Discussion:
A few questions about 4.1.6 for Release Notes
Kay Schenk
2018-11-14 23:48:10 UTC
Permalink
Two things --
* I see localization was set up for Kabyle. So is this a new language
addition?

* some discussion and commits about Java 8,
see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
Changes were committed to the 4.1.6 branch near as I can tell.
So...does AOO require Java 8 now or can Java 7 still be used?

I may have more questions coming in the next day or so, but hopefully not
many. I will make every attempt to get this ready by Fri afternoon, PST.

--
----------------------------------------------------------------------
MzK

"Less is MORE."
Matthias Seidel
2018-11-15 00:01:12 UTC
Permalink
Hi Kay,

Am 15.11.18 um 00:48 schrieb Kay Schenk:
> Two things --
> * I see localization was set up for Kabyle. So is this a new language
> addition?

No, only locale data were added internally.

> * some discussion and commits about Java 8,
> see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
> Changes were committed to the 4.1.6 branch near as I can tell.
> So...does AOO require Java 8 now or can Java 7 still be used?

Changes for Java 8 were revoked, but that did only affect the building
process.

Java 8 as well as Java 7 can still be used like before.

>
> I may have more questions coming in the next day or so, but hopefully not
> many. I will make every attempt to get this ready by Fri afternoon, PST.
>
Thanks!

Matthias
Don Lewis
2018-11-15 05:29:15 UTC
Permalink
On 15 Nov, Matthias Seidel wrote:
> Hi Kay,
>
> Am 15.11.18 um 00:48 schrieb Kay Schenk:
>> Two things --
>> * I see localization was set up for Kabyle. So is this a new language
>> addition?
>
> No, only locale data were added internally.
>
>> * some discussion and commits about Java 8,
>> see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
>> Changes were committed to the 4.1.6 branch near as I can tell.
>> So...does AOO require Java 8 now or can Java 7 still be used?
>
> Changes for Java 8 were revoked, but that did only affect the building
> process.
>
> Java 8 as well as Java 7 can still be used like before.

Yes, but at least on Windows, if you build with Java 8, the resulting
binaries will not recognize Java 7. This is only true for 4.1.x and
does not affect trunk for some reason even though the code is
essentially identical. I haven't had a time to dig into this problem.

The fix in this bug report is to allow ODK to be built with Java 8.
Since the fix was revoked, if you want to build ODK, then you must build
with Java 7.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-15 17:46:02 UTC
Permalink
Hi all

Any news on fixing the "Checking for an update failed." problem?

Regards,
Pedro
Andrea Pescetti
2018-11-16 00:10:12 UTC
Permalink
On 15/11/2018 Pedro Lino wrote:
> Any news on fixing the "Checking for an update failed." problem?

I was never able to reproduce it. Any time I believed I had reproduced
it, I found out it was due to local DNS caching on my system (something
that is not common for an ordinary user to do).

So, even if I see old and new reports about it, I have no way to check
the issue.

The most common explanation would be a DNS issue, but:
$ host ooo-updates.apache.org
ooo-updates.apache.org has address 40.79.78.1
ooo-updates.apache.org has address 95.216.24.32

and if I force either of the two IPv4 addresses everything works normally.

The only thing that I haven't tested is IPv6, but there are no signs
that we have a permanent issue here (well, if the server is down for one
hour some users will likely get the warning and report it, but this is
something that can simply happen).

If someone can provide a predictable way to reproduce the issue
consistently, solving it will likely be trivial.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-16 10:56:08 UTC
Permalink
Hi Andrea, all
> On November 16, 2018 at 12:10 AM Andrea Pescetti <***@apache.org> wrote:

> If someone can provide a predictable way to reproduce the issue
> consistently, solving it will likely be trivial.

I receive the error message daily on any computer I use,regardless of location, AOO version or OS (Windows 7 or Ubuntu)
This happens with a fresh profile or any profile.

I'm surprised it's not reproducible for others. I assumed this was a server side malfunction.

Is there any command I can run to help fixing this?

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-16 11:54:09 UTC
Permalink
Pedro Lino wrote:
> I receive the error message daily on any computer I use,regardless of location, AOO version or OS (Windows 7 or Ubuntu)
> This happens with a fresh profile or any profile.

OK, let's try with Ubuntu (but you can run the equivalent commands on
Windows too).

Can you provide output of the following commands?

$ host ooo-updates.apache.org

$ traceroute ooo-updates.apache.org

$ ncat ooo-updates.apache.org 443 # If it is still running after 30
seconds, abort with CTRL-C

$ curl https://ooo-updates.apache.org/

$ curl https://ooo-updates.apache.org/aoo416/check.Update

Note that the traceroute output will contain some information on your
(home or office) network structure. You may omit the first lines if you
consider this to be sensitive information.

If you are using IPv6, I would also give this a try: disable IPv6, and
retry the OpenOffice check, then enable IPv6 again.

If it's easier for you, you can also copy this discussion to one of the
Bugzilla issues about this bug, but I'd rather avoid asking everybody to
do a test until we have more specific information.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-16 12:19:08 UTC
Permalink
> On November 16, 2018 at 11:54 AM Andrea Pescetti <***@apache.org> wrote:

> Can you provide output of the following commands?
>
> $ host ooo-updates.apache.org

ooo-updates.apache.org has address 40.79.78.1
ooo-updates.apache.org has address 95.216.24.32
ooo-updates.apache.org has IPv6 address 2a01:4f9:2a:185f::2
ooo-updates.apache.org mail is handled by 10 mx1-lw-us.apache.org.
ooo-updates.apache.org mail is handled by 10 mx1-lw-eu.apache.org.


> $ traceroute ooo-updates.apache.org

1 10.14.200.253 0,781ms 0,762ms 0,784ms
2 172.20.160.130 6,994ms 7,097ms 7,069ms
3 172.26.5.98 7,297ms 7,272ms 7,217ms
4 172.26.5.102 7,813ms 7,214ms 7,282ms
5 89.115.229.50 7,945ms 7,442ms 7,484ms
6 213.30.41.107 8,786ms 8,535ms 8,368ms
7 195.10.57.9 13,527ms 13,329ms 13,600ms
8 195.2.30.230 22,605ms 22,097ms 21,585ms
9 195.2.30.85 21,602ms 21,385ms 21,541ms
10 80.239.128.181 21,119ms 20,662ms 20,775ms
11 62.115.139.142 74,831ms 74,266ms 74,852ms
12 62.115.123.12 79,536ms 78,767ms 79,159ms
13 62.115.138.236 77,503ms 76,979ms 77,420ms
14 80.91.246.85 80,889ms 78,677ms 78,648ms
15 213.248.66.77 79,809ms 79,104ms 78,957ms
16 213.239.224.26 76,883ms 76,297ms 76,402ms
17 213.239.224.138 79,299ms 78,710ms 78,084ms
18 95.216.24.32 75,832ms 75,126ms 75,984ms


> $ ncat ooo-updates.apache.org 443 # If it is still running after 30 seconds, abort with CTRL-C

No output. Aborted after 30"

> $ curl https://ooo-updates.apache.org/

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>Apache OpenOffice Product Update Service for installed AOO (4.0 and later) instances</title>
</head>
<body>
<h1>Apache OpenOffice Product Update Service for installed AOO (4.0 and later) instances</h1>
<h2>Folder containing update service feeds for users performing the update check and getting the message about an available new version.</h2>
</body>
</html>

> $ curl https://ooo-updates.apache.org/aoo416/check.Update

<?xml version="1.0" encoding="UTF-8"?>
<!-- Product Update Feed for AOO 4.1.6 instances -->
<inst:description xmlns:inst="http://installation.openoffice.org/description">
</inst:description>


> Note that the traceroute output will contain some information on your
> (home or office) network structure. You may omit the first lines if you
> consider this to be sensitive information.

Thank you for the warning. I have no problem.

> If you are using IPv6, I would also give this a try: disable IPv6, and
> retry the OpenOffice check, then enable IPv6 again.

Disabled IPv6. Check still fails.

> If it's easier for you, you can also copy this discussion to one of the
> Bugzilla issues about this bug, but I'd rather avoid asking everybody to
> do a test until we have more specific information.

Whatever is more efficient. Emailing to this list seems to be the most responsive channel these days ;)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-16 16:02:30 UTC
Permalink
Pedro Lino wrote:
>> On November 16, 2018 at 11:54 AM Andrea Pescetti wrote:
>> $ curl https://ooo-updates.apache.org/aoo416/check.Update
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- Product Update Feed for AOO 4.1.6 instances -->
> <inst:description xmlns:inst="http://installation.openoffice.org/description">
> </inst:description>

The network diagnostics are absolutely perfect (the fact that ncat had
to be terminated meant that it had managed to connect and it was waiting
for input, so that one is good too).

In particular, the last output above shows that you can successfully
download the update feed to your computer. You can replace "416" in the
URL with the OpenOffice version you are actually running if you wish to
be 100% sure. In this case you will get a longer XML file for 4.1.4 and
earlier, since for 4.1.6 (and 4.1.5 as of today) we have the short empty
feed shown above, but for earlier versions we have the full update
information.

Is the behavior above consistent? Like, if you alternate 5 times the
"curl, open OpenOffice, try updates, close OpenOffice" sequence, does
curl always succeed and OpenOffice always fail in downloading the feed?

If yes, can you provide your OpenOffice version and Ubuntu version, so
that I can test with the same versions and see if I start seeing errors?

