
SOLVED:Cannot connect to https site

by wongo (Initiate)
on Feb 07, 2013 at 02:25 UTC ( #1017543=perlquestion )
wongo has asked for the wisdom of the Perl Monks concerning the following question:

Good evening, most excellent experts,

I have a script that uses WWW::Mechanize to fetch data from a secure web server. Upon moving that script to a new computer, the script appears to hang for 60 seconds, then fails with the following error:

Error GETing https://sourceselfservice2.ceridian.com/elbitsystemsofamerica: Can't connect to sourceselfservice2.ceridian.com:443 at bin/perl/gpa_fail line 14

If I substitute a different https site (e.g. google mail), the program connects within a couple seconds with no problem.

Here's a simplified version of the program:

    #!/usr/bin/perl -w
    use strict;
    use WWW::Mechanize;
    use LWP::UserAgent;
    use HTTP::Cookies;

    # This URL hangs for 60 seconds and then fails
    my $fail_url = "https://sourceselfservice2.ceridian.com/elbitsystemsofamerica";
    # This URL connects within a couple of seconds
    my $work_url = "https://accounts.google.com/ServiceLogin?service=mail";

    my $mech = WWW::Mechanize->new();
    #$mech->agent_alias('Windows Mozilla');
    $mech->get( $fail_url );

In the failure case, Wireshark seems to show an initial handshake of three TCP packets (SYN out; SYN, ACK in; ACK out), then an SSL Client Hello. The last packet before the 60s "hang" is a TCP ACK from the remote server.

Connecting to an https site that works, Wireshark shows the same first five packets, leading up to the SSL Client Hello and TCP ACK. The next packet is a TLSv1.1 Server Hello from the remote machine.

I believe I've verified that I have all the same packages on both systems, but of course, they are typically newer versions on the newer system.

I'd appreciate any help in tracking down the discrepancy.

SOLVED (20 Apr 2013):

I used perl -d:Trace failing_program to identify all modules used by the program, and then used cpan to update all those modules to the latest. This did not resolve the problem.

I then found this link giving a solution to the same problem with a different site. It seems to boil down to failure of the site to accept the TLS negotiation when certain cipher alternatives are offered by the client. Restricting the available ciphers in IO::Socket::SSL results in a successful handshake with the site.

I added the following two lines at the beginning of my program:

    use IO::Socket::SSL;
    IO::Socket::SSL::set_defaults(SSL_cipher_list => 'ALL:!3DES:!DES:!ADH:!SRP:!AESGCM:!SHA256:!SHA384');

And there was much rejoicing.
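
The trial and error behind the cipher restriction above, as an added example that is not part of the original post: it starts from the seven exclusions in the posted cipher list and drops each one that the handshake turns out not to need. The sub names, the 10-second timeout and the offline stand-in for the server are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;

# One TLS handshake offering only $cipher_list; true if it completes.
sub handshake_ok {
    my ($host, $cipher_list) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => 443,
        Timeout         => 10,               # fail fast instead of the 60 s hang
        SSL_hostname    => $host,            # send SNI
        SSL_verify_mode => SSL_VERIFY_PEER,  # keep certificate checks on
        SSL_cipher_list => $cipher_list,
    ) or return 0;
    $sock->close();
    return 1;
}

# Build an OpenSSL cipher string: base list followed by !EXCLUSION terms.
sub cipher_list {
    my ($base, @excluded) = @_;
    return join ':', $base, map("!$_", @excluded);
}

# Greedy minimisation: drop each exclusion in turn, and leave it dropped if
# the handshake still succeeds without it.
sub minimal_exclusions {
    my ($base, $exclusions, $try) = @_;
    my @keep = @$exclusions;
    for my $candidate (@$exclusions) {
        my @trial = grep { $_ ne $candidate } @keep;
        @keep = @trial if $try->(cipher_list($base, @trial));
    }
    return @keep;
}

my @from_post = qw(3DES DES ADH SRP AESGCM SHA256 SHA384);
my $host      = shift @ARGV;

# Without a host argument, use a constructed stand-in so the script runs
# offline: it "fails" unless AESGCM and SHA384 are both excluded. This is
# sample behaviour, not a finding about any real server.
my $try = defined $host
    ? sub { handshake_ok($host, $_[0]) }
    : sub { $_[0] =~ /!AESGCM\b/ && $_[0] =~ /!SHA384\b/ };

my @needed = minimal_exclusions('ALL', \@from_post, $try);
print "exclusions still required: @needed\n";
print "SSL_cipher_list => '", cipher_list('ALL', @needed), "'\n";
```

Run it with the host name as its only argument, then pass the printed list as `ssl_opts => { SSL_cipher_list => ... }` to `WWW::Mechanize->new` so the restriction applies to that one user agent rather than to every TLS connection in the process. `ALL` also offers suites that OpenSSL leaves out of `DEFAULT`, so change the base to `DEFAULT` or `HIGH` if the server still completes the handshake with it.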

Re: Cannot connect to https site
by syphilis (Canon) on Feb 07, 2013 at 03:39 UTC
    When I try to browse to
    https://sourceselfservice2.ceridian.com/elbitsystemsofamerica
    I get a login box.
    Does your problem go away if you pass a valid username and password via your script?

    Cheers,
    Rob

      I don't get the login box. The full script passes username and password, or would if it could download that first page.

        Yeah, it's hard to perform any meaningful test from here without a valid username and password.
        Even if I change the url (in the script you provided) to:
        https://sourceselfservice2.ceridian.com
        I still can't even browse to that. All I get is a redirect to:
        https://sourceselfservice2.ceridian.com/en-us/Invalid.asp
        and an error message that says:
        This request is not valid. Please close this window and log back in. If you feel that you have reached this page in error, please contact your administrator.
        Sort of suggests to me that you have to be logged in *before* you can even get to that page ... seems odd, but I don't know much about the way these things work. (Magic, I expect ;-)

        Maybe you need to shift your investigation to trying to understand how on earth it is that the old connection worked.

        Cheers,
        Rob
Re: Cannot connect to https site
by dvwright (Initiate) on Feb 07, 2013 at 04:14 UTC

    Maybe check/compare the versions of Mechanize, LWP and Net::SSL

    "The Crypt::SSLeay package provides Net::SSL, which is loaded by LWP::Protocol::https for https requests and provides the necessary SSL glue" - Crypt--SSLeay

    Seems like the new box can't speak the TLSv1.1 protocol

      Thanks for the tip. WWW::Mechanize is the same version at 1.71. LWP::Protocol::HTTPS moved from 6.02 to 6.03. From what I can tell, the changes are insignificant. Crypt::SSLeay moved from 0.57 to 0.58. From what I can see, only minor changes there too.
