You are not logged in.

#1 2013-10-09 11:47:12

Sarek23
Member
Registered: 2009-04-18
Posts: 5

wget, curl & transparent HTTPS proxy

I have just installed a new Arch system and have run into trouble using AUR.
My system is behind a transparent HTTPS proxy I have no access to (it is provided by my company's network provider). When I try to download a package from AUR using curl or wget the connection simply times out:

curl https://aur.archlinux.org/packages/ya/yaourt/yaourt.tar.gz
curl: (28) Operation timed out after 300286 milliseconds with 0 out of 0 bytes received

I was able to narrow the problem down to the SSL negotiation: As soon as I force wget or curl to use a specific version, either SSLv3 or TLSv1 (which apparently includes automatic negotiation whether to use TLS 1.0, 1.1, or 1.2) I am able to download files. So far so good.

Unfortunately, the pacman/AUR frontend I use, yaourt, has no option to force an SSL version. I also tried setting up a SSH tunnel using an external server in order to bypass that proxy, but to no avail: The AUR webserver returns an HTTP 301 error code, probably because of the wrong server name I am sending. I have also tried using paktahn, but it has the same issues.

Do any of you have an idea on how I could use AUR? Is there a possibility to make curl always use the -1 option to force TLSv1? Is there a way to access AUR without HTTPS?

Offline

#2 2013-10-09 17:45:06

andy123
Member
Registered: 2011-11-04
Posts: 169
Website

Re: wget, curl & transparent HTTPS proxy

Sarek23 wrote:

I also tried setting up a SSH tunnel using an external server in order to bypass that proxy, but to no avail: The AUR webserver returns an HTTP 301 error code, probably because of the wrong server name I am sending. I have also tried using paktahn, but it has the same issues.

Do any of you have an idea on how I could use AUR? Is there a possibility to make curl always use the -1 option to force TLSv1? Is there a way to access AUR without HTTPS?

Hi,
a few things: 301 is no error message (see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), it's "Moved Permanently". Second, I have no problem using yaourt or cower through a transparet ssh proxy using redsocks. Third, what exactly is failing, the helper or makepkg? You can configure makepkg with /etc/makepkg.conf for example.


i'm sorry for my poor english wirting skills…

Offline

#3 2013-10-09 18:35:02

jasonwryan
Forum & Wiki Admin
From: .nz
Registered: 2009-05-09
Posts: 19,383
Website

Re: wget, curl & transparent HTTPS proxy

Not a Sysadmin issue, moving to AUR issues...


Arch + dwm   •   Mercurial repos  •   Github

Registered Linux User #482438

Offline

#4 2013-10-14 08:04:09

Sarek23
Member
Registered: 2009-04-18
Posts: 5

Re: wget, curl & transparent HTTPS proxy

andy123 wrote:
Sarek23 wrote:

I also tried setting up a SSH tunnel using an external server in order to bypass that proxy, but to no avail: The AUR webserver returns an HTTP 301 error code, probably because of the wrong server name I am sending. I have also tried using paktahn, but it has the same issues.

Do any of you have an idea on how I could use AUR? Is there a possibility to make curl always use the -1 option to force TLSv1? Is there a way to access AUR without HTTPS?

Hi,
a few things: 301 is no error message (see: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), it's "Moved Permanently". Second, I have no problem using yaourt or cower through a transparet ssh proxy using redsocks. Third, what exactly is failing, the helper or makepkg? You can configure makepkg with /etc/makepkg.conf for example.

Responses to your questions:

1. Yes, I suppose I should have written "response code". What I meant to express was that trying to circumvent that transparent proxy using an SSH tunnel does not work, as the AUR web server automatically redirects me to aur.archlinux.org which puts me back on the proxy...

2. Well, I do :-) Unfortunately I do not know what proxy my provider is using. It seems that the problems are caused by the TLS version used by aur.archlinux.org.

3. The download fails. yaourt and paktahn both use curl to download the PKGBUILD. curl fails to download the file because of a timeout. Also, wget fails because of a timeout when I try to manually download the PKGBUILD. Funnily enough, downloading the file or accessing the webpages on aur.archlinux.org using Firefox works perfectly.

Offline

#5 2013-10-16 19:05:00

mikeserv
Member
Registered: 2013-08-17
Posts: 8

Re: wget, curl & transparent HTTPS proxy

Wild guess, but maybe?

curl -Lk "${HTTPS}"

I think that's how I do it... You can double-check with:

curl --help

And there's similar stuff for wget:

wget "${HTTPS}" --no-certificate-check

I'm less certain about that last, but --help might help there, too.

Anyway, it would be a rather nasty proxy that spied on your SSL connections. Probably instead it just intercepts responses from those that don't authenticate in its/your default web-of-trust so the end-user is never given the chance to "Trust Anyway" and hand over their banking sign-on to USAA-com.info or something.

-Mike

Offline

Board footer

Powered by FluxBB