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-16 16:46:18 UTC
Permalink
> On November 16, 2018 at 4:02 PM Andrea Pescetti <***@apache.org> wrote:

> In particular, the last output above shows that you can successfully
> download the update feed to your computer. You can replace "416" in the
> URL with the OpenOffice version you are actually running if you wish to
> be 100% sure. In this case you will get a longer XML file for 4.1.4 and
> earlier, since for 4.1.6 (and 4.1.5 as of today) we have the short empty
> feed shown above, but for earlier versions we have the full update
> information.

Yes, it worked for 414 as expected

>
> Is the behavior above consistent? Like, if you alternate 5 times the
> "curl, open OpenOffice, try updates, close OpenOffice" sequence, does
> curl always succeed and OpenOffice always fail in downloading the feed?

Yes, it is consistent. I tested 5 times. curl always succeeds, Check always fails.
I would be surprised if I got success With Check. It hasn't been working for very long (weeks?)

> If yes, can you provide your OpenOffice version and Ubuntu version, so
> that I can test with the same versions and see if I start seeing errors?

I was testing with 4.1.5
AOO415m1(Build:9789) - Rev. 1817496
2017-12-11 15:46 - Linux x86_64

but the same happens with 4.1.4 and 4.1.6RC1

On this PC I'm running Ubuntu 18.04.1 LTS (Linux Lino-OptiPlex-790 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux)

but the same happens under Windows 7 Pro x64 and Ubuntu 16.04.5 x64

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Branko Čibej
2018-11-16 19:53:17 UTC
Permalink
On Fri, 16 Nov 2018, 17:02 Andrea Pescetti <***@apache.org wrote:

> Pedro Lino wrote:
> >> On November 16, 2018 at 11:54 AM Andrea Pescetti wrote:
> >> $ curl https://ooo-updates.apache.org/aoo416/check.Update
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!-- Product Update Feed for AOO 4.1.6 instances -->
> > <inst:description xmlns:inst="
> http://installation.openoffice.org/description">
> > </inst:description>
>
> The network diagnostics are absolutely perfect (the fact that ncat had
> to be terminated meant that it had managed to connect and it was waiting
> for input, so that one is good too).
>
> In particular, the last output above shows that you can successfully
> download the update feed to your computer. You can replace "416" in the
> URL with the OpenOffice version you are actually running if you wish to
> be 100% sure. In this case you will get a longer XML file for 4.1.4 and
> earlier, since for 4.1.6 (and 4.1.5 as of today) we have the short empty
> feed shown above, but for earlier versions we have the full update
> information.
>
> Is the behavior above consistent? Like, if you alternate 5 times the
> "curl, open OpenOffice, try updates, close OpenOffice" sequence, does
> curl always succeed and OpenOffice always fail in downloading the feed?
>
> If yes, can you provide your OpenOffice version and Ubuntu version, so
> that I can test with the same versions and see if I start seeing errors?
>
> Regards,
> Andrea.



I tried this today, just for fun. My curl etc. used the same IPv4 address
as the other published results. Maybe the OO updater picks the other server
and only that one has problems?

-- Brane
Andrea Pescetti
2018-11-16 20:25:25 UTC
Permalink
Branko Čibej wrote:
> I tried this today, just for fun. My curl etc. used the same IPv4 address
> as the other published results. Maybe the OO updater picks the other server
> and only that one has problems?

In my tests yesterday I tried with both IPs (one at a time) in my hosts
file and both worked - but, again, connection just works for me.

So indeed we could try that way too: Pedro, can you run
$ sudo gedit /etc/hosts

and append to the bottom, one at a time (so, alternative to each other,
never together), the two following lines?

40.79.78.1 ooo-updates.apache.org

95.216.24.32 ooo-updates.apache.org

Just restart OpenOffice after each edit and check if now the update
server can be found. Then you should go back to the original version of
the file to avoid that further testing is influenced by the change.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-16 20:50:49 UTC
Permalink
Hi Andrea, Branko, all

> On November 16, 2018 at 8:25 PM Andrea Pescetti <***@apache.org> wrote:

> Just restart OpenOffice after each edit and check if now the update
> server can be found. Then you should go back to the original version of
> the file to avoid that further testing is influenced by the change.

Tested with both IP adresses. Still didn't work. I am currently running AOO 4.1.4 under Ubuntu 16.04.5 x64

Can you check the logs on the server if it received any pings from 4.1.4? (I can send you my current IP in a personal email if that helps)

Thanks!
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-16 22:40:31 UTC
Permalink
Pedro Lino wrote:
> Can you check the logs on the server if it received any pings from 4.1.4?

I don't have access to server logs or any kind of statistics; but I
recall someone (Matthias?) monitoring how much traffic we got from older
versions, so maybe someone has access to them.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Matthias Seidel
2018-11-16 22:55:35 UTC
Permalink
Hi Andrea,

Am 16.11.18 um 23:40 schrieb Andrea Pescetti:
> Pedro Lino wrote:
>> Can you check the logs on the server if it received any pings from
>> 4.1.4?
>
> I don't have access to server logs or any kind of statistics; but I
> recall someone (Matthias?) monitoring how much traffic we got from
> older versions, so maybe someone has access to them.

I only have access to Google Analytics for openoffice.org and
openoffice.apache.org.
All I can see there are users constantly updating from older versions
via update feed.
This tells me, that some people can connect to the update server
(obviously you can). Other (like me) can not.

ooo-updates.apache.org seems to be a subdomain from Apache, maybe Infra
has more insight?

Regards,

   Matthias

>
> Regards,
>   Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>
Pedro Lino
2018-11-16 23:36:14 UTC
Permalink
Hi Andrea, all

I don't know if this is relevant but ping to 40.79.78.1 does not work. I can only send/receive packets to/from 95.216.24.32

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Dave Fisher
2018-11-17 00:14:15 UTC
Permalink
Hi -

These IPs are the same as www.apache.org

I can only think that there is something flakey on one of these two.

I would suggest discussing with Infra on Hipchat.

Regards,
Dave

> On Nov 16, 2018, at 3:36 PM, Pedro Lino <***@mailbox.org> wrote:
>
> Hi Andrea, all
>
> I don't know if this is relevant but ping to 40.79.78.1 does not work. I can only send/receive packets to/from 95.216.24.32
>
> Regards,
> Pedro
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Marcus
2018-11-17 09:19:44 UTC
Permalink
Am 17.11.18 um 01:14 schrieb Dave Fisher:
>
> These IPs are the same as www.apache.org
>
> I can only think that there is something flakey on one of these two.
>
> I would suggest discussing with Infra on Hipchat.

> > $ host ooo-updates.apache.org
>
> ooo-updates.apache.org has address 40.79.78.1
> ooo-updates.apache.org has address 95.216.24.32

What I've learned is that having more than 1 IP address for 1 domain can
lead to different problems and must be avoided.

So, I would expect just 1 address.

But I'm not an expert for IP adresses and the DNS system. So, maybe
there were improvemnts in the last 10 to 15 years that I've not seen. ;-)

Marcus



>> On Nov 16, 2018, at 3:36 PM, Pedro Lino <***@mailbox.org> wrote:
>>
>> Hi Andrea, all
>>
>> I don't know if this is relevant but ping to 40.79.78.1 does not work. I can only send/receive packets to/from 95.216.24.32
>>
>> Regards,
>> Pedro


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-17 09:56:43 UTC
Permalink
Pedro Lino wrote:
> I don't know if this is relevant but ping to 40.79.78.1 does not work. I can only send/receive packets to/from 95.216.24.32

This would have been a good clue, but unfortunately it is exactly the
same for me (and in my case updates work).

Another crazy test while at it: you probably know that, if you switch to
the OpenOffice dialog windows in Preferences - OpenOffice - General, you
can open URLs directly from within the application.

If you open (File - Open, then paste the URL in the filename field)

https://ooo-updates.apache.org/aoo416/index.html

can OpenOffice successfully retrieve the document?

You should read something like "Apache OpenOffice Product Update Service
for installed AOO 4.1.6 instances" if it works.

The actual update XML file seems not to be recognized and it is expected
to give a parsing error; but if your OpenOffice can read the index.html
that sits next to it, we can confirm that OpenOffice can access the server.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Marcus
2018-11-17 10:10:24 UTC
Permalink
Am 17.11.18 um 10:56 schrieb Andrea Pescetti:
> Pedro Lino wrote:
>> I don't know if this is relevant but ping to 40.79.78.1 does not work.
>> I can only send/receive packets to/from 95.216.24.32

the same for me. Ping works only for 95.216.24.32.

> This would have been a good clue, but unfortunately it is exactly the
> same for me (and in my case updates work).
>
> Another crazy test while at it: you probably know that, if you switch to
> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
> can open URLs directly from within the application.
>
> If you open (File - Open, then paste the URL in the filename field)
>
> https://ooo-updates.apache.org/aoo416/index.html
>
> can OpenOffice successfully retrieve the document?
>
> You should read something like "Apache OpenOffice Product Update Service
> for installed AOO 4.1.6 instances" if it works.
>
> The actual update XML file seems not to be recognized and it is expected
> to give a parsing error; but if your OpenOffice can read the index.html
> that sits next to it, we can confirm that OpenOffice can access the server.

I get the document in the webview of Writer without any (error) message.

Content:

Apache OpenOffice Product Update Service for installed AOO 4.1.6 instances

Folder containing update service feed for AOO 4.1.6 users performing the
update check and getting the message about an available new version.
contents...check.Update ... xml feed

Marcus


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-17 10:26:37 UTC
Permalink
> On November 17, 2018 at 9:56 AM Andrea Pescetti <***@apache.org> wrote:

> Another crazy test while at it: you probably know that, if you switch to
> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
> can open URLs directly from within the application.

