OK, awesome. I think I'm now going to try and merge all the entries into my first post!
Some setups complain about it not being a secured connection when a secured one was expected (FF).
That's unfortunately the problem when forcing an HTTPS connection to a different server.
If you do get this issue with the certificates, PLEASE ensure that the Certificate Hierarchy tree resolves back to a Built-in Token (Root Certificate) in Firefox. You can view the Certificate and then in the Details tab it would show the Hierarchy tree.
I've updated my list in my first post by merging/adding all the DNS entries given in this thread. I've also removed all the double entries. Like www.google.com would resolve to www.l.google.com, so I've removed www.google.com.
If you have a DNS server that won't resolve www.google.com to www.l.google.com, then I would love to get that DNS server's IP address
I've used the following DNS servers to test my list: 168.210.2.2 (IS), 196.25.1.9 (Telkom), 146.232.128.10 (Stellenbosch University - Internal access only) & 8.8.8.8 (Google DNS).
To check how the DNS entry is being resolved, use the command-line app: nslookup <hostname>, eg. nslookup www.google.com
In Linux you can either use nslookup or dig
Last edited by Pada; 27-06-2010 at 03:04 PM.
Thanks. Works great. YouTube and Google Earth working well.
Last edited by schumi; 27-06-2010 at 03:33 PM.
Could you explain this in more detail? I've found the Hierarchy tree, but don't understand which cert I'm looking for or what it must look like.
Also, you can remove credit to me from OP...Catal already had the addr I added in his/her list.
I'm using dns1.webafrica.co.za as my DNS. (196.7.18.82)
Google DNS is secondary.
Code:
C:\Documents and Settings\HX>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 196.7.18.82: Timed out
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.l.google.com
Address:  155.232.240.19
Aliases:  www.google.com

C:\Documents and Settings\HX>
Not sure how to interpret the above.
EDIT: Above is from the laptop that does not give cert issue.
Code:
Pinging www.google.com [196.23.168.147] with 32 bytes of data:
Reply from 196.23.168.147: bytes=32 time=72ms TTL=54
Reply from 196.23.168.147: bytes=32 time=71ms TTL=54
Reply from 196.23.168.147: bytes=32 time=71ms TTL=54
HavocXphere, the WebAfrica DNS server that you're using isn't working:
*** Can't find server name for address 196.7.18.82: Timed out
When you're viewing the certificate of mail.google.com, it should be the one at the bottom of the Certificate Hierarchy with the name 'mail.google.com'. If it doesn't have any certificates listed above it, with the top-most one being a 'Builtin Object Token' (root certificate built into Firefox), then the host is being spoofed and you SHOULD NOT continue.
Here's a very technical explanation of it:
X509 certificates are signed by taking a hash (like MD5 or SHA1) of the X509 certificate in the DER encoded form, and then encrypting both the OID (describing the hash algorithm used) and the hash itself with the RSA private key. The RSA private key is only known by the owner of the certificate.
* If you're wondering why I know so much about X509 certificates... It's because I'm working for a company where we're making our own X509 certificates
Certificates can either be signed by a CA (Certificate Authority, like VeriSign) or self-signed. Root certificates are always self-signed and their signatures can be verified by decrypting their signature with their own public key (which is stored in the X509 certificate). You'll know that the certificate is self-signed when its Issuer field matches its Subject field.
Certificates signed by a CA certificate can only be verified by decrypting the signature with the public key of the CA certificate used to sign it. The name/description of the CA certificate used to sign the X509 certificate is stored in the Issuer field. So the correct CA certificate can always be found in the list of certificates by matching the Issuer field with the CA certificate's Subject field.
CA/Root certificates can be faked if they used MD5 hash for the signature, since MD5 collisions are already known, but you still need like 200 PS3's to be able to crack it in a few days.
Firefox includes most of the trusted root certificates (listed as 'Builtin Object Tokens'). If a certificate's hierarchy doesn't start with a root certificate built-in in Firefox, then the certificate cannot be trusted, unless you made your own root certificate
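The hierarchy check described in the post above, as an added example that is not part of the original thread: it walks from the leaf to a self-signed root by matching each Issuer field to a Subject field, then checks that root against a trusted set. The certificate records, names and `TRUSTED_ROOTS` are constructed assumptions; name matching only locates the parent, so a real validator must still verify every signature.

```python
# Added illustration; all certificate records are constructed sample data.
# Issuer/Subject matching only locates the candidate parent. A real validator
# must also verify every signature, the validity period and the hostname.
TRUSTED_ROOTS = {"CN=Example Root CA"}  # stand-in for the browser's built-in roots

def build_chain(leaf, pool):
    """Walk leaf -> root by matching Issuer to Subject; return (chain, verdict)."""
    by_subject = {c["subject"]: c for c in pool}
    chain, seen, cert = [leaf], {leaf["subject"]}, leaf
    while cert["issuer"] != cert["subject"]:       # Issuer == Subject: self-signed
        parent = by_subject.get(cert["issuer"])
        if parent is None:
            return chain, "incomplete: issuer %r not found" % cert["issuer"]
        if parent["subject"] in seen:              # guard against cyclic issuers
            return chain, "loop in issuer chain"
        chain.append(parent)
        seen.add(parent["subject"])
        cert = parent
    if cert["subject"] not in TRUSTED_ROOTS:
        return chain, "untrusted: root %r is not built in" % cert["subject"]
    return chain, "ok"

# Constructed sample hierarchy: root -> issuing CA -> leaf.
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}
INTERMEDIATE = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"}
GOOD_LEAF = {"subject": "CN=mail.example.test", "issuer": "CN=Example Issuing CA"}
# What a spoofed host typically presents: nothing above the leaf in the tree.
SELF_SIGNED_LEAF = {"subject": "CN=mail.example.test", "issuer": "CN=mail.example.test"}
# Leaf whose issuer is not in the store at all.
ORPHAN_LEAF = {"subject": "CN=mail.example.test", "issuer": "CN=Unknown CA"}

if __name__ == "__main__":
    pool = [ROOT, INTERMEDIATE]
    for name, leaf in [("good", GOOD_LEAF), ("self-signed", SELF_SIGNED_LEAF),
                       ("orphan", ORPHAN_LEAF)]:
        chain, verdict = build_chain(leaf, pool)
        print(name, [c["subject"] for c in chain], verdict)
```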
Thanks pada and everyone else who helped for this.
Last edited by shaunvw; 27-06-2010 at 08:42 PM.
Just a heads-up, SAIX(TelkomInternet)'s Google Global Cache servers started operating properly just a few days ago... it's working for Telkom customers automatically now as well without intervention
If I use IMAP for Gmail will this go through local?
On a 384 line Gmail takes ages to sync via IMAP using Outlook for example.
Cider, add the following 2 lines and see if your Gmail still works via IMAP/SMTP:
Code:
196.23.168.147 gmail-imap.l.google.com
196.23.168.147 gmail-smtp-msa.l.google.com
Are there really ISPs that need this still?
I see what you mean.
You're right about the DNS server I posted 100% dead. Was wondering what all the 8.8.8.8 were doing in my firewall records...
I'm not convinced that the nslookup thing is a reliable method of testing it though. I also got the timeout message whilst using the broken dns as primary & google as secondary. Now I've switched to 196.31.65.99 (another WA/MTN) I get a result for the (broken) first WA dns server:
C:\Documents and Settings\HX>nslookup 196.7.18.82
Server:  ns2.anova.co.za
Address:  196.31.65.99

Name:    ns1.savitar.co.za
Address:  196.7.18.82

Cert: On this PC it looks right. Will have a look on the others too. thx