Closed Bug 564421 Opened 14 years ago Closed 11 years ago

Connection reset while trying to access gmail.com or sites.google.com behind corporate proxy (tlsv1)

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Version:
1.9.2 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: albatros_la, Unassigned)

References

(
URL
)

Details

(Keywords: regression)

Attachments

(5 files)

ff3.6.4b gmail.com access log
111.50 KB, text/plain
Details
ff3.6 gmail.com access log
78.14 KB, application/x-zip-compressed
Details
ff3.6.9 gmail.com access log
18.00 KB, application/x-zip-compressed
Details
HTTP activity log, trying to connect to Google Apps For Your Domain mail from behind proxy/web filter. Error is Connection Interrupted.
146.73 KB, text/plain
Details
log of failure to connect through proxy.library.upenn.edu
743.55 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4b (and 3.6.3 too)

After upgrading to 3.6.3 version Firefox does not seem to be able to load gmail.com and sites.google.com pages anymore. It simply responds with the classic error page
------------------------
The connection was reset
The connection to www.google.com was reset while the page was loading.
...
------------------------
Note that it ALWAYS refers to www.google.com, despite the url loaded being gmail.com or sites.google.com. Moreover www.google.com is fully accessible.
The stated sites are fully loadable with IE or previous versions of Firefox on the same network.

(Ineffective) solutions tried so far:
- re-installation
- safe-mode
- different profile
- ipv6 disabling
- network http pipelining disabled

Firefox loads the stated pages painlessly when the machine is connected directly to the web (so just not staying behind the firewall). I have no administrative access to the firewall, so I cannot provide any information about its configuration.

Reproducible: Always

Steps to Reproduce:
1. type "http://gmail.com" or "http://sites.google.com" on url bar
2. press enter
Actual Results:  
Page loading does not occurs, connection reset error encountered indeed.

Expected Results:  
Full access to gmail.com and sites.google.com
Please try a nightly trunk build :
ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-central/

if you still get this attach a http log:
https://developer.mozilla.org/en/HTTP_Logging

I suspect the https proxy security changes in 3.6.3 and one issue got fixed on trunk.
Component: General → Networking: HTTP
Product: Firefox → Core
QA Contact: general → networking.http
Version: unspecified → 1.9.2 Branch

    
    

    
  
I have tried this nighlty build: firefox-3.7a5pre.en-US.win32.zip
It seems that SSL authentication is broken, in fact I am not able to login to the corporate network with it (in order to access to it, I have to login through a web portal whenever I open a new browser instance). Every site I try to access to, it gets me this error:
------------------------
Secure Connection Failed
An error occurred during a connection to websso.corp.thales.

Renegotiation is not allowed on this SSL socket.

(Error code: ssl_error_renegotiation_not_allowed)
------------------------
So I have switched back to the version we was talking about (3.6.4 build 20100503122926).
I have attached the log file I have produced with it while trying to access gmail.com. I have substituted the real corporate proxy url with an evocative "corporate_proxy_url", the rest of the log file is left unchanged. I hope it helps!

    
    

    
  
marking new, someone need to look at the log
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Upgraded to newer relases and still experiencing the same issue. Currently using 3.6.7 and nothing has changed. Any chance to see it solved? I do not want to be pedantic, but I am really missing the connectivity to those sites, thus I am forced to use IE to access them and that is pretty annoying.

    
    

    
  
Have you tried a new profile that you can test to check against the proxy setting change?  Automatically choose system proxy?   how about clearing caches and cookies for those sites?

