- Murtaza




Adrian Godong

Jul 13, 2011, 10:38:25 AM
to reca...@googlegroups.com
What platform are you on? You can specify a proxy implementation for
the .NET library, but I'm not sure about other platforms.


--
Adrian Godong
adrian...@gmail.com

Murtaza

Jul 13, 2011, 11:32:50 AM
to reCAPTCHA
I am using Unix/Java 1.5

- Murtaza

PJH

Jul 13, 2011, 11:59:18 AM
to reca...@googlegroups.com
Something akin to

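# REDIRECT/DNAT rules live in the nat table; on $server itself use the OUTPUT chain and drop "-s $server"
iptables -t nat -A PREROUTING -s $server -p tcp -m tcp --dport 80 -j DNAT --to-destination $squidserver:3128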

on either the $server that's generating the requests or the firewall that's dropping the packets?







--
PJH


Murtaza

Jul 13, 2011, 12:51:50 PM
to reCAPTCHA
Not really sure what you mean...

I think I need to update the captcha code to make that httpPOST and
httpGet request through the proxy server. I don't really know how to do
that offhand.

- Murtaza
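
Added example (not part of the original thread, and not code from the reCAPTCHA Java plugin): one way to send the server-side verify call described above through an explicit HTTP proxy with java.net.Proxy, available since Java 1.5. The proxy host and port, the class and method names and the sample arguments are assumptions; the four POST parameters and the two-line true/false reply follow the verify API documentation linked earlier in the thread.

```java
import java.io.*;
import java.net.*;

public class ProxiedRecaptchaVerifier {
    // Verify URL as quoted in the thread.
    static final String VERIFY_URL = "https://www.google.com/recaptcha/api/verify";

    /** Returns null when the answer is accepted, otherwise an error code. */
    static String verify(Proxy proxy, String privateKey, String remoteIp,
                         String challenge, String response) {
        HttpURLConnection conn = null;
        try {
            String body = "privatekey=" + URLEncoder.encode(privateKey, "UTF-8")
                    + "&remoteip=" + URLEncoder.encode(remoteIp, "UTF-8")
                    + "&challenge=" + URLEncoder.encode(challenge, "UTF-8")
                    + "&response=" + URLEncoder.encode(response, "UTF-8");
            // Passing the Proxy here routes only this request through it,
            // without changing JVM-wide proxy settings.
            conn = (HttpURLConnection) new URL(VERIFY_URL).openConnection(proxy);
            conn.setConnectTimeout(5000); // fail fast instead of hanging
            conn.setReadTimeout(5000);
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            OutputStream out = conn.getOutputStream();
            out.write(body.getBytes("UTF-8"));
            out.close();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream(), "UTF-8"));
            String verdict = in.readLine();   // "true" or "false"
            String errorCode = in.readLine(); // error code when verdict is "false"
            in.close();
            if ("true".equals(verdict)) return null;
            return errorCode != null ? errorCode : "unknown";
        } catch (IOException e) {
            // Fail closed: an unreachable verify server is never treated as a pass.
            return "recaptcha-not-reachable";
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    public static void main(String[] args) {
        // Hypothetical proxy address and constructed sample arguments.
        Proxy proxy = new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress("proxy.example.internal", 3128));
        System.out.println(verify(proxy, "PRIVATE_KEY", "203.0.113.7", "challenge", "answer"));
    }
}
```

With the request sent this way, the firewall only has to allow the application server to reach the proxy, and the proxy to reach www.google.com.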

PJH

Jul 14, 2011, 4:28:34 AM
to reca...@googlegroups.com
That's what the guys maintaining your firewall need to look at which would make it transparent to your application without you having to mess around with proxy settings; though since you earlier said:

# My networking guys are telling me, we need to somehow call this
# request through the proxy server so it can go through or we would have
# to open up all of google through the firewall.

I don't hold out much hope for you finding an easy solution, since iptables is something they should have come up with themselves.

Murtaza

Jul 20, 2011, 3:48:56 PM
to reCAPTCHA
So I updated the VERIFY_URL to be https://www.google.com/recaptcha/api/verify

I also got the networking guys to open up the firewall to google on
port 443.

Now I am getting the following error:

[7/20/11 13:04:40:156 EDT] 0000003b WSX509TrustMa E CWPKI0022E: SSL
HANDSHAKE FAILURE: A signer with SubjectDN "CN=www.google.com,
O=Google Inc, L=Mountain View, ST=California, C=US" was sent from
target host:port "www.google.com:443". The signer may need to be added
to local trust store

Should I be able to use the verify URL over SSL?

- Murtaza