You are not logged in.

#1 2017-05-08 09:49:19

rix
Member
Registered: 2012-07-25
Posts: 238

Surf + Https

Good morning,

I'm trying to make login in the first page of my job's Juniper vpn,
with Suckless' Surf, from an up-to-date Arch, but it fails reloading
the same page.
Other browsers like Firefox works as expected but I'd like to avoid
them due their heavy weight and the brand new NPAPI concept.
There're no problems at all with connection or the like.

Notice that if I make the first login with Firefox and then continue
with Surf everything works. So i suspect certificates problems but
I can't find any useful log or messages. I'd checked dmesg, journal
and tried running it from console, gdb and also checking strace.

I'd already tried manually exporting relate certificates from Ff and adding
them as symlinks to /etc/ssl/certs. In /etc/ca-certificates/extracted/ and
/etc/ca-certificates/extracted/cadir as pem files. Put them as crt files in
/etc/ca-certificates/trust-source/anchors.
Added their keys to /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem
(which is a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem),
/etc/ssl/objsign-ca-bundle.pem, email-ca-bundle.pem and ca-bundle.trust.crt.

Checked commands update-ca-trust and trust extract-compat.

I'd also searched the forum and the web but still can't solve.
Tried with a compile version of the browser and downgrading and reinstalling
ca-certificates, mozilla-certificates, Firefox, Surf and Openssl.

I hope I didn't forgot anything or made any mistakes.

Thanks in advance for any help.

Last edited by rix (2017-05-11 09:49:00)

Offline

#2 2017-05-08 13:27:46

seth
Member
Registered: 2012-09-03
Posts: 49,992

Offline

#3 2017-05-08 14:05:17

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

Forgot to mention that I'd already tried to make login into my Gmail account as https site,
which did worked but it wasn't changed yet.
I've tried again now, seen the change and it stops working for me too.

Many thanks Sir. Waiting for the update.

Last edited by rix (2017-05-08 14:25:09)

Offline

#4 2017-05-11 09:48:44

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

Good morning,

did the update but the problem persist.

Thanks in advance.

Offline

#5 2017-05-11 12:31:22

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

Only with juniper vpn or also with google services?
In case google works, that's simply not the same issue and you'll have to inquire more what's going on, eg. inspecting the shell output of surf - or try lynx

Offline

#6 2017-05-11 17:06:54

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

Gmail works, Vpn doesn't.

This is the output from shell while doing login in Vpn site with Surf.

[root@host ~]# surf https://the.site.it/
Could not read style file: /root/.surf/styles/default.css

I think Lynx doesn't work with such java apps. Should I try?

I'd already tried many things, still no clue,  and I can't copy and paste right now so if you wanna see any specs just ask please.

Thank so much.

Offline

#7 2017-05-11 19:25:36

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

"Java apps"? Does that mean java or javascript?
As of javascript - elinks would support that (to a certain degree)
As of java, nothing but firefox-esr (search in AUR) does support that.

Since it's not the same issue, we'd need to get some more details than "fails reloading the same page" - I'm not sure it's about certificates nor javascript atm. The google bug was about a spoofed useragent that did not longer work, so we need to get some error messages (since you probably cannot share/provide access the url in question, let alone credentials)

Offline

#8 2017-05-12 11:12:52

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

I meant Java not Javascript.
My Job's Vpn follow more or less these steps:
1) Login in the first page with Domain in the Login Name (domain\user and password)
2) Login again in a second page without Domain
3) In a third page click on a button which should starts a download and install process in Java of the Vpn if you don't have it yet. If you already did the installation instead it will starts the Java app which creates the Tun and starts the secure connection.

I thought about certificates problems because if you follow first step above in Ff and then continue with Surf it works.

As the Google bug was about useragent I'd also tried changing it many time with Ie and Ff ones but with no luck (surf -u 'useragent string' https://site).

I don't have any errors message that's what it's going to drive me crazy.

