#1
Using SSL HTTPS Proxy
Hi,
I am trying to use an HTTPS proxy from NordVPN in JD but JD constantly gives proxy errors. I set up the proxy as shown in the picture. I first thought the proxy might be bad but the same proxy works fine when set up in Google Chrome (through "Proxy Helper" extension). The proxy is a secure HTTPS proxy accepting SSL connections on port 89. It supports only TLS 1.2 according to openssl:
Code:
vbs@ubuntu:~$ openssl s_client ch250.nordvpn.com:89
CONNECTED(00000005)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.nordvpn.com
verify return:1
---
Certificate chain
 0 s:CN = *.nordvpn.com
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=CN = *.nordvpn.com
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3379 bytes and written 445 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 0ADAEB74786F05AAF48AC9B751719AC3B245C5D6CEDC44E7CB9C1AE237B29515
    Session-ID-ctx:
    Master-Key: 7F1F329029EBCB5B269993FB84D575EA1ACACAB6087A2AB4B91AA3144A636B0D3E00E9D110D1D256D174B230E6678D32
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    [...]
    Start Time: 1598002070
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

Thank you.
#2
Hi,
Please post your log-ID here. Also another forum user had reported similar problems HERE but we were not yet able to find the cause - a JD bug is unlikely in this case!
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#3
Ok, thank you, I will provide logs.
So HTTPS SSL proxies are generally supported in JD? Several programs do not support this. I think the thread you linked is not related to this as it is about VPN connections but this issue here is solely about proxy connections (without VPN).
#4
Supported proxy types in JD: HTTP, HTTPS, socks4, socks4a, socks5
__________________
Join 9kw.eu Captcha Service now and let your JD continue downloads while you sleep.
#5
Sorry for asking, but what does JD mean exactly by the term "HTTPS proxy"? A regular HTTP proxy that supports the CONNECT method? Or really a proxy you can communicate with through SSL protocol? I think the term "HTTPS proxy" alone is a bit ambiguous as I have learned. I want to use a real HTTPS SSL proxy.
#6
HTTPS is always "Hypertext Transfer Protocol Secure".
__________________
Join 9kw.eu Captcha Service now and let your JD continue downloads while you sleep.
#7
I created a debug log with this ID:
26.08.20 22.40.17 <--> 26.08.20 22.41.38 jdlog://5812225302851/
#8
@vbs
Your log contains a lot of these errors:
Code:
org.appwork.utils.net.httpconnection.ProxyConnectException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Settings --> Advanced Settings --> prefer bouncy castle for TLS --> Restart JD --> Try again
If it doesn't help, install a current Java version on your OS and try with that - currently you're using the one that comes with JD.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#9
Enabling Bouncy Castle made it work instantly, thanks a lot Sir! :w00t:
#10
Well, sorry, me again, it stopped working after 1 day with apparently the same error (which is a bit strange, no?).
I already updated Java to 1.8.0_261 (and tried with BouncyCastle on/off) but it didn't help.
This is a log when it was working with BouncyCastle two days ago:
26.08.20 22.51.58 <--> 26.08.20 23.25.54 jdlog://9742225302851/
Here is a log from just now when it does not work anymore with BouncyCastle:
28.08.20 13.24.20 <--> 28.08.20 13.24.51 jdlog://1842225302851/
Any ideas?
#11
Oh I forgot to mention that the proxy is still working without problems in Chrome.
#12
Hmm:
Code:
Caused by: org.appwork.utils.net.httpconnection.ProxyConnectException: org.bouncycastle.tls.TlsFatalAlertReceived: handshake_failure(40)

I suggest installing a current version of Java on your OS and trying again with and without bouncycastle then.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#13
Quote:
I already tried with a current JRE with and without BouncyCastle :(
#14
Not sure if it helps but these are the supported ciphers:
Code:
vbs@ubuntu:~$ nmap --script ssl-enum-ciphers -p 89 ch250.nordvpn.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-08-28 17:43 CEST
Nmap scan report for ch250.nordvpn.com (217.138.203.195)
Host is up (0.023s latency).

PORT   STATE SERVICE
89/tcp open  su-mit-tg
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 9.69 seconds
#15
I think I figured out what the reason is.
I could reproduce the problem using this test code inside "appwork.utils" project:
Code:
public static void main(String[] args) throws NoSuchAlgorithmException {
    HTTPConnectionFactory f = new HTTPConnectionFactory();
    try {
        HTTPProxy p = new HTTPProxy(TYPE.HTTPS, "ch250.nordvpn.com", 89);
        HTTPConnection conn = f.createHTTPConnection(new URL("https://www.google.com"), p);
        try {
            conn.connect();
        } catch (IOException e) {
            e.printStackTrace();
        }
    } catch (MalformedURLException e) {
        e.printStackTrace();
    }
}

Code:
protected void initCipherSuitesLists() {
    // still so many servers with 'server-preferred order'
    disabledCipherSuites.add("AES_128_GCM");
    disabledCipherSuites.add("GCM");
    switch (CrossSystem.getARCHFamily()) {
    case X86:
        // **External links are only visible to Support Staff**
        // **External links are only visible to Support Staff**
        // **External links are only visible to Support Staff**
        if (JVMVersion.isMinimum(JVMVersion.JAVA_11)) {
            // Java>=11, fixed known issues and we assume cpu aes-ni support
            preferredCipherSuites.add("GCM");
        } else {
            // Java<=11, avoid due to known issues
            avoidedCipherSuites.add("AES_128_GCM");
            avoidedCipherSuites.add("GCM");
        }
        break;
    case ARM:
        if (CrossSystem.is64BitArch() && Application.is64BitJvm() && JVMVersion.isMinimum(JVMVersion.JAVA_11)) {
            // Java>=11, fixed known issues and we assume 64bit java on armv8 cpu with hardware support
            preferredCipherSuites.add("GCM");
        } else {
            avoidedCipherSuites.add("AES_128_GCM");
            avoidedCipherSuites.add("GCM");
            preferredCipherSuites.add("CHACHA20");
        }
        break;
    default:
        break;
    }
}

Code:
disabledCipherSuites.add("GCM");

Code:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A

So could GCM maybe be supported in JD? Or maybe give the users an option to modify the cipher suites themselves or just an option to enable GCM specifically?
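The mismatch described in the post above, as an added example (not code from the thread or from the appwork.utils project): it filters the local JVM's cipher suites by the two disabled names and intersects the result with the four suites the proxy offers in the nmap output. The class and method names are hypothetical, and substring matching on the suite name is an assumption about how the disabled list is applied.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherOverlapCheck {
    // Suites the proxy accepts, copied from the nmap ssl-enum-ciphers output in the thread.
    static final List<String> SERVER_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");

    // Assumption: a suite is dropped when its name contains any disabled substring.
    static List<String> filter(String[] suites, List<String> disabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : suites) {
            boolean blocked = false;
            for (String d : disabled) {
                if (suite.contains(d)) {
                    blocked = true;
                    break;
                }
            }
            if (!blocked) {
                kept.add(suite);
            }
        }
        return kept;
    }

    // Suites both sides could agree on, in server order. An empty list means the
    // server has nothing to select and answers the ClientHello with handshake_failure.
    static List<String> overlap(List<String> client, List<String> server) {
        List<String> common = new ArrayList<>(server);
        common.retainAll(client);
        return common;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Everything this JVM's default TLS provider can negotiate.
        String[] jvm = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> unfiltered = filter(jvm, new ArrayList<String>());
        List<String> gcmDisabled = filter(jvm, Arrays.asList("AES_128_GCM", "GCM"));
        System.out.println("JVM suites: " + jvm.length + ", left after GCM filter: " + gcmDisabled.size());
        System.out.println("overlap without filter:    " + overlap(unfiltered, SERVER_SUITES));
        System.out.println("overlap with GCM disabled: " + overlap(gcmDisabled, SERVER_SUITES));
    }
}
```

Because every suite the proxy accepts contains "GCM", the second overlap is empty on any JVM, while the first lists whichever of the four suites the local Java version supports.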
#16
@VBS
Thanks for your time. Actually Jiaz did already figure out the issue last Friday but I was not online anymore. Indeed you are right - I had mis-interpreted your log and your issue was indeed caused by a JD bug. Please wait for the next CORE-update and disable bouncycastle again. Thanks for your patience and sorry for wasting your time!
Are you waiting for recently announced changes to get released? Updates do not necessarily get released immediately! Please read our Update FAQ!
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#17
Quote:
https://support.jdownloader.org/Know...ng-downloading ... but in this case, the workaround has failed and led to the issue you were having.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#18
Ok, no problem, was interesting anyway! Thanks for the upcoming fix!
#19
Thanks for also looking into that so deep
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#20
GCM ciphers were disabled for memory because they caused very high cpu loads, especially in the older versions of Java. Also problematic with some of the lower cpu devices which people run JD on NAS and/or ARM devices. A quick look at the old code it kinda reflects that with comments and the if statements. I haven't looked at the changes Jiaz has made, but I guess we will continue this saga.
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170
Don't fight the system, use it to your advantage. :]
Last edited by raztoki; 19.12.2020 at 23:51.
#21
Quote:
https://support.jdownloader.org/Know...ng-downloading His changes are not yet online. He told me he plans to release it some time this week - along with a fix for the "unlimited proxy timeout" bug.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
Last edited by raztoki; 01.09.2020 at 14:26. Reason: fox to fix
#22
I know you don't give ETAs or something but is there maybe a ticket or something for this issue to track?
#23
Hi again,
this update is scheduled for this week but as said, usually we don't publish ANY ETAs ...
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#24
Ok sure, I understand, no hurry. I just don't want to miss it. Best for me is to track SVN log there I guess?
svn://svn.appwork.org/utils
#25
Quote:
Once the following ticket is closed, all you have to do is to wait for the update to get released:
Apart from that, sure you can grab our code directly from SVN.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#26
Ok thanks, I compiled the classes in question and directly replaced them in the existing Jdownloader.jar and it actually worked and I can use the HTTPS proxy in question with it.
So thank you and I am still looking forward to the official fix. But indeed it was hogging my full CPU (i5) capping download speed at about 20 MB/s. After updating Java to the latest x64 version I get full speed now while using like 12% CPU.
#27
Thanks for your feedback.
-psp-
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#28
No hurry, but having this fixed would still be awesome, thanks
#29
@vbs2: I'm near releasing my changes
__________________
JD-Dev & Server-Admin
#30
__________________
Join 9kw.eu Captcha Service now and let your JD continue downloads while you sleep.
#31
@thecoder2012: as a pre-christmas present
__________________
JD-Dev & Server-Admin
#32
as long as it's not an Easter egg
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170
Don't fight the system, use it to your advantage. :]
#33
@raztoki: easter egg 2022 :p
__________________
JD-Dev & Server-Admin
#34
Then please release it without telling anyone and wait if they notice
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#35
A year in my life? (e.g. 2020, 2021, 2022 or as Christmas fun in the past like perl6)
Useless because workarounds are available.
__________________
Join 9kw.eu Captcha Service now and let your JD continue downloads while you sleep.
Last edited by thecoder2012; 14.12.2020 at 02:17.
#36
Why do we need a real solution then?
__________________
JD Supporter, Plugin Dev. & Community Manager
First Steps & Tutorials || JDownloader 2 Setup Download
#37
Faster and easier than workarounds.
__________________
Join 9kw.eu Captcha Service now and let your JD continue downloads while you sleep.
#38
I would appreciate to be able to use HTTPS proxies soon.
In between it is very hard to find any HTTP or SOCKS5 proxies and NordVPN.
#39
bouncycastle TLS works for nordvpn https proxy on port 89/90, you can also use stunnel to handle the TLS as a workaround
#40
Hi Jiaz,
thanks for the Christmas present :-D
For all who want to use the HTTPS proxies from NordVPN: You need to use port 89 instead of 443 in order to connect JDownloader to the server.