
Re: Can't connect to Web

From VanguardLH <V@nguard.LH>
Newsgroups microsoft.public.windowsxp.general, alt.comp.os.windows-xp, comp.os.ms-windows.networking.misc
Subject Re: Can't connect to Web
Date 2017-05-26 13:39 -0500
Organization Usenet Elder
Message-ID <eorb36F1d85U1@mid.individual.net> (permalink)
References <m0ofic9sm6v97v17qncgjp45q6tdvg6scv@4ax.com>

Cross-posted to 3 groups.



Steve Hayes <hayesstw@telkomsa.net> wrote:

> This morning I suddenly lost my connection to the web while I was
> browsing. 
> 
> Mail still worked, news still worked, but the web connection did not. 
> 
> I reset the router, rebooted my computer, but still nothing. 
> 
> I wondered if it was a browser fault (I use Firefox) so tried Internet
> Explorer. It too could not connect, but offered to run diagnostics.
> This is what was found:
> 
> ---- diagnostic report ----
> Last diagnostic run time: 05/26/17 09:44:37 HTTP, HTTPS, FTP
> Diagnostic 
> HTTP, HTTPS, FTP connectivity 
> 
> info HTTP: Successfully connected to www.microsoft.com. 
> warn HTTPS: Error 12157 connecting to www.microsoft.com: An error
> occurred in the secure channel support  
> warn FTP (Passive): Error 12031 connecting to ftp.microsoft.com: The
> connection with the server was reset  
> warn HTTPS: Error 12029 connecting to www.passport.net: A connection
> with the server could not be established  
> warn FTP (Active): Error 12031 connecting to ftp.microsoft.com: The
> connection with the server was reset  
> error Could not make an HTTPS connection. 
> error Could not make an FTP connection. 
> info Redirecting user to support call 
>  
> 
> DNS Client Diagnostic 
> DNS - Not a home user scenario 
> 
> info Using Web Proxy: no 
> info Resolving name ok for (www.microsoft.com): yes 
> No DNS servers 
> 
> DNS failure 
> 
>  
> 
> Gateway Diagnostic 
> Gateway 
> 
> info The following proxy configuration is being used by IE:
> Automatically Detect Settings:Disabled Automatic Configuration Script:
> Proxy Server: Proxy Bypass list:  
> info This computer has the following default gateway entry(ies):
> 192.168.0.1 
> info This computer has the following IP address(es): 192.168.0.2 
> info The default gateway is in the same subnet as this computer 
> info The default gateway entry is a valid unicast address 
> info The default gateway address was resolved via ARP in 1 try(ies) 
> info The default gateway was reached via ICMP Ping in 1 try(ies) 
> info TCP port 80 on host 104.92.152.182 was successfully reached 
> info The Internet host www.microsoft.com was successfully reached 
> info The default gateway is OK 
>  
> 
> IP Layer Diagnostic 
> Corrupted IP routing table 
> 
> info The default route is valid 
> info The loopback route is valid 
> info The local host route is valid 
> info The local subnet route is valid 
> Invalid ARP cache entries 
> 
> action The ARP cache has been flushed 
>  
> 
> IP Configuration Diagnostic 
> Invalid IP address 
> 
> info Valid IP address detected: 192.168.0.2 
>  
> 
> Wireless Diagnostic 
> Wireless - Service disabled 
> 
> Wireless - User SSID 
> 
> Wireless - First time setup 
> 
> Wireless - Radio off 
> 
> Wireless - Out of range 
> 
> Wireless - Hardware issue 
> 
> Wireless - Novice user 
> 
> Wireless - Ad-hoc network 
> 
> Wireless - Less preferred 
> 
> Wireless - 802.1x enabled 
> 
> Wireless - Configuration mismatch 
> 
> Wireless - Low SNR 
> 
>  
> 
> WinSock Diagnostic 
> WinSock status 
> 
> info IrDA protocol is not found in Winsock catalog. 
> info All base service provider entries are present in the Winsock
> catalog. 
> info The Winsock Service provider chains are valid. 
> info Provider entry MSAFD Tcpip [TCP/IP] passed the loopback
> communication test. 
> info Provider entry MSAFD Tcpip [UDP/IP] passed the loopback
> communication test. 
> info Provider entry RSVP UDP Service Provider passed the loopback
> communication test. 
> info Provider entry RSVP TCP Service Provider passed the loopback
> communication test. 
> info Connectivity is valid for all Winsock service providers. 
>  
> 
> Network Adapter Diagnostic 
> Network location detection 
> 
> info Using home Internet connection 
> Network adapter identification 
> 
> info Network connection: Name=Local Area Connection 2, Device=Realtek
> PCIe FE Family Controller, MediaType=LAN, SubMediaType=LAN 
> info Network connection: Name=MSN, Device=, MediaType=PHONE,
> SubMediaType=NONE 
> info Network connection: Name=telkomsa9, Device=WAN Miniport (PPPOE),
> MediaType=PPPOE, SubMediaType=NONE 
> info Ethernet connection selected 
> Network adapter status 
> 
> info Network connection status: Connected 
>  
> 
> HTTP, HTTPS, FTP Diagnostic 
> HTTP, HTTPS, FTP connectivity 
> 
> warn FTP (Passive): Error 12031 connecting to ftp.microsoft.com: The
> connection with the server was reset  
> info HTTP: Successfully connected to www.microsoft.com. 
> warn HTTPS: Error 12157 connecting to www.microsoft.com: An error
> occurred in the secure channel support  
> warn HTTPS: Error 12029 connecting to www.passport.net: A connection
> with the server could not be established  
> warn FTP (Active): Error 12031 connecting to ftp.microsoft.com: The
> connection with the server was reset  
> error Could not make an HTTPS connection. 
> error Could not make an FTP connection. 
>  
> --- end diagnostic report ---
> 
> Can any of you network gurus suggest what can be done to fix it?

Microsoft dropped their FTP server, which is why you cannot connect to it.
That happened long after Windows XP was released and when its
troubleshooter was coded.  There seems to be a listener on port 21 on
their host but their FTP server program won't respond.

You can connect via HTTP but not HTTPS.  When you use a web browser to
connect to https://www.microsoft.com/, it should report an error but it
should also let you look at the details, like clicking on an icon in the
address bar to get more info.  That will tell you more.  In IE, and when
going to this HTTPS site, there should be a padlock icon in its address
bar.  Click on it.

Do you use something that interrogates your HTTPS traffic?  I use Avast
Free and it has its HTTPS scanner.  It uses a MITM (man-in-the-middle)
scheme to intercept web traffic: it pretends to your client that it is
the other endpoint (server) and it pretends to the server that it is
your endpoint (client).  That works by installing a root certificate
into your certificate store.  Windows has its own certificate store that
is used by all web browsers EXCEPT Firefox which has its own private
certificate store and into where Avast must install its root store.  If
HTTPS scanning is enabled in Avast but its root cert is missing,
expired, or revoked in whichever cert store your web browser uses then
the cert authentication will fail to its proxy trying to use that cert
for the MITM scheme.

If using Avast (or anything else that interrogates your HTTPS traffic),
is it configured to scan your HTTPS traffic?  If you use Firefox, is the
avast cert listed in its private cert store (Options -> Advanced ->
Certificates -> View Certificates)?  In Windows' cert store
(certmgr.msc), is the "avast email/web shield" cert listed under Trusted
Root Certificates?

It can also depend on which web browser you use.  Google made a change
in version 53 of Chrome that requires the SA (Subject Alternate) field
in a cert be populated.  In the past, it was sufficient for a single
domain to just populate the Subject field with the domain name.  Still
works okay in Firefox which does not demand the SA field be populated
but Google decided to be assholes.  If only one domain is specified, the
Subject field has it and there has never been a requirement the SA field
also be populated.  The SA field is only to be used when more than one
host or domain is listed for a cert.  That lets sites use one cert for
multiple targets rather than buy a cert for each one.  

I have another program (Applian Replay Media Capture aka RMC) that
intercepts HTTPS traffic to capture video streams.  It uses the MITM
scheme to grab the HTTPS stream.  Since it specifies only one domain,
only the Subject field in the cert is populated.  The SA field is empty
(as it should be).  I can use Firefox to visit a site and have RMC
capture a video stream.  Google Chrome will refuse to allow HTTPS
connects when RMC is loaded (and using its cert for its proxy) because
they require the SA field be populated but which is NOT required when
just one domain is specified in the Subject field.  The RMC cert is
self-signed as are all root certs.  Google is okay with the other root
certs so I don't know why they don't like RMC's cert.  That Google
doesn't like RMC's root cert is why I cannot do anything HTTPS in Chrome
when RMC's proxy is intercepting HTTPS traffic.  I have to use Firefox
(in which RMC added its cert to Firefox's private cert store) to use RMC
with HTTPS sites.

So check what you have running.  In one case, it could be HTTPS scanning
in some security program.  In another case, it could be some software
you use that intercepts HTTPS traffic.  For either case, you must have
the program's cert installed in whichever cert store that your program
uses.  If I disable HTTPS support in RMC, I cannot capture video streams
from HTTPS sites because I cannot get their proxy to connect to HTTPS
sites.  With Avast, I could disable its HTTPS scanning feature but that
means it can no longer inspect the content of a delivered web page to
determine if anything untoward is in there.
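
The certificate-store check described in the reply above, as an added PowerShell example that is not part of the original post: it looks in the Windows root stores for an inspecting product's certificate and reports whether each match is expired, explicitly distrusted, or lacks a Subject Alternative Name extension. The `$NamePattern` value and the `Get-CertHealth` helper are assumptions made for illustration, and Firefox's private store is not covered.

```powershell
# Added example, not from the original post.
# Assumption: $NamePattern matches the inspecting product's certificate subject
# (the post names the "avast email/web shield" cert); change it for other products.
$NamePattern = 'avast'

# Hypothetical helper: summarise the properties that decide whether a cert is usable.
function Get-CertHealth {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Store,
        [string[]]$DistrustedThumbprints
    )
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    New-Object PSObject -Property @{
        Store      = $Store
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Expired    = ((Get-Date) -gt $Cert.NotAfter)
        Distrusted = ($DistrustedThumbprints -contains $Cert.Thumbprint)
        HasSAN     = [bool]$san
    }
}

# Certificates that have been explicitly marked untrusted on this machine.
$distrusted = @(Get-ChildItem Cert:\CurrentUser\Disallowed, Cert:\LocalMachine\Disallowed |
    ForEach-Object { $_.Thumbprint })

# Search both root stores for certificates whose subject matches the pattern.
$rootStores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$found = @(foreach ($store in $rootStores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $NamePattern } |
        ForEach-Object {
            Get-CertHealth -Cert $_ -Store $store -DistrustedThumbprints $distrusted
        }
})

if ($found.Count -eq 0) {
    Write-Output "No root certificate matching '$NamePattern' in the Windows stores."
} else {
    $found | Format-Table Store, Subject, NotAfter, Expired, Distrusted, HasSAN -AutoSize
}
```

An empty result while HTTPS scanning is enabled, or a match with `Expired` or `Distrusted` set to True, corresponds to the failure case the reply describes.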