I use that feature daily to edit files in a webdav folder and it does work

> If you open (File - Open, then paste the URL in the filename field)
>
> https://ooo-updates.apache.org/aoo416/index.html
>
> can OpenOffice successfully retrieve the document?

No. I get exactly the same error message shown in the Check for Updates dialog
"Error reading data from the Internet.
Server error message: ."

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Matthias Seidel
2018-11-17 12:31:45 UTC
Permalink
Hi Pedro,

Am 17.11.18 um 11:26 schrieb Pedro Lino:
>> On November 17, 2018 at 9:56 AM Andrea Pescetti <***@apache.org> wrote:
>> Another crazy test while at it: you probably know that, if you switch to
>> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
>> can open URLs directly from within the application.
> I use that feature daily to edit files in a webdav folder and it does work
>
>> If you open (File - Open, then paste the URL in the filename field)
>>
>> https://ooo-updates.apache.org/aoo416/index.html
>>
>> can OpenOffice successfully retrieve the document?
> No. I get exactly the same error message shown in the Check for Updates dialog
> "Error reading data from the Internet.
> Server error message: ."

I get exactly the same with AOO 4.1.6.

Regards,

   Matthias

>
> Regards,
> Pedro
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>
>
Dave Fisher
2018-11-17 16:02:20 UTC
Permalink
Hi -

I’ve been on with Infra on HipChat and both servers are the same with the same content internally,

I’m being asked for IP addresses to share so that can see if there is an IP ban happening. There are circumstances where that would happen in only one location.

Regards,
Dave

> On Nov 17, 2018, at 4:31 AM, Matthias Seidel <***@hamburg.de> wrote:
>
> Hi Pedro,
>
> Am 17.11.18 um 11:26 schrieb Pedro Lino:
>>> On November 17, 2018 at 9:56 AM Andrea Pescetti <***@apache.org> wrote:
>>> Another crazy test while at it: you probably know that, if you switch to
>>> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
>>> can open URLs directly from within the application.
>> I use that feature daily to edit files in a webdav folder and it does work
>>
>>> If you open (File - Open, then paste the URL in the filename field)
>>>
>>> https://ooo-updates.apache.org/aoo416/index.html
>>>
>>> can OpenOffice successfully retrieve the document?
>> No. I get exactly the same error message shown in the Check for Updates dialog
>> "Error reading data from the Internet.
>> Server error message: ."
>
> I get exactly the same with AOO 4.1.6.
>
> Regards,
>
> Matthias
>
>>
>> Regards,
>> Pedro
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-***@openoffice.apache.org
>> For additional commands, e-mail: dev-***@openoffice.apache.org
>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-17 16:15:57 UTC
Permalink
Hi Dave

> I’ve been on with Infra on HipChat and both servers are the same with the same content internally,

But some configuration must be different because one responds to pings and the other doesn't

> I’m being asked for IP addresses to share so that can see if there is an IP ban happening. There are circumstances where that would happen in only one location.

This happens both at home and at work with different ISPs
I'm sending my current IP by private email.

Thanks!
Pedro

> > On Nov 17, 2018, at 4:31 AM, Matthias Seidel <***@hamburg.de> wrote:
> >
> > Hi Pedro,
> >
> > Am 17.11.18 um 11:26 schrieb Pedro Lino:
> >>> On November 17, 2018 at 9:56 AM Andrea Pescetti <***@apache.org> wrote:
> >>> Another crazy test while at it: you probably know that, if you switch to
> >>> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
> >>> can open URLs directly from within the application.
> >> I use that feature daily to edit files in a webdav folder and it does work
> >>
> >>> If you open (File - Open, then paste the URL in the filename field)
> >>>
> >>> https://ooo-updates.apache.org/aoo416/index.html
> >>>
> >>> can OpenOffice successfully retrieve the document?
> >> No. I get exactly the same error message shown in the Check for Updates dialog
> >> "Error reading data from the Internet.
> >> Server error message: ."
> >
> > I get exactly the same with AOO 4.1.6.
> >
> > Regards,
> >
> > Matthias
> >
> >>
> >> Regards,
> >> Pedro
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> >> For additional commands, e-mail: dev-***@openoffice.apache.org
> >>
> >>
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Dave Fisher
2018-11-17 16:22:47 UTC
Permalink
It is weird.

They checked the logs and since the last log role:

since the last log roll, the 40 box had 3667 hits to aoo415/check.Update and the 95 box got 6570

Regards,
Dave

> On Nov 17, 2018, at 8:15 AM, Pedro Lino <***@mailbox.org> wrote:
>
> Hi Dave
>
>> I’ve been on with Infra on HipChat and both servers are the same with the same content internally,
>
> But some configuration must be different because one responds to pings and the other doesn't
>
>> I’m being asked for IP addresses to share so that can see if there is an IP ban happening. There are circumstances where that would happen in only one location.
>
> This happens both at home and at work with different ISPs
> I'm sending my current IP by private email.
>
> Thanks!
> Pedro
>
>>> On Nov 17, 2018, at 4:31 AM, Matthias Seidel <***@hamburg.de> wrote:
>>>
>>> Hi Pedro,
>>>
>>> Am 17.11.18 um 11:26 schrieb Pedro Lino:
>>>>> On November 17, 2018 at 9:56 AM Andrea Pescetti <***@apache.org> wrote:
>>>>> Another crazy test while at it: you probably know that, if you switch to
>>>>> the OpenOffice dialog windows in Preferences - OpenOffice - General, you
>>>>> can open URLs directly from within the application.
>>>> I use that feature daily to edit files in a webdav folder and it does work
>>>>
>>>>> If you open (File - Open, then paste the URL in the filename field)
>>>>>
>>>>> https://ooo-updates.apache.org/aoo416/index.html
>>>>>
>>>>> can OpenOffice successfully retrieve the document?
>>>> No. I get exactly the same error message shown in the Check for Updates dialog
>>>> "Error reading data from the Internet.
>>>> Server error message: ."
>>>
>>> I get exactly the same with AOO 4.1.6.
>>>
>>> Regards,
>>>
>>> Matthias
>>>
>>>>
>>>> Regards,
>>>> Pedro
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-***@openoffice.apache.org
>>>> For additional commands, e-mail: dev-***@openoffice.apache.org
>>>>
>>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-***@openoffice.apache.org
>> For additional commands, e-mail: dev-***@openoffice.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>
Andrea Pescetti
2018-11-17 17:32:24 UTC
Permalink
Dave Fisher wrote:
> I’ve been on with Infra on HipChat and both servers are the same with the same content internally,

Yes, I don't see this as a major issue either. It is probably too early
for Infra to jump in, since we haven't identified major network-related
issues so far (yes, one of the two server does not respond to ping and
traceroute, but I can get updates from it nevertheless). I mean, of
course it doesn't harm but we need to shed more light, see below.

> I’m being asked for IP addresses to share so that can see if there is an IP ban happening.

A ban is for sure not the case.

Indeed, I have interesting news: I can reproduce the bug on an Ubuntu
system. My best bet at the moment is that something in the SSL
negotiation is wrong.

A nice additional benefit is that this gives us a simple way to
reproduce the bug, equivalent to the update notification.

$ soffice https://ooo-updates.apache.org/index.html

(this fails on Ubuntu, succeeds on Fedora)

Note that

$ soffice https://www.google.com/

will work in all cases (so this is not an HTTPS bug per se) and

$ soffice http://ooo-updates.apache.org/index.html

will work in all cases (so this not a network issue but rather an SSL
issue).

Now, debugging SSL issues is not easy, but can the people who don't get
updates at least confirm the three results above, i.e., that only the
first one fails?

Further tests show that problematic systems have issues with ASF sites
in HTTPS, like:
$ soffice https://www.apache.org/ # Fails
$ soffice http://www.apache.org/ # Succeeds
$ soffice https://www.openoffice.org/ # Fails
$ soffice http://www.openoffice.org/ # Succeeds
$ soffice https://... # Succeeds for any site I put there, except ASF
sites, but I'd love to see a non-ASF example of a failing HTTPS site.

If this is confirmed we are really close to a point where we could
actually get useful information from Infra.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Matthias Seidel
2018-11-17 17:42:57 UTC
Permalink
Hi Andrea,

Am 17.11.18 um 18:32 schrieb Andrea Pescetti:
> Dave Fisher wrote:
>> I’ve been on with Infra on HipChat and both servers are the same with
>> the same content internally,
>
> Yes, I don't see this as a major issue either. It is probably too
> early for Infra to jump in, since we haven't identified major
> network-related issues so far (yes, one of the two server does not
> respond to ping and traceroute, but I can get updates from it
> nevertheless). I mean, of course it doesn't harm but we need to shed
> more light, see below.
>
>> I’m being asked for IP addresses to share so that can see if there is
>> an IP ban happening.
>
> A ban is for sure not the case.
>
> Indeed, I have interesting news: I can reproduce the bug on an Ubuntu
> system. My best bet at the moment is that something in the SSL
> negotiation is wrong.
>
> A nice additional benefit is that this gives us a simple way to
> reproduce the bug, equivalent to the update notification.
>
> $ soffice https://ooo-updates.apache.org/index.html
>
> (this fails on Ubuntu, succeeds on Fedora)
>
> Note that
>
> $ soffice https://www.google.com/
>
> will work in all cases (so this is not an HTTPS bug per se) and
>
> $ soffice http://ooo-updates.apache.org/index.html
>
> will work in all cases (so this not a network issue but rather an SSL
> issue).
>
> Now, debugging SSL issues is not easy, but can the people who don't
> get updates at least confirm the three results above, i.e., that only
> the first one fails?
>
> Further tests show that problematic systems have issues with ASF sites
> in HTTPS, like:
> $ soffice https://www.apache.org/ # Fails
> $ soffice http://www.apache.org/  # Succeeds
> $ soffice https://www.openoffice.org/ # Fails
> $ soffice http://www.openoffice.org/  # Succeeds
> $ soffice https://... # Succeeds for any site I put there, except ASF
> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>
> If this is confirmed we are really close to a point where we could
> actually get useful information from Infra.