    
    

    
  
I am forced to use the corporate proxy, so I cannot change that setting if I want to access the corporate network. Gmail sites stated above are the unique sites to which I am not able to access, that is surely an anomaly which cannot be linked to those sites nor to the proxy behavior. In fact, as previously said, I can access to those sites just using IE. I have just tried all what you are suggesting with no improvements. The fact is that the problem raised just upgrading to 3.6.3 version (and later) and if I switch back to 3.6.2 I can have the network fully working again (losing all the other improvements the browser has experienced since then, of course). So something is truly different from versions > 3.6.3 and the previous releases. I am not into the coding matter enough to study the source and understand which is actually different, that is why I am asking some support hoping someone can correct what is going wrong with the code. I understand that there are not so many people experiencing this problem out there (and so - maybe - this is considered a minor bug since it has not been corrected in the last 5 releases), but where I am used to work everyone is currently unable to access gmail by firefox because of this bug and that sounds pretty embarassing.

    
    

    
  
I see in the log that your proxy returns "The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied."  This appears to be an error of "Microsoft Internet Security and Acceleration Server Enterprise Edition"
http://technet.microsoft.com/en-gb/library/cc767787.aspx
Are you able to work out what version of the proxy you are using?

It looks like your bug report could be related to bug 360102.

Can you reproduce the problem with Firefox 2.0?
Is the problem fixed with Firefox 1.5.0.6?

Old versions available here: 
http://www.oldapps.com/firefox.php

p.s. Can you reproduce bug 553979?

    
    

    
  
Well, I will test those versions of Firefox if it helps, but now I will be away from my job place for three weeks, so I will post the results when I will get back there. However, as said above, it's all working with 3.6.3 version, but not with newer versions, so I do not understand which is the point on testing old 1.5.x and 2.x versions. I will check the log of 3.6.3 version in order to see if there is the same issue with the ISA server (maybe that's not the trouble blocking gmail, we will see). I will try to find out which is the version of the proxy too.
Bug 553979 is not reproducible: other sites are fully accessible and there are no hangs on connection.

    
    

    
  
(In reply to comment #9)
> However, as said above, it's all working with 3.6.3 version,
> but not with newer versions,
> so I do not understand which is the point on testing old 1.5.x and 2.x versions.

As seen in bug 575915(mainly due to proxy's bug), problem due to proxy's bug is affected by Fx/Tb side change in newer version.
I recommend you to get NSPR log with Fx 3.6.3 and with a newer Fx 3 version, and compare protocol level flow, as opener of bug 575915 and us did. 
> https://developer.mozilla.org/en/HTTP_Logging
> SET NSPR_LOG_MODULES=timestamp,nsHttp:5,nsSocketTransport:5,nsHostResolver:5

    
    

    
  


  

    
    

    
  


  

    
    

    
  
Upgraded to 3.6.9, behaviour's remained the same. I've logged the protocol level flow as you have suggested and I have attached the resulting logs for 3.6.9 and 3.6 releases. The latter because I have verified that it is the last working version. I am pretty sure gmail was accessible as far as I was connecting through 3.6.2, but actually today that release gives the same problems of the most recent ones. Release 3.6 resulted fully working as you can see looking at the relevant log file. I am not enough into the matter to understand what's going on, however I have roughly looked into the log and yes: it could be something similar to which reported into bug 575915. If it will turn out to be a proxy-side bug, I will be really glad to communicate it to my system administrator if you instruct me about the problem.

    
    

    
  
Upgraded to 3.6.9, behaviour's remained the same. I've logged the protocol level flow as you have suggested and I have attached the resulting logs for 3.6.9 and 3.6 releases. The latter because I have verified that it is the last working version. I am pretty sure gmail was accessible as far as I was connecting through 3.6.2, but actually today that release gives the same problems of the most recent ones. Release 3.6 resulted fully working as you can see looking at the relevant log file. I am not enough into the matter to understand what's going on, however I have roughly looked into the log and yes: it could be something similar to which reported into bug 575915. If it will turn out to be a proxy-side bug, I will be really glad to communicate it to my system administrator if you instruct me about the problem.

    
    

    
  
Things seem going from bad to worse! After upgrading to 3.6.10 I have lost the capability to access to bugzilla too, thus I am currently using firefox 3.6 in no-remote mode on a different profile in order to access bugzilla, gmail, google sites, etc... Running two Firefox versions simultaneously is the unique solution I have found so far in order to maintain the improvements of latest versions while having the chance to access gmail & co.

