On Friday 16 February 2018 11:53:44 Reco wrote: > Hi. > > On Fri, Feb 16, 2018 at 10:38:49AM -0500, Greg Wooledge wrote: > > On Fri, Feb 16, 2018 at 10:30:31AM -0500, Gene Heskett wrote: > > > On Friday 16 February 2018 07:08:57 Rodary Jacques wrote: > > > > Le vendredi 16 février 2018, 06:42:52 CET rhkra...@gmail.com a écrit : > > > > > On Thursday, February 15, 2018 08:42:14 PM Rodary Jacques wrote: > > > > > > Why can't I access wikis from a Debian box: > > > > > > Forbidden > > > > > > <p>You are not allowed to access this!</p> > > > > > > is the message I get. > > > > > > > > > > I think we need more information--which wiki are you having > > > > > trouble with? (What is its URL?) > > > > > > > > I first had this message on https://wiki.debian.org, then on > > > > various problems. > > > > > > Old but uptodate wheezy install here. firefox had no problems > > > navigating the site. > > > Perhaps your http->S<- is defective somehow. > > > > The original message was so incredibly vague that it could mean > > anything. > > > > But. > > > > If the actual complaint is "I get 403 Forbidden on > > https://wiki.debian.org"; then we need additional detail: what > > version of Debian the OP is using, what browser, and any unusual > > aspects of the OP's network that could be relevant (workplace > > firewall, China firewall, etc.). > > My crystal ball says that OP is using home connection, and no, these > details aren't needed. tcpdump/wireshark capture, combined with the > SSL session key - that's what needed. > Or someone from 11AS12322 willing to provide a temporary shell > account. > > E-mail headers say that e-mail came from 11AS12322 belonging to some > French provider: > > Received: from ns.rodary.net (unknown [88.170.1.143]) > by smtp5-g21.free.fr (Postfix) with ESMTP id 154405FF27 > for <debian-user@lists.debian.org>; Fri, 16 Feb 2018 02:42:15 > +0100 (CET) > > With MUA which is uncommon in dull enterprise world: > > User-Agent: KMail/5.2.3 (Linux/4.9.0-5-amd64; KDE/5.28.0; x86_64; ; ) > > I believe we can exclude such possibilities as China Great Firewall > (unless they installed it in France for some reason), or workplace SSL > Bump (else OP won't see HTTP 403). > > > There have been several similar complaints in #debian IRC over the > > last year or two, with random people coming in and saying that they > > get a "403 Forbidden" on the Debian wiki, but the one thing they all > > have in common is a LACK OF DETAIL. > > Whose who know they way around don't have such problems. Whose who > don't are unable to describe it. I see nothing unusual in this. > > My suggestion to OP - try Tor, see if it works. > > > At this point nobody knows how to diagnose the problem, because > > nobody who HAS the problem is willing or able to come forward and > > just say what is happening and why. Is it a DNS resolution error, > > in which they're getting the wrong IP address? > > No. Browsers do certificate validation, "wrong IP address" would be > possible if the third party somehow produced a valid certificate for > wiki.debian.org (you have to be a CA *or* the government to do this) > and faked a DNS record (that's easy part). > > > Does the wiki or its front-end web server have a firewall that > > blacklists certain IP address ranges? > > Even if it did, the firewall have not come into play. > Since the user saw HTTP 403 it means that HTTPS connection was > established successfully, and a front-end (or back-end) webserver gave > 403 code, which was transferred to a user. > > > Is it a web browser bug? Nobody knows! > > Hardly. Of course OP could use some ancient toy browser that does not > do SNI, but wiki.debian.org provides a correct certificate even for > *those*. It's easy to check with (openssl does not use SNI unless you > ask for it): > > openssl s_client -host wiki.debian.org -port 443 > > Reco
That is quite a verbose tool, thank you Reco for enlightening me. -- Cheers, Gene Heskett -- "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page <http://geneslinuxbox.net:6309/gene>