I can confirm this behavior with AOO 4.1.6 on Ubuntu 16.04.5.

Regards,

   Matthias

>
> Regards,
>   Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>
Rory O'Farrell
2018-11-17 17:51:29 UTC
Permalink
Just out of interest:
AOO420m1(Build:9800) - Rev. 1844412
2018-10-20_11:36:04 - Rev. 1844412
running on Xubuntu 18.04.1 64 bit (fully updated), all four URLs below work

Rory


On Sat, 17 Nov 2018 18:42:57 +0100
Matthias Seidel <***@hamburg.de> wrote:

> Hi Andrea,
>
> Am 17.11.18 um 18:32 schrieb Andrea Pescetti:
> > Dave Fisher wrote:
> >> I’ve been on with Infra on HipChat and both servers are the same with
> >> the same content internally,
> >
> > Yes, I don't see this as a major issue either. It is probably too
> > early for Infra to jump in, since we haven't identified major
> > network-related issues so far (yes, one of the two server does not
> > respond to ping and traceroute, but I can get updates from it
> > nevertheless). I mean, of course it doesn't harm but we need to shed
> > more light, see below.
> >
> >> I’m being asked for IP addresses to share so that can see if there is
> >> an IP ban happening.
> >
> > A ban is for sure not the case.
> >
> > Indeed, I have interesting news: I can reproduce the bug on an Ubuntu
> > system. My best bet at the moment is that something in the SSL
> > negotiation is wrong.
> >
> > A nice additional benefit is that this gives us a simple way to
> > reproduce the bug, equivalent to the update notification.
> >
> > $ soffice https://ooo-updates.apache.org/index.html
> >
> > (this fails on Ubuntu, succeeds on Fedora)
> >
> > Note that
> >
> > $ soffice https://www.google.com/
> >
> > will work in all cases (so this is not an HTTPS bug per se) and
> >
> > $ soffice http://ooo-updates.apache.org/index.html
> >
> > will work in all cases (so this not a network issue but rather an SSL
> > issue).
> >
> > Now, debugging SSL issues is not easy, but can the people who don't
> > get updates at least confirm the three results above, i.e., that only
> > the first one fails?
> >
> > Further tests show that problematic systems have issues with ASF sites
> > in HTTPS, like:
> > $ soffice https://www.apache.org/ # Fails
> > $ soffice http://www.apache.org/  # Succeeds
> > $ soffice https://www.openoffice.org/ # Fails
> > $ soffice http://www.openoffice.org/  # Succeeds
> > $ soffice https://... # Succeeds for any site I put there, except ASF
> > sites, but I'd love to see a non-ASF example of a failing HTTPS site.
> >
> > If this is confirmed we are really close to a point where we could
> > actually get useful information from Infra.
>
> I can confirm this behavior with AOO 4.1.6 on Ubuntu 16.04.5.
>
> Regards,
>
>    Matthias
>
> >
> > Regards,
> >   Andrea.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-***@openoffice.apache.org
> > For additional commands, e-mail: dev-***@openoffice.apache.org
> >
>


--
Rory O'Farrell <***@iol.ie>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-17 17:52:32 UTC
Permalink
> On November 17, 2018 at 5:32 PM Andrea Pescetti <***@apache.org> wrote:

> A nice additional benefit is that this gives us a simple way to
> reproduce the bug, equivalent to the update notification.
>
> $ soffice https://ooo-updates.apache.org/index.html
> (this fails on Ubuntu, succeeds on Fedora)
>
> Note that
>
> $ soffice https://www.google.com/
> will work in all cases (so this is not an HTTPS bug per se) and
>
> $ soffice http://ooo-updates.apache.org/index.html
> will work in all cases (so this not a network issue but rather an SSL
> issue).
>
> Now, debugging SSL issues is not easy, but can the people who don't get
> updates at least confirm the three results above, i.e., that only the
> first one fails?

Confirmed that only the first one fails.
I always get the message (even when it didn't fail to open the page)

Gtk-Message: Failed to load module "overlay-scrollbar"

** (soffice:10458): WARNING **: Unknown type: GailWindow

> Further tests show that problematic systems have issues with ASF sites
> in HTTPS, like:
> $ soffice https://www.apache.org/ # Fails
> $ soffice http://www.apache.org/ # Succeeds
> $ soffice https://www.openoffice.org/ # Fails
> $ soffice http://www.openoffice.org/ # Succeeds
> $ soffice https://... # Succeeds for any site I put there, except ASF
> sites, but I'd love to see a non-ASF example of a failing HTTPS site.

Confirmed. HTTPS links fail, HTTP succeed

> If this is confirmed we are really close to a point where we could
> actually get useful information from Infra.

Thank you for your persistent and systematic investigation! ;)

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Don Lewis
2018-11-18 22:30:58 UTC
Permalink
On 17 Nov, Pedro Lino wrote:
>> On November 17, 2018 at 5:32 PM Andrea Pescetti <***@apache.org> wrote:
>
>> A nice additional benefit is that this gives us a simple way to
>> reproduce the bug, equivalent to the update notification.
>>
>> $ soffice https://ooo-updates.apache.org/index.html
>> (this fails on Ubuntu, succeeds on Fedora)
>>
>> Note that
>>
>> $ soffice https://www.google.com/
>> will work in all cases (so this is not an HTTPS bug per se) and
>>
>> $ soffice http://ooo-updates.apache.org/index.html
>> will work in all cases (so this not a network issue but rather an SSL
>> issue).
>>
>> Now, debugging SSL issues is not easy, but can the people who don't get
>> updates at least confirm the three results above, i.e., that only the
>> first one fails?
>
> Confirmed that only the first one fails.
> I always get the message (even when it didn't fail to open the page)
>
> Gtk-Message: Failed to load module "overlay-scrollbar"
>
> ** (soffice:10458): WARNING **: Unknown type: GailWindow
>
>> Further tests show that problematic systems have issues with ASF sites
>> in HTTPS, like:
>> $ soffice https://www.apache.org/ # Fails
>> $ soffice http://www.apache.org/ # Succeeds
>> $ soffice https://www.openoffice.org/ # Fails
>> $ soffice http://www.openoffice.org/ # Succeeds
>> $ soffice https://... # Succeeds for any site I put there, except ASF
>> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>
> Confirmed. HTTPS links fail, HTTP succeed

The HTTPS links all work for me with the FreeBSD port of 4.1.6. One
difference is that the FreeBSD port uses the system OpenSSL, currently
1.02p or newer.

Does the Apache web server still support TLS version 1.0? The old
version of OpenSSL that we bundle with the Windows and Linux versions
doesn't support anything newer than that.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Branko Čibej
2018-11-19 00:52:56 UTC
Permalink
On 18.11.2018 23:30, Don Lewis wrote:
> On 17 Nov, Pedro Lino wrote:
>>> On November 17, 2018 at 5:32 PM Andrea Pescetti <***@apache.org> wrote:
>>> A nice additional benefit is that this gives us a simple way to
>>> reproduce the bug, equivalent to the update notification.
>>>
>>> $ soffice https://ooo-updates.apache.org/index.html
>>> (this fails on Ubuntu, succeeds on Fedora)
>>>
>>> Note that
>>>
>>> $ soffice https://www.google.com/
>>> will work in all cases (so this is not an HTTPS bug per se) and
>>>
>>> $ soffice http://ooo-updates.apache.org/index.html
>>> will work in all cases (so this not a network issue but rather an SSL
>>> issue).
>>>
>>> Now, debugging SSL issues is not easy, but can the people who don't get
>>> updates at least confirm the three results above, i.e., that only the
>>> first one fails?
>> Confirmed that only the first one fails.
>> I always get the message (even when it didn't fail to open the page)
>>
>> Gtk-Message: Failed to load module "overlay-scrollbar"
>>
>> ** (soffice:10458): WARNING **: Unknown type: GailWindow
>>
>>> Further tests show that problematic systems have issues with ASF sites
>>> in HTTPS, like:
>>> $ soffice https://www.apache.org/ # Fails
>>> $ soffice http://www.apache.org/ # Succeeds
>>> $ soffice https://www.openoffice.org/ # Fails
>>> $ soffice http://www.openoffice.org/ # Succeeds
>>> $ soffice https://... # Succeeds for any site I put there, except ASF
>>> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>> Confirmed. HTTPS links fail, HTTP succeed
> The HTTPS links all work for me with the FreeBSD port of 4.1.6. One
> difference is that the FreeBSD port uses the system OpenSSL, currently
> 1.02p or newer.
>
> Does the Apache web server still support TLS version 1.0? The old
> version of OpenSSL that we bundle with the Windows and Linux versions
> doesn't support anything newer than that.


It looks like you found the real problem:

$ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
* Trying 40.79.78.1...
...
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS alert, Server hello (2):
* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version


Connection fails with options --tlsv1.0 and --tlsv1.1 but succeeds with
--tlsv1.2. Which is in fact a good thing; TLSv1 and TLSv1.1 both have
known security bugs.

