UAMALLOWED and HTTPS (to select.worldpay.com)

Derek C derekchilli at hssl.ie
Wed Apr 29 21:07:39 UTC 2009


Hi Henk,

It's a more general problem - Here I've got a test AP setup and another
setup about 100KM away (the, to-be, live unit - both units are WRAP boards
with Ubiquiti XR2 radio cards, Kamikaze 8.09 release and Coova Chilli
1.0.13).

The remote system is on a completely different broadband supply too.

Here I only have an Ubuntu notebook and [the Wife's] Macbook and the
Macbook worked fine (that is very weird...).

I set up the live unit in the same way and someone tested there today with
an XP notebook and... exactly the same problem as my Ubuntu notebook (I
was hoping it was an Ubuntu-only problem so I said nothing until they came
back to me with the problem).

I suppose this does mean that this problem can (does?) happen with Coova
Chilli and other SSL websites?  Why even SSL, I wonder?  But could it be
some sort of extra security that, one could easily imagine, Worldpay use
to curtail everything from DoS attacks to money stealing attempts?

Needless to say I'll do any more testing that anyone can think of :)

Derek


On Wed, April 29, 2009 9:30 pm, Henk Kleynhans wrote:
> Sometimes a random problem requires a random solution ;-)
>
>
> You said earlier that you are only having this problem with Ubuntu Hardy
> Heron, but not with Mac OS X.
>
>
> Have you tested with other computers?  (I imagine for some reason you
> mentioned XP somewhere, but now can't find it in the thread).
>
> Can you definitely rule out that it's not a problem specific to your
> Ubuntu
> setup?
>
> henk
>
>
> On Wed, Apr 29, 2009 at 8:43 PM, Derek C <derekchilli at hssl.ie> wrote:
>
>
>> I should have said:  I'm only redirecting traffic that is destined for
>> the Worldpay SSL server.
>>
>>
>> I use this rule: -
>>
>>
>> iptables -t nat -I PREROUTING -p tcp -d select.worldpay.com --dport 443 -j DNAT --to-destination MY-SERVER-IP:443
>>
>>
>> That server is using socat to listen on 443 and proxy traffic from the
>> Worldpay SSL server.  I use this socat command:
>>
>>
>> socat TCP4-LISTEN:443,bind=MY-SERVER-IP,fork TCP4:select.worldpay.com:443
>>
>>
>> But I'm pretty sure that if Worldpay change their IP this setup will be
>>  dead until restarted.
>>
>> Derek
>>
>>
>>
>>
>>
>> On Wed, April 29, 2009 7:22 pm, Derek C wrote:
>>
>>>
>>
>>> On Wed, April 29, 2009 5:58 pm, Johan Meiring wrote:
>>>
>>>
>>>> The only other thing I can think of is MTU issues.
>>>> Try issuing the following on your hotspot, and see if it helps.
>>>> iptables -I FORWARD -t mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>> (the above command is one line)
>>>>
>>>>
>>>
>>> Hi Johan,
>>>
>>>
>>>
>>> This didn't work either.
>>>
>>>
>>>
>>> I have a work-around to my problems (which is great) - but it's
>>> horrible! On the Coova Chilli AP I'm redirecting traffic with a DNAT
>>> iptables rule to a server I have in a data centre.  In that server I'm
>>> proxying the traffic with socat - and it's working so I have the
>>> payment gateway up & running.  But it's horrible because if Worldpay
>>> change their IP....
>>>
>>> Derek
>>>
>>>
>>>
>>>
>>> --
>>> Derek C
>>> In Ireland
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>>  To unsubscribe, e-mail: chilli-unsubscribe at coova.org
>>> For additional commands, e-mail: chilli-help at coova.org
>>> Wiki: http://coova.org/wiki/index.php/CoovaChilli
>>> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Derek C
>> In Ireland
>>
>
>
> --
> Henk Kleynhans
> CTO & Founder
> Skyrove (Pty) Ltd
> Technology Top 100 - Most Promising Emerging Enterprise 2006
> Tel: +27 (21) 4488843
> Cell: +27 (84) 3073451
> Fax: +27 (86) 6204077
> henk at skyrove.com blog: www.geekrebel.com
>
>
> ------
>
>
> "A person with ubuntu is open and available to others, affirming of
> others, does not feel threatened that others are able and good, for he or
> she has a proper self-assurance that comes from knowing that he or she
> belongs in a greater whole and is diminished when others are humiliated or
> diminished, when others are tortured or oppressed." - Desmond Tutu
>


-- 
Derek C
In Ireland
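
The fragility described in the quoted messages (the DNAT rule going stale if Worldpay change their IP) comes from iptables resolving `-d select.worldpay.com` once, when the rule is inserted. The following is an added example, not code from this thread or from CoovaChilli: a refresh script that rebuilds a dedicated NAT chain when the resolved addresses change. The chain name, state file path, function names and the use of `getent` are assumptions; `MY-SERVER-IP` is the placeholder used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. HOST and PROXY mirror the thread's rule;
# CHAIN, STATE and all function names are hypothetical.
# One-time setup (run once, by hand):
#   iptables -t nat -N WORLDPAY_DNAT
#   iptables -t nat -I PREROUTING -j WORLDPAY_DNAT
HOST="select.worldpay.com"
PROXY="MY-SERVER-IP:443"          # placeholder, as in the thread
CHAIN="WORLDPAY_DNAT"
STATE="/tmp/worldpay_dnat.ips"

# Current IPv4 addresses for a name (assumes getent; swap in nslookup on busybox).
resolve_ips() { getent ahostsv4 "$1" | awk '{print $1}'; }

# Keep only dotted-quad lines from stdin, sorted and de-duplicated, so that
# nothing else from a resolver's output can reach the generated commands.
valid_ips() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u; }

# Turn the IP list on stdin into commands that rebuild the dedicated chain.
build_rules() {
    echo "iptables -t nat -F $CHAIN"
    while read -r ip; do
        echo "iptables -t nat -A $CHAIN -p tcp -d $ip --dport 443 -j DNAT --to-destination $PROXY"
    done
}

# True only when the new list is non-empty and differs from the old one;
# a failed lookup (empty list) must never flush working rules.
needs_refresh() { [ -n "$2" ] && [ "$1" != "$2" ]; }

refresh() {
    new=$(resolve_ips "$HOST" | valid_ips)
    old=$(cat "$STATE" 2>/dev/null || true)
    if needs_refresh "$old" "$new"; then
        printf '%s\n' "$new" | build_rules | sh -e && printf '%s\n' "$new" > "$STATE"
    fi
}

# Only touch the firewall when asked to, e.g. from cron: refresh-dnat.sh --apply
if [ "${1:-}" = "--apply" ]; then refresh; fi
```

Because socat relays at the TCP layer, the client's TLS session still terminates at Worldpay, so certificate validation in the browser is unaffected by the redirect.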



