~lioploum/offpunk-devel

Servers refusing connections from Offpunk

Message ID: <170464059150.7.18160008822603165028.244275989@ploum.eu>
DKIM signature: missing

It looks like a fair amount of gemini and http servers are refusing 
connections from Offpunk. Symptoms are "connection refused" or "timeout" 
while it works well with other browsers.

The only hypothesis I have for that kind of behaviour is offpunk being 
considered as a bot/spam/crawler.

I would like to launch a discussion and a thread to identify servers 
that are not accessible by offpunk and discuss what we could do to 
mitigate this problem.

Today, I came across gemini://gemini.dimakrasner.com/ which was working 
well in 2022 (it was in my cache) but is not accessible today despite 
working well with Lagrange.

Any idea on how to solve that? Any other hypothesis to explain the 
problem?

-- Ploum - Lionel Dricot
Blog: https://www.ploum.net
Livres: https://ploum.net/livres.html

Message ID: <sx5eipe7p5in6dgsuiermfrwajg7t4rnwurhtdw2wds527ruyt@iildhbkrehog>
In-Reply-To: <170464059150.7.18160008822603165028.244275989@ploum.eu>
DKIM signature: missing

Ploum wrote:

> The only hypothesis I have for that kind of behaviour is offpunk
> being considered as a bot/spam/crawler.

How would the site know that? Offpunk doesn't set/send anything like HTTP's User-Agent, does it?

> Any other hypothesis to explain the problem?

I would assume that I had made an error, rather than thinking that the world is against me.

I can see in netcache.py that offpunk does all sorts of things in order to set up a TLS connection. Specifically I see that it attempts to set the ciphers

  "AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH"

What ciphers do we get if we just accept the context calculated from the protocol?

What do the browsers that work use here when they succeed where offpunk fails?

Cheers,

-- 
Kʟᴀᴜꜱ Aʟᴇxᴀɴᴅᴇʀ Sᴇɪꜱᴛʀᴜᴘ 🇩🇰
https://magnetic-ink.dk/kas

Message ID: <170464713527.7.939372964211893571.244322174@ploum.eu>
In-Reply-To: <sx5eipe7p5in6dgsuiermfrwajg7t4rnwurhtdw2wds527ruyt@iildhbkrehog>
DKIM signature: missing

On 24/01/07 05:31, Klaus Alexander Seistrup wrote:
>Ploum wrote:
>
>> The only hypothesis I have for that kind of behaviour is offpunk
>> being considered as a bot/spam/crawler.
>
>How would the site know that? Offpunk doesn't set/send anything like HTTP's User-Agent, does it?

It is clear that some HTTP servers reject Offpunk as a bot (I’ve 
witnessed it several times, sometimes explicitly, sometimes when 
debugging the problem with server admins).

You are right that this makes little sense on Gemini. My only potential 
hypothesis is that Offpunk, during a sync, may make a lot of requests at 
the same time which may be perceived as a DOS attempt by some low-level 
tools like fail2ban.
>
>> Any other hypothesis to explain the problem?
>
>I would assume that I had made an error, rather than thinking that the world is against me.

You are right. That’s why I always think out loud on this mailing-list. 
It helps me gain other insights ;-)
>
>I can see in netcache.py that offpunk does all sorts of things in order to set up a TLS connection. Specifically I see that it attempts to set the ciphers
>
>  "AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:!DSS:!SHA1:!MD5:@STRENGTH"
>
>What ciphers do we get if we just accept the context calculated from the protocol?
>
>What do the browsers that work use here when they succeed where offpunk fails?

That’s a good question and, to be honest, I have not the faintest idea. 
These ciphers are straight from AV-98 and have never been changed as far as 
I know.

Also, I don’t see why a wrong SSL setup would return a timeout error 
instead of a more straightforward SSL error.

The first thing is to investigate if other Offpunk users have the same 
problem.
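
One way to answer the question raised in the thread ("What ciphers do we get if we just accept the context calculated from the protocol?"), as an added example that is not part of any message above and is not Offpunk's own code. It only inspects local `ssl` contexts and makes no connection; the function names `enabled_ciphers` and `compare` are made up for this illustration, and the results depend on the local Python and OpenSSL build.

```python
import ssl

# Cipher string quoted in the thread (from Offpunk's netcache.py).
OFFPUNK_CIPHERS = (
    "AESGCM+ECDHE:AESGCM+DHE:CHACHA20+ECDHE:CHACHA20+DHE:"
    "!DSS:!SHA1:!MD5:@STRENGTH"
)


def enabled_ciphers(cipher_string=None):
    """Return {suite name: protocol} for a fresh client context.

    With cipher_string=None the context keeps the defaults that Python
    and the local OpenSSL build compute for PROTOCOL_TLS_CLIENT.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        # set_ciphers() only governs TLS 1.2 and older; the TLS 1.3
        # suites stay enabled whatever string is passed here.
        ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def compare(cipher_string=OFFPUNK_CIPHERS):
    """Diff the default suite list against the restricted one."""
    default = enabled_ciphers()
    restricted = enabled_ciphers(cipher_string)
    return {
        "tls13_default": sorted(
            n for n, p in default.items() if p == "TLSv1.3"),
        "tls13_restricted": sorted(
            n for n, p in restricted.items() if p == "TLSv1.3"),
        "legacy_restricted": sorted(
            n for n, p in restricted.items() if p != "TLSv1.3"),
        # Suites a default context would offer but the string removes.
        "dropped": sorted(set(default) - set(restricted)),
        # Suites the string enables that the default context does not.
        "added": sorted(set(restricted) - set(default)),
    }


if __name__ == "__main__":
    for key, names in compare().items():
        print(f"{key} ({len(names)}):")
        for name in names:
            print("   ", name)
```

A server that only accepts suites listed under `dropped` would fail the handshake with the restricted string while still working with a default context, which is the case worth ruling out when comparing against a client that connects successfully.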