It is usually a bad idea to bundle OpenSSL instead of using the
system-provided version; but if you do have to do that (e.g., on
Windows, which doesn't have it, or macOS, which has an ancient version),
at least use the latest 1.0.2 version, or even better, 1.1.0.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-19 09:11:02 UTC
Permalink
Hi Brane, all

> On November 19, 2018 at 12:52 AM Branko Čibej <***@apache.org> wrote:

> > Does the Apache web server still support TLS version 1.0? The old
> > version of OpenSSL that we bundle with the Windows and Linux versions
> > doesn't support anything newer than that.
>
>
> It looks like you found the real problem:
>
> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
> * Trying 40.79.78.1...
> ...
> * TLSv1.0 (OUT), TLS handshake, Client hello (1):
> * TLSv1.0 (IN), TLS alert, Server hello (2):
> * error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version
>
>
> Connection fails with options --tlsv1.0 and --tlsv1.1 but succeeds with
> --tlsv1.2. Which is in fact a good thing; TLSv1 and TLSv1.1 both have
> known security bugs.

This means that on the Server side connection with the current version of Openoffice will not be accepted?
Can this change be reversed or an exception opened for AOO?

Otherwise, how are users going to be notified that any future version is available?

@_Andreas_, which AOO version are you using under which OS?

@_Rory O'Farrell_, can you please test with 4.1.5?

I can confirm that version 4.2.0 build 1846852 does connect under Ubuntu 16.04.5 but that doesn't solve the problem for current users...

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Branko Čibej
2018-11-19 12:34:40 UTC
Permalink
On 19.11.2018 10:11, Pedro Lino wrote:
> Hi Brane, all
>
>> On November 19, 2018 at 12:52 AM Branko Čibej <***@apache.org> wrote:
>>> Does the Apache web server still support TLS version 1.0? The old
>>> version of OpenSSL that we bundle with the Windows and Linux versions
>>> doesn't support anything newer than that.
>>
>> It looks like you found the real problem:
>>
>> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
>> * Trying 40.79.78.1...
>> ...
>> * TLSv1.0 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.0 (IN), TLS alert, Server hello (2):
>> * error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version
>>
>>
>> Connection fails with options --tlsv1.0 and --tlsv1.1 but succeeds with
>> --tlsv1.2. Which is in fact a good thing; TLSv1 and TLSv1.1 both have
>> known security bugs.
> This means that on the Server side connection with the current version of Openoffice will not be accepted?
> Can this change be reversed or an exception opened for AOO?


This is a server-side configuration, I suppose an exception could be
added ... but this is for Infra to decide.

> Otherwise, how are users going to be notified that any future version is available?

It's actually a bit worse than users not being notified. If you bundle
your own SSL library you must have a process in place to track security
fixes in said library. I suspect OpenSSL is not the only issue; for
example, AOO still uses Serf 1.2.1, which does not support the latest
OpenSSL, so you're effectively stuck with 1.02 and can't migrate to
1.1.0 unless you also upgrade Serf.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-19 17:17:40 UTC
Permalink
Pedro Lino wrote:>> On November 19, 2018 at 12:52 AM Branko Čibej wrote:
>> It looks like you found the real problem:
>> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/

This makes sense, but I still don't understand it as the full explanation.

I mean, if this is due to bundled libraries then why do the same
binaries produce different results on different systems?

This is config.log from my test 4.1.6 build (done on CentOS 7):
---
configure:16978: checking which libnss to use
configure:17076: result: internal
configure:17088: checking which libssl to use
configure:17194: result: internal
---
so this should mean we are using bundled libraries.

Then I copy the produced binaries to Ubuntu 16.04 and to Fedora 26
(these happen to be the machines that I setup for this test).

On CentOS 7 (where it was built):
$ ./soffice https://ooo-updates.apache.org/index.html # Fails
$ ./soffice https://fosdem.org # Succeeds
$ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/ # Fails

On Ubuntu 16.04:
$ ./soffice https://ooo-updates.apache.org/index.html # Fails
$ ./soffice https://fosdem.org # Succeeds
$ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/ # Fails

On Fedora 26:
$ ./soffice https://ooo-updates.apache.org/index.html # Succeeds!
$ ./soffice https://fosdem.org # Succeeds
$ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/ # Fails

Does the current explanation actually explain why the first command
succeeds on Fedora? (of course, this also reflects in GUI, where the
check for updates only succeeds on Fedora).

> Can this change be reversed or an exception opened for AOO?

Sure, we have multiple options available. Including moving this server
to a smaller (or even dedicated) virtual machine. Note that, even if we
miss a full explanation, we could still try this, but I'm really curious
to know whether the Fedora behavior can be explained.

> how are users going to be notified that any future version is available?

Fortunately we can fix this in code, even though Brane explained well
why this is hard to do on the 4.1.x line.

> @_Andreas_, which AOO version are you using under which OS?

The three above, plus the official 4.1.6 build on both Fedora 26 and a
new machine, Ubuntu 18.04 (with the usual results: Fedora succeeds,
Ubuntu fails).

> I can confirm that version 4.2.0 build 1846852 does connect under Ubuntu 16.04.5

Yes, same for me on Ubuntu 16.04 with 4.2.0-dev (I get the same results
as on Fedora, and no errors if I check for updates).

The current explanation we have is very good.

I'm just left with the big question mark of why 4.1.6 works well in
Fedora and the same binaries fail on CentoOS 7 (where I built them) and
Ubuntu 16.04. If we could explain this last part we would be able to go
to Infra with more confidence.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-19 17:49:16 UTC
Permalink
> On November 19, 2018 at 5:17 PM Andrea Pescetti <***@apache.org> wrote:

> Does the current explanation actually explain why the first command
> succeeds on Fedora? (of course, this also reflects in GUI, where the
> check for updates only succeeds on Fedora).

Not at all. If the problem was simply on the TLS version then it shouldn't work on Fedora also.
If it only worked on CentOS, it could have been some compilation glitch. But this is really puzzling!

> > Can this change be reversed or an exception opened for AOO?
>
> Sure, we have multiple options available. Including moving this server
> to a smaller (or even dedicated) virtual machine. Note that, even if we
> miss a full explanation, we could still try this, but I'm really curious
> to know whether the Fedora behavior can be explained.

Excellent. I'm glad this can be solved for the current (4.1.6) and past versions (4.1.5, 4.1.4, etc) which people are already using.

> > how are users going to be notified that any future version is available?
>
> Fortunately we can fix this in code, even though Brane explained well
> why this is hard to do on the 4.1.x line.

I meant if this could not be solved on the server side, there was no way for people on 4.1.5 or previous to be notified of any other version (including 4.1.6)

> I'm just left with the big question mark of why 4.1.6 works well in
> Fedora and the same binaries fail on CentOS 7 (where I built them) and
> Ubuntu 16.04. If we could explain this last part we would be able to go
> to Infra with more confidence.

I agree. Maybe Brane (or anyone else) can suggest other tests? Unfortunately now the ball is on your side, I can't help with Fedora...

However if users start to complain on forums that they can't update to 4.1.6, the server side solution should be applied sooner.

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Branko Čibej
2018-11-19 23:16:18 UTC
Permalink
On 19.11.2018 18:17, Andrea Pescetti wrote:
> Pedro Lino wrote:>> On November 19, 2018 at 12:52 AM Branko Čibej wrote:
>>> It looks like you found the real problem:
>>> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
>
> This makes sense, but I still don't understand it as the full
> explanation.
>
> I mean, if this is due to bundled libraries then why do the same
> binaries produce different results on different systems?
>
> This is config.log from my test 4.1.6 build (done on CentOS 7):
>   ---
> configure:16978: checking which libnss to use
> configure:17076: result: internal
> configure:17088: checking which libssl to use
> configure:17194: result: internal
>   ---
> so this should mean we are using bundled libraries.
>
> Then I copy the produced binaries to Ubuntu 16.04 and to Fedora 26
> (these happen to be the machines that I setup for this test).
>
> On CentOS 7 (where it was built):
> $ ./soffice https://ooo-updates.apache.org/index.html   # Fails
> $ ./soffice https://fosdem.org                          # Succeeds
> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/  # Fails
>
> On Ubuntu 16.04:
> $ ./soffice https://ooo-updates.apache.org/index.html   # Fails
> $ ./soffice https://fosdem.org                          # Succeeds
> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/  # Fails
>
> On Fedora 26:
> $ ./soffice https://ooo-updates.apache.org/index.html   # Succeeds!
> $ ./soffice https://fosdem.org                          # Succeeds
> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/  # Fails
>
> Does the current explanation actually explain why the first command
> succeeds on Fedora? (of course, this also reflects in GUI, where the
> check for updates only succeeds on Fedora).


No ... but checking which OpenSSL library is actually used at runtime
just might.

Just now I downloaded 4.1.6 and installed it on a VM running XUbuntu
14.04. I didn't find libcrypto.so or libssl.so in the install tree, nor
are they mentioned by ldd. Opening fosdem.org or ooo-updates.apache.org
just hangs.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-20 22:30:12 UTC
Permalink
Hi Andrea, all

> On November 19, 2018 at 5:17 PM Andrea Pescetti <***@apache.org> wrote:

> > Can this change be reversed or an exception opened for AOO?
>
> Sure, we have multiple options available. Including moving this server
> to a smaller (or even dedicated) virtual machine. Note that, even if we
> miss a full explanation, we could still try this, but I'm really curious
> to know whether the Fedora behavior can be explained.

People are already starting to report the broken Check for Update
https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=95930

Can you (or someone else) ask Infra to provide one of the alternate solutions you mentioned?

