exception error raised in sslstart
Dec. 03, 2008, 08:11 PM
Post: #1
exception error raised in sslstart
Hi,
I tried searching for previous posts regarding this error but couldn't find any. When I googled I found a page with some info - on Sidki's website -, but couldn't download the "fixes". Sorry if I've missed the answer if it was mentioned before. I'm using Proxo v4.5 with a mix of JD's and Sidki's filters.

This error mostly occurs when I'm accessing my mobile phone bills on the vodafone site, although it occasionally happens when I'm accessing my email at Yahoo as well.
I have just updated my proxo cert, so I don't think that can be the problem.
If anyone can help, I'd be grateful, or if someone can just point me to a previous solution, I'll sort it out from there.
Thanks for your time.
Momnewbie
Dec. 03, 2008, 10:52 PM
Post: #2
RE: exception error raised in sslstart
Someone may be able to help if provided with additional information. I assume it was Proxo that got the error (not your browser) and Proxo wasn't doing SSL pass-through.

What was the SSL site that took it down? Does the error happen consistently or only occasionally? Does it happen when first visiting the SSL site or after you've been using that site for a while?

What browser(s) were you using when the error happened?

What versions of libeay32.dll and ssleay32.dll are you using (in explorer, right-click and select Properties) ? Are they the ones from http://www.geocities.com/sidki3003/prox-ssl.html or some other version? Have you tried other DLL versions? Note that there is an incompatibility with recent openSSL versions.
Dec. 04, 2008, 02:12 AM
Post: #3
RE: exception error raised in sslstart
I came across the same issue too since I began to filter https 2 weeks ago.

I am using the dll files from sidki's site. The issue seems to be related to the dll files and to have nothing to do with the browser.

So far I am filtering only one https site and the error happened occasionally. It usually happened after I had been using that site for a while. Some days it worked and some days the error came up. Each time the error came up, I had to restart Prox to be able to filter https again.

I had been trying to google for this issue but didn't get valuable information. I was hoping to rebuild the dlls based on the latest source but it is not documented in sidki's readme how to keep it compatible with Prox. :(

.png  ssl_error.png (Size: 7.77 KB / Downloads: 960)
Dec. 04, 2008, 10:39 AM
Post: #4
RE: exception error raised in sslstart
i've not received any of these errors and i do surf quite a bit of secure sites... i'm wondering if this error is site-specific...

it does add to the conclusion that we "need" a 'how to' guide so that we can all upgrade our own .dll's and .pem's...
Dec. 04, 2008, 03:01 PM
Post: #5
RE: exception error raised in sslstart
Hi,
The site I consistently have problems with is http://www.vodafone.co.uk. I am able to log in to my account without a problem, but when I try to move within that site, I click the link and Prox comes up with the SSL error. I click OK and try again but the same thing happens. It used only to happen when I tried to access Vodafone's online shop, but now it seems to be every link after the initial log in. If the error occurs 2 or 3 times, Firefox protests and then Prox closes down.
I use Prox without a problem on many other secure sites, but the Vodafone one seems to be getting worse.
The libeay32.dll file is V0.9.8.0 and the ssleay.dll is also v0.9.8.0, and they are Open SSL files.
I used to use the JD config exclusively but when I started to have problems - I can't remember what they were as it's too long ago - someone recommended Sidki's filters so I switched to them, but had a few conflicts with them. Eventually they settled down after I began to use the above open ssl files and began renewing the Prox certificate myself - tho' I do find that it doesn't last a year and I do have to renew every few months or some sites - particularly Yahoo mail - start to complain.
I would hate to have to stop using Prox to filter secure sites so would appreciate any help with the problems I'm having. I discovered today that I was unable to log in to my account on Play.com if I kept Prox enabled. Anyone else had, and been able to solve this problem? I tried using a very basic config, but it wouldn't play at all until I bypassed Prox completely - and Santa really needed to access the site, so there was not really an alternative!
Thanks,
Momnewbie
Dec. 04, 2008, 06:18 PM (This post was last modified: Dec. 04, 2008 06:37 PM by Graycode.)
Post: #6
RE: exception error raised in sslstart
I don't know enough about OpenSSL coding to speculate on exactly which API aspects are incompatible with Proxo. I started coding for SSL not long after Scott did, but soon yanked it from my proxy. I've reviewed some of my old notes about it but none of that was helpful.

You might want to try replacing your DLL versions with versions contained in the attached zips. Hopefully one or more of them will get around the error, and in doing so maybe we'll all learn a bit more about the issue from your feedback.

Each zip contains a matched set of "ssleay32.dll" and "libeay32.dll". Here are the internal dates of each version and where they came from:

v_096g = 09 Aug 2002 - Mailwasher Pro v 3.0
v_096k = 30 Sep 2003 - TaxCut 2003 through 2007 (present)
v_097b = 10 Mar 2003 - Sonicwall VPN
v_097d = 17 Mar 2004 - A file I had laying around named "proxomitron-Gryphen-5-1-2005.zip"

Please be sure to save both DLLs that you're currently using before overlaying them.


(Dec. 04, 2008 02:12 AM)whenever Wrote:  The issue seems to be related to the dll files and to have nothing to do with the browser.

The reason I asked about the browser was to determine if the problem has anything to do with Pipelining. IE may not be doing pipelining yet, it's optional in Firefox, and done by default in Opera.

Opera very aggressively pipelines, too much so in my opinion. If it's pipelined a request through a connection it's likely to Re-request it through another connection without giving the original request a reasonable chance to complete. Then later it abruptly terminates the connection that it originally used, usually while the proxy is communicating with the server or is in the midst of sending back the requested content to that browser.

Firefox is a bit better at managing its pipelined requests, though not all that perfect. It also does the occasional abrupt connection terminations.

I was wondering if the SSL was being pipelined and if that might be causing Proxo / OpenSSL to get confused about the state of the connection's conversation.


Attached File(s)
.zip  v_096g.zip (Size: 371.38 KB / Downloads: 831)
.zip  v_096k.zip (Size: 364.11 KB / Downloads: 787)
.zip  v_097b.zip (Size: 435.43 KB / Downloads: 827)
.zip  v_097d.zip (Size: 435.35 KB / Downloads: 869)
Dec. 04, 2008, 10:33 PM
Post: #7
RE: exception error raised in sslstart
Hi Graycode,
Thanks for the zip files. I've downloaded them and will try each set out, but I will make sure I rename the original files first - thanks for the reminder!
I don't know what you mean by "pipelining". Certainly when Prox raises the error, if I try to reload the page, Firefox claims that the reloading cannot be carried out as there was an interruption in contact with the site.

As I mentioned before, I am unable to log on to the http://www.play.com secure site using Prox. I have various configurations which strip away the privacy filters to varying degrees, but the Play site will not let me log in to my account via Prox. Even if I disable my webbug filter (which I *never* do ordinarily) and ensure cookies for Play are enabled in Firefox, I'm sent to a page which states that cookies are not enabled and gives instructions on how to enable them in a variety of browsers. According to Prox Play.com wants to put a bugged cookie on my machine, but even if it is allowed to do so, I still have to bypass Prox to access my account. Any suggestions to get around it, please? Smile!

Will try the different versions of files you put up for download and post back with the results. Thank you very much for your help and suggestions,
Momnewbie
Dec. 05, 2008, 12:09 AM
Post: #8
RE: exception error raised in sslstart
(Dec. 04, 2008 10:33 PM)Momnewbie Wrote:  I don't know what you mean by "pipelining".

http://en.wikipedia.org/wiki/HTTP_pipelining

Pipelining jams in any number of multiple requests at the same time, then the browser expects the responses streamed back in the precise sequence as originally requested and without any intermediate "here's the next one" indication.

Generally it tends to break some servers and proxies. It takes extra consideration to separate the stream of headers precisely, and then it can be even harder to isolate each set of responses for possible filtering. Setup and Cleanup tasks can get complicated when the browser decides to just drop its connection with the proxy during the midst of all that.

{Begin_Rant}
Even when it works properly (which it usually does), the benefits of hoped-for speed are often negated by aspects of queueing theory. Not all requests are the same size, they don't all require the same server resources, and they don't all require the same transmission resource. In my own personal and probably biased experience and testing, a handful of conventional reusable TCP connections beats the heck out of pipelining. Unless you're using a slow satellite service with huge latency then a browser's use of pipelining actually slows down your page loading. Yet some people on the internet recommend using it for (supposed) speed increase without knowing enough about it.
{End_Rant}

If pipelining was involved in the SSL problem you're having, then disabling it may have been a potential cure. I know how my proxy handles pipelining but I don't know any details about what Proxo does with it. I've seen pipelining be the cause of various problems with other proxies like Privoxy and Squid in the past.

(Dec. 04, 2008 10:33 PM)Momnewbie Wrote:  Will try the different versions of files you put up for download and post back with the results. Thank you ...

You're welcome ;) and please do provide feedback about those for the benefit of others.

Sorry I can't answer your cookie questions, hopefully someone else will have some suggestions.
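
Post #8 describes why a filtering proxy has to separate a pipelined stream precisely and cope with a dropped connection. As an added example that is not part of the original thread and is not Proxomitron's code, this Python sketch frames a constructed stream of back-to-back responses and keeps a cut-off response apart; `split_responses`, `_chunked` and `SAMPLE` are hypothetical names, and chunked trailers are assumed absent.

```python
# Added example, not from the thread: framing pipelined HTTP/1.1 responses.
def _chunked(buf, pos):  # hypothetical helper -> (body, next_pos) or None if cut off
    body = b""
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            return None
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if len(buf) < pos + size + 2:
            return None
        if size == 0:                                 # last chunk; no trailers assumed
            return body, pos + 2
        body += buf[pos:pos + size]
        pos += size + 2

def split_responses(buf):
    """Return (responses, leftover); leftover is a response cut off mid-stream."""
    out, pos = [], 0
    while pos < len(buf):
        head_end = buf.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break                                     # header block incomplete
        lines = buf[pos:head_end].decode("latin-1").split("\r\n")
        status = int(lines[0].split()[1])
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:])}
        start = head_end + 4
        if status < 200 or status in (204, 304):
            body, end = b"", start                    # these never carry a body
        elif "chunked" in headers.get("transfer-encoding", "").lower():
            got = _chunked(buf, start)
            if got is None:
                break                                 # chunked body cut off
            body, end = got
        elif "content-length" in headers:
            end = start + int(headers["content-length"])
            if end > len(buf):
                break                                 # body cut off by the peer
            body = buf[start:end]
        else:
            body, end = buf[start:], len(buf)         # close-delimited: must be last
        out.append((status, headers, body))
        pos = end
    return out, buf[pos:]

SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nfirst"
          b"HTTP/1.1 304 Not Modified\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n3\r\nsec\r\n3\r\nond\r\n0\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\nthi")  # constructed; cut off here
```

If the connection closes while the leftover is non-empty, a proxy should discard those bytes rather than pair them with the next queued request.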
Dec. 05, 2008, 01:17 AM
Post: #9
RE: exception error raised in sslstart
I don't filter secure pages for now, but if anyone wants to help, here is how to disable/enable pipelining in Firefox.
Go to "about:config", accept, and type pipelining in the bar below the tabs; you will see the following logic preferences. Enable or disable both:

network.http.pipelining
network.http.proxy.pipelining
Dec. 05, 2008, 01:59 AM
Post: #10
RE: exception error raised in sslstart
I did a search at opera.com and it seems pipelining does cause some issues. Unfortunately there is no option to disable pipelining in Opera. However, when used with a proxy, we can disable pipelining by unchecking "Enable HTTP 1.1 for proxy". I will give that a try later.

Are http headers involved when browsers request HTTP 1.0 or 1.1? If they are, maybe we can have an http header filter to switch per site?
Dec. 05, 2008, 04:42 AM
Post: #11
RE: exception error raised in sslstart
I may have gone far off-topic talking about pipelining. Don't bother turning it OFF unless you're doing that to resolve some issue. And you're better off staying with HTTP/1.1 because you'll have better reusability of TCP connections.

I know the Opera team spends time trying to identify servers that have problems with pipelining, and one of the things that browser frequently grabs when it phones home is an updated list of where to not use pipelining. For example, the Wikipedia link mentions that Opera drops pipelining after a "Server:" header indicates it's encountered Microsoft IIS.

Back to the issue in question: Pipelining probably isn't contributing to the Proxo / OpenSSL error. The original mention was Firefox (pipelining off by default), and Momnewbie would have probably remembered if that option had been enabled. I'm hoping one or more of the DLL sets will lead to a resolution for all browsers, and maybe we'll get more insight about Proxo and OpenSSL along the way.
Dec. 05, 2008, 10:52 AM
Post: #12
RE: exception error raised in sslstart
Hi Graycode,
Thanks for the explanation of "pipelining" - still a bit too far above my level of understanding, but thank you for the thought!
I've unzipped and installed the first of the zip files you gave and was able to surf the entire vodafone secure website without any problems whatsoever. That's the first time in months! Thank you so much for your help. Just to be clear, I used v_096q.
I also tried to log in to my Play.com account using it, but still had the same problem. Does anyone else have a config, which gives *some* kind of privacy which a site like Play.com will accept please?
I always feel slightly unclean and abused if I have to disable Prox for any reason! :(
Thanks for your help,
Momnewbie
Dec. 05, 2008, 11:42 AM
Post: #13
RE: exception error raised in sslstart
(Dec. 05, 2008 10:52 AM)Momnewbie Wrote:  Does anyone else have a config, which gives *some* kind of privacy which a site like Play.com will accept please?
is Play.com not working in the sense of SSL warnings? Or not working in the sense that Proxo axed something it 'needed'?


Quote: I always feel slightly unclean and abused if I have to disable Prox for any reason! :(
lol... me too!...
Dec. 05, 2008, 01:41 PM
Post: #14
RE: exception error raised in sslstart
If not working in the sense that Proxo axed something it 'needed', read the WIP thread: How to find the filter wich is causing problems
Dec. 05, 2008, 08:07 PM
Post: #15
RE: exception error raised in sslstart
Hi Inminente,
I'd already used the log window and could see that Prox was blocking a bugged cookie, amongst other things, but couldn't get beyond trying to solve the problem that way. However, after your suggestions, I discovered that disabling outgoing headers allowed me to log in.
I disabled the outgoing filters one-at-a-time, then tried groups of two, three and four. Eventually I discovered that it was "User-Agent: Hide extra details out".
Unfortunately, as I logged in, I also discovered that I suffered an ssl exception error! But I was able to click OK and continue so it was not a real problem. If it continues, I might try to install a different ssl version from Graycode's zip files.
Thank you very much for your help. I'll bookmark your help page from now on!
Momnewbie