Firefox SSL Filtering Failing At Random

Discussion in 'Quality Control' started by Boo Berry, Dec 3, 2013.

  1. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    3,145
    Okay, this is something I've noticed since 5.7 and I might have mentioned it a few times. But for the life of me I can't find a way to reproduce it consistently and on demand. I've noticed when I'm using the latest Firefox build (stable channel or Nightly), at random HTTPS filtration will completely stop working, regardless of WFP or TDI driver. Sometimes it'll happen when trying to load up multiple tabs (I'm guessing multiple resource-heavy HTTPS links might do it) at the same time. But again, I can't reproduce it on demand and nothing ever appears in the debug logs. When the filtering fails, I end up having to kill and restart Adguard's service and main process to fix it. Still, it's something worth mentioning and something for any of you guys to look out for!

    Thanks!
     
  2. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    12,866
    Do you have SSL-filtration enabled in ESET?

    Does it also break HTTP-filtration or HTTPS only?
     
  3. Boo Berry

    SSL Protocol checking is disabled in ESET. It just seems to break HTTPS filtration but websites load fine. I'll uninstall ESET and see if it still happens (or I'll switch to Kaspersky or Bitdefender).
     
  4. avatar

    One more question: is Adguard service restart really necessary? Does restarting protection from UI fix the problem?
     
  5. Boo Berry

    Will try that and report back! :)
     
  6. Boo Berry

    An update, it does seem to be ESET related. So, again, I've dumped it for Bitdefender - will test and see if it happens there too. :)
     
  7. Boo Berry

    Scratch that, just happened. And no, disabling and re-enabling isn't enough - I have to restart Adguard + the service or else HTTPS filtration fails completely for ALL browsers, not just Firefox.

    EDIT: Saw this error in the log when running debug mode...

    Code:
    ERROR, Adguard, 1, 09.12.2013 14:25:29.436, Connect fault: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://127.0.0.1/Adguard/Communication that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
    Source: mscorlib
    Stack trace: 
    Server stack trace: 
       at System.ServiceModel.Channels.PipeConnectionInitiator.GetPipeName(Uri uri, IPipeTransportFactorySettings transportFactorySettings)
       at System.ServiceModel.Channels.NamedPipeConnectionPoolRegistry.NamedPipeConnectionPool.GetPoolKey(EndpointAddress address, Uri via)
       at System.ServiceModel.Channels.CommunicationPool`2.TakeConnection(EndpointAddress address, Uri via, TimeSpan timeout, TKey& key)
       at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
       at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    
    Exception rethrown at [0]: 
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Adguard.Domain.Contracts.ICommunicationService.GetServiceStatus()
       at Adguard.UI.Controllers.ServiceController.Bkkn0V9FN0Of7gjWVgh(Object )
       at Adguard.UI.Controllers.ServiceController.AwvXpoKYm9(Object )
       at Adguard.Commons.ServiceClient`1.Call(UseServiceDelegate codeBlock)
       at Adguard.UI.Controllers.ServiceController.EEjX0Y5PRE()
    
        System.IO.PipeException: The pipe endpoint 'net.pipe://127.0.0.1/Adguard/Communication' could not be found on your local machine. 
        Stack trace:

    EDIT 2: An unrelated warning too! :p

    Code:
    WARNING, Adguard, 1, 09.12.2013 14:33:27.183, Error writing to file C:\ProgramData\Adguard\locale.dat: System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\Adguard\locale.dat' is denied.
    Source: mscorlib
    Stack trace:    at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
       at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
       at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
       at System.IO.File.InternalWriteAllText(String path, String contents, Encoding encoding, Boolean checkHost)
       at System.IO.File.WriteAllText(String path, String contents)
       at Adguard.Commons.Files.FileUtils.WriteQuetly(String path, String text)

    I'll keep running Firefox through the paces and see if I can find a determinable pattern and/or a way to reproduce it.
     
    Last edited by a moderator: Dec 9, 2013
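
    Added example (not part of the original thread and not Adguard's own code): a small parser for the debug-log format quoted in the post above. It groups each header line with its stack-trace lines and flags records where the call to the service's named-pipe endpoint failed. The header layout is inferred from the two excerpts; the label names and the abridged sample are assumptions made for illustration.

```python
import re
from datetime import datetime

# Header layout inferred from the excerpts: LEVEL, Adguard, <n>, dd.MM.yyyy HH:mm:ss.fff, message
HEADER = re.compile(r"^\s*([A-Z]+), (\w+), (\d+), "
                    r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}), (.*)$")
EXC = re.compile(r"\b(System(?:\.\w+)+Exception)\b")
PIPE = re.compile(r"net\.pipe://[^\s']+")

# Sample input: the two records from the post, abridged to a few lines each.
SAMPLE = r"""ERROR, Adguard, 1, 09.12.2013 14:25:29.436, Connect fault: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.pipe://127.0.0.1/Adguard/Communication that could accept the message.
Source: mscorlib
   at Adguard.Domain.Contracts.ICommunicationService.GetServiceStatus()
WARNING, Adguard, 1, 09.12.2013 14:33:27.183, Error writing to file C:\ProgramData\Adguard\locale.dat: System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\Adguard\locale.dat' is denied.
Source: mscorlib
"""

def parse_records(text):
    """Group each header line with the continuation (stack trace) lines after it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({
                "level": m.group(1),
                "time": datetime.strptime(m.group(4), "%d.%m.%Y %H:%M:%S.%f"),
                "body": [m.group(5)],
            })
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def classify(record):
    """Return (label, endpoint); labels are hypothetical names chosen for this example."""
    text = "\n".join(record["body"])
    found = EXC.search(text)
    exc = found.group(1) if found else None
    pipe = PIPE.search(text)
    if exc == "System.ServiceModel.EndpointNotFoundException" and pipe:
        return "service-unreachable", pipe.group(0)
    if exc == "System.UnauthorizedAccessException":
        return "access-denied", None
    return "other", None

def service_faults(text):
    """Timestamps and endpoints of records where the service pipe was not listening."""
    hits = [(r["time"], classify(r)) for r in parse_records(text)]
    return [(t, ep) for t, (label, ep) in hits if label == "service-unreachable"]
```

    Running `service_faults` over a full debug log gives the times at which the pipe endpoint was missing, which can then be lined up against the moments HTTPS filtering stopped.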
  8. Accel

    Accel Beta Tester

    Joined:
    Oct 8, 2012
    Messages:
    234
    Could you try using Pale Moon? Sometimes Firefox has a regression because of their faster release cycle, which produces some bugs.
     
  9. Boo Berry

    I don't believe it's related to the browser itself per se because once HTTPS filtering fails, it fails for all other browsers.
     
  10. Accel

    Yes, I know, but I used Pale Moon very heavily (think about 1000 sites a day, both HTTP and HTTPS), because I work for a promotion company, and still didn't have any failures in Pale Moon. Do you have sites that I can test?

    It might be a bug in Firefox which triggers Adguard to do such a thing (just a guess).
     
  11. Boo Berry

    Like I said, I can't reproduce it (as of yet) - it's completely random. But it seems to happen when I'm loading tons of tabs at the same time. Perhaps loading a ton of HTTPS sites at the same time (40+) will trigger it, not sure yet. But I know filtering fails when the assistant isn't showing up and HTTPS filter doesn't work at all in any browser. Using Pale Moon probably won't make much difference - in my personal experience with Pale Moon I found it to be pointless to use (along with Waterfox/Cyberfox and all other variants) but I'll give it a try to see if I can make the HTTPS filtering fail. Right now I'm using vanilla Firefox, Nightly, Chrome, Chromium and Internet Explorer. The common denominator between all the browsers I run is LastPass, which might need checked for compatibility with Adguard at some point. :p

    I suspect the issue can be triggered in other browsers besides Firefox/Nightly, I'm going to try doing it in Chrome and Internet Explorer - I've had all filtering fail (HTTP and HTTPS) in IE too when loading tons of tabs at the same time in the past. But as I said, I'll give Pale Moon a shot, just in case.

    EDIT: Thinking about it, I'm thinking it might be related to LastPass and its auto login feature. See, most of the sites I visit have login information and I set LastPass to automatically log me into those sites. However sometimes the pages don't fully load before LastPass logs me into a site, so perhaps it interrupts the page loading causing HTTPS filtering in Adguard to break. Try getting LastPass and signing up for a free account, then pick HTTPS sites you visit that have login information, then set LastPass (for each site) to automatically log in. Clear your cookies in Firefox then open multiple HTTP + HTTPS websites at the same time (sites with login information) - perhaps filtering will fail? I'm going to try it and see what happens.

    The only other thing I can think of is, for Firefox/Nightly/Pale Moon, I manually import the Adguard certificate because when toggling the browser in settings, the certificate isn't always added so I do it manually. Could that have something to do with it? Finally, the last thing I do is set all browsers to cache on a different dedicated HDD as I don't want browsers trashing my SSD with cache writes. :p
     
    Last edited by a moderator: Dec 11, 2013
  12. avatar

    Too random:(

    I am using LastPass too but didn't see anything like that.

    If this issue is reproduced in Firefox-based browsers only then the cause is Firefox's own certificate storage.
    Other browsers use Windows cert storage, only Firefox built its own bicycle.
     
  13. Boo Berry

    I'll keep my eyes open. I *think* it's possible to get it to fail in other browsers (my bet would be IE), so I'll keep doing random things to try to reproduce it. In the meantime, I've moved to Kaspersky Internet Security 2014 (which has its own bug causing web browsing to be slowed to a crawl).
     
  14. avatar

    We've had an issue with KIS (slow DNS resolving). But I thought we were done with it. Is this bug connected with us?
     
  15. Boo Berry

    No, it's them - they're supposed to be fixing it.
     
  16. Boo Berry

    Kaspersky Internet Security 2014 probably should be tested, to be on the safe side. I am randomly seeing random ssl_error_bad_mac_read error messages when loading HTTPS pages in Firefox and blank tabs where pages don't load in Chrome. Kinda like the issues with ESET Smart Security but it *may* be Kaspersky itself doing it. I'll need to test when patch D is released on the 18th.

    What I basically do to reproduce it is, I load up https://news.google.com/ in Firefox and leave the page/browser open for a while. The page updates itself... or at least it should update itself, however it eventually gives the ssl_error_bad_mac_read error.
     
    Last edited by a moderator: Dec 17, 2013
  17. avatar

    Great, thank you! We will test it.
     
  18. Boo Berry

    Patch D for Kaspersky IS 2014 is out with fixes for the slow browsing and whatnot (have to do a clean install for the fixes to work apparently). I'll be testing to see if any issues/incompatibilities exist with Adguard. My main purpose is to test to see if the ssl_error_bad_mac_read Firefox error and Chrome blank pages go away.
     
  19. Boo Berry

    ssl_error_bad_mac_read and ssl_error_rx_record_too_long errors in Firefox and blank pages in Chrome still exist when visiting https://news.google.com, so chances are it's an incompatibility with Kaspersky. Try adding the page as your homepage, it seems to happen to me a lot like that.
     
    Last edited by a moderator: Dec 19, 2013