On an intersting note: according to a freeware program I use under Windows to check for updates (I disable automatic checking for each program and run this once a week) more than half the AOO users who also use SUMo are already on 4.1.6 (Windows only) only a day after release!
https://www.kcsoftwares.com/sumo/view.php?ProductName=OpenOffice&Company=OpenOffice.org&prot=2
(of course this is not unexpected since people who use a dedicated program for checking for updates are likely to be the first to do the updates)

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-24 16:19:23 UTC
Permalink
Any news on this issue? Can this be solved by Infra or by someone
on the PMC? I believe this issue should have some priority especially because it affects the Windows OS users (the vast majority of the users)...

Regards,
Pedro

> On November 20, 2018 at 10:30 PM Pedro Lino <***@mailbox.org> wrote:
>
>
> Hi Andrea, all
>
> > On November 19, 2018 at 5:17 PM Andrea Pescetti <***@apache.org> wrote:
>
> > > Can this change be reversed or an exception opened for AOO?
> >
> > Sure, we have multiple options available. Including moving this server
> > to a smaller (or even dedicated) virtual machine. Note that, even if we
> > miss a full explanation, we could still try this, but I'm really curious
> > to know whether the Fedora behavior can be explained.
>
> People are already starting to report the broken Check for Update
> https://forum.openoffice.org/en/forum/viewtopic.php?f=9&t=95930
>
> Can you (or someone else) ask Infra to provide one of the alternate solutions you mentioned?
>
> On an intersting note: according to a freeware program I use under Windows to check for updates (I disable automatic checking for each program and run this once a week) more than half the AOO users who also use SUMo are already on 4.1.6 (Windows only) only a day after release!
> https://www.kcsoftwares.com/sumo/view.php?ProductName=OpenOffice&Company=OpenOffice.org&prot=2
> (of course this is not unexpected since people who use a dedicated program for checking for updates are likely to be the first to do the updates)
>
> Regards,
> Pedro
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-25 00:08:58 UTC
Permalink
On 24/11/2018 Pedro Lino wrote:
> Any news on this issue? Can this be solved by Infra or by someone
> on the PMC? I believe this issue should have some priority especially because it affects the Windows OS users (the vast majority of the users)...

It is a matter of virtual machines and policy. The virtual machines we
have available for the moment (and one would need to open the URLs with
"soffice URL" to check) are:

- https://wiki.openoffice.org
- https://forum.openoffice.org
- https://wikitest.openoffice.org
- We have a further VM for the new forum but I'm not sure it already has
a URL

I believe, but I haven't checked, that only the first two can be reached
from the affected systems. Unfortunately, infrastructure migrations are
being performed during the next week, and the first two servers are
scheduled for decommissioning. But, if everything fits, we might be in
time for a quick test on the old Wiki VM shortly before 30 November. At
least, this will tell us whether we can solve the problem by using a TLS
1.0 server (which is still unclear, as everybody by now knows that
Fedora for example can connect without issues, so the problem does not
seem to be 100% due to the libraries we bundle).

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-12-05 07:08:42 UTC
Permalink
On 25/11/2018 Andrea Pescetti wrote:
> It is a matter of virtual machines and policy. The virtual machines we
> have available for the moment (and one would need to open the URLs with
> "soffice URL" to check) are:
> - https://wiki.openoffice.org
> - https://forum.openoffice.org
> - https://wikitest.openoffice.org ...
> I believe, but I haven't checked, that only the first two can be reached
> from the affected systems. ... if everything fits, we might be in
> time for a quick test on the old Wiki VM shortly before 30 November.

Just a note to say that Infra asked us to keep the web server inactive
on the old VMs to ensure nothing was missing from the migration, so we
couldn't test as I had proposed.

Are the current VMs unreachable from the affected systems? I mean, does

$ soffice https://wiki.openoffice.org
$ soffice https://forum.openoffice.org

give "Server error" from the machine where updates cannot be reached?

If yes, we'll have to look into another environment. If no, we can reuse
one of these two VMs as the new updates server.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Dave Fisher
2018-12-05 07:11:02 UTC
Permalink
> On Dec 4, 2018, at 11:08 PM, Andrea Pescetti <***@apache.org> wrote:
>
> On 25/11/2018 Andrea Pescetti wrote:
>> It is a matter of virtual machines and policy. The virtual machines we have available for the moment (and one would need to open the URLs with "soffice URL" to check) are:
>> - https://wiki.openoffice.org
>> - https://forum.openoffice.org
>> - https://wikitest.openoffice.org ...
>> I believe, but I haven't checked, that only the first two can be reached from the affected systems. ... if everything fits, we might be in time for a quick test on the old Wiki VM shortly before 30 November.
>
> Just a note to say that Infra asked us to keep the web server inactive on the old VMs to ensure nothing was missing from the migration, so we couldn't test as I had proposed.
>
> Are the current VMs unreachable from the affected systems? I mean, does
>
> $ soffice https://wiki.openoffice.org
> $ soffice https://forum.openoffice.org
>
> give "Server error" from the machine where updates cannot be reached?
>
> If yes, we'll have to look into another environment. If no, we can reuse one of these two VMs as the new updates server.

+1 - Or even ask for a new VM. I’ll help either way. Show me the update code and httpd config.

Regards,
Dave
>
> Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-12-05 07:51:48 UTC
Permalink
> On December 5, 2018 at 7:08 AM Andrea Pescetti <***@apache.org> wrote:

> Are the current VMs unreachable from the affected systems? I mean, does
>
> $ soffice https://wiki.openoffice.org
> $ soffice https://forum.openoffice.org
>
> give "Server error" from the machine where updates cannot be reached?

Both commands return the usual message:
Error reading data from the Internet.
Server error message: .

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Keith N. McKenna
2018-12-05 16:19:31 UTC
Permalink
On 12/5/2018 2:08 AM, Andrea Pescetti wrote:
> On 25/11/2018 Andrea Pescetti wrote:
>> It is a matter of virtual machines and policy. The virtual machines we
>> have available for the moment (and one would need to open the URLs
>> with "soffice URL" to check) are:
>> - https://wiki.openoffice.org
>> - https://forum.openoffice.org
>> - https://wikitest.openoffice.org ...
>> I believe, but I haven't checked, that only the first two can be
>> reached from the affected systems. ... if everything fits, we might be
>> in time for a quick test on the old Wiki VM shortly before 30 November.
>
> Just a note to say that Infra asked us to keep the web server inactive
> on the old VMs to ensure nothing was missing from the migration, so we
> couldn't test as I had proposed.
>
> Are the current VMs unreachable from the affected systems? I mean, does
>
> $ soffice https://wiki.openoffice.org
> $ soffice https://forum.openoffice.org
>
> give "Server error" from the machine where updates cannot be reached?
>
> If yes, we'll have to look into another environment. If no, we can reuse
> one of these two VMs as the new updates server.
>
> Regards,
>   Andrea.
On my Windows 10 system they both resolve correctly

Regards
Keith
Peter Kovacs
2018-12-05 22:01:38 UTC
Permalink
On 05.12.18 08:08, Andrea Pescetti wrote:
>
> If yes, we'll have to look into another environment. If no, we can
> reuse one of these two VMs as the new updates server.
We could try the OpenGrok Server.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Dave Fisher
2018-11-25 02:34:54 UTC
Permalink
Hi -

Sent from my iPhone

> On Nov 24, 2018, at 4:08 PM, Andrea Pescetti <***@apache.org> wrote:
>
>> On 24/11/2018 Pedro Lino wrote:
>> Any news on this issue? Can this be solved by Infra or by someone
>> on the PMC? I believe this issue should have some priority especially because it affects the Windows OS users (the vast majority of the users)...
>
> It is a matter of virtual machines and policy. The virtual machines we have available for the moment (and one would need to open the URLs with "soffice URL" to check) are:
>
> - https://wiki.openoffice.org
> - https://forum.openoffice.org
> - https://wikitest.openoffice.org
> - We have a further VM for the new forum but I'm not sure it already has a URL

Https://forumtest.openoffice.org
>
> I believe, but I haven't checked, that only the first two can be reached from the affected systems. Unfortunately, infrastructure migrations are being performed during the next week, and the first two servers are scheduled for decommissioning. But, if everything fits, we might be in time for a quick test on the old Wiki VM shortly before 30 November. At least, this will tell us whether we can solve the problem by using a TLS 1.0 server (which is still unclear, as everybody by now knows that Fedora for example can connect without issues, so the problem does not seem to be 100% due to the libraries we bundle).

Let’s do our required migrations this week and then we can play with this TLS issue. This may be more complex. My concern is whether or not older AOO is even using TLS. Since legacy forums and wiki must be cut over by Nov 30th we must prioritize.

Regards,
Dave
>
> Regards,
> Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-25 10:58:35 UTC
Permalink
Hi Dave, Andrea, all

> Let’s do our required migrations this week and then we can play with this TLS
> issue. This may be more complex. My concern is whether or not older AOO is
> even using TLS. Since legacy forums and wiki must be cut over by Nov 30th we
> must prioritize.

Agreed.
Keep in mind that previous versions worked until 2-3 weeks ago
This problem also occurs on version 4.1.5 running on Windows XP (where no updates to the OS occur) so any modification is on the server side.

An interesting detail: I reinstalled version 4.1.5 on a Windows XP netbook and I do get the "New Updates for Extensions" icon and warning but clicking on it returns the same error mentioned before.

This means that the program is getting version information from the server so some communication is passing through...