Sadly nope I can't share informations about the company. Another person in it already got troubles for that asking for an issue about Sap  in the Sap forum. smile

Many thanks.

Offline

#9 2017-05-12 13:43:09

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

Does it work with other webkit2gtk based browsers (notably midori or epiphany)?

The process sounds more like you post login and the other side opens a slot for your IP.
Since the critical part seems the first step, I'd try to perform that with lynx/links/elinks.
If that works, you might even be able to auto-perform that step with curl (before starting the browser - it much depends on whether the logindata is submitted via some http post or via javascript. The java applet does not seem to be required at this point)

Offline

#10 2017-05-12 14:59:16

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

Tried Midori which goes segfault. Didn't tried Epiphany due to its Gnome dependencies.

Lynx + Surf couple works great and I like that. Do you have any tips on how to use Curl to do the same as Lynx here or even the whole process till the Java part?

Thanks a lot.

Offline

#11 2017-05-12 15:33:59

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

"lynx -trace https:///www.example.com" will get you a ~/Lynx.trace that looks somewhat like https://gist.github.com/sio/867566
Translating this to a curl request is a matter of its own - and unfortunately you cannot just share the log ...
In the most simple case you'll find some static POST request which you can "curl -d" but this can become arbitrarily complex :-\

Offline

#12 2017-05-13 05:51:28

sekret
Member
Registered: 2013-07-22
Posts: 283

Re: Surf + Https

seth wrote:

As of java, nothing but firefox-esr (search in AUR) does support that.

Palemoon also still supports the java plugin!

Offline

#13 2017-05-13 06:58:08

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

actually do does webkit2gtk - yet.

However neither has that been the problem here (it even sounds as if the java driven vpn would run as a local process and not as a plugin) and also there're no non-npapi efforts for a java plugin, so the important term is "still" and everybody should really seek for non-java solutions rather than which browser still supports - virtually unmaintained, dying - npapi for (at least some) plugins.

Offline

#14 2017-05-15 16:58:36

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

@ sekret
Never tried Palemoon. Use Java as a plugin as "the old way" or as the new NPAPI way?

@ seth
Agree but I must use a browser for launch the local Java app. Company policy. Sure of it.
But, I think I could start (if not a browser) with something like curl and than manually launch the app.

Here the censored trace you ask for.
https://pastebin.com/Mg2rQ3ri

@ both
Thank you.

Last edited by rix (2017-05-15 16:59:46)

Offline

#15 2017-05-15 19:23:16

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

I didn't exactly ask for it ;-)

This will require some forth and back communication - you need to get the login page, because you'll have to use an up-to-date au_pxytimetag value, then apparently post the first two blocks (look for "POST /" strings) with apparently a slightly different "Host" field.
Next you probably need a cookie ("DSSIGNIN=url_default", though it expires 2037, so you can probably just use a static one) then post the 3rd "POST /" block (uses the cookie but looks static) and finally that gets you a 302 to get a page that contains the postfixSID and the DSIDFormDataStr which you need to post back with the last "POST /" block.

As said: this can become arbitrarily complex :-(

Offline

#16 2017-05-16 15:56:39

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

seth wrote:

[...]
As said: this can become arbitrarily complex :-(
[...]

I don't get it indeed. :S

Offline

#17 2017-05-16 17:11:26

seth
Member
Registered: 2012-09-03
Posts: 49,992

Re: Surf + Https

Unfortunately my skills are limited to poking the server until a solution emerges, ie. try to send data, see whether I get responses or just sleep a while and then just fetch stuff expecting it will come - ie. i'm personally not able to write such script for forth and back communication down just by looking at a trace, sorry :-(

Offline

#18 2017-05-17 16:02:56

rix
Member
Registered: 2012-07-25
Posts: 238

Re: Surf + Https

Thank so much, you'd helped me anyway.
I'm going to make some new researches based on the new informations. In the meanwhile if anyone can help is welcomed.

Thanks again.

Offline

Board footer

Powered by FluxBB