Error when checking for update with next snapshot #4803

Closed
nvaccessAuto opened this issue Jan 14, 2015 · 35 comments

@nvaccessAuto

Reported by PZajda on 2015-01-14 12:39
Hi,

Since HTTPS has been implemented for updates in next snapshot, it is not possible to check for update anymore.
It seems there is an SSL error:
DEBUGWARNING - updateCheck.AutoUpdateChecker._bg (13:32:05):
Error checking for update
Traceback (most recent call last):
  File "updateCheck.pyc", line 103, in _bg
  File "updateCheck.pyc", line 70, in checkForUpdate
  File "urllib.pyc", line 87, in urlopen
  File "urllib.pyc", line 213, in open
  File "urllib.pyc", line 443, in open_https
  File "httplib.pyc", line 997, in endheaders
  File "httplib.pyc", line 850, in _send_output
  File "httplib.pyc", line 812, in send
  File "httplib.pyc", line 1216, in connect
  File "ssl.pyc", line 350, in wrap_socket
  File "ssl.pyc", line 566, in __init__
  File "ssl.pyc", line 788, in do_handshake
IOError: socket error CERTIFICATE_VERIFY_FAILED certificate verify failed (_ssl.c:581)

Snapshot version: next-11478,349a1b9

Regards.
Blocked by #4716

@nvaccessAuto

Comment 1 by PZajda on 2015-01-14 12:41
Changes:
Changed title from "Error when checking for update with last next snapshot" to "Error when checking for update with next snapshot"

@nvaccessAuto

Comment 2 by briang1 on 2015-01-14 13:21
I have just made a check with the last next snapshot, from an installed copy in xp and it told me there was no newer snapshot available with no errors. Was this from a portable version, as I would need to make one to test this out.
As I say, it works here in testing.

@nvaccessAuto

Comment 4 by msuch (in reply to comment 2) on 2015-01-14 13:35
Hi,
It also fails here, using an installed copy under W7

Replying to briang1:

I have just made a check with the last next snapshot, from an installed copy in xp and it told me there was no newer snapshot available with no errors. Was this from a portable version, as I would need to make one to test this out.

As I say, it works here in testing.

@nvaccessAuto

Comment 5 by briang1 (in reply to comment 4) on 2015-01-14 14:21
Replying to msuch:

Hi,

It also fails here, using an installed copy under W7

Replying to briang1:

I have just made a check with the last next snapshot, from an installed copy in xp and it told me there was no newer snapshot available with no errors. Was this from a portable version, as I would need to make one to test this out.

OK it has something to do with Windows 7's annoying security regime by the looks of it. On the windows 7 machine it will also fail as a portable version though, which I find a bit strange as none of nvda is then in a protected area.
If as appears from the log it has to do with certificate mismatch on https connections, good luck with that one. I've had problems on other web sites with this issue.

@nvaccessAuto

Comment 7 by nvdakor on 2015-01-14 18:15
Hi,
Yes, this came about after #4716 was implemented. Thanks.

@nvaccessAuto

Comment 8 by jteh on 2015-01-14 23:24
Are people for whom this is failing behind some sort of proxy? The fact that certificate validation is failing is actually very concerning. It suggests that something is intercepting the secure connection and potentially modifying data, which is precisely what this new code is supposed to detect. If that is happening, whatever is doing this could even be sending you an infected copy of NVDA, though that would be an extreme case and is unlikely.

What happens if you go to https://www.nvaccess.org/ with your browsers? Do you get a security warning?

@nvaccessAuto

Comment 9 by nvdakor on 2015-01-14 23:27
Hi,
When I go to the HTTPS URL, I don't get any security warnings.
Thanks.

@nvaccessAuto

Comment 10 by nvdakor on 2015-01-15 01:20
Hi,
Google searches point to a common error: this happens when a self-signed certificate is in use. For now, a possible workaround would be to manually install next snapshot builds.
Thanks.

@nvaccessAuto

Comment 11 by jteh on 2015-01-15 01:31
It's not a self-signed certificate.

@nvaccessAuto

Comment 12 by tspivey on 2015-01-15 01:43
I'm not running next, however, I can't get to the HTTPS version of the website with Firefox. IE works.

www.nvaccess.org uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

Provide the issuer chain on your end, and it should start working.

@nvaccessAuto

Comment 13 by nvdakor on 2015-01-15 01:54
Hi,
I can access HTTPS URL fine on Firefox (it could be just my computer, as I'm using Firefox 34).
Thanks.

@nvaccessAuto

Comment 14 by nvdakor (in reply to comment 12) on 2015-01-15 02:00
Replying to tspivey:

I'm not running next, however, I can't get to the HTTPS version of the website with Firefox. IE works.

www.nvaccess.org uses an invalid security certificate.

The certificate is not trusted because no issuer chain was provided.

Provide the issuer chain on your end, and it should start working.

I guess the following page confirms this:
https://www.sslshopper.com/ssl-checker.html#hostname=https://www.nvaccess.org
Thanks.

@nvaccessAuto

Comment 15 by jteh (in reply to comment 12) on 2015-01-15 02:56
Replying to tspivey:

I'm not running next, however, I can't get to the HTTPS version of the website with Firefox.

Oddly, I didn't have this issue in Firefox. However:

Provide the issuer chain on your end, and it should start working.

Now done. Thanks. I wonder if this will fix the issue with updates, although I don't think so.

@nvaccessAuto

Comment 16 by jteh on 2015-01-15 03:02
Actually, maybe it will. Can someone experiencing this please test now and report? Thanks.

@nvaccessAuto

Comment 17 by jteh on 2015-01-15 03:33
Hmm. I can now reproduce this on a different machine. It looks like even with the intermediate certificates installed on the server, Python doesn't seem to be using them. However, if I load the URL in IE (which automatically installs the intermediate certs), Python then works fine. I don't understand why. Perhaps Python doesn't verify certificate chains for https? That would be very odd, surely.

@nvaccessAuto

Comment 18 by nvdakor on 2015-01-15 04:15
Hi,
At least with 11486, I can check for updates and right now it shows no updates. Thanks.

@nvaccessAuto

Comment 19 by briang1 on 2015-01-15 08:02
Obviously there is something odd going on. The Windows 7 machine I'm using has Firefox 35 as default browser. I don't understand this, and obviously this situation would be no use in a release version as it would create a huge number of queries.
Can someone explain how one goes to the https version manually? Is it just a case of using https?

As I have said already, I've seen odd messages like this when being redirected from other download sites, but often a retry seems to work, but I never connected it to certificates before.

@nvaccessAuto

Comment 20 by k_kolev1985 on 2015-01-15 09:25
I was having the same issue yesterday - I wasn't able to check for updates with that "next" snapshot. Today however, the problem was gone - I was able to check for updates with the same "next" snapshot. There was an update and I was able to download and install it directly from within NVDA. I was able to open the HTTPS link from you Jamie with no problems or alerts in both Internet Explorer 11 and Firefox 35 (default browser).

@nvaccessAuto

Comment 21 by PZajda on 2015-01-15 09:47
Hi,

Updating seems to work fine now for me too, I had an update today (next-11486,57a75e4) and everything worked fine.
Manual checking seems to work for me too (without surprise), now I have the version next-11491,0bb9ef0 available.
I've just tried to update it and everything worked fine too.
So for me, the issue with updates is now solved.

When I go to https://www.nvaccess.org/ I have no warning, I am only redirected to http://www.nvaccess.org

I use Firefox 35.0 on Windows 7.

@nvaccessAuto

Comment 22 by jteh on 2015-01-15 11:41
If you visited https://www.nvaccess.org/ with IE, it would have downloaded the intermediate certificates, so the problem will go away. The problem only occurs if you haven't visited a site using this certificate authority with IE before.

As noted in comment:17, I can now reproduce this and am trying to find a solution.

@nvaccessAuto

Comment 23 by jteh on 2015-01-15 12:16
Ug. It looks like not all root certificates are bundled with Windows. Rather, Windows fetches and installs a given cert from Microsoft Update automatically when a site that requires it is visited. See this article for details. I don't know if/how we can fix this one yet. I guess in the worst case, we might have to bundle the StartCom root certificate.

In addition, it looks like OpenSSL has a bug whereby validation will fail if the root certificate is included in the chain provided by the server. See this thread for details. This one is easy enough to fix and I've just done so on the server.

@nvaccessAuto

Comment 24 by jteh on 2015-01-15 12:24
Ah. This is PythonIssue:20916.

@nvaccessAuto

Comment 25 by msuch (in reply to comment 24) on 2015-01-15 16:29
Replying to jteh:
Very strange! The problem seemed to be fixed some hours ago, since I updated my version without any problem, but just now, I retried to force an update and the error occurred.
I can access the https link with no problem using Firefox 35.
Could it be due to the fact there is no newer snapshot?

Ah. This is PythonIssue:20916.

@nvaccessAuto

Comment 26 by PZajda (in reply to comment 25) on 2015-01-15 16:51
Replying to msuch:

Very strange! The problem seemed to be fixed some hours ago, since I updated my version without any problem, but just now, I retried to force an update and the error occurred.

I can access the https link with no problem using Firefox 35.

Could it be due to the fact there is no newer snapshot?

The issue is back for me too, I cannot check for update, but I still can access the HTTPS link with Firefox or Internet Explorer.

@nvaccessAuto

Comment 27 by nvdakor on 2015-01-15 19:33
Hi,
It's a Python/SSL certificate issue, so it may or may not have to do with newer snapshots.
Update: like others, I cannot get update check to work, and the SSL validation issue is back.
Thanks.

@nvaccessAuto

Comment 28 by briang1 on 2015-01-15 19:56
It is as I said fine in xp, but then I suppose that is a less secure environment. The Windows 7 error is back as I just downloaded the latest snap in xp and ran and made a portable version on Windows 7, and the error is exactly the same as originally reported in that new snap.

@nvaccessAuto

Comment 29 by briang1 (in reply to comment 22) on 2015-01-15 20:07
Replying to jteh:

If you visited https://www.nvaccess.org/ with IE, it would have downloaded the intermediate certificates, so the problem will go away. The problem only occurs if you haven't visited a site using this certificate authority with IE before.

As noted in comment:17, I can now reproduce this and am trying to find a solution.

So just to be clear, this has to be in IE, not in Firefox, as it's Firefox I have as default browser in the 7 machine.

@nvaccessAuto

Comment 30 by jteh (in reply to comment 29) on 2015-01-15 22:31
Replying to briang1:

So just to be clear, this has to be in IE, not in Firefox, as it's Firefox I have as default browser in the 7 machine.

Yes. Firefox uses its own certificate validation framework. IE uses the Windows framework, which is what Python uses for certificates (though Python doesn't trigger automatic download/installation of new certificates).

@nvaccessAuto

Comment 31 by brandon15 on 2015-01-16 00:30
Hello,

Is it confirmed that this is a python issue, and not with a snapshot itself?

Also, I got an untrusted connection warning when trying to load the https page into Firefox. I didn't try it with IE. Is this the problem? I used to be able to at least check for updates when we were using this https, I think, but at the time it said there were no updates available, so I don't know whether downloading would work. That was last night when I got it to work, but a few hours before that I had gotten this error. This is on a windows 8.1 machine 64 bit with 12 gb of RAM.

@nvaccessAuto

Comment 32 by jteh (in reply to comment 31) on 2015-01-16 01:13
Replying to brandon15:

Is it confirmed that this is a python issue, and not with a snapshot itself?

Well, it's a Python deficiency, but we're going to need to work around it or revert this change.

Also, I got an untrusted connection warning when trying to load the https page into Firefox.

Apparently, I messed up yesterday when recreating the certificate. I've fixed this now. Also, it seems the second part of comment:23 doesn't affect us for some reason. On a system with all the correct certificates, it just works.

@nvaccessAuto

Comment 33 by brandon15 on 2015-01-16 01:14
Hello,

Interestingly, I tried it again now, and it worked, about 40 minutes after my posting of the last comment.

I don't know if that has anything to do with it.

@nvaccessAuto

Comment 34 by brandon15 (in reply to comment 32) on 2015-01-16 01:19
Replying to jteh:

Replying to brandon15:

Is it confirmed that this is a python issue, and not with a snapshot itself?

Well, it's a Python deficiency, but we're going to need to work around it or revert this change.

If we revert the change, then won't we run the risk of users getting infected copies of NVDA?

Also, I got an untrusted connection warning when trying to load the https page into Firefox.

Apparently, I messed up yesterday when recreating the certificate. I've fixed this now. Also, it seems the second part of comment:23 doesn't affect us for some reason. On a system with all the correct certificates, it just works.

@nvaccessAuto

Comment 35 by jteh (in reply to comment 34) on 2015-01-16 03:18
Replying to brandon15:

If we revert the change, then won't we run the risk of users getting infected copies of NVDA?

Yes. However, this was always the case. Also, it's worth noting that man-in-the-middle (MITM) attacks aren't trivial to pull off. An attacker has to have control of at least one point between you and our server. It's important that we improve this, but if users stop being able to get updates at all, that isn't an acceptable fix.

@nvaccessAuto

Comment 36 by James Teh <jamie@... on 2015-01-16 07:11
In [ce5dd50]:

Fix certificate verification errors when checking for updates on some systems.

Windows fetches trusted root certificates on demand, but Python doesn't trigger this. Therefore, when verification fails, try to trigger a root cert update ourselves and then retry the update check.
Re #4803.
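
The retry-after-trust-refresh flow described in the commit message above, as an added Python 3 example that is not NVDA's code. `fetch`, `refresh_roots` and `demo` are hypothetical names, and the Windows root-certificate update is stood in for by a callback; the point shown is that only a verification failure triggers the single retry and that verification is never switched off.

```python
import ssl
import urllib.error


def is_cert_verify_failure(exc):
    """True only for a certificate *verification* failure, not any TLS/IO error."""
    # urllib wraps handshake errors in URLError; the real cause is in .reason.
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, Exception):
        exc = exc.reason
    return isinstance(exc, ssl.SSLCertVerificationError)


def check_for_update(fetch, refresh_roots):
    """Run fetch() with verification on; on a verify failure refresh trust once, retry.

    fetch         -- hypothetical callable doing the verified HTTPS request
    refresh_roots -- hypothetical callable asking the OS to install missing roots
    Returns (result, refreshed). If the retry fails too, the error propagates.
    """
    try:
        return fetch(), False
    except Exception as exc:
        if not is_cert_verify_failure(exc):
            raise  # timeouts, DNS, protocol errors: not a trust-store problem
    refresh_roots()
    return fetch(), True  # a second failure propagates: fail closed


def demo(refresh_installs_root):
    """Constructed scenario: the root is absent until the refresh hook adds it."""
    store = {"root_installed": False}
    calls = []

    def fetch():
        calls.append("fetch")
        if not store["root_installed"]:
            raise urllib.error.URLError(
                ssl.SSLCertVerificationError(1, "certificate verify failed"))
        return {"version": "constructed-build"}

    def refresh_roots():
        calls.append("refresh")
        store["root_installed"] = refresh_installs_root

    try:
        return check_for_update(fetch, refresh_roots), calls
    except urllib.error.URLError:
        return None, calls  # still untrusted after one refresh: no update offered
```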

@nvaccessAuto

Comment 37 by James Teh <jamie@... on 2015-01-16 07:11
In [5950250]:

Merge branch 't4716' into next

Incubates #4716. Fixes #4803.

Changes:
State: closed

jcsteh added a commit that referenced this issue Nov 23, 2015
… systems.

Windows fetches trusted root certificates on demand, but Python doesn't trigger this. Therefore, when verification fails, try to trigger a root cert update ourselves and then retry the update check.
Re #4803.