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Matthias Seidel
2018-11-25 11:39:05 UTC
Permalink
Am 25.11.18 um 11:58 schrieb Pedro Lino:
> Hi Dave, Andrea, all
>
>> Let’s do our required migrations this week and then we can play with this TLS
>> issue. This may be more complex. My concern is whether or not older AOO is
>> even using TLS. Since legacy forums and wiki must be cut over by Nov 30th we
>> must prioritize.
> Agreed.
> Keep in mind that previous versions worked until 2-3 weeks ago
> This problem also occurs on version 4.1.5 running on Windows XP (where no updates to the OS occur) so any modification is on the server side.
>
> An interesting detail: I reinstalled version 4.1.5 on a Windows XP netbook and I do get the "New Updates for Extensions" icon and warning but clicking on it returns the same error mentioned before.
>
> This means that the program is getting version information from the server so some communication is passing through...

You did a reinstall without deleting the profile? Probably you updated
some dictionary before and AOO just finds them locally...

Regards,

   Matthias

>
> Regards,
> Pedro
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org
> For additional commands, e-mail: dev-***@openoffice.apache.org
>
Pedro Lino
2018-11-25 12:09:24 UTC
Permalink
Hi Matthias


>
> > > This means that the program is getting version information from the server so some communication is passing through...
> >
> > > You did a reinstall without deleting the profile? Probably you updated
> some dictionary before and AOO just finds them locally...
>

You are right. There goes the theory about some communication working :)

The message (and action required) does not make sense then. If AOO finds a newer version locally then it should use the newer version or at least ask if you want to use the newer version... It doesn't make sense to download it again from the server if it is already installed.

Another fix that requires developer time...

Regards,
Pedro
Matthias Seidel
2018-11-25 12:13:31 UTC
Permalink
Am 25.11.18 um 13:09 schrieb Pedro Lino:
> Hi Matthias
>
>
>> > > This means that the program is getting version information from the server so some communication is passing through...
>>> > You did a reinstall without deleting the profile? Probably you updated
>> some dictionary before and AOO just finds them locally...
>>
> You are right. There goes the theory about some communication working :)
>
> The message (and action required) does not make sense then. If AOO finds a newer version locally then it should use the newer version or at least ask if you want to use the newer version... It doesn't make sense to download it again from the server if it is already installed.
No need to download it again as it is already in your profile. Just add
it by using "Add..."
>
> Another fix that requires developer time...

If you can find the time? ;-)

Regards,

   Matthias

>
> Regards,
> Pedro
>
Pedro Lino
2018-11-25 12:31:55 UTC
Permalink
> On November 25, 2018 at 12:13 PM Matthias Seidel < ***@hamburg.de mailto:***@hamburg.de > wrote:
>

> No need to download it again as it is already in your profile. Just add
> it by using "Add..."
>

That doesn't work unless you have the oxt file
There is also an error in detection of the local version (could be related to the failed communication)


>
> > > Another fix that requires developer time...
> >
> > > If you can find the time? ;-)
>

As I mentioned before I'm not a developer

Regards,
Pedro
Keith N. McKenna
2018-11-17 23:45:25 UTC
Permalink
<snip>
>
> $ soffice https://ooo-updates.apache.org/index.html
>
> (this fails on Ubuntu, succeeds on Fedora)
>
> Note that
>
> $ soffice https://www.google.com/
>
> will work in all cases (so this is not an HTTPS bug per se) and
>
> $ soffice http://ooo-updates.apache.org/index.html
>
> will work in all cases (so this not a network issue but rather an SSL
> issue).
>
> Now, debugging SSL issues is not easy, but can the people who don't get
> updates at least confirm the three results above, i.e., that only the
> first one fails?
I can confirm the behavior with AOO 4.1.6 on Windows 19
Keith

>
> Further tests show that problematic systems have issues with ASF sites
> in HTTPS, like:
> $ soffice https://www.apache.org/ # Fails
> $ soffice http://www.apache.org/  # Succeeds
> $ soffice https://www.openoffice.org/ # Fails
> $ soffice http://www.openoffice.org/  # Succeeds
> $ soffice https://... # Succeeds for any site I put there, except ASF
> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>
> If this is confirmed we are really close to a point where we could
> actually get useful information from Infra.
>
> Regards,
>   Andrea.
Branko Čibej
2018-11-18 00:00:53 UTC
Permalink
On 17.11.2018 18:32, Andrea Pescetti wrote:
> Dave Fisher wrote:
>> I’ve been on with Infra on HipChat and both servers are the same with
>> the same content internally,
>
> Yes, I don't see this as a major issue either. It is probably too
> early for Infra to jump in, since we haven't identified major
> network-related issues so far (yes, one of the two server does not
> respond to ping and traceroute, but I can get updates from it
> nevertheless). I mean, of course it doesn't harm but we need to shed
> more light, see below.
>
>> I’m being asked for IP addresses to share so that can see if there is
>> an IP ban happening.
>
> A ban is for sure not the case.
>
> Indeed, I have interesting news: I can reproduce the bug on an Ubuntu
> system. My best bet at the moment is that something in the SSL
> negotiation is wrong.
>
> A nice additional benefit is that this gives us a simple way to
> reproduce the bug, equivalent to the update notification.
>
> $ soffice https://ooo-updates.apache.org/index.html
>
> (this fails on Ubuntu, succeeds on Fedora)
>
> Note that
>
> $ soffice https://www.google.com/
>
> will work in all cases (so this is not an HTTPS bug per se) and
>
> $ soffice http://ooo-updates.apache.org/index.html
>
> will work in all cases (so this not a network issue but rather an SSL
> issue).
>
> Now, debugging SSL issues is not easy, but can the people who don't
> get updates at least confirm the three results above, i.e., that only
> the first one fails?
>
> Further tests show that problematic systems have issues with ASF sites
> in HTTPS, like:
> $ soffice https://www.apache.org/ # Fails
> $ soffice http://www.apache.org/  # Succeeds
> $ soffice https://www.openoffice.org/ # Fails
> $ soffice http://www.openoffice.org/  # Succeeds
> $ soffice https://... # Succeeds for any site I put there, except ASF
> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>
> If this is confirmed we are really close to a point where we could
> actually get useful information from Infra.


Note that all the sites that fail in your list have wildcard
certificates — CN=*.apache.org for the Apache sites and
CN=*.openoffice.org for the OO sites. This may be related to wildcard
cert support in OpenSSL/LibreSSL/GnuTLS/whateveryou'reusing on the
affected systems. Correlating this with the SSL library name and version
would be useful.

(I'm on macOS, so using Apple's crypto library which does support
wildcard certs).

For debugging, I suggest using cURL instead of OO, for example:

    curl -sviI https://www.openoffice.org/


-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-18 01:14:41 UTC
Permalink
> On November 18, 2018 at 12:00 AM Branko Čibej <***@apache.org> wrote:

> For debugging, I suggest using cURL instead of OO, for example:
>
>     curl -sviI https://www.openoffice.org/

The output is below

* Trying 95.216.24.32...
* Connected to www.openoffice.org (95.216.24.32) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.openoffice.org (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: OU=Domain Control Validated,OU=EssentialSSL Wildcard,CN=*.openoffice.org
* start date: Wed, 19 Jul 2017 00:00:00 GMT
* expire date: Sat, 18 Jul 2020 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
* compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD / HTTP/1.1
> Host: www.openoffice.org
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sun, 18 Nov 2018 01:11:37 GMT
Date: Sun, 18 Nov 2018 01:11:37 GMT
< Server: Apache/2.4.18 (Ubuntu)
Server: Apache/2.4.18 (Ubuntu)
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

<
* Connection #0 to host www.openoffice.org left intact

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-18 14:48:00 UTC
Permalink
Branko Čibej wrote:
> Note that all the sites that fail in your list have wildcard
> certificates — CN=*.apache.org for the Apache sites and
> CN=*.openoffice.org for the OO sites. This may be related to wildcard
> cert support

Interesting find, and I was hopeful this could be the solution. But if
try with fosdem.org (that has a wildcard certificate too) it works even
on the Ubuntu system (i.e., the one where I cannot get the updates):

$ soffice https://fosdem.org/2019/ # Works, HTTPS with wildcard

> in OpenSSL/LibreSSL/GnuTLS/whateveryou'reusing on the
> affected systems. Correlating this with the SSL library name and version
> would be useful.

But, as reported by Pedro in the first test,

$ curl https://ooo-updates.apache.org/index.html

works well, while

$ soffice https://ooo-updates.apache.org/index.html

so it's unclear to what extent system libraries are involved. I've
tried, with no success, to install more libraries

$ sudo apt-get install libssl1.0-dev

(see here for context:
https://github.com/wkhtmltopdf/wkhtmltopdf/issues/2938#issuecomment-334784936
)

but the Ubuntu system still refused to open the update URL.

> For debugging, I suggest using cURL instead of OO, for example:
>     curl -sviI https://www.openoffice.org/

Thanks, if the issue is with SSL this indeed helps in finding more
details. Still, curl will always work also on affected systems, so if it
is SSL-related it won't be enough to check whether the site uses a
wildcard SSL certificate... Maybe some more technical certificate details?

I'm now trying to check the OpenOffice code to see whether we can get
some more meaningful output instead of the empty details string we
currently print. For those interested, the error message is assembled in
main/uui/source/iahndl.cxx

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Pedro Lino
2018-11-18 15:13:48 UTC
Permalink
> On November 18, 2018 at 2:48 PM Andrea Pescetti <***@apache.org> wrote:

> > For debugging, I suggest using cURL instead of OO, for example:
> >     curl -sviI https://www.openoffice.org/
>
> Thanks, if the issue is with SSL this indeed helps in finding more
> details. Still, curl will always work also on affected systems, so if it
> is SSL-related it won't be enough to check whether the site uses a
> wildcard SSL certificate... Maybe some more technical certificate details?

