Koozali.org: home of the SME Server

https blocked

jugglingphil
« on: November 03, 2010, 11:43:04 AM »
Hi, long time user of SME, 1st time poster.
Recently upgraded SME server to 7.5.1. This was a fresh install on new hardware. Since moving to 7.5.1 https sites cannot be accessed, while http sites can. If I go out via another gateway, https and http work ok.
I cannot see what is blocking this access. Any pointers and help greatly appreciated.
 
I have installed the dmc-mitel-portopening contrib, ports 80 and 443 are open. Squid.conf also lists port 443 as safe

Thanks in advance, Phil

janet
« Reply #1 on: November 03, 2010, 02:39:02 PM »
jugglingphil
 
Quote
I have installed the dmc-mitel-portopening contrib

That is a very old contrib for sme5. You should uninstall it immediately.

SME server has a built in port opening and forwarding panel since sme6 I think.

While you might be a long time user, you have certainly not kept track of development.

In normal default use you do not need to open or forward any ports.
Remove the rpm and see if you still have problems.
If so, please explain more precisely what access from where to where that you have problems with.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

CharlieBrady
« Reply #2 on: November 03, 2010, 03:31:55 PM »
Quote
SME server has a built in port opening and forwarding panel since sme6 I think.

Port forwarding, yes, since before sme6. Port opening is implicit in service enabling/disabling.

OP however seems to be reporting a problem with outbound access. SME server blocks no outbound accesses. I suspect that OP's problem might be default gateway configuration and/or proxy configuration on client machines.

If this command on the server shows content, then https is not being blocked outbound from the server:

lynx -dump https://www.contribs.org/

jugglingphil
« Reply #3 on: November 03, 2010, 03:45:08 PM »
I have removed port-opening.
Still cannot access https sites.
I know that this isn't normal, and I doubt it's a bug as there are no other reports (as far as I can see) of this happening for anyone else.

From a PC on the network, with DNS and Default gateway pointing to SME server (server and gateway) can access http but not https.
http proxy is enabled on SME server but not on PC.

If http proxy disabled cannot access http or https, same if proxy set on PC (internet options)
PC config did not change from old SME server running 7.0

From SME server, lynx -dump command shows plenty of content.

Igi2003
« Reply #4 on: November 03, 2010, 10:19:17 PM »
I had this Problem too when my WAN Connection is enabled in the configuration db. After Update I must disable WAN, because my SME connects via ppp0.
db configuration setprop wan status disabled
signal-event....post....and reboot... don't forget
Only if your WAN Connection is setup via adsl-setup, not console...

Igi

CharlieBrady
« Reply #5 on: November 03, 2010, 11:50:14 PM »
Quote
Only if your WAN Connection is setup via adsl-setup, not console...

Why are you using adsl-setup and not the console?

Igi2003
« Reply #6 on: November 04, 2010, 12:10:45 AM »
Because my connection was not established automatically when using PPPoE Setup over console. Then I tried over adsl-setup, and then the PPPoE connection comes up after bootup SME. Even when WAN Connection (wan status enabled in config db) is enabled too, I have Problems with https (SSL) Sites. My Provider drops the first connection when the second comes up. So the two connections kick each other permanently till I disable wan connection.

Igi

CharlieBrady
« Reply #7 on: November 04, 2010, 01:51:30 AM »
Quote
Because my connection was not established automatically when using PPPoE Setup over console.

You should have reported the problem via the bug tracker, so that whatever the problem was could be diagnosed, and fixed in the SME server software if required.

I would expect you will have a variety of problems if you attempt to use server-gateway mode with the WAN service disabled, and custom adsl_setup configuration.

axessit
« Reply #8 on: November 04, 2010, 10:49:32 AM »
I have my router setup with DHCP for LAN client, only client is SME, with SME as DHCP client using MAC address as identifier on its external NIC. I have port forward rule for 443 on my router so I can access my webmail from internet. Maybe the router is blocking or forwarding 443 to another IP as a new server will have a new ethernet MAC address and may not have the same IP as the old hardware. You can see your external IP on the SME server manager "review configuration" screen.

I have also heard of the wrong MTU setting on your router, without getting into a debate, this should be defaulted to 1500 if you can see anywhere to adjust it. It makes SSL sessions break if set wrong, normal browsing is OK. But I wouldn't go here first.

When you say if you use another gateway all is OK, is this using the same adsl router or another?


Igi2003
« Reply #9 on: November 04, 2010, 06:14:23 PM »
Quote
You should have reported the problem via the bug tracker, so that whatever the problem was could be diagnosed, and fixed in the SME server software if required.

I would expect you will have a variety of problems if you attempt to use server-gateway mode with the WAN service disabled, and custom adsl_setup configuration.

My SME works fine since three years with this config. Only after Update if wan is enabled, he had Problems. And he works in Server and Gateway mode.

Stefano
« Reply #10 on: November 04, 2010, 06:51:17 PM »
Quote
My SME works fine since three years with this config. Only after Update if wan is enabled, he had Problems. And he works in Server and Gateway mode.

fine.. but if something doesn't work out of the box it should be reported in bugzilla..
other people could experience this issue
thank you

jugglingphil
« Reply #11 on: November 05, 2010, 10:12:43 AM »
Gone a bit off topic here, I definitely don't want to disable my WAN side.

The PCs, router and ADSL line have not changed.
The old SME 7.0 server was moved to a new Local IP address, while the new 7.5.1 server given the old local IP of the 7.0 server. Both set the same on the external side. At that point I have started to experience problems with https access.
So problem is either with 7.5.1 (unlikely as on a different company I'm involved with 7.5.1 works no problem), or with the way I set it up. I'm thinking best to wipe the new 7.5.1 server and start again, however I won't be able to physically get to the server to do this until next week.

Stefano
« Reply #12 on: November 05, 2010, 10:48:25 AM »
Quote
I'm thinking best to wipe the new 7.5.1 server and start again, however I won't be able to physically get to the server to do this until next week.

worst way to act.. you should discover and understand WHY you have such an issue, then, eventually, open a bug

jugglingphil
« Reply #13 on: November 05, 2010, 11:07:02 AM »
Stefano, that's what I've been trying all week, unfortunately I'm not getting anywhere.

Stefano
« Reply #14 on: November 05, 2010, 11:18:18 AM »
ok..

you say that
- from SME console you can reach https sites (you can try again with elinks https://a_test_site)
- from internal/lan clients you can't.

is your SME http proxy in transparent mode? did you try to disable (if enabled) squid?
did you try to see from SME console and iptraf and/or tcpdump if there's https traffic?
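
One way to read the tcpdump capture suggested in the last reply, as an added example that is not part of the thread: it sorts each port-443 flow in `tcpdump -nn` text output by how far the TCP exchange got. The sample lines, the addresses and the verdict wording are constructed assumptions; the second verdict matches the symptom described in the MTU remark of Reply #8.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn 'tcp port 443'` output (not from the thread).
# 192.168.1.50/.51 are hypothetical LAN clients; 203.0.113.x are documentation addresses.
SAMPLE = """\
10:00:00.000001 IP 192.168.1.50.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:00:03.000001 IP 192.168.1.50.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:00:10.000001 IP 192.168.1.51.52000 > 203.0.113.20.443: Flags [S], seq 5, win 64240, options [mss 1460], length 0
10:00:10.020001 IP 203.0.113.20.443 > 192.168.1.51.52000: Flags [S.], seq 9, ack 6, win 65535, options [mss 1460], length 0
10:00:10.020101 IP 192.168.1.51.52000 > 203.0.113.20.443: Flags [.], ack 10, win 64240, length 0
10:00:10.021001 IP 192.168.1.51.52000 > 203.0.113.20.443: Flags [P.], seq 6:523, ack 10, win 64240, length 517
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)")

def classify(capture, port=443):
    """Return {(client, client_port, server): verdict} for TCP flows to `port`."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "c_data": 0, "s_data": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        src, sport, dst, dport, flags, length = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        if dport == port:                      # client -> server
            f = flows[(src, sport, dst)]
            if flags == "S":
                f["syn"] += 1
            f["c_data"] += length
        elif sport == port:                    # server -> client
            f = flows[(dst, dport, src)]
            if flags == "S.":
                f["synack"] += 1
            f["s_data"] += length
    verdicts = {}
    for key, f in flows.items():
        if f["syn"] and not f["synack"]:
            # Connection attempts leave, nothing comes back: routing, NAT or filtering.
            verdicts[key] = "SYN unanswered"
        elif f["c_data"] and not f["s_data"]:
            # Handshake done and client payload sent, but no server payload seen,
            # which is what dropped full-size packets (MTU) would look like.
            verdicts[key] = "handshake ok, no server data"
        else:
            verdicts[key] = "ok"
    return verdicts
```

Feed it captures from the internal and the external interface in turn. An empty result on the internal side means the client's HTTPS never reached the gateway, which points at the client gateway or proxy settings raised in Reply #2.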