
Thread: Forcing Google Services to local (RSA) IP address

  1. #46
    Super Grandmaster
    Join Date
    Feb 2009
    Location
    Stellenbosch
    Posts
    8,135
    Blog Entries
    1

    Default

    OK, awesome. I think I'm now going to try and merge all the entries into my first post

  2. #47
    Grandmaster
    Join Date
    Sep 2009
    Location
    Soul Society
    Posts
    1,294

    Default

    Quote Originally Posted by Tpex View Post
    can't connect with gmail on a local account (capped telkom 3gb) Firefox
    mine works perfectly, using the same package

  3. #48

    Default

    Some setups complain about it not being a secured connection when a secured one was expected (FF).

  4. #49
    Super Grandmaster
    Join Date
    Feb 2009
    Location
    Stellenbosch
    Posts
    8,135
    Blog Entries
    1

    Default

    Quote Originally Posted by HavocXphere View Post
    Some setups complain about it not being a secured connection when a secured one was expected (FF).
    That's unfortunately the problem when forcing an HTTPS connection to a different server. If you do get this issue with the certificates, PLEASE ensure that the Certificate Hierarchy tree resolves back to a Built-in Token (Root Certificate) in Firefox. You can view the Certificate and then in the Details tab it would show the Hierarchy tree.

    I've updated my list in my first post by merging/adding all the DNS entries given in this thread. I've also removed all the double entries. Like www.google.com would resolve to www.l.google.com, so I've removed www.google.com.

    If you have a DNS server that won't resolve www.google.com to www.l.google.com, then I would love to get that DNS server's IP address.
    I've used the following DNS servers to test my list: 168.210.2.2 (IS), 196.25.1.9 (Telkom), 146.232.128.10 (Stellenbosch University - Internal access only) & 8.8.8.8 (Google DNS).
    To check how the DNS entry is being resolved, use the command-line app: nslookup <hostname>, e.g. nslookup www.google.com
    In Linux you can either use nslookup or dig.
    Last edited by Pada; 27-06-2010 at 03:04 PM.

  5. #50
    Super Grandmaster
    Join Date
    Mar 2010
    Location
    Durban
    Posts
    16,224

    Default

    Thanks. Works great. YouTube and Google Earth working well.
    Last edited by schumi; 27-06-2010 at 03:33 PM.

  6. #51

    Default

    Quote Originally Posted by Pada View Post
    That's unfortunately the problem when forcing an HTTPS connection to a different server. If you do get this issue with the certificates, PLEASE ensure that the Certificate Hierarchy tree resolves back to a Built-in Token (Root Certificate) in Firefox. You can view the Certificate and then in the Details tab it would show the Hierarchy tree.
    Could you explain this in more detail? I've found the Hierarchy tree, but don't understand which cert I'm looking for or what it must look like.

    Also, you can remove credit to me from OP...Catal already had the addr I added in his/her list.

    I'm using dns1.webafrica.co.za as my DNS. (196.7.18.82)

    Code:
    C:\Documents and Settings\HX>nslookup www.google.com
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 196.7.18.82: Timed out
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    www.l.google.com
    Address:  155.232.240.19
    Aliases:  www.google.com
    
    
    C:\Documents and Settings\HX>
    Google DNS is secondary. Not sure how to interpret the above.

    Code:
    Pinging www.google.com [196.23.168.147] with 32 bytes of data:
    
    Reply from 196.23.168.147: bytes=32 time=72ms TTL=54
    Reply from 196.23.168.147: bytes=32 time=71ms TTL=54
    Reply from 196.23.168.147: bytes=32 time=71ms TTL=54
    EDIT: Above is from the laptop that does not give cert issue.

  7. #52
    Super Grandmaster
    Join Date
    Feb 2009
    Location
    Stellenbosch
    Posts
    8,135
    Blog Entries
    1

    Default

    HavocXphere, the WebAfrica DNS server that you're using isn't working:
    *** Can't find server name for address 196.7.18.82: Timed out
    When you're viewing the certificate of mail.google.com, it should be the one at the bottom of the Certificate Hierarchy with the name 'mail.google.com'. If it doesn't have any certificates listed above it, with the top-most one being a 'Builtin Object Token' (root certificate built into Firefox), then the host is being spoofed and you SHOULD NOT continue.

    Here's a very technical explanation of it:
    X509 certificates are signed by taking a hash (like MD5 or SHA1) of the X509 certificate in the DER encoded form, and then encrypting both the OID (describing the hash algorithm used) and the hash itself with the RSA private key. The RSA private key is only known by the owner of the certificate.
    Certificates can either be signed by a CA (Certificate Authority, like VeriSign) or self-signed. Root certificates are always self-signed and their signatures can be verified by decrypting their signature with their own public key (which is stored in the X509 certificate). You'll know that the certificate is self-signed when its Issuer field matches its Subject field.
    Certificates signed by a CA certificate can only be verified by decrypting the signature with the public key of the CA certificate used to sign it. The name/description of the CA certificate used to sign the X509 certificate is stored in the Issuer field. So the correct CA certificate can always be found in the list of certificates by matching the Issuer field with the CA certificate's Subject field.

    CA/Root certificates can be faked if they used MD5 hash for the signature, since MD5 collisions are already known, but you still need like 200 PS3's to be able to crack it in a few days.

    Firefox includes most of the trusted root certificates (listed as 'Builtin Object Tokens'). If a certificate's hierarchy doesn't start with a root certificate built-in in Firefox, then the certificate cannot be trusted, unless you made your own root certificate
    * If you're wondering why I know so much about X509 certificates... It's because I'm working for a company where we're making our own X509 certificates.
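
An added example, not part of the original post or thread: a simplified model of the chain check described in the post above (match Issuer to Subject, verify each signature with the issuer's public key, accept only if the walk ends at a built-in root). It assumes textbook RSA on toy keys and dictionaries in place of DER-encoded X.509; every name except mail.google.com, and every key, is constructed.

```python
import hashlib

def make_key(p, q, e=65537):
    # Textbook RSA from two primes; toy sizes, for illustration only.
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    # Stands in for hashing the DER-encoded certificate body.
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, key, issuer, issuer_key):
    cert = {"subject": subject, "issuer": issuer, "pub": (key["n"], key["e"])}
    # Signing: private-key operation on the hash, done by the issuer.
    cert["sig"] = pow(digest(cert, issuer_key["n"]), issuer_key["d"], issuer_key["n"])
    return cert

def signed_by(cert, issuer_cert):
    # Verifying: public-key operation on the signature must give the hash back.
    n, e = issuer_cert["pub"]
    return pow(cert["sig"], e, n) == digest(cert, n)

def verify_chain(leaf, presented, trusted_roots, hostname):
    if leaf["subject"] != hostname:
        return "name mismatch"
    pool = {c["subject"]: c for c in [leaf, *presented]}
    pool.update(trusted_roots)          # built-in roots win over presented ones
    cert = leaf
    for _ in range(8):                  # bound the walk against issuer loops
        issuer = pool.get(cert["issuer"])   # match Issuer to a Subject
        if issuer is None:
            return "unknown issuer"
        if not signed_by(cert, issuer):
            return "bad signature"
        if issuer["subject"] == issuer["issuer"]:   # self-signed: top of tree
            return "trusted" if issuer["subject"] in trusted_roots else "untrusted root"
        cert = issuer
    return "chain too long"

# Constructed sample data (Mersenne primes keep the toy keys short to write).
M = [2**k - 1 for k in (61, 89, 107, 127)]
ROOT, INTER, LEAF, ROGUE = (make_key(M[0], M[1]), make_key(M[1], M[2]),
                            make_key(M[2], M[3]), make_key(M[0], M[3]))
root = issue("Example Root CA", ROOT, "Example Root CA", ROOT)
inter = issue("Example Issuing CA", INTER, "Example Root CA", ROOT)
good = issue("mail.google.com", LEAF, "Example Issuing CA", INTER)
rogue_root = issue("Rogue CA", ROGUE, "Rogue CA", ROGUE)
spoofed = issue("mail.google.com", ROGUE, "Rogue CA", ROGUE)
BUILTIN = {root["subject"]: root}
```

The spoofed certificate carries the right hostname and a valid signature, yet is rejected because its hierarchy ends at a root that is not in the built-in set; a presented root that merely reuses a built-in root's name fails the signature check instead.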

  8. #53

    Default

    Thanks Pada and everyone else who helped for this.
    Last edited by shaunvw; 27-06-2010 at 08:42 PM.

  9. #54
    Grandmaster
    Join Date
    Dec 2004
    Location
    Johannesburg
    Posts
    2,691

    Default

    Just a heads-up, SAIX(TelkomInternet)'s Google Global Cache servers started operating properly just a few days ago... it's working for Telkom customers automatically now as well without intervention

  10. #55
    The Magician Tinuva's Avatar
    Join Date
    Feb 2005
    Location
    Virgo Super Cluster
    Posts
    7,213

    Default

    Quote Originally Posted by Pada View Post
    HavocXphere, the WebAfrica DNS server that you're using isn't working
    That's an MTN-Business DNS server, not a WebAfrica DNS server, which is 196.220.59.188/189
    Few people can see the genius in someone who has offended them.
    - Robertson Davies

  11. #56
    Grandmaster
    Join Date
    Sep 2009
    Location
    Soul Society
    Posts
    1,294

    Default

    Quote Originally Posted by Pada View Post
    HavocXphere, the WebAfrica DNS server that you're using isn't working:

    When you're viewing the certificate of mail.google.com, it should be the one at the bottom of the Certificate Hierarchy with the name 'mail.google.com'. If it doesn't have any certificates listed above it, with the top-most one being a 'Builtin Object Token' (root certificate built into Firefox), then the host is being spoofed and you SHOULD NOT continue.

    Here's a very technical explanation of it:
    X509 certificates are signed by taking a hash (like MD5 or SHA1) of the X509 certificate in the DER encoded form, and then encrypting both the OID (describing the hash algorithm used) and the hash itself with the RSA private key. The RSA private key is only known by the owner of the certificate.
    Certificates can either be signed by a CA (Certificate Authority, like VeriSign) or self-signed. Root certificates are always self-signed and their signatures can be verified by decrypting their signature with their own public key (which is stored in the X509 certificate). You'll know that the certificate is self-signed when its Issuer field matches its Subject field.
    Certificates signed by a CA certificate can only be verified by decrypting the signature with the public key of the CA certificate used to sign it. The name/description of the CA certificate used to sign the X509 certificate is stored in the Issuer field. So the correct CA certificate can always be found in the list of certificates by matching the Issuer field with the CA certificate's Subject field.

    CA/Root certificates can be faked if they used MD5 hash for the signature, since MD5 collisions are already known, but you still need like 200 PS3's to be able to crack it in a few days.

    Firefox includes most of the trusted root certificates (listed as 'Builtin Object Tokens'). If a certificate's hierarchy doesn't start with a root certificate built-in in Firefox, then the certificate cannot be trusted, unless you made your own root certificate
    * If you're wondering why I know so much about X509 certificates... It's because I'm working for a company where we're making our own X509 certificates.
    I just fried some brain cells reading this.

  12. #57

    Default

    If I use IMAP for Gmail will this go through local?

    On a 384 line, Gmail takes ages to sync via IMAP using Outlook for example.

  13. #58
    Super Grandmaster
    Join Date
    Feb 2009
    Location
    Stellenbosch
    Posts
    8,135
    Blog Entries
    1

    Default

    Cider, add the following 2 lines and see if your Gmail still works via IMAP/SMTP:
    Code:
    196.23.168.147 gmail-imap.l.google.com
    196.23.168.147 gmail-smtp-msa.l.google.com

  14. #59

    Default

    Are there really ISPs that need this still?

  15. #60

    Default

    Quote Originally Posted by Tinuva View Post
    That's an MTN-Business DNS server, not a WebAfrica DNS server, which is 196.220.59.188/189
    I see what you mean.

    Quote Originally Posted by Pada View Post
    HavocXphere, the WebAfrica DNS server that you're using isn't working:
    You're right about the DNS server I posted: 100% dead. Was wondering what all the 8.8.8.8 were doing in my firewall records...

    I'm not convinced that the nslookup thing is a reliable method of testing it though. I also got the timeout message whilst using the broken DNS as primary & Google as secondary. Now I've switched to 196.31.65.99 (another WA/MTN) I get a result for the (broken) first WA DNS server:
    C:\Documents and Settings\HX>nslookup 196.7.18.82
    Server: ns2.anova.co.za
    Address: 196.31.65.99

    Name: ns1.savitar.co.za
    Address: 196.7.18.82
    Cert: On this PC it looks right. Will have a look on the others too. thx