I compared the output from the sites that do work

curl -sviI https://fosdem.org/2019/
curl -sviI https://www.google.com/

fosdem specifies
< Content-Type: text/html; charset=utf-8
google specifies
< Content-Type: text/html; charset=ISO-8859-1

However the AOO site does not specify any charset. Could that be the problem?

On funny note, the issuer of the Google certificate is
* issuer: C=US,O=Google Trust Services,CN=Google Internet Authority G3

Regards,
Pedro

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Andrea Pescetti
2018-11-18 16:19:13 UTC
Permalink
Pedro Lino wrote:
> However the AOO site does not specify any charset. Could that be the problem?

I don't think the charset is a major issue, but indeed (if I do the same
test with openssl) there is something interesting that can probably be
submitted to Infra for investigation.

On any system I've tried with (CentOS, Ubuntu, Fedora)

$ openssl s_client -state -nbio -connect ooo-updates.apache.org:443

will show (in a lengthy output that I don't have the time to debug now)
that it is using this certificate:

0 s:/OU=Domain Control Validated/OU=EssentialSSL
Wildcard/CN=*.openoffice.org

Note that I requested apache.org and I get a certificate valid for
*.openoffice.org. The same holds if I use just apache.org or openoffice.org

This mismatch itself doesn't explain much since the connection still
works, but it probably gives a hint for asking Infra why this happens.

The output I get is very different depending on the system I use (I get
dozens of errors on some systems, a cleaner output in Ubuntu) but in all
cases openssl manages to connect in the end.

Regards,
Andrea.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Branko Čibej
2018-11-18 17:41:10 UTC
Permalink
On 18.11.2018 17:19, Andrea Pescetti wrote:
> Pedro Lino wrote:
>> However the AOO site does not specify any charset. Could that be the
>> problem?
>
> I don't think the charset is a major issue, but indeed (if I do the
> same test with openssl) there is something interesting that can
> probably be submitted to Infra for investigation.
>
> On any system I've tried with (CentOS, Ubuntu, Fedora)
>
> $ openssl s_client -state -nbio -connect ooo-updates.apache.org:443
>
> will show (in a lengthy output that I don't have the time to debug
> now) that it is using this certificate:
>
> 0 s:/OU=Domain Control Validated/OU=EssentialSSL
> Wildcard/CN=*.openoffice.org
>
> Note that I requested apache.org and I get a certificate valid for
> *.openoffice.org.

The subject alternative names (which are the real identities that should
match, not the common name) are '*.openoffice.org' and 'openoffice.org'.

And you're right ... the certificate is wrong ... but making the same
request with cURL will give the right certificate. Most likely that's
because s_client doesn't send the Server Name Indication that would let
HTTPd select the correct virtual host, so it'll select the "first" one.


> The same holds if I use just apache.org or openoffice.org

And this tends to prove the above assumption.

> This mismatch itself doesn't explain much since the connection still
> works, but it probably gives a hint for asking Infra why this happens.
>
> The output I get is very different depending on the system I use (I
> get dozens of errors on some systems, a cleaner output in Ubuntu) but
> in all cases openssl manages to connect in the end.

I think it's best to gather all the info in this thread and create an
Infra ticket.

-- Brane
Branko Čibej
2018-11-18 17:45:05 UTC
Permalink
On 18.11.2018 18:41, Branko Čibej wrote:
> On 18.11.2018 17:19, Andrea Pescetti wrote:
>> Pedro Lino wrote:
>>> However the AOO site does not specify any charset. Could that be the
>>> problem?
>> I don't think the charset is a major issue, but indeed (if I do the
>> same test with openssl) there is something interesting that can
>> probably be submitted to Infra for investigation.
>>
>> On any system I've tried with (CentOS, Ubuntu, Fedora)
>>
>> $ openssl s_client -state -nbio -connect ooo-updates.apache.org:443
>>
>> will show (in a lengthy output that I don't have the time to debug
>> now) that it is using this certificate:
>>
>> 0 s:/OU=Domain Control Validated/OU=EssentialSSL
>> Wildcard/CN=*.openoffice.org
>>
>> Note that I requested apache.org and I get a certificate valid for
>> *.openoffice.org.
> The subject alternative names (which are the real identities that should
> match, not the common name) are '*.openoffice.org' and 'openoffice.org'.
>
> And you're right ... the certificate is wrong ... but making the same
> request with cURL will give the right certificate. Most likely that's
> because s_client doesn't send the Server Name Indication that would let
> HTTPd select the correct virtual host, so it'll select the "first" one.
>
>
>> The same holds if I use just apache.org or openoffice.org
> And this tends to prove the above assumption.

And so does this:

$ openssl s_client -state -nbio -servername ooo-updates.apache.org
-connect ooo-updates.apache.org:443

Note the additional -servename option.

-- Brane


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Kay Schenk
2018-11-15 23:15:47 UTC
Permalink
On 11/14/2018 09:29 PM, Don Lewis wrote:
> On 15 Nov, Matthias Seidel wrote:
>> Hi Kay,
>>
>> Am 15.11.18 um 00:48 schrieb Kay Schenk:
>>> Two things --
>>> * I see localization was set up for Kabyle. So is this a new language
>>> addition?
>>
>> No, only locale data were added internally.
>>
>>> * some discussion and commits about Java 8,
>>> see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
>>> Changes were committed to the 4.1.6 branch near as I can tell.
>>> So...does AOO require Java 8 now or can Java 7 still be used?
>>
>> Changes for Java 8 were revoked, but that did only affect the building
>> process.
>>
>> Java 8 as well as Java 7 can still be used like before.
>
> Yes, but at least on Windows, if you build with Java 8, the resulting
> binaries will not recognize Java 7. This is only true for 4.1.x and
> does not affect trunk for some reason even though the code is
> essentially identical. I haven't had a time to dig into this problem.

OK. What is our (soon to be ) distributed 4.1.6 built with then? This is
important for the System Requirements page.

https://www.openoffice.org/dev_docs/source/sys_reqs_aoo41.html

I'm assuming at this point the Java info at the bottom should be a
minimum of Java 7? Unless this has really been tested with Jave 1.5 (Java 5)

>
> The fix in this bug report is to allow ODK to be built with Java 8.
> Since the fix was revoked, if you want to build ODK, then you must build
> with Java 7.
>
>
>



--
------------------------------------------
MzK

"Less is MORE."

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-***@openoffice.apache.org
For additional commands, e-mail: dev-***@openoffice.apache.org
Jim Jagielski
2018-11-19 13:28:20 UTC
Permalink
For Linux, Java7, for macOS, Java6

> On Nov 15, 2018, at 6:15 PM, Kay Schenk <***@gmail.com> wrote:
>
> On 11/14/2018 09:29 PM, Don Lewis wrote:
>> On 15 Nov, Matthias Seidel wrote:
>>> Hi Kay,
>>>
>>> Am 15.11.18 um 00:48 schrieb Kay Schenk:
>>>> Two things --
>>>> * I see localization was set up for Kabyle. So is this a new language
>>>> addition?
>>>
>>> No, only locale data were added internally.
>>>
>>>> * some discussion and commits about Java 8,
>>>> see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
>>>> Changes were committed to the 4.1.6 branch near as I can tell.
>>>> So...does AOO require Java 8 now or can Java 7 still be used?
>>>
>>> Changes for Java 8 were revoked, but that did only affect the building
>>> process.
>>>
>>> Java 8 as well as Java 7 can still be used like before.
>> Yes, but at least on Windows, if you build with Java 8, the resulting
>> binaries will not recognize Java 7. This is only true for 4.1.x and
>> does not affect trunk for some reason even though the code is
>> essentially identical. I haven't had a time to dig into this problem.
>
> OK. What is our (soon to be ) distributed 4.1.6 built with then? This is important for the System Requirements page.
>
> https://www.openoffice.org/dev_docs/source/sys_reqs_aoo41.html <https://www.openoffice.org/dev_docs/source/sys_reqs_aoo41.html>
>
> I'm assuming at this point the Java info at the bottom should be a minimum of Java 7? Unless this has really been tested with Jave 1.5 (Java 5)
>
>> The fix in this bug report is to allow ODK to be built with Java 8.
>> Since the fix was revoked, if you want to build ODK, then you must build
>> with Java 7.
>
>
>
> --
> ------------------------------------------
> MzK
>
> "Less is MORE."
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-***@openoffice.apache.org <mailto:dev-***@openoffice.apache.org>
> For additional commands, e-mail: dev-***@openoffice.apache.org <mailto:dev-***@openoffice.apache.org>
Keith N. McKenna
2018-11-15 02:36:14 UTC
Permalink
On 11/14/2018 6:48 PM, Kay Schenk wrote:
> Two things --
> * I see localization was set up for Kabyle. So is this a new language
> addition?
>
> * some discussion and commits about Java 8,
> see: https://bz.apache.org/ooo/show_bug.cgi?id=127876
> Changes were committed to the 4.1.6 branch near as I can tell.
> So...does AOO require Java 8 now or can Java 7 still be used?
>
> I may have more questions coming in the next day or so, but hopefully not
> many. I will make every attempt to get this ready by Fri afternoon, PST.
>
Kay

I already removed the Kabyle entry from the Release Notes.
As far as the Java 8 Issue. I believe the RC-1 builds were built with
Java 7 so that either Java 7 or Java 8 will be recognized.
Loading...