Report forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#109735; Package links-ssl.

Subject: Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...
From: Marcin Kasperski <Marcin.Kasperski@softax.com.pl>
To: Debian Bugs
Date: Thu, 23 Aug 2001 10:58:29 +0200
Message-ID: <3B84C5B5.CEF3F5C0@softax.com.pl>

Package: links-ssl
Version: 0.96

links-ssl 0.92 has some important advantage over links-ssl 0.96 (and probably other versions): the 0.92 version works correctly with the popular Polish internet bank 'Inteligo' (http://www.inteligo.pl) while the 0.96 does not (for some reason the bank software loses the 'session context' in some situations, which causes most of the bank application not to work any more). Look below for the more detailed discussion.

If I understand correctly, links-ssl 0.92 is based on some custom SSL patch to links while links-ssl 0.96 contains the original author's implementation. It is hard to say 'who is responsible' (it is fairly possible that this is the bank software's bug/limitation) but for Polish Linux users it would be really nice to keep the ability of using Inteligo... Maybe a 'links-ssl-old' package (if the problem proves impossible to track down)?

As I possess an account in the bank mentioned, I can perform some tests in case someone is interested. Unfortunately I will not publish my account and password - this is my real bank account. In case someone is able to formulate a real hypothesis of 'what could be wrong', I should be able to report the bank software error. Contact me at mailto:Marcin.Kasperski@bigfoot.com if you like.

Let me describe in detail what happens. Inteligo software performs some strict checking whether the session has not timed out or has not been messed up somehow. When someone (using an officially supported browser like IE or NN) presses Back and attempts to do something with the form obtained this way, he or she gets the login form with the information 'please log in again, something with your session is wrong' (the main reasoning behind it is to protect users who did something in the app and logged out from problems when someone else comes, presses Back several times and has access to the account). I got exactly the same effect while using links-ssl 0.96 in the 'normal' way. I am not an HTTPS expert but I suspect that maybe links-ssl 0.96 implements things like 'keeping more than one connection and switching between them' or something similar.

Regards

-- 
http://www.mk.w.pl  / Marcin.Kasperski | Tool recommendations for programmers:
                    @softax.com.pl     | http://www.mk.w.pl/narzedzia
                    @bigfoot.com       \

Acknowledgement sent to Marcin Kasperski <Marcin.Kasperski@softax.com.pl>:
New Bug report received and forwarded. Copy sent to Peter Gervai <grin@tolna.net>.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: Marcin Kasperski <Marcin.Kasperski@softax.com.pl>
Subject: Bug#109735: Acknowledgement (links-ssl 0.92 is sometimes so better than 0.96...)
In-Reply-To: <3B84C5B5.CEF3F5C0@softax.com.pl>

Thank you for the problem report you have sent regarding Debian. This is an automatically generated reply, to let you know your message has been received.

It is being forwarded to the developers mailing list for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s): Peter Gervai <grin@tolna.net>

If you wish to submit further information on your problem, please send it to 109735@bugs.debian.org (and *not* to submit@bugs.debian.org).

Please do not reply to the address at the top of this message, unless you wish to report a problem with the Bug-tracking system.

Darren Benham (administrator, Debian Bugs database)

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#109735; Package links-ssl.

Subject: Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...
From: Peter Gervai <grin@tolna.net>
To: Marcin Kasperski, 109735@bugs.debian.org
Date: Thu, 23 Aug 2001 13:11:29 +0200
Message-ID: <20010823131129.A18909@Yikes.Tolna.net>
In-Reply-To: <3B84C5B5.CEF3F5C0@softax.com.pl>

Hi,

On Thu, Aug 23, 2001 at 10:58:29AM +0200, Marcin Kasperski wrote:
> links-ssl 0.92 has some important advantage over links-ssl 0.96 (and
> probably other versions): the 0.92 version works correctly with the
[...]

0.92 did contain, for example, the htpasswd authentication, while 0.96 lacks it, because the buggy implementation was backed out.

> If I understand correctly, links-ssl 0.92 is based on some custom SSL
> patch to links while links-ssl 0.96 contains the original author's
> implementation.

As far as I know both use the same implementation, but 0.96's SSL is integrated into the code, so it's using the cache, for example.

> It is hard to say 'who is responsible' (it is fairly possible that this is the
> bank software's bug/limitation) but for Polish Linux users it would be
> really nice to keep the ability of using Inteligo... Maybe a
> 'links-ssl-old' package (if the problem proves impossible to track
> down)?

There is no "old-ssl-patch" anymore, so I cannot craft a version with it. But it would not help anyway, I think.

> Let me describe in detail what happens. Inteligo software performs
> some strict checking whether the session has not timed out or has not
> been messed up somehow. When someone (using an officially supported browser
> like IE or NN) presses Back and attempts to do something with the form
> obtained this way, he or she gets the login form with the information 'please
> log in again, something with your session is wrong' (the main reasoning
> behind it is to protect users who did something in the app and logged
> out from problems when someone else comes, presses Back several times and
> has access to the account). I got exactly the same effect while using
> links-ssl 0.96 in the 'normal' way. I am not an HTTPS expert but I suspect
> that maybe links-ssl 0.96 implements things like 'keeping more than one
> connection and switching between them' or something similar.

I suspect it's about caching, but hard to tell. I forward the problem to upstream, but it will be really hard to spot this since we do not have a bank account there, and testing is pretty hard without one. We'll see.

Peter

Acknowledgement sent to grin@tolna.net:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: grin@tolna.net
Subject: Bug#109735: Info received (was Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...)
In-Reply-To: <20010823131129.A18909@Yikes.Tolna.net>

Thank you for the additional information you have supplied regarding this problem report. It has been forwarded to the developer(s) and to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s): Peter Gervai <grin@tolna.net>

If you wish to continue to submit further information on your problem, please send it to 109735@bugs.debian.org, as before.

Please do not reply to the address at the top of this message, unless you wish to report a problem with the Bug-tracking system.

Darren Benham (administrator, Debian Bugs database)

Reply sent to grin@tolna.net:
You have marked Bug as forwarded.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: grin@tolna.net
Cc: Peter Gervai
Bcc: debian-bugs-forwarded@lists.debian.org
Subject: Bug#109735: marked as forwarded (links-ssl 0.92 is sometimes so better than 0.96...)
In-Reply-To: <20010823131652.B18909@Yikes.Tolna.net>

Your message dated Thu, 23 Aug 2001 13:16:52 +0200 with message-id <20010823131652.B18909@Yikes.Tolna.net> has caused the Debian Bug report #109735, regarding links-ssl 0.92 is sometimes so better than 0.96... to be marked as having been forwarded to the upstream software author(s) Links-Help Mailing List.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Darren Benham (administrator, Debian Bugs database)

Received: (at 109735-forwarded) by bugs.debian.org; 23 Aug 2001 11:16:58 +0000

Date: Thu, 23 Aug 2001 13:16:52 +0200
From: Peter Gervai <grin@tolna.net>
To: Links-Help Mailing List
Cc: 109735-forwarded@bugs.debian.org
Subject: [Marcin.Kasperski@softax.com.pl: Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...]
Message-ID: <20010823131652.B18909@Yikes.Tolna.net>

Hello Mikulas & all,

Here is a problem for which I am out of ideas. I suspect either caching or SSL session problems, but I am not familiar with SSL that far. If anyone has anything useful you can contact the guy by the email he mentioned below.

Mikulas, please signal back whether this could be handled or not, to help me handle the bug report.

Thank you,
Peter

----- Forwarded message from Marcin Kasperski -----

Package: links-ssl
Version: 0.96

[...]

----- End forwarded message -----

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Gervai <grin@tolna.net>:
Bug#109735; Package links-ssl.

Subject: Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...
From: Peter Gervai <grin@tolna.net>
To: Marcin Kasperski
Cc: 109735@bugs.debian.org
Date: Thu, 23 Aug 2001 14:15:15 +0200
Message-ID: <20010823141515.A25457@Yikes.Tolna.net>
In-Reply-To: <3B84EA26.EA271DCB@softax.com.pl>

On Thu, Aug 23, 2001 at 01:33:58PM +0200, Marcin Kasperski wrote:
> > > It is hard to say 'who is responsible' (it is fairly possible that this is the
> > > bank software's bug/limitation) but for Polish Linux users it would be
> > > really nice to keep the ability of using Inteligo... Maybe a
> > > 'links-ssl-old' package (if the problem proves impossible to track
> > > down)?
> >
> > There is no "old-ssl-patch" anymore, so I cannot craft a version with it.
> > But it would not help anyway, I think.
>
> The 'links-ssl 0.92' I mention is of course the version from 'potato
> non-US'. FTPsearch found the sources for this version for instance at
> ftp://ftp.rz.uni-karlsruhe.de/pub/mirror/kde.debian.net/pub/kde/debian/dists/potato/optional/source/

I know what you mean, but the ssl patch there was later incorporated into the mainstream links, so the patch is the same, it just got integrated into the system more deeply. That's why I cannot apply it to 0.96, since it already "has it". Meanwhile the patch was changed several times to fix bugs in the ssl code... some of those could have broken your sessions. I am not even sure it is a bug in links, but it definitely shall be looked into.

> > > Let me describe in detail what happens. Inteligo software performs
> > > some strict checking whether the session has not timed out or has not
> > > been messed up somehow. When someone (using an officially supported browser
> > > like IE or NN) presses Back and attempts to do something with the form
> > > obtained this way, he or she gets the login form with the information 'please
> > > log in again, something with your session is wrong' (the main reasoning
> > > behind it is to protect users who did something in the app and logged
> > > out from problems when someone else comes, presses Back several times and
> > > has access to the account). I got exactly the same effect while using
> > > links-ssl 0.96 in the 'normal' way. I am not an HTTPS expert but I suspect
> > > that maybe links-ssl 0.96 implements things like 'keeping more than one
> > > connection and switching between them' or something similar.
> >
> > I suspect it's about caching, but hard to tell. I forward the problem to
> > upstream, but it will be really hard to spot this since we do not have
> > a bank account there, and testing is pretty hard without one. We'll see.
>
> In case you (or some other maintainer) would like me to test something
> (say, to recompile some links-ssl version and try it or run some version
> with some tracing), let me know (the wrong behaviour is completely
> reproducible, in fact any attempt to perform payment fails). I would be
> happy to help.

Yes, I forwarded your mail to the developers' list, and I strongly hope anyone more familiar with ssl internals will contact either me or you.

> By the way: Inteligo (which is backed by Bankgesellschaft Berlin)
> loosely claimed interest in 'cloning' their virtual bank to other
> countries in our region in the future, with Hungary and Czech Republic as
> first named targets. So far I have not heard about any real work made on
> this task but maybe some time you will be able to try it out...

Could you ask them whether it is possible to use a "demo" account or to make it possible to debug the problem without using a real person's account? I doubt they'll help, but it's worth a try.

I think I would create some ssl session debug output, including session keys, with 0.92 and 0.96, and see what changed in behaviour, but I am not that deep in the actual ssl code (and free time). You can try it, if you feel brave enough :-)

Peter

Acknowledgement sent to grin@tolna.net:
Extra info received and forwarded to list. Copy sent to Peter Gervai <grin@tolna.net>.

From: owner@bugs.debian.org (Debian Bug Tracking System)
To: grin@tolna.net
Subject: Bug#109735: Info received (was Bug#109735: links-ssl 0.92 is sometimes so better than 0.96...)
In-Reply-To: <20010823141515.A25457@Yikes.Tolna.net>
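The bank-side behaviour the reporter describes (a strict session check that answers a form submitted from a page reached with Back, or after a timeout, with "please log in again") is a common design, and modelling it shows why a client that resubmits an earlier page's form from its cache, or sends a request that lacks the session cookie, would see exactly that symptom. The following is an added example written for this page; it is not code from links, Debian, Inteligo or the mailing list, and nothing about how links 0.96 actually behaves is known from the thread. The step-token scheme, the names (BankServer, Browser), the timeout value and the account balance are all constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SESSION_TIMEOUT = 300.0  # idle limit in seconds (constructed value)
LOGIN_FORM = "LOGIN_FORM: please log in again, something with your session is wrong"


@dataclass
class Session:
    user: str
    step_token: str       # the token the form on the user's current page must carry
    last_seen: float
    balance: int = 1000   # constructed sample account state


@dataclass
class Response:
    body: str
    cookie: Optional[str] = None  # session id the client should store
    token: Optional[str] = None   # step token embedded in the returned form


class BankServer:
    """Hypothetical server enforcing a session-integrity check like the one described."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> Response:
        sid, tok = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = Session(user, tok, self.clock())
        return Response(f"welcome {user}", cookie=sid, token=tok)

    def _check(self, sid: Optional[str], token: Optional[str]) -> Optional[Session]:
        """Validate cookie, idle timeout and step token; any failure drops the session."""
        sess = self.sessions.get(sid or "")
        if sess is None:
            return None
        stale = not secrets.compare_digest(token or "", sess.step_token)
        if stale or self.clock() - sess.last_seen > SESSION_TIMEOUT:
            del self.sessions[sid]  # force a fresh login so old pages cannot be replayed
            return None
        sess.last_seen = self.clock()
        return sess

    def submit_payment(self, sid: Optional[str], token: Optional[str], amount: int) -> Response:
        sess = self._check(sid, token)
        if sess is None:
            return Response(LOGIN_FORM)
        sess.balance -= amount
        sess.step_token = secrets.token_hex(16)  # rotate: every earlier form is now stale
        return Response(f"paid {amount}, balance {sess.balance}", token=sess.step_token)


class Browser:
    """Minimal client: one cookie jar plus a history of pages, each with its form token."""

    def __init__(self, server: BankServer):
        self.server = server
        self.cookie: Optional[str] = None
        self.history: List[str] = []  # tokens of the pages visited, newest last

    def login(self, user: str) -> str:
        r = self.server.login(user)
        self.cookie, self.history = r.cookie, [r.token]
        return r.body

    def pay(self, amount: int, page: int = -1) -> str:
        """Submit the form on history page `page`: -1 is the current page, -2 the one after Back."""
        r = self.server.submit_payment(self.cookie, self.history[page], amount)
        if r.token is not None:
            self.history.append(r.token)
        return r.body


def normal_flow() -> Tuple[str, str]:
    b = Browser(BankServer())
    b.login("alice")
    return b.pay(100), b.pay(50)


def back_button_flow() -> Tuple[str, str, str]:
    """Resubmitting the previous page's form (Back) kills the session; later requests fail too."""
    b = Browser(BankServer())
    b.login("alice")
    first = b.pay(100)
    stale = b.pay(50, page=-2)  # the form from the page before the last payment
    after = b.pay(25)           # even the current page is rejected now
    return first, stale, after


def timeout_flow() -> str:
    clock = [0.0]
    b = Browser(BankServer(clock=lambda: clock[0]))
    b.login("alice")
    clock[0] += SESSION_TIMEOUT + 1  # idle past the limit
    return b.pay(10)


def missing_cookie_flow() -> str:
    """A request arriving without the session cookie is rejected the same way."""
    srv = BankServer()
    r = srv.login("alice")
    return srv.submit_payment(None, r.token, 10).body
```

Running `normal_flow()` gives two successful payments, while `back_button_flow()` shows the effect from the report: the stale form is refused, the server discards the session, and the next request from the same client is refused as well, so "any attempt to perform payment fails" from that point until a fresh login. `timeout_flow()` and `missing_cookie_flow()` cover the two other ways such a check fires; a client that served a cached page or split requests across connections with different cookie state would fall into one of these cases from the server's point of view.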