    
    

    
  
I think I'm suffering from this at work, too.  Our web access is filtered by a Blue Coat proxy, I believe.  GMail (more specifically, GAFYD) works fine with older (< 3.6) versions of Firefox and Internet Explorer 6-8 but does not work with the latest versions of Firefox.

All I see is the error:

"The connection was interrupted

The connection to mail.google.com was interrupted while the page was loading."

Given the site works fine with IE and, anecdotally, other browsers in use in the company as well as older versions of Firefox, I think the problem is with Firefox.

I appreciate this issue only affects people who are behind a corporate web filter/proxy, but I think the priority should be considered high, to ensure adoption in large corporate environments.  With this bug in place, it's impossible to advocate the use of Firefox at work.

Thanks.

    
    

    
  
(In reply to comment #16)
> I think I'm suffering from this at work, too.  Our web access is filtered by a
> Blue Coat proxy, I believe.

Does your proxy require authentication?
Could you find out which Blue Coat proxy you are using (i.e. product name & version), and also attach a http log:
https://developer.mozilla.org/en/HTTP_Logging

    
    

    
  
No authentication required, just an Automatic Proxy Configuration URL to an internal .pac file.

I'll try and get the rest of the information together.

Thanks.

        Attachment #481166 -
        Attachment mime type: application/octet-stream → text/plain

    
    

    
  
I've attached a HTTP Activity log of the connection interrupted failure using
Firefox 3.6.10 on Windows 7 Enterprise 32-bit.  Note that it used to be a
connection reset message but at some point that's changed to be connection
interrupted.

After asking around, I think we're running Blue Coat ProxySG appliances (Full
Proxy Edition) which are probably running version 5.4 or version 5.5 of SGOS. 
Still trying to confirm that.

Like the original reporter, I've tried most of the usual workarounds to no
avail. 

- re-installation
- safe-mode
- different profile
- ipv6 disabling
- network http pipelining disabled

    
    

    
  
Right, I've had it confirmed by our auto proxy team that our web filter/proxy infrastructure is based around Blue Coat ProxySG appliances Full Proxy Edition running roxysg 8100/20 sgos 5.3.3.1.

If I can supply anything else to help get this fixed, please let me know.  It's been a problem in our environment for quite a few FF releases now, unfortunately.  Thanks.

    
    

    
  
Typo:

Blue Coat ProxySG appliances Full Proxy Edition running proxysg 8100/20 sgos 5.3.3.1.

    
    

    
  
I tried installing Firefox 4 Beta 6.  Same issue.  :/

    
    

    
  
I don't know which is the proxy my company is actually using. However, I found this thread related to Blue Coat Proxy SG:
https://kb.bluecoat.com/index?page=content&id=FAQ969&actp=LIST
Let me know if that solution works for you.

    
    

    
  
I've tried with TLS v1 option enabled and disabled.  Neither works.  The connection is still reported as being interrupted.  :/

    
    

    
  
Well, yes, but on that thread they also suggest a configuration trick for the same proxy. Maybe that will solve your problem.

    
    

    
  
Well, yes, but I have no access to the proxy configuration to test such things.  Our firm officially don't support Firefox so the official team won't try it out either.  It's hard to argue the point when IE copes with this corporate proxy out of the box, and Firefox doesn't (in it's latest versions).

    
  
Keywords: regression

    
    

    
  
Finally good news! Today I have tested version 4.0b7 and I can confirm it actually works as expected (I am currently typing from Mozilla/5.0 [Windows NT 5.1; rv:2.0b7] Gecko/20100101 Firefox/4.0b7). I can now access google services again. In order to do that I have re-enabled the TLS 1.0 support (that change was uneffective with previous versions).
Moreover, the corporate network settings fully block net access if SSL renegotiation is enabled. It is a problem which seems to be unrelated with the gmail access which has lead to this bug report. However, I would like report hereafter the solution since it is possibile that users encountering that problem have also to face with this one: setting of the environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1 is needed. This solution surely raises some security issues, but as said above it is sometimes required in order to be able to gain net access while being connected to really restrictive corporate networks.
I do not switch to SOLVED the bug since I cannot be sure anything has changed server-side, thus I think other users feedback would represent a more reasonable approach.

    
    

    
  
I'm delighted to report that Firefox 4.0b7 also appears to work here too, with TLS enabled.  I'll continue to monitor over the next few days, but it has been working consistently with GMail over https for the last 24 hours.  I haven't had to set any environment variables.

Great stuff.

    
    

    
  
OK, further comments following a few days monitoring.

A colleague experiencing the same issue remained on Firefox 3.6.12 and discovered that his gmail problems also disappeared.  He thinks things weren't working when he first upgraded to 3.6.12 but then suddenly overnight they were (possible change in our company's proxy server?).  So it's also possible that the change which fixed my Gmail problems was also not related to the browser - it might also have been said proxy change.

On my FF 4b7 installation, I've discovered however that encrypted Google search [https://encrypted.google.com/] requests still do not work - I get "The connection was interrupted" message for any such attempts, just as I used to for Gmail.  Gmail tho continues to work - I even logged out, deleted all mail.google.com cookies and restarted the browser.  I was still able to log back in to Gmail.

I'm not sure this is making things any clearer, but it looks like there's still something clashing between FF 4b7 and our proxy setup.  Why it effects encrypted.google.com and not gmail, I have yet to uncover.

    
    

    
  
Just to add my experience; 

Gmail definitely wasn't working with 3.6.11 via our corporate proxy when that release first came out.

Gmail is now working with 3.6.12 - I suspect it wasn't when it first came out (I probably would have checked), but can't be 100% sure.

https://www.google.com is giving the same "The connection was interrupted" error that Gmail used to. 

I've checked all the above with a new profile, so I know Google isn't using a cookie from anywhere.

It would be interesting to know if others suffering from this problem can now access it with 3.6.12; in which case it looks like something at Google has changed. If it's still a problem, then something with our corporate proxy has changed.

    
    

    
  


  
About the first half of this log is just starting up, loading my home page, and getting my bookmark for the library proxy server for google-scholar. I think the trouble begins when the word "scholar" first appears.

    
    

    
  
I think I have a similar problem, so I am reporting it here rather than opening a new report. I'm using nightly 13.0a1 (2012-02-02), for x86_64 linux. As of the build for 2012-01-28, everything was fine, but either 1/29, 1/30, or 1/31 stopped being able to connect to a proxy server that allows me to use the University of Pennsylvania library from home. I get "The connection to proxy.library.upenn.edu:2122 was interrupted while the page was loading." This is of course after typing my login and password. The problem occurs on two different machines, but google-chrome works fine. I will try to attach a log.
Summary: Connection reset while trying to access gmail.com or sites.google.com behind corporate proxy → Connection reset while trying to access gmail.com or sites.google.com behind corporate proxy (tlsv1)

    
    

    
  
(In reply to Jonathan Baron from comment #33)
> I think I have a similar problem, so I am reporting it here rather than
> opening a new report.

It turns out that I was able to fix my problem by deleting permissions.sqlite. I discovered this by starting with a new profile and moving pieces of the old one, one by one.

So I think this bug is probably fixed, but I'm not changing it, because I'm not sure my bug was the same.

    
    

    
  
WFM per comment 28
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME

    
    

    
  
Just as additional information:

Jonathan Baron seems to have "EZproxy", while samwise and albatros_la have the "Blue Coat Proxy" in their corporate network. From the attached log files I can see that albatros_la worked for Thales. Thales uses a Blue Coat Proxy with SSL interception. This means the proxy breaks your secure connections to gmail and can read your mail password in plaintext. My urgent advice is to not use the corporate network for secure connections and private mail.

Read more at https://bluecoatproxy.wordpress.com

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: