Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-05 Thread Terry Coles
On Monday, 5 March 2018 12:40:40 GMT Ralph Corderoy wrote:
> It needs to be a few steps printed big and stuck on a wall away from the
> booth to avoid clogging the area.  The QR code should be present because
> you might be surprised how many phones handle it without an explicit
> app, and it's a convenience for those users;  they're on the rise.

I've just got back from discussing all this with the Manager.

> > BTW.  iPhones 'just connect'
> 
> Today.  :-)

Point taken.
 
> It's annoying that Management are wary of web-site contractor time and
> money, but not volunteer time.

To be fair, they're not that wary and the guy has a contract to update the 
site on a regular basis.  The Manager can add content, but not change the 
overall architecture.  He is going to discuss this with the contractor and 
look into registering WMTGuide.com as a subdomain, with SSL Certificate too.

The main problem is that they have a budget for the website but it has largely 
been allocated.

> Aren't you mixing two things here?
> 
> Android is attempting a HTTPS probe to check for being captive.  You've
> proved responding to that with a self-signed certificate doesn't work.
> You're hoping that if it's a signed certificate by an authority known to
> the browser then, even though it's a certificate for a completely
> different domain to the one being contacted, that Android will be happy
> with the 204 response it expected.
> 
> You don't need HTTPS for accessing the guide;  that's already working
> with HTTP.
> 
> If the certificate is for a domain different to the one Android contacts
> then it could be for hadrian-way.co.uk, say.  I suggested
> wimborne-modeltown.com because that's the one it owns, though held
> captive by a contractor.  :-)  To just test the idea out, and hope it
> quickly fails, giving certainty, you could get one for
> hadrian-way.co.uk, say.  If that's still a problem I may be able to dish
> one up in a few days.

See above.

> See https://letsencrypt.org/getting-started/ for all the options.  Have
> WMT really *no* non-contractor access to the site, e.g. to update some
> page's data in a CMS?  If they can upload files then the Manual Mode
> described on that page might be useful.  Or you could do that for
> hadrian-way.co.uk.

See above.

-- 



Terry Coles

-- 
Next meeting:  Bournemouth, Tuesday, 2018-03-06 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue / TO THE LIST OR THE AUTHOR

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-05 Thread Terry Coles
On Sunday, 4 March 2018 21:07:41 GMT Stephen Wolff wrote:
> i don’t think you’ll be able to get another certificate for
> wimborne-modeltown.com. You might be able to get one for a subdomain or
> a wildcard (ie *.modeltown.com). You’re likely to need some way to

This will be the first certificate for wimborne-modeltown.com.  I've suggested 
that they will need to make the site secure soon anyway.

> verify that you ‘own’ the domain - which for letsencrypt would need
> to be either a DNS record of some sort under wimborne-modeltown.com or a
> file served somewhere under wimborne-modeltown.com (so you’d need to
> work with the contractor in some way)

Understood.

> which server? it could be used on the local network server for an https
> site - it doesn’t have to be on the webserver. a ‘certificate’
> will consist of 3 files (sometimes combined into one - depending on
> server config). You’d need to put the files into certain locations
> with certain permissions on the local webserver, and set up local DNS to
> point the sub-domain, but no, you wouldn’t need the certificate on the
> public webserver.

That's what I'm hoping to do.

> As Chrome is about to label all http sites insecure - maybe the person
> looking after the site will have to sort out a certificate - so will
> have one you could use on the local network?

See above.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-05 Thread Ralph Corderoy
Hi Terry,

> The problem is that the people who man the pay-booth have no idea
> about any of this and struggle to explain the procedure to people
> who've tried to get onto our WiFi network, so the thinking is that
> it'll be less hassle anyway.

It needs to be a few steps printed big and stuck on a wall away from the
booth to avoid clogging the area.  The QR code should be present because
you might be surprised how many phones handle it without an explicit
app, and it's a convenience for those users;  they're on the rise.

> BTW.  iPhones 'just connect'

Today.  :-)

It's annoying that Management are wary of web-site contractor time and
money, but not volunteer time.

> I don't suppose it would work if we got a Certificate for wimborne-
> modeltown.com and added that to the DNS on the internal server, then
> simply told them to go to WMT.com which would also be available on
> that server?  (Maybe by redirection.)

Aren't you mixing two things here?

Android is attempting a HTTPS probe to check for being captive.  You've
proved responding to that with a self-signed certificate doesn't work.
You're hoping that if it's a signed certificate by an authority known to
the browser then, even though it's a certificate for a completely
different domain to the one being contacted, that Android will be happy
with the 204 response it expected.

You don't need HTTPS for accessing the guide;  that's already working
with HTTP.

If the certificate is for a domain different to the one Android contacts
then it could be for hadrian-way.co.uk, say.  I suggested
wimborne-modeltown.com because that's the one it owns, though held
captive by a contractor.  :-)  To just test the idea out, and hope it
quickly fails, giving certainty, you could get one for
hadrian-way.co.uk, say.  If that's still a problem I may be able to dish
one up in a few days.

> So.  If we got a certificate for wimborne-modeltown.com, would the
> server need to have that Certificate installed (more contractor work).

See https://letsencrypt.org/getting-started/ for all the options.  Have
WMT really *no* non-contractor access to the site, e.g. to update some
page's data in a CMS?  If they can upload files then the Manual Mode
described on that page might be useful.  Or you could do that for
hadrian-way.co.uk.

Cheers, Ralph.


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-04 Thread Terry Coles
On Sunday, 4 March 2018 13:25:43 GMT Ralph Corderoy wrote:
> >  and this...
> 
> Nothing followed.  You're probably pasting those NUL bytes into
> Thunderbird again.  :-)

Nope.  I just didn't make myself very clear.  I asked those two questions 
(about getting Certs for wimborne-modeltown.com) and no-one answered them.

I was hoping to avoid having to ask for the wimborne-modeltown.com website to 
be updated by the contractor.


-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-04 Thread Ralph Corderoy
Hi Terry,

>  and this...

Nothing followed.  You're probably pasting those NUL bytes into
Thunderbird again.  :-)

Cheers, Ralph.


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-03-03 Thread Terry Coles
On Thursday, 1 March 2018 07:01:28 GMT Terry Coles wrote:
> I don't suppose it would work if we got a Certificate for wimborne-
> modeltown.com and added that to the DNS on the internal server, then simply
> told them to go to WMT.com which would also be available on that server?
> (Maybe by redirection.)

Can anyone comment on this query...

> So.  If we got a certificate for wimborne-modeltown.com, would the server
> need to have that Certificate installed (more contractor work).

 and this...

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-28 Thread Terry Coles
On Wednesday, 28 February 2018 21:33:10 GMT Ralph Corderoy wrote:
> I still think this idea of trying to fool your paying public that
> they're on the Internet, since they won't get the `you're captured' UI
> that's familiar to them, just leaves them confused when they can't post
> their photos to Facebook, etc.  :-)

I tried to convince 'Management' of this on Tuesday morning, but to no avail.  
The problem is that the people who man the pay-booth have no idea about any of 
this and struggle to explain the procedure to people who've tried to get onto 
our WiFi network, so the thinking is that it'll be less hassle anyway.

BTW.  iPhones 'just connect', so Apple users have no idea about the loss of their 
Facebook access until they try to upload their photos.

> There's already wimborne-modeltown.com.  I'd expect a subdomain of that
> to work, e.g. guide.wimborne-modeltown.com.  No fee for domain
> registration if your existing set-up allows whatever subdomains you
> want.

The problem is that I have no control over the wimborne-modeltown.com server, 
which is managed by a contractor.  That means that the WMT would have to pay 
the contractor to make the change.

> I think that should work.  If you're not allowed subdomains with your
> hosting then LetsEncrypt wimborne-modeltown.com and use
> wimborne-modeltown.com/guide on the Unternet?

That's pretty much what I would have wanted to do, although the length of the 
URL will be a problem.

I don't suppose it would work if we got a Certificate for wimborne-
modeltown.com and added that to the DNS on the internal server, then simply 
told them to go to WMT.com which would also be available on that server?  
(Maybe by redirection.)

> With LetsEncrypt, which is a good choice, yes.  And fairly regularly as
> they need `renewing' every three months IIRC.  For the initial proof,
> and later renewals, they contact the server for
> guide.wimborne-modeltown.com, say, in a certain manner so you can prove
> you own it.  It's quite simple, but they need to be able to resolve DNS
> for that hostname to an IP address that's happy to play along.  It could
> all be torn down in between renewals.  Or the guide could be available
> to the Internet?

So.  If we got a certificate for wimborne-modeltown.com, would the server need 
to have that Certificate installed (more contractor work).

> How about if the normal site prominently hosted the guide, had a
> LetsEncrypt certificate, and had a duplicate off-Internet on the site?

Contractor

> BTW, AndrewM on IRC pointed out https://qifi.org/ for producing a QR
> code that tells the smartphone the SSID, etc., for wifi.

Yes.  I recall this and we discussed it at the time.  The problem is that 
Aunty Mabel and Grandpa Fred are highly unlikely to have a QR Code Reader App 
installed, so half the users would still need to type in the foot-long URL.

(We also discussed the fact that users could install the QR Code Reader App at 
the door, but decided that Aunty Mabel, Grandpa Fred or the door staff are 
unlikely to know how to do that.)


-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-28 Thread Ralph Corderoy
Hi Terry,

> Our idea is to register a new domain for the WMT, such as
> WMTGuide.com.

I still think this idea of trying to fool your paying public that
they're on the Internet, since they won't get the `you're captured' UI
that's familiar to them, just leaves them confused when they can't post
their photos to Facebook, etc.  :-)

There's already wimborne-modeltown.com.  I'd expect a subdomain of that
to work, e.g. guide.wimborne-modeltown.com.  No fee for domain
registration if your existing set-up allows whatever subdomains you
want.

> We could then create a Domain Validated Certificate for that site and
> use that domain on our private network.

I think that should work.  If you're not allowed subdomains with your
hosting then LetsEncrypt wimborne-modeltown.com and use
wimborne-modeltown.com/guide on the Unternet?

> Do you (or anyone else) know if we would have to have a live website
> on the Internet for the Domain validation to work?

With LetsEncrypt, which is a good choice, yes.  And fairly regularly as
they need `renewing' every three months IIRC.  For the initial proof,
and later renewals, they contact the server for
guide.wimborne-modeltown.com, say, in a certain manner so you can prove
you own it.  It's quite simple, but they need to be able to resolve DNS
for that hostname to an IP address that's happy to play along.  It could
all be torn down in between renewals.  Or the guide could be available
to the Internet?

How about if the normal site prominently hosted the guide, had a
LetsEncrypt certificate, and had a duplicate off-Internet on the site?

BTW, AndrewM on IRC pointed out https://qifi.org/ for producing a QR
code that tells the smartphone the SSID, etc., for wifi.

Cheers, Ralph.


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-28 Thread Terry Coles
I just realised that my reply yesterday only went to Ian and not the list; 
those pesky CCs again.

On Sunday, 25 February 2018 12:55:45 GMT you wrote:

Ian,

> You could create your own CA ... but anyone using the site will still
> get the error unless they (manually) install your CA root cert.

Yes. Tried that and it was as you said.

> Probably the cheapest way is to get a free certificate :
> https://letsencrypt.org/ However then the server at least would need to
> be connected to the Internet to renew the issued certificate. 

I spoke to the Management team at WMT this morning and we've decided to try 
this.  AFAICT, Foxdog Studios use the Domain Validated Certificate for their 
main site and install it on their private server.  Presumably this means that 
they have to name their Private webserver the same as their public one.

Our idea is to register a new domain for the WMT, such as WMTGuide.com.  We 
could then create a Domain Validated Certificate for that site and use that 
domain on our private network.

Do you (or anyone else) know if we would have to have a live website on the 
Internet for the Domain validation to work?  I'm assuming that we probably do, 
but it would be nice if we didn't so that we can get away with paying for 
hosting.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-25 Thread Terry Coles
On Sunday, 25 February 2018 13:11:59 GMT Ralph Corderoy wrote:
> Your self-signed certificate is not signed by one of those trusted
> authorities, thus ERR_CERT_AUTHORITY_INVALID.  If you were using your
> proper public domain name, on this private network, then you might
> already have an authority-signed certificate for that.  You won't be able
> to get one for wmt.com because that's not your domain, it's Wright
> Medical Technology.

See my other post.

> Despite your laptop's browser warning, you should tell it to ignore it
> and test the rest of your nginx configuration.  Or use curl, like
> before, adding its -k when it complains.  This is because you're hoping,
> clutching :-), that Android, at least for the captive probe, doesn't get
> as far as validating the certificate.  So you should continue with the
> test.

Unfortunately, it doesn't work with Android, as predicted.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-25 Thread Ralph Corderoy
Hi Terry,

> NET::ERR_CERT_AUTHORITY_INVALID
...
> This server could not prove that it is wmt.com; its security
> certificate is not trusted by your computer's operating system. This
> may be caused by a misconfiguration or an attacker intercepting your
> connection.
>
> So is it mis-configuration

It's working as designed.  The browser/OS has the details of trusted
certificate issuers called authorities.  Your site ships a chain of
certificates to the browser that should lead from the one for you site
up to one of those trusted ones.  When the chain all links up, the site
is trusted.

Your self-signed certificate is not signed by one of those trusted
authorities, thus ERR_CERT_AUTHORITY_INVALID.  If you were using your
proper public domain name, on this private network, then you might
already have an authority-signed certificate for that.  You won't be able
to get one for wmt.com because that's not your domain, it's Wright
Medical Technology.

Despite your laptop's browser warning, you should tell it to ignore it
and test the rest of your nginx configuration.  Or use curl, like
before, adding its -k when it complains.  This is because you're hoping,
clutching :-), that Android, at least for the captive probe, doesn't get
as far as validating the certificate.  So you should continue with the
test.

Cheers, Ralph.


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-25 Thread Ian Morris
The reason for the error is because your certificate is not signed by
one of the trusted Certificate authorities ... indeed the certificate
you have is self signed, it's not signed by any CA.

You could create your own CA ... but anyone using the site will still
get the error unless they (manually) install your CA root cert.

Probably the cheapest way is to get a free certificate :
https://letsencrypt.org/ However then the server at least would need to
be connected to the Internet to renew the issued certificate. A more
expensive way, but requiring less frequent updates would be to get a
certificate signed by one of the CAs, but this means $$$.

You could always start off with letsencrypt to get the hang of things and/or
prove the viability of your solution and then migrate to a cert issued
by one of the trusted CAs.


On 25/02/18 12:29, Terry Coles wrote:
> On Sunday, 25 February 2018 08:04:49 GMT Terry Coles wrote:
>>> You can try listening on TCP port 443 and seeing if Android 7 will
>>> play along with your self-signed certificates.  Perhaps it will as far
>>> as thinking it's got to the Internet, but that Java source I referenced
>>> also talks of `PAC' that I suspect are some sort of Android software
>>> update package.  If a PAC is involved then it will obviously only trust
>>> that from the expected Google source, verified by the certificate.
>> I'm going to try that today.  Lloyd at Foxdog says that they have https
>> support with a Foxdog Certificate and all the phones that he's tried work. 
>> He doesn't specify what they are.
> I've just spent much of this morning getting my head around what https, SSL,
> TLS and SSL Certificates are all about.  I now have a (fairly limited)
> understanding of how to get and use a certificate, based on info here and
> elsewhere:
>
> http://nginx.org/en/docs/http/configuring_https_servers.html
>
> I used the command:
>
> openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout WMT.com.key -out WMT.com.csr
>
> to generate the certificate and key and put them into /etc/ssl, with the
> nginx.conf configured to give me a Single HTTP/HTTPS server, as defined in the
> nginx link.
>
> Once all the files were installed, I ran sudo nginx -s reload with no errors.
>
> Predictably though, it didn't work and when I typed https://WMT.com from my
> laptop while connected to the WMT AP, I got:
>
> ...
>
> Attackers might be trying to steal your information from wmt.com (for example,
> passwords, messages or credit cards). Learn more
> NET::ERR_CERT_AUTHORITY_INVALID
> Subject: Terry Coles
>
> Issuer: Terry Coles
>
> Expires on: 25 Feb 2019
>
> Current date: 25 Feb 2018
>
> PEM encoded chain:
> -----BEGIN CERTIFICATE-----
> .
> .
> -----END CERTIFICATE-----
>
> This server could not prove that it is wmt.com; its security certificate is
> not trusted by your computer's operating system. This may be caused by a
> misconfiguration or an attacker intercepting your connection.
>
>
> ...
>
> So is it mis-configuration or does Chrome (Chromium) not trust the Certificate
> because it is not Domain Validated?  We obviously can't get one of those
> because the domain name WMT.com is only used on our local network and not
> registered with Nominet (or any other Authority).
>



Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-25 Thread Terry Coles
On Sunday, 25 February 2018 08:04:49 GMT Terry Coles wrote:
> > You can try listening on TCP port 443 and seeing if Android 7 will
> > play along with your self-signed certificates.  Perhaps it will as far
> > as thinking it's got to the Internet, but that Java source I referenced
> > also talks of `PAC' that I suspect are some sort of Android software
> > update package.  If a PAC is involved then it will obviously only trust
> > that from the expected Google source, verified by the certificate.
> 
> I'm going to try that today.  Lloyd at Foxdog says that they have https
> support with a Foxdog Certificate and all the phones that he's tried work. 
> He doesn't specify what they are.

I've just spent much of this morning getting my head around what https, SSL,
TLS and SSL Certificates are all about.  I now have a (fairly limited)
understanding of how to get and use a certificate, based on info here and
elsewhere:

http://nginx.org/en/docs/http/configuring_https_servers.html

I used the command:

openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout WMT.com.key -out WMT.com.csr

to generate the certificate and key and put them into /etc/ssl, with the
nginx.conf configured to give me a Single HTTP/HTTPS server, as defined in the
nginx link.

Once all the files were installed, I ran sudo nginx -s reload with no errors.

Predictably though, it didn't work and when I typed https://WMT.com from my
laptop while connected to the WMT AP, I got:

...

Attackers might be trying to steal your information from wmt.com (for example,
passwords, messages or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Terry Coles

Issuer: Terry Coles

Expires on: 25 Feb 2019

Current date: 25 Feb 2018

PEM encoded chain:
-----BEGIN CERTIFICATE-----
.
.
-----END CERTIFICATE-----

This server could not prove that it is wmt.com; its security certificate is
not trusted by your computer's operating system. This may be caused by a
misconfiguration or an attacker intercepting your connection.


...

So is it mis-configuration or does Chrome (Chromium) not trust the Certificate
because it is not Domain Validated?  We obviously can't get one of those
because the domain name WMT.com is only used on our local network and not
registered with Nominet (or any other Authority).

-- 



Terry Coles
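The three outcomes discussed in this thread (Terry's ERR_CERT_AUTHORITY_INVALID for a self-signed certificate, Ian's point that it only passes once the client has that root installed, and Ralph's point that even a properly signed certificate for a different domain will not satisfy a check for the name actually contacted) can be reproduced with the same openssl tool Terry used. The following is an example added by the editor, not code from the thread or from any of the posters; it assumes the `openssl` command-line tool (1.1.0 or later, for `-verify_hostname`) is on PATH, takes the names wmt.com, guide.wimborne-modeltown.com and connectivitycheck.gstatic.com from the thread, and makes up the CA name "Example Private CA" and the file names.

```python
"""Reproduce the three chain-check verdicts discussed in the thread with the
openssl CLI.  Editor's example, not the thread's code.  Assumes `openssl`
(1.1.0+) is on PATH; "Example Private CA" and the file names are made up."""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args, cwd):
    """Run one openssl command in `cwd` and return the CompletedProcess."""
    return subprocess.run(["openssl", *args], cwd=cwd,
                          capture_output=True, text=True, check=False)


def verify(cert, cwd, cafile=None, hostname=None):
    """Do what the browser does: walk the chain up to a trusted root and, if a
    hostname is given, check the certificate was issued for that name.
    Returns (ok, openssl's verdict text)."""
    args = ["verify"]
    if cafile:                      # the 'trust store' for this check
        args += ["-CAfile", cafile]
    if hostname:
        args += ["-verify_hostname", hostname]
    args.append(cert)
    result = openssl(*args, cwd=cwd)
    return result.returncode == 0, (result.stdout + result.stderr).strip()


def build_and_verify(workdir=None):
    """Create the certificates in a scratch directory and return the verdict
    for each scenario as {name: (ok, text)}."""
    d = workdir or tempfile.mkdtemp(prefix="wmt-tls-")
    # 1. Self-signed certificate for wmt.com: the thread's own recipe, which
    #    writes the certificate to a file named like a CSR, as in the thread.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", "/CN=wmt.com", "-keyout", "WMT.com.key",
            "-out", "WMT.com.csr", cwd=d)
    # 2. A private CA (made up), standing in for a publicly trusted authority.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
            "-subj", "/CN=Example Private CA", "-keyout", "ca.key",
            "-out", "ca.crt", cwd=d)
    # 3. A leaf for guide.wimborne-modeltown.com signed by that CA, with the
    #    hostname in subjectAltName, which is where clients look for it.
    openssl("req", "-newkey", "rsa:2048", "-nodes",
            "-subj", "/CN=guide.wimborne-modeltown.com",
            "-keyout", "guide.key", "-out", "guide.csr", cwd=d)
    Path(d, "san.cnf").write_text("subjectAltName=DNS:guide.wimborne-modeltown.com\n")
    openssl("x509", "-req", "-in", "guide.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "365", "-extfile", "san.cnf",
            "-out", "guide.crt", cwd=d)

    return {
        # ERR_CERT_AUTHORITY_INVALID: nothing in the chain is a trusted issuer.
        "self_signed": verify("WMT.com.csr", d),
        # Ian's point: it passes only once the client has been given that root.
        "self_signed_root_installed": verify("WMT.com.csr", d, cafile="WMT.com.csr"),
        # The chain links up to a trusted root and the name matches.
        "ca_signed_right_host": verify("guide.crt", d, cafile="ca.crt",
                                       hostname="guide.wimborne-modeltown.com"),
        # Ralph's point: a good certificate for the wrong name still fails for
        # the name the probe actually contacts.
        "ca_signed_wrong_host": verify("guide.crt", d, cafile="ca.crt",
                                       hostname="connectivitycheck.gstatic.com"),
    }


if __name__ == "__main__":
    for scenario, (ok, text) in build_and_verify().items():
        print(f"{scenario:28s} {'OK  ' if ok else 'FAIL'}  {text.splitlines()[-1]}")
```

Running it prints one line per scenario; only the two "right root, right name" cases pass. The `-CAfile` argument plays the role of the browser's trust store, which is why the self-signed certificate passes the second check and fails the first, and the `-verify_hostname` argument is the name check that no certificate for another domain can satisfy.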

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-25 Thread Terry Coles
On Saturday, 24 February 2018 23:40:56 GMT Ralph Corderoy wrote:
> It should be packets 12 and 13;  you could run the tcpdump command and
> compare it to Wireshark's display.  /etc/services says https is TCP port
> 443.

I have now received a response to my question about where https is used from 
Lloyd at Foxdog and he helpfully provided a screenshot of the packets in 
Wireshark.  The exchange is on the Foxdog page I linked to earlier.

> No, not a path to the Internet; unencrypted contact with something
> listening on TCP port 80 has been established that sent back the 204
> reply.  Could be anything, not necessarily Google's machine at the
> Internet;  it's easily impersonated.

Yes.  A system like this could be used to scam users.  However, it's more 
likely to be successful if the user still gets his Internet connection :-)

> You can try listening on TCP port 443 and seeing if Android 7 will
> play along with your self-signed certificates.  Perhaps it will as far
> as thinking it's got to the Internet, but that Java source I referenced
> also talks of `PAC' that I suspect are some sort of Android software
> update package.  If a PAC is involved then it will obviously only trust
> that from the expected Google source, verified by the certificate.

I'm going to try that today.  Lloyd at Foxdog says that they have https 
support with a Foxdog Certificate and all the phones that he's tried work.  He 
doesn't specify what they are.
 
> But this is Wimborne v. Google.  All Google is trying to do is inform
> the user that they're not connecting to an Internet access point but
> something else, and asking them to acknowledge that.  Seems reasonable.
> I assume relying solely on the HTTP 204 in Android 6 and earlier was
> because there was enough places blocking HTTPS that they had no choice.
> As HTTPS-only has become common for major sites, they can assume that
> access to the Internet allows it so they can probe for it, and it would
> seem duff if they don't validate the certificate on connection.

Agreed.  See above.
 
> Even if Android 7 doesn't validate the certificate, Android 8 probably
> will and we will be here again enough into the future to have forgotten
> this detail.  :-)
> 
> Tell management that the posters asking the users to open the QR code
> also need to warn them to accept the portal warning?

I did that last year.  Apparently it confuses the Visitors and so they give 
up.  My belief is that they are more likely to give up if they suddenly lose 
their 'indispensable' link to Facebook, Twitter, et al.

I was asked to fix this and I will do my best.  I have a backup of the old 
configuration, so it's easy to revert.

I'll talk it through with 'Management' when I go in to WMT on Tuesday.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Ralph Corderoy
Hi Terry,

> > I've looked at the files with this command that gives packet numbers
> > to reference.
> > 
> > tcpdump -vvvKnt# -r $packet_file
> 
> I used Wireshark as you originally recommended.

Yes, I thought that would be more suitable if packets are new to you.  I
don't have it installed, and I know tcpdump won't hide anything from me
by trying to be a helpful GUI.  :-)

> I looked for https in the stream, but couldn't see it.

It should be packets 12 and 13;  you could run the tcpdump command and
compare it to Wireshark's display.  /etc/services says https is TCP port
443.

> Well it could trigger a fail, although it seems a bit OTT, since a
> path to the Internet has been established.

No, not a path to the Internet; unencrypted contact with something
listening on TCP port 80 has been established that sent back the 204
reply.  Could be anything, not necessarily Google's machine at the
Internet;  it's easily impersonated.

> > If that's the case, you're stuck.  A HTTPS connection couldn't be
> > made to the Pi such that it can provide a trusted certificate
> > verifying it's connectivitycheck.gstatic.com.  Happy to be proved
> > wrong.  :-)

You can try listening on TCP port 443 and seeing if Android 7 will
play along with your self-signed certificates.  Perhaps it will as far
as thinking it's got to the Internet, but that Java source I referenced
also talks of `PAC' that I suspect are some sort of Android software
update package.  If a PAC is involved then it will obviously only trust
that from the expected Google source, verified by the certificate.

But this is Wimborne v. Google.  All Google is trying to do is inform
the user that they're not connecting to an Internet access point but
something else, and asking them to acknowledge that.  Seems reasonable.
I assume relying solely on the HTTP 204 in Android 6 and earlier was
because there was enough places blocking HTTPS that they had no choice.
As HTTPS-only has become common for major sites, they can assume that
access to the Internet allows it so they can probe for it, and it would
seem duff if they don't validate the certificate on connection.

Even if Android 7 doesn't validate the certificate, Android 8 probably
will and we will be here again enough into the future to have forgotten
this detail.  :-)

Tell management that the posters asking the users to open the QR code
also need to warn them to accept the portal warning?

Cheers, Ralph.

-- 
Next meeting:  Bournemouth, Tuesday, 2018-03-06 20:00
Meets, Mailing list, IRC, LinkedIn, ...  http://dorset.lug.org.uk/
New thread:  mailto:dorset@mailman.lug.org.uk / CHECK IF YOU'RE REPLYING
Reporting bugs well:  http://goo.gl/4Xue / TO THE LIST OR THE AUTHOR
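Ralph's point about the two probes, in code, as an added example (not code from the thread and not Android's own): a plain-HTTP probe that wants a 204, an HTTPS probe that is only satisfied if the certificate chain and host name validate, and the decision rule the thread suspects NetworkMonitor applies. The loopback server, the probe path and the Host header are assumptions made for the demo. Against the Pi the HTTPS probe comes back "unreachable" because nothing listens on 443; with a self-signed certificate on 443 it would come back "untrusted" instead, which gives the same "portal" verdict.

```python
"""Model of the HTTP + HTTPS captive-portal probes discussed above.

Added example, not code from the thread or from Android.  The decision
rule is the thread's hypothesis about NetworkMonitor.java, not a copy of
it: the Android-6-style check is satisfied by a plain-HTTP 204, the
Android-7-style check also wants an HTTPS probe whose certificate chains
to a CA the device trusts.  Probe path, Host header and the loopback
server in run_demo() are assumptions made for the demo.
"""
import http.client
import http.server
import socket
import ssl
import threading

PROBE_PATH = "/generate_204"
PROBE_HOST = "connectivitycheck.gstatic.com"  # only used as the Host header


def make_probe_context():
    """TLS settings a validating probe uses: chain *and* host name are
    checked, which a self-signed certificate on the Pi cannot pass."""
    return ssl.create_default_context()  # CERT_REQUIRED + check_hostname


def _get_status(conn):
    conn.request("GET", PROBE_PATH, headers={"Host": PROBE_HOST})
    try:
        return conn.getresponse().status
    finally:
        conn.close()


def probe_http(host, port, timeout=3.0):
    """Plain-HTTP probe: 'ok' on 204, 'portal' on any other reply,
    'unreachable' if no TCP connection could be made."""
    try:
        status = _get_status(http.client.HTTPConnection(host, port, timeout=timeout))
    except OSError:
        return "unreachable"
    return "ok" if status == 204 else "portal"


def probe_https(host, port, ctx=None, timeout=3.0):
    """HTTPS probe.  Separates a refused/timed-out connection (nothing on
    443, as with the Pi) from a handshake that failed certificate checks."""
    ctx = ctx or make_probe_context()
    try:
        status = _get_status(
            http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx))
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "unreachable"
    return "ok" if status == 204 else "portal"


def classify(http_result, https_result, require_https):
    """Decision rule as hypothesised in the thread.

    require_https=False models Android 6 (HTTP 204 is enough);
    require_https=True models Android 7 (HTTPS must validate as well)."""
    if http_result == "unreachable" and https_result == "unreachable":
        return "no-connectivity"
    if not require_https:
        return "validated" if http_result == "ok" else "portal"
    return "validated" if http_result == "ok" and https_result == "ok" else "portal"


class _Generate204(http.server.BaseHTTPRequestHandler):
    """Stands in for the nginx rule: 204 for the probe path, 404 otherwise."""
    def do_GET(self):
        if self.path == PROBE_PATH:
            self.send_response(204)
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Loopback stand-in for the Pi: 204 on one port, nothing listening on
    another (the refused 443).  Returns the probe results and both verdicts."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Generate204)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    http_port = srv.server_address[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here now
    try:
        h = probe_http("127.0.0.1", http_port)
        t = probe_https("127.0.0.1", closed_port)
    finally:
        srv.shutdown()
    return h, t, classify(h, t, require_https=False), classify(h, t, require_https=True)


if __name__ == "__main__":
    print(run_demo())  # ('ok', 'unreachable', 'validated', 'portal')
```

Pointing probe_http() and probe_https() at the Pi's address reproduces the Nexus versus G5 difference without a phone: the Android-6-style rule validates on the 204 alone, the Android-7-style rule does not unless an HTTPS probe validates as well, and no certificate the Pi can present for connectivitycheck.gstatic.com will satisfy make_probe_context().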

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 20:19:27 GMT Hamish MB wrote:
> It being that I'm studying Java for my Open University course, I'll have a
> look at it for you. Python is my preferred language, but I'm not bad with
> Java. I think when we get it working on Android 7 & 8 I should use the VMS
> to test old versions too. People still use Android versions going back to
> 2.6. Might be overkill, but best to know it always works.
 
> I don't have a lot of free time right now, so it may be a little while
> before I get to it, but I shall see if I can make sense of the code.
 
Thanks Hamish,

However, see my other post; Lloyd at Foxdog has confirmed that both http and 
https are used.

I also need to get this sorted, so we can put the antenna back up before the 
WMT re-opens in about four weeks time :-)

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Hamish MB
Hi,

It being that I'm studying Java for my Open University course, I'll have a look 
at it for you. Python is my preferred language, but I'm not bad with Java. I 
think when we get it working on Android 7 & 8 I should use the VMS to test old 
versions too. People still use Android versions going back to 2.6. Might be 
overkill, but best to know it always works.

I don't have a lot of free time right now, so it may be a little while before I 
get to it, but I shall see if I can make sense of the code.

Hamish
On 24 Feb 2018, at 18:34, Terry Coles <d-...@hadrian-way.co.uk> wrote:

> On Saturday, 24 February 2018 18:02:38 GMT Ralph Corderoy wrote:
> > And other Apple domains.  I assume both devices have Apple software,
> > e.g. iTunes?
> 
> Not as far as I know.
> 
> > I've looked at the files with this command that gives packet numbers to
> > reference.
> > 
> > tcpdump -vvvKnt# -r $packet_file
> 
> I used Wireshark as you originally recommended.  I sort of understood what was
> going on most of the time; it's the unexpected events that have me foxed and
> the fact that both phones seem to trigger the generate_204 OK, but only one
> works.
> 
> > First, 'packets(1_Minute_Nexus)' where it's fooled it's not captive.
> 
> Thanks for this.
> 
> > The 'packets(1_Minute_G5)' is different.
> > 
> > That gets us to 15.9 s into the recording.  Next packets are at 31.9 s.
> > You said `no Internet' appears around 16 s.
> 
> Yes.  That's right.
> 
> > I've read through
> > http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java
> > and struggle to understand it.  It being Java, the Android standard
> > libraries, and its asynchronous nature.  But I think the G5's behaviour
> > most matches sendParallelHttpProbes() that, despite the name, sends HTTP
> > and HTTPS in parallel.
> 
> So should I setup SSL on the server?  At the moment it's disabled.  I looked
> for https in the stream, but couldn't see it.
> 
> > I didn't figure out what happens if the HTTP probe `succeeds', assuming
> > that's what we're seeing in the packets, and HTTPS doesn't.  I suspect
> > that's what's triggering the `You're captive'.  Perhaps someone that
> > knows Java could untangle it.
> 
> Well it could trigger a fail, although it seems a bit OTT, since a path to the
> Internet has been established.
> 
> > If that's the case, you're stuck.  A HTTPS connection couldn't be made
> > to the Pi such that it can provide a trusted certificate verifying it's
> > connectivitycheck.gstatic.com.  Happy to be proved wrong.  :-)
> 
> I've seen talk of Self Signed Certificates, but Patrick indicated that they
> wouldn't work.
> 
> I asked the guy at Foxdog if they are supporting https on their server, but he
> hasn't responded.

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 18:02:38 GMT Ralph Corderoy wrote:
> I didn't figure out what happens if the HTTP probe `succeeds', assuming
> that's what we're seeing in the packets, and HTTPS doesn't.  I suspect
> that's what's triggering the `You're captive'.  Perhaps someone that
> knows Java could untangle it.
> 
> If that's the case, you're stuck.  A HTTPS connection couldn't be made
> to the Pi such that it can provide a trusted certificate verifying it's
> connectivitycheck.gstatic.com.  Happy to be proved wrong.  :-)

Lloyd at Foxdog has confirmed that he can see the https requests in the packet 
dump for the G5 and that they support https in their server using a Foxdog 
Certificate.  However, he also says that he can't see how they can be valid 
https connections, since the phone would be expecting the certificate to be 
issued by Google.

Full comments trail at 
https://foxdogstudios.com/making-phones-believe-the-wifi-has-internet#comment-3772704492

I'm going to try setting the Pi up as an https server with a Self Signed 
Certificate tomorrow and see what happens.


-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 18:32:52 GMT Terry Coles wrote:
> On Saturday, 24 February 2018 18:02:38 GMT Ralph Corderoy wrote:
> > And other Apple domains.  I assume both devices have Apple software,
> > e.g. iTunes?

BTW.  I forgot to mention, I added this and other domains that the phone 
queried to my DNS, to see if the phone issued any new command once the request 
was acknowledged.  It stopped the refusal, but nothing else happened.

I'm assuming that these queries are there to establish if the domains are 
available for other purposes (Apps etc).  They don't always appear, so maybe 
the phone queries them on a cyclical basis.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 18:02:38 GMT Ralph Corderoy wrote:
> And other Apple domains.  I assume both devices have Apple software,
> e.g. iTunes?


Not as far as I know.
 
> I've looked at the files with this command that gives packet numbers to
> reference.
> 
> tcpdump -vvvKnt# -r $packet_file

I used Wireshark as you originally recommended.  I sort of understood what was 
going on most of the time; it's the unexpected events that have me foxed and 
the fact that both phones seem to trigger the generate_204 OK, but only one 
works.

> First, 'packets(1_Minute_Nexus)' where it's fooled it's not captive.

Thanks for this.

> The 'packets(1_Minute_G5)' is different.

> That gets us to 15.9 s into the recording.  Next packets are at 31.9 s.
> You said `no Internet' appears around 16 s.

Yes.  That's right.

> I've read through
> http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java
> and struggle to understand it.  It being Java, the Android standard
> libraries, and its asynchronous nature.  But I think the G5's behaviour
> most matches sendParallelHttpProbes() that, despite the name, sends HTTP
> and HTTPS in parallel.

So should I setup SSL on the server?  At the moment it's disabled.  I looked 
for https in the stream, but couldn't see it.

> I didn't figure out what happens if the HTTP probe `succeeds', assuming
> that's what we're seeing in the packets, and HTTPS doesn't.  I suspect
> that's what's triggering the `You're captive'.  Perhaps someone that
> knows Java could untangle it.

Well it could trigger a fail, although it seems a bit OTT, since a path to the 
Internet has been established.

> If that's the case, you're stuck.  A HTTPS connection couldn't be made
> to the Pi such that it can provide a trusted certificate verifying it's
> connectivitycheck.gstatic.com.  Happy to be proved wrong.  :-)

I've seen talk of Self Signed Certificates, but Patrick indicated that they 
wouldn't work.

I asked the guy at Foxdog if they are supporting https on their server, but he 
hasn't responded.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Ralph Corderoy
Hi Terry,

> 1.  Using my wife's Nexus 5 phone (Android 6), which connects to the
> WMT AP without complaint.
> 2.  Using my Moto G5+ phone (Android 7), which complains that the
> device has no Internet connection).

http://hadrian-way.co.uk/Misc/Misc.zip
'packets(1_Minute_Nexus)'
'packets(1_Minute_G5)'

>   a.  The Nexus showed a successful connection (approx 8 seconds).
>   b.  The G5 put up the 'No Internet' dialogue (approx 16s).
...
> Strangely enough they seem to try an apple.com site!

And other Apple domains.  I assume both devices have Apple software,
e.g. iTunes?

I've looked at the files with this command that gives packet numbers to
reference.

tcpdump -vvvKnt# -r $packet_file

First, 'packets(1_Minute_Nexus)' where it's fooled it's not captive.

1-2  The Pi tries to find the MAC address for 192.168.0.217.  Did you
ask tcpdump to only record packets to/from 192.168.0.217?  Nothing
answers, because nothing has that IP address yet.

3  A broadcast from the Nexus's MAC address that says `Receiver not
Ready'.  I've not seen those before.

4-5  IP6, i.e. IP for IPv6.  Seems to be discovery of some sort.  I
don't know IPv6.

6-9  The Nexus talks to the Pi's DHCP server over UDP, gets its
192.168.0.217 IP address, and learns that the Pi's IP address is the
gateway and DNS server.

10-11  Nexus asks for MAC address of Pi's IP address.  (Not related to
the problem in hand, but it knew this from the previous packet's
headers.)

12-15  Nexus gets rebuffed when asking for the IPv6 address for
connectivitycheck.gstatic.com.

00:00:02.445376 ? connectivitycheck.gstatic.com.
00:00:02.445606 Refused q: ? connectivitycheck.gstatic.com.
00:00:02.447099 ? connectivitycheck.gstatic.com.
00:00:02.447198 Refused q: ? connectivitycheck.gstatic.com.

16-17  Very soon after, it asks for IPv4 address and gets it.

00:00:02.452003 A? connectivitycheck.gstatic.com.
00:00:02.452094 q: A? connectivitycheck.gstatic.com. A 192.168.0.1

18-20  Nexus establishes TCP connection to Pi's HTTP server on port 80;
the `S', `S.', and `.' flags.  TCP's SYN and ACK.

21  Nexus sends `GET /generate_204' HTTP request.

22  Packet ACK'd by Pi.

23  Pi sends `204 No Content' HTTP reply.

24  Packet ACK'd by Nexus.

25  Nexus tries to make new TCP connection to HTTP server on
17.253.35.207, AKA uklon5-vip-bx-007.aaplimg.com.  Apple.  No reply will
be received.  It repeats this, with back-off, at 36, 37, 41, 43-46.

28-35  Nexus wants IPv4 address for mtalk.google.com.  Rebuffed.

38   Interesting.  Pi's web server tells Nexus's port 42627 it's
shutting down the connection.  That port's not been used yet.  Nexus
replies with a `R', RESET, in 39 confirming this.  nginx must have had a
TCP connection still open from a previous run of Android on that device.

Around now, the eight seconds you report for a successful connection is
up.

43-46  Apple again.  17.253.35.206 this time,
uklon5-vip-bx-006.aaplimg.com.

47-48  Like 16-17, IPv4 query for connectivitycheck.gstatic.com.  Time
32.638247.

49-50  Like 21, 23, re-using the existing connection.

52-67  Like 28, more DNS attempts for `mtalk' and related.

68-71  Like 47.  DNS lookup and HTTP 204.  Time 37.19.  Five seconds
after the last one.

They continue like this.

The 'packets(1_Minute_G5)' is different.

4-7  DHCP.
10-11  Lookup IPv4 connectivitycheck.gstatic.com.
12  Attempt TCP connection to port 443, HTTPS, on the Pi.
13  Pi sends RESET, connection refused.
14-16  TCP to port 80, HTTP, established instead.
17  `GET /generate_204'.
18  ACK.
19  `204 No Content'.
20-21  mtalk.
22  ACK for 19.
23-28  mtalk.
29-32  DNS IPv4 address for captive.apple.com sought.
33-44  mtalk and apple.
47-48  Like 10.  Lookup connectivitycheck.  Time 01.637305, 1.091709 later.
49-50  `GET /generate_204' yields `204 No Content'.
51  Like 12, attempting HTTPS.
52  Like 13, RESET.
57  `GET' → `204'.  03.682924 - 01.645985 = 2.036939 since last time.
59-60  Like 51, HTTPS attempt is reset.  2.035218 since last time.
63-64  Like 47.  Lookup connectivitycheck.  6.1936 later.
65-66  Like 59, HTTPS reset.  4.155318 later.
71-74  Like 63.  Lookup connectivitycheck → 204.  8.042971 later.
75-76  Like 65.  HTTPS reset.  8.053677 later.

That gets us to 15.9 s into the recording.  Next packets are at 31.9 s.
You said `no Internet' appears around 16 s.

I've read through
http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java
and struggle to understand it.  It being Java, the Android standard
libraries, and its asynchronous nature.  But I think the G5's behaviour
most matches sendParallelHttpProbes() that, despite the name, sends HTTP
and HTTPS in parallel.

I didn't figure out what happens if the HTTP probe `succeeds', assuming
that's what we're seeing in the packets, and HTTPS doesn't.  I suspect
that's what's triggering the `You're captive'.  Perhaps someone that
knows Java could untangle 
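What Ralph did by hand for packets 12-19 above, done over the capture file, as an added example that is not code from the thread: a small reader for classic pcap (the format `tcpdump -w` writes) with Ethernet/IPv4/TCP framing, per-client counters for the GET /generate_204 and its 204 on port 80 and for the SYN/RST pair on 443, and a one-line diagnosis. The sample capture is constructed in code to mirror that sequence; it is not Terry's capture, and its port and sequence numbers are made up.

```python
"""Triage of a capture for the probe pattern Ralph picked out by hand.

Added example, not code from the thread.  Reads classic pcap (what
`tcpdump -w` writes) with Ethernet/IPv4/TCP framing and counts, per
client, the events that matter here: GET /generate_204 and its 204 on
port 80, and SYNs to port 443 answered with RST.  The capture at the
bottom is constructed in code to mirror the G5's packets 12-19; it is
not Terry's capture, and the port numbers are made up.
"""
import struct
from collections import defaultdict

SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
PI = "192.168.0.1"  # the Pi's address from the thread


def parse_pcap(data):
    """Yield (src, sport, dst, dport, tcp_flags, payload) per IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(e + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP / IPv6 discovery, as in Ralph's packets 1-5
        ihl = (frame[14] & 0x0F) * 4
        ip = frame[14:14 + ihl]
        if ip[9] != 6:
            continue  # DHCP and DNS are UDP; not needed for this triage
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
        yield src, sport, dst, dport, off_flags & 0x1FF, tcp[(off_flags >> 12) * 4:]


def summarise(data, server=PI):
    """Per-client counters for the HTTP and HTTPS probe exchanges."""
    stats = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, flags, payload in parse_pcap(data):
        if dst == server and dport == 443 and flags & SYN:
            stats[src]["https_syn"] += 1
        elif src == server and sport == 443 and flags & RST:
            stats[dst]["https_rst"] += 1
        elif dst == server and dport == 80 and payload.startswith(b"GET /generate_204"):
            stats[src]["http_get"] += 1
        elif src == server and sport == 80 and payload.startswith(b"HTTP/1.1 204"):
            stats[dst]["http_204"] += 1
    return {client: dict(c) for client, c in stats.items()}


def diagnose(c):
    """State the thread's conclusion for one client's counters."""
    if not c.get("http_204"):
        return "no 204 on port 80: check the DNS answer and the nginx rule first"
    if c.get("https_syn") and c["https_syn"] == c.get("https_rst", 0):
        return "204 on port 80 but every HTTPS probe was refused: nothing listens on 443"
    return "204 on port 80 and HTTPS probes were not refused"


def _frame(src, sport, dst, dport, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame; checksums left zero (constructed data)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Classic little-endian pcap header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return out


def sample_capture(client="192.168.0.217"):
    """Constructed stand-in for the G5 capture's packets 12-19."""
    get = b"GET /generate_204 HTTP/1.1\r\nHost: connectivitycheck.gstatic.com\r\n\r\n"
    return build_pcap([
        _frame(client, 40001, PI, 443, SYN),            # 12  HTTPS attempt
        _frame(PI, 443, client, 40001, RST | ACK),      # 13  refused
        _frame(client, 40002, PI, 80, SYN),             # 14
        _frame(PI, 80, client, 40002, SYN | ACK),       # 15
        _frame(client, 40002, PI, 80, ACK),             # 16
        _frame(client, 40002, PI, 80, PSH | ACK, get),  # 17  GET /generate_204
        _frame(PI, 80, client, 40002, ACK),             # 18
        _frame(PI, 80, client, 40002, PSH | ACK, b"HTTP/1.1 204 No Content\r\n\r\n"),  # 19
    ])


if __name__ == "__main__":
    for client, counters in summarise(sample_capture()).items():
        print(client, counters, "->", diagnose(counters))
```

To run it on a real file, call summarise(open(path, "rb").read()) on one of the captures in Misc.zip; a capture saved as pcapng rather than classic pcap needs converting first, which is what the ValueError on the magic number is for.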

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 12:43:28 GMT Ralph Corderoy wrote:
> Does the AP have an IP address?

Yes.  It's 192.168.0.254.
 
> Out of interest, I'd test your Pi set up from a Linux machine with
> commands like

Here are the results:

> dig connectivitycheck.android.com. a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> connectivitycheck.android.com. a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;connectivitycheck.android.com. IN  A

;; ANSWER SECTION:
connectivitycheck.android.com. 0 IN A   192.168.0.1

;; Query time: 11 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Feb 24 13:31:16 GMT 2018
;; MSG SIZE  rcvd: 74

> ping 192.168.0.1

terry@XPS-13:~$ ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=3.52 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=10.0 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=7.26 ms
64 bytes from 192.168.0.1: icmp_seq=4 ttl=64 time=3.81 ms
64 bytes from 192.168.0.1: icmp_seq=5 ttl=64 time=4.32 ms
64 bytes from 192.168.0.1: icmp_seq=6 ttl=64 time=14.4 ms
^C
--- 192.168.0.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5008ms
rtt min/avg/max/mdev = 3.520/7.235/14.440/3.952 ms

> curl -sSv http://connectivitycheck.android.com/generate_204

terry@XPS-13:~$ curl -sSv http://connectivitycheck.android.com/generate_204
*   Trying 192.168.0.1...
* TCP_NODELAY set
* Connected to connectivitycheck.android.com (192.168.0.1) port 80 (#0)
> GET /generate_204 HTTP/1.1
> Host: connectivitycheck.android.com
> User-Agent: curl/7.55.1
> Accept: */*
> 
< HTTP/1.1 204 No Content
< Server: nginx/1.6.2
< Date: Sat, 24 Feb 2018 12:19:08 GMT
< Connection: keep-alive
< 
* Connection #0 to host connectivitycheck.android.com left intact

> DTG?

Sorry.  Military speak. Date/Time Group.

> What's showing you the HTTP content of those packets?  The Android app?
> Does it actually show anything else, e.g. DNS, or packets?  For the WMT
> AP, you could still record on the Pi with tcpdump and then inspect with
> Wireshark on a laptop to see if there are other things from Android.

Yes.  The Android App.  See my other posting for the results when I used 
tcpdump instead.

> http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
> set to zero can disable the `Connection: keep-alive' in nginx's
> response, though I doubt that's the cause.

It may be worth a try.

> So are you saying this technique didn't in fact work for any Android
> version when installed, so it's not a change in a later Android that
> broken it?

To be perfectly honest; I'm not sure any more.  I know we had problems back in 
April last year, when we deployed it, but I thought some of the devices 
worked.  Thinking about what I've done to get this far, I think that it's 
unlikely though, because I had no DNS Server configured back then.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Ralph Corderoy
Hi Terry,

> 1.  Turned off DHCP in the TL-WA7210N.
> 2.  Configured The Raspberry Pi Webserver to also provide DHCP and DNS 
> servers.
> 3.  Set up a static IP address of 192.168.0.1 for the Pi.

Does the AP have an IP address?

> When the system is running, I get allocated an IP Address of
> 192.168.0.119 for WLN0 on my phone.  I can ping WMT.com and all the
