convergence's People

Contributors

axtl, chrisglass, ebfe, jackofmosttrades, moxie0, pesco, secyoure, shammash, sid77, uberbrady

convergence's Issues

Convergence does not close connections to notaries

After a while, the Convergence extension seems to get slower to connect to notaries and establish connections to HTTPS sites. It appears that connections to notaries are not closed, but left in CLOSE_WAIT state. Here's an example output of netstat -ntup | grep firefox-bin to demonstrate the problem: https://pastee.org/r93wc

I'm seeing this with Convergence 0.3, Firefox 6.0.2 on Arch Linux (x86_64), but I suspect this occurs on other operating systems as well.

Notaries added via browser add-on interface don't seem to work

Thanks for this great project, and I'd like to help in testing and working with the project as time allows.

I installed a notary on a Debian like system without issue, and it is currently running at notary.brianshumate.com.

I added the Convergence.io to my instance of Firefox 5 on OS X 10.6.

I added my information and certificate through the add-on interface and noticed that upon saving, my notary was not checked as enabled like notary.thoughtcrime.org and notary2.thoughtcrime.org are by default when the add-on is installed.

I removed all three notaries via the add-on interface, and added the information and certificates for notary.brianshumate.com and notary.thoughtcrime.org back in, noting that neither was checked as enabled.

After saving the two manually added notaries I could no longer access HTTPS urls in Firefox.

firefox plugin not working on multiarch Debian

I get errors like the one below. I tried creating symlinks (some of the files are in /usr/lib/x86_64-linux-gnu, some in /usr/lib),
but then it looked for libmozsqlite3.so, which I don't have at all.
When I symlinked libsqlite3.so as libmozsqlite3.so, it finally worked and the plugin got loaded.
This is with Iceweasel 5.0 (Debian's Firefox 5.0).

Is there a way to build the plugin for Debian, by running some configure-like script that determines the proper location for these libraries?

Error initializing ctypes: Error: couldn't open library, ("/usr/lib/xulrunner-5.0/libnspr4.so")@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js -> file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/chrome/content/ctypes/NSPR.js:30
()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js:84
Convergence()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js:33
(null,[object XPCWrappedNative_NoHelper])@resource://gre/modules/XPCOMUtils.jsm:256
ConvergenceContentPolicy()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/ConvergenceContentPolicy.js:31
(null,[object XPCWrappedNative_NoHelper])@resource://gre/modules/XPCOMUtils.jsm:256

Initializing error: Error: couldn't open library , ("/usr/lib/xulrunner-5.0/libnspr4.so")@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js -> file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/chrome/content/ctypes/NSPR.js:30
()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js:84
Convergence()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/Convergence.js:33
(null,[object XPCWrappedNative_NoHelper])@resource://gre/modules/XPCOMUtils.jsm:256
ConvergenceContentPolicy()@file:///home/edwin/.mozilla/firefox/krlev8s9.default/extensions/[email protected]/components/ConvergenceContentPolicy.js:31
(null,[object XPCWrappedNative_NoHelper])@resource://gre/modules/XPCOMUtils.jsm:256

Protocol definition

I cannot find a definition of the protocols used for client-server communication.

Access to master password protected resources

Similar to issue #22, Convergence needs access to master password protected resources when providing certificates to the user, so the master password dialog should be presented in case the db has been closed.
Unlike issues #22 and #62, I wasn't able to pin down the exact location where the privileges are needed. From the console output:

ShuffleWorker accepted connection: 0x...
Spawning connectionworker...
Posted message to ConnectionWorker!

and nothing more: as you can see, it looks like serialized information cannot be accessed. I tried to reopen the master password db using the same code supplied in pull request #64 with no luck :-/

Temporary workarounds:

  1. disable any extension which closes the master password db (like Master Password Timeout)
  2. reload an HTTP page/open the db from preferences in order to refresh credentials

Client@ff6: page loading inf. long aka unresponsive workers

I'm running ff6 & archlinux. HTTPS pages won't get shown by browser. Ff output:

Loading: /.../[email protected]/chrome/content/ctypes/NSPR.js
Loaded!
Loading: /.../[email protected]/chrome/content/ctypes/NSS.js
Loaded!
Loading: /.../[email protected]/chrome/content/ctypes/SSL.js
Loaded!
Loading: /.../[email protected]/chrome/content/ctypes/SQLITE.js
Loaded!
Loading: /.../[email protected]/chrome/content/sockets/ConvergenceDestinationSocket.js
Loaded!
Loading: /.../[email protected]/chrome/content/sockets/ConvergenceServerSocket.js
Loaded!
Loading: /.../[email protected]/chrome/content/sockets/ConvergenceSocket.js
Loaded!
Loading: /.../[email protected]/chrome/content/ctypes/Serialization.js
Loaded!
Loading: /.../[email protected]/chrome/content/ssl/CertificateManager.js
Loaded!
Loading: /.../[email protected]/chrome/content/ssl/CertificateInfo.js
Loaded!
Loading: /.../[email protected]/chrome/content/protocols/ConnectCommandParser.js
Loaded!
Loading: /.../[email protected]/components/LocalProxy.js
Loaded!
Loading: /.../[email protected]/chrome/content/ssl/Notary.js
Loaded!
Loading: /.../[email protected]/components/SettingsManager.js
Loaded!
Loading: /.../[email protected]/components/ConnectionManager.js
Loaded!
Loading: /.../[email protected]/chrome/content/ssl/NativeCertificateCache.js
Loaded!
Settings loaded threshold: consensus
Configuring cache...
Found existing certificate!

SQL exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE)
[mozIStorageConnection.executeSimpleSQL]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  
location: "JS frame :: file:///.../[email protected]/components/Convergence.js :: 
    <TOP_LEVEL> :: line 143"  data: no]

LISTEN PORT: 36930
Initializing shuffleworker...
Posting...
Convergence Setup Complete.
ShuffleWorker accepted connection: 0x99caffa0
Spawning connectionworker...
Posted message to ConnectionWorker!
ShuffleWorker accepted connection: 0x98165ac0
Spawning connectionworker...
Posted message to ConnectionWorker!
ShuffleWorker accepted connection: 0x9725d2a0
Spawning connectionworker...
Posted message to ConnectionWorker!
ShuffleWorker accepted connection: 0x973d7120
Spawning connectionworker...
Posted message to ConnectionWorker!
ShuffleWorker accepted connection: 0x97f55dc0
Spawning connectionworker...
Posted message to ConnectionWorker!

I can't see any timeouts, or at least some detailed information about what's happening.
In fact, this issue combines:

  • tofix: https page loading
  • todo: more detailed debug output

Symantec OpenID Seatbelt calls OpenID providers fake when Convergence is enabled

Versions:

  • Firefox 6.0 (Gentoo Linux, amd64, DigiNotar certificate manually removed)
  • Convergence 0.03 (As reported by the version currently available from Convergence.io)
  • Symantec's OpenID SeatBelt 1.0.0.0.4334

With Convergence enabled, Symantec's OpenID seatbelt displays its own alerts for both providers I tested (Symantec PIP and myOpenID):

First, while browsing, a dialog periodically pops up which says "Warning, an attempt to check your OpenID Provider login status returned an invalid SSL certificate."

Second, when visiting the provider's login page, a dialog pops up saying "It appears you are attempting to visit 'www.myopenid.com'. However, the web site certificate for this Provider does not validate. VeriSign recommends you do not trust this site." (The extension was a Verisign Labs creation before Symantec bought them and they've been a bit lazy about changing some of the names)

With Convergence installed but disabled, these problems go away.

allow signing of x.509 certificates with openpgp keys

Convergence is the best thing since photosynthesis, but I would like it to do more!

In particular, I think convergence could be extended to support authenticity of webservers as well as preventing MiTM attacks.

How about something like this:

  • when a notary first encounters a new certificate, it checks to see if a signed copy is available (using DNS or a pre-arranged url path) and if so it fetches the public key used in the signing.
  • the public key is stored by the notary.
  • when the certificate changes, the notary only validates the new cert if it has also been signed with the previously stored key (and it hasn't expired), or if there is a new key signed with the old, or if the key has been revoked.

Obviously, something like this would take a bit of time to implement. But it seems to me like a good long term goal.

Firefox 6 Add-on

The Convergence Firefox add-on needs to be updated to be compatible with Firefox 6.0.

ssl_error_bad_cert_domain in ff6 ubuntu 10.10

Hi, I get the ssl_error_bad_cert_domain error with ff6 on Ubuntu 10.10 64bit.

The site I test this with is https://mijn.ing.nl (a bank site), with the following SSL key:

But I get this key:

Note that I now use https.to as my notary.

Convergence needs the ability to operate with "internal" SSL sites.

My server webmins are all using self-signed certificates. How do I enable the "I understand the risks / Add Exception" dance? It does not work as of now.

EDIT: "I've managed a workaround by setting up my own local notary, but this isn't ideal because I have to relax the restrictions quite a bit. I have to turn off anonymization (because my notary isn't accessible from other notaries) and I have to make do with "Require only one notary to agree".

It would be nice to be able to specify which notaries should be referenced for which domains, I would love to set up a notary which validated hosts from the context of my workplace (firewall policies and all)."

Still getting warning for self signed certificates

From what I understand I shouldn't get warnings about sites using self signed certificates but I still do. Here's some random site I found that my browser warns me about: https://lists.gno.org/self-signed.html

lists.gno.org uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_ca_cert_invalid)

I'm also seeing "Verified by: Digicert Inc" instead of "Verified by: Convergence", which is what I should see if I remember the Blackhat talk correctly.
Here's a screenshot of that: http://img839.imageshack.us/img839/8849/screenshotznq.png

As you can see, Convergence is enabled. I haven't made any changes in the options, so it's all default.

I'm using Iceweasel 6.0-3~bpo60+1 from http://mozilla.debian.net and Convergence 0.03

Convergence FF 0.3 Plugin not disabled when disabled?

Clicking the convergence icon to disable convergence enables default browser certificate verification. However, it does not prevent Convergence from proxying requests.

I observed this behavior because I am running a notary, and noticed that URLs I needed to access were popping up in my convergence notary log. The problem of course is that when convergence is disabled, it should be completely disabled. It shouldn't require you to disable it via the extensions control panel and then restart firefox.

The other problem is that bugs in the convergence proxy can interfere with requests, and it is in fact interfering with requests. File transfers to google apps fail. See my other Issue, #46. In that issue, gmail file attachment transfers are not working. Clicking the convergence icon to disable it is enough to work around the problem.

However, in the new behaviour I am observing with Google Docs, downloading of documents is broken, even when disabling convergence by clicking the convergence icon. In order to work around this issue, you have to disable it completely via the extensions control panel and restart FF.

So three things:

  1. Convergence should be completely disabled from making any kind of requests when the icon says it is disabled without having to be disabled in the extension control panel and restarting firefox.
  2. Convergence MITM proxying is broken for file transfers to various google applications. Possibly due to Serialization or some other Twisted Network library issue (not sure).
  3. might be related, observe the behavior across browser windows, in one, Convergence is enabled, in the other, disabled. If Convergence can't keep track of its own state across windows, then it should function appropriately for each window in which it is open.

Screenshot of Behavior Here:
http://www.dumpt.com/img/viewer.php?file=o67wit8f9hcw3pv2c0c0.jpg

I can provide log data and other items necessary for successful reproduction, ask and you shall receive.

connection resets with 0 enabled notaries

When you disable all notaries, all requests end up with a connection reset.
It would be nicer to get a more meaningful error/warning.

The connection was interrupted

The connection to was interrupted while the page was loading.

OS: Mac OSX 10.7
FF: 6.01 w/ convergence 0.03

firefox sync convergence

When convergence is enabled, Firefox 6.0.1 sync gives this message: "sync encountered an error while syncing: Unknown error. Sync will automatically retry this action"

SeaMonkey compatibility

Convergence is incompatible with SeaMonkey. Can this be fixed? I use version 2.0.14, but I can upgrade to 2.3 (the current latest version) if needed.

convergence-notary not compatible with python 2.5

2011-09-07 13:30:31,313 Get records error: [Failure instance: Traceback: <type 'exceptions.AttributeError'>: 'module' object has no attribute 'dumps'
/usr/lib/python2.5/site-packages/Twisted-11.0.0-py2.5-linux-i686.egg/twisted/internet/base.py:1171:mainLoop
/usr/lib/python2.5/site-packages/Twisted-11.0.0-py2.5-linux-i686.egg/twisted/internet/base.py:766:runUntilCurrent
/usr/lib/python2.5/site-packages/Twisted-11.0.0-py2.5-linux-i686.egg/twisted/internet/defer.py:361:callback
/usr/lib/python2.5/site-packages/Twisted-11.0.0-py2.5-linux-i686.egg/twisted/internet/defer.py:455:_startRunCallbacks
--- ---
/usr/lib/python2.5/site-packages/Twisted-11.0.0-py2.5-linux-i686.egg/twisted/internet/defer.py:542:_runCallbacks
/usr/lib/python2.5/site-packages/convergence/TargetPage.py:86:getRecordsComplete
/usr/lib/python2.5/site-packages/convergence/TargetPage.py:79:sendResponse
/usr/lib/python2.5/site-packages/convergence/NotaryResponse.py:57:sendResponse
/usr/lib/python2.5/site-packages/convergence/NotaryResponse.py:33:signResponse

Not sure what the problem is here. Looks like a problem in Twisted to me, though. Maybe an outdated or incompatible module? What versions of all dependencies are known to work?

Ability to specify the user/group to which to drop privilege

Currently convergence has "nobody" hardcoded as the user/group. While this works with Debian, it does not work directly for RedHat derivatives without a modification to the source. It would be most helpful to have an option to specify the user/group.

Installation not complete - Python dependencies problem

Could anyone tell me how to get this step:

Install the dependencies: $ sudo apt-get install python python-twisted-web python-m2crypto python-openssl

to work?

I have a Red Hat Linux system with Python 2. Python came with the Linux installation and a lone file /usr/bin/python exists, but I cannot find any other directory that looks like a Python home directory. The error message is: apt-get not found.

The environment variables PYTHONHOME and PYTHONPATH were not set, and trying various settings seems to make no difference.

Wrong certificate returned if a web server uses SNI.

I run a webserver using nginx with SNI [1]. I have several domains hosted there, each with valid certificates signed by StartSSL.

To be precise, these are two domains hosted at my server: a personal website [2], and a beta of a personal openid endpoint I'm using.

Visiting either of them with convergence disabled works fine (Firefox validates the certificates as signed by StartSSL).

Visiting the latter with convergence enabled fails to validate. The notaries somehow compare the certificate to the former domain, and hence, Firefox complains of a certificate mismatch.

I'm providing both URLs so as to make things easier to understand in case my explanation is no good (just visit both websites with and without convergence). Both domains are hosted under the same IP, of course (see the Wikipedia article in case of doubts).

[1] https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication
[2] https://hugoosvaldobarrera.com.ar
[3] https://hugo.osvaldobarrera.com.ar

Evernote Web Clipper breaks

Convergence v0.3.0
Evernote Web clipper 5.0.0.171805
Firefox v6.0.1
OS X 10.6.8

Clipping fails with a http 500 error when Convergence is enabled. Disable convergence and webclipping works again.

bad cert domain issue

Using FF 5.0+build1+nobinonly-0ubuntu0.10.10.1~mfs1 on Ubuntu Maverick with default plugin options.

encrypted.google.com uses an invalid security certificate.

The certificate is only valid for Invalid Certificate

(Error code: ssl_error_bad_cert_domain)

I'm seeing this for all the sites I've tested with so far, though I'm wondering if it has to do with them being wildcard certs, or having SAN fields. I'll keep looking for a non-wildcard site to try to verify. The certs are totally valid if I disable the plugin.

Receiving Connection Failures in Convergence Notary Log

Wanted to make sure these are warnings and not actual failures:

2011-09-07 15:45:27,933 Got connect request: notary2.thoughtcrime.org:4242
2011-09-07 15:45:27,934 Got connect request...
2011-09-07 15:45:27,934 Connecting to: notary2.thoughtcrime.org
2011-09-07 15:45:28,046 Building protocol...
2011-09-07 15:45:28,046 Connection made...
2011-09-07 15:45:28,287 Shuffling raw data...
2011-09-07 15:45:28,469 Fingerprint: E5:50:6D:CE:07:71:73:A9:6B:21:54:BF:B5:5F:12:60:84:D7:6B:A2
2011-09-07 15:45:28,470 Handling cache miss...
2011-09-07 15:45:28,470 Fetching certificate from: static-cdn.addons.mozilla.net:443
2011-09-07 15:45:28,601 Shuffling raw data...
2011-09-07 15:45:28,744 Connection made...
2011-09-07 15:45:28,753 Verifying certificate...
2011-09-07 15:45:28,753 Verifying certificate...
2011-09-07 15:45:28,753 Verifying certificate...
2011-09-07 15:45:28,753 Verifying certificate...
2011-09-07 15:45:28,754 Got fingerprint: E5:50:6D:CE:07:71:73:A9:6B:21:54:BF:B5:5F:12:60:84:D7:6B:A2
2011-09-07 15:45:28,754 Connection lost...
2011-09-07 15:45:28,927 Shuffling raw data...
2011-09-07 15:45:29,021 Connection lost from server: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.]
2011-09-07 15:45:29,022 Connection lost from client: [Failure instance: Traceback (failure with no frames): <class 'twisted.internet.error.ConnectionDone'>: Connection was closed cleanly.]

Also this pattern (specifically "connection lost")

2011-09-07 15:46:24,148 Fingerprint: B3:93:D0:5C:A0:7D:03:45:95:62:EC:18:1A:EA:BD:01:52:84:98:06
2011-09-07 15:46:24,148 Handling cache miss...
2011-09-07 15:46:24,149 Fetching certificate from: encrypted.google.com:443
2011-09-07 15:46:24,271 Connection made...
2011-09-07 15:46:24,290 Verifying certificate...
2011-09-07 15:46:24,290 Verifying certificate...
2011-09-07 15:46:24,291 Verifying certificate...
2011-09-07 15:46:24,291 Got fingerprint: B3:93:D0:5C:A0:7D:03:45:95:62:EC:18:1A:EA:BD:01:52:84:98:06
2011-09-07 15:46:24,291 Connection lost...

Convergence FireFox Client Interferes with Google Mail Attachment Uploading.

*Expected Behavior
Attachment transfer should complete as normal.

*Reproduced Behaviour

With Convergence Client enabled, drag a 1.5 megabyte zip file to include as an attachment in a new message.
Transfer never completes. The file transfer progress indicator bar jumps to 2/3's complete immediately.
While transfer is frozen, clicking the convergence icon to disable convergence during the transfer doesn't fix the problem.

*Workaround:
Click cancel on existing frozen transfer.
Disable convergence by clicking the icon so that the padlock appears open.
Restart the transfer by dragging the file back to the same Email (no need to close the existing New Email).
Progress bar indicating file transfer rises slowly to completion from zero.

multiple daemon instances

Stumbled upon this project, looks cool. Definitely need stuff like this to work around untrustworthy CAs. Was browsing the source, wondering what's the current purpose of the writePid function in convergence-notary.py? Typically you first lock the pid file (via POSIX voluntary File Locking API or something), then write the pid (for debug, if you care about it), then unlock only when the program exits. That way, whenever a user tries to spawn the daemon a second time, or even run in foreground, an exception will be raised upon the lock attempt and the duplicate instance can exit gracefully. Also, this should all happen earlier, before binding ports and such.

Unless you want to allow multiple instances? To present different notary "faces" to the world from the same host? I can't think of a good use case for that, unless you want to obfuscate your relationship as a notary for user X from user Y. In that case you would maybe rename the .pid file to convergence-cert-fingerprint.pid or something.

Sorry to sound like the peanut gallery, I'm not a python guy. Maybe I'll learn some syntax and submit a patch.
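The locking order described in the post above (lock the pid file, write the pid, hold the lock until exit, and do all of it before binding ports), as an added example that is not part of the original issue or of the Convergence code. It assumes a Unix host and uses `flock()` advisory locks; `acquire_pid_lock`, `write_pid`, `start_notary` and the `bind_ports` callback are hypothetical names.

```python
import errno
import fcntl
import os


class AlreadyRunning(Exception):
    """Another live process holds the lock on the pid file."""

    def __init__(self, path, pid):
        Exception.__init__(self, "%s is locked by pid %s" % (path, pid))
        self.pid = pid


def read_pid(path):
    """Return the pid recorded in the file, or None if it is empty or garbage."""
    try:
        with open(path) as handle:
            return int(handle.read().strip())
    except (OSError, ValueError):
        return None


def write_pid(fd):
    """Record the current pid; a daemon calls this again after it forks."""
    os.lseek(fd, 0, os.SEEK_SET)
    os.ftruncate(fd, 0)
    os.write(fd, ("%d\n" % os.getpid()).encode("ascii"))


def acquire_pid_lock(path):
    """Lock the pid file exclusively, then write our pid into it.

    Returns the descriptor. Keep it open for the life of the process:
    closing it, or exiting for any reason, releases the lock.
    """
    # No O_TRUNC here: a duplicate instance must not wipe the pid of the
    # running daemon before it finds out that it lost the race.
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        # flock() locks belong to the open file description, so the lock
        # survives the daemonizing fork() and disappears when the last
        # holder exits, even after a crash. A stale pid file never blocks.
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except OSError as exc:
        os.close(fd)
        if exc.errno in (errno.EAGAIN, errno.EACCES):
            raise AlreadyRunning(path, read_pid(path))
        raise
    write_pid(fd)
    return fd


def start_notary(pid_path, bind_ports):
    """Take the instance lock first and only then bind listening ports.

    bind_ports is a hypothetical callable that opens the listeners; it is
    never invoked when another instance already holds the lock.
    """
    lock_fd = acquire_pid_lock(pid_path)
    try:
        listeners = bind_ports()
    except Exception:
        os.close(lock_fd)  # give the lock back if startup fails
        raise
    return lock_fd, listeners
```

A second `start_notary` call against the same pid file raises `AlreadyRunning` carrying the pid of the live instance, so the duplicate can print a message and exit without having touched any port.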

.tar.gz file not correct for notary

If I download convergence-notary-current.tar.gz as the wiki says and do the usual "tar zxvf" which it does create a "convergence" directory, I think it's missing the top-level "convergence-notary-current" as I also get a bunch of stuff in the current directory (COPYING, SETUP etc).

There's also no convergence-createdb.py so perhaps it's more that the URL in the Wiki is incorrect.

Convergence-Bundle

I've issued a command to create the .notary or Convergence bundle on my server and these are the results. Not sure if I'm missing something or not doing something; I've followed the Wiki install guide.

OS: Ubuntu 11.04 Server 32 Bit
Cmd: $ convergence-bundle

taek@core:~/tmp$ sudo convergence-bundle
Traceback (most recent call last):
File "/usr/local/bin/convergence-bundle", line 95, in
main(sys.argv[1:])
File "/usr/local/bin/convergence-bundle", line 82, in main
certificate = loadCertificate(certFile)
File "/usr/local/bin/convergence-bundle", line 72, in loadCertificate
fd = open(path, "r")
IOError: [Errno 2] No such file or directory: '/etc/ssl/certs/convergence.pem'

FF Version Compatibility Info Needed

I have to apologize if I have missed something, but:

  1. I cannot find any information anywhere about what Firefox versions Convergence is compatible with.
  2. I'm still using the following FF branch because of many compatibility issues with various add-ons for later FF's:
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.21) Gecko/20110830 Firefox/3.6.21 (.NET CLR 3.5.30729)"
    Is there a reason why this is not compatible with Convergence?
  3. "Convergence" is NOT present on "https://addons.mozilla.org/en-US/firefox/"? Why not?
  4. What is the main difference with the "Perspectives" add-on? ( http://perspectives-project.org/ )

Please clarify these issues/questions on your website. I tried to promote this tool on Facebook, but all feedback I got in return, was that people could not install or use it...

Many thanks in advance.

ThoughtCrime.org Notaries not working properly.

I installed Convergence .5 on a clean Firefox install, and immediately browsing came to a screeching halt. I added crypto.is and bigbrotherheavybombers as notaries and deselected the thoughtcrime notaries. Browsing functionality was restored.

Something is wrong with Thoughtcrime notaries.

Support ability to add certificate exceptions.

Lots of folks have self-signed certs that they manually added exceptions for, and lots of these certs don't have a correct CN field. This was no problem in the pre-convergence world, but causes cert failures post.

Client@ff6: page loading stalls if more than two nodes are enabled

It turns out that if more than two nodes are active, the page loading stalls.
Is that a known issue?

I don't believe that this is a known issue, and I can confirm that I experience the same problem if I have more than two nodes. I think you should open a new issue on the project page for it.

Notary fails for sites relying on SNI

Convergence will currently give a certificate error for sites using SNI to provide appropriate certificates for virtual hosts; it looks like this will magically fix itself once Twisted supports SNI.

http://twistedmatrix.com/trac/ticket/4887 is re. server-side SNI support, http://twistedmatrix.com/trac/ticket/5190 SNI in general.

The 4887 bug mentions waiting for SNI support in PyOpenSSL, which according to https://bugs.launchpad.net/pyopenssl/+bug/705683 is now done.

So, fingers crossed.

No ability to specify incoming or outgoing IP addresses

Currently convergence does not possess the ability to specify the incoming or outgoing IP addresses. I would like to see a -i and -o option similar to googleshare. This would allow a user to run convergence on a server already hosting a HTTP or HTTPS server without being forced to run convergence on a non-standard port.

Allow 'static' fingerprints in the notary database

Notary operators should have some way to tell their notary what the correct fingerprint for a host:port combination is and have the notary always trust the operator over what it sees. This would prevent a DNS compromise from being fatal. It would also allow notary operators to run some sort of verification service much like what Certificate Authorities do while still maintaining all the awesome that convergence offers (Trust agility, etc)

I've written some code (cless/Convergence@23c79e1) that achieves this goal in part but I would like some input to finish it. In my patch static fingerprints don't expire and they always give the client the same timestamps. I'm not completely sure what the client does with the timestamps so I'm not sure what the impact of that is.
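A sketch of the lookup behaviour requested in the post above, as an added example; it is not the patch referenced there nor the notary's real schema. The table layout, the record fields and the constant timestamp reported for operator-set entries are all assumptions. An operator-set fingerprint always wins over what the notary observed, and a disagreement is returned as a flag so the operator can log it.

```python
import re
import sqlite3

# Assumption: operator-set entries never expire and always report this value.
PINNED_TIMESTAMP = 0

_SHA1_FP = re.compile(r"^([0-9A-F]{2}:){19}[0-9A-F]{2}$")


def normalize(fingerprint):
    """Canonical form: 20 colon-separated upper-case hex bytes."""
    value = fingerprint.strip().upper()
    if not _SHA1_FP.match(value):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return value


def open_db(path=":memory:"):
    """Create the two hypothetical tables: observations and operator pins."""
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS observed (
            location TEXT NOT NULL, fingerprint TEXT NOT NULL,
            first_seen INTEGER NOT NULL, last_seen INTEGER NOT NULL,
            PRIMARY KEY (location, fingerprint));
        CREATE TABLE IF NOT EXISTS pinned (
            location TEXT PRIMARY KEY, fingerprint TEXT NOT NULL);
    """)
    return db


def pin(db, host, port, fingerprint):
    """Operator action: declare the correct fingerprint for host:port."""
    db.execute("INSERT OR REPLACE INTO pinned VALUES (?, ?)",
               ("%s:%d" % (host, port), normalize(fingerprint)))
    db.commit()


def lookup(db, host, port, seen, now):
    """Answer a query, given the fingerprint the notary just fetched.

    Returns (records, mismatch). For a pinned location only the operator's
    fingerprint is served and the observation is not stored; mismatch is
    True when the network showed something else (for example after a DNS
    compromise), which is worth an alert in the notary log.
    """
    location = "%s:%d" % (host, port)
    seen = normalize(seen)
    row = db.execute("SELECT fingerprint FROM pinned WHERE location = ?",
                     (location,)).fetchone()
    if row is not None:
        record = {"fingerprint": row[0],
                  "start": PINNED_TIMESTAMP, "finish": PINNED_TIMESTAMP}
        return [record], seen != row[0]

    # Unpinned location: extend the sighting window or open a new one.
    cursor = db.execute(
        "UPDATE observed SET last_seen = ? "
        "WHERE location = ? AND fingerprint = ?", (now, location, seen))
    if cursor.rowcount == 0:
        db.execute("INSERT INTO observed VALUES (?, ?, ?, ?)",
                   (location, seen, now, now))
    db.commit()
    rows = db.execute(
        "SELECT fingerprint, first_seen, last_seen FROM observed "
        "WHERE location = ? ORDER BY first_seen", (location,)).fetchall()
    return [{"fingerprint": f, "start": s, "finish": e}
            for f, s, e in rows], False
```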

KeyPair generation error

Convergence is not able to generate its KeyPair, this is the log shown in the console:

...
Loaded!
Settings loaded threshold: majority
Configuring cache...
Generating new ca certificate..
KeyPair generation error: -8037
Initializing error: Error generating keypair! , undefined
...

I removed convergence, disabled every other extension, restarted firefox and installed convergence once again: same error.
Convergence works, though, on a new empty profile.
I am running Firefox 6.0.2 on a Slackware64 13.37.

Notaries don't accept TLSv1 handshakes.

Convergence 0.03 running in Firefox 6.02 on a fully-patched Mac OSX 10.6.8, fails all sites. My issue feels like #5, but the root cause may be different.

The few tests I tried indicate that the SSL server running on the notaries may be faulty in some way. Tried using OpenSSL on a Mac:

$ openssl s_client -connect notary.thoughtcrime.org:443
CONNECTED(00000003)
12679:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_lib.c:182:
$ openssl version
OpenSSL 0.9.8r 8 Feb 2011

Same thing from a fully patched Ubuntu 10.04 LTS:

$ openssl s_client -connect notary2.thoughtcrime.org:443
CONNECTED(00000003)
12150:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
$ openssl version
OpenSSL 0.9.8k 25 Mar 2009

My assessment tool on SSL Labs (which uses JSSE 6 for the initial connection) also fails, with "Remote host closed connection during handshake".

Trying to talk to the notaries directly from FF gives "The connection was reset".

Google Chrome and Safari manage to retrieve the notary certificate, but they complain that it expired in 1915 (they also complain that it's self-signed, but that was not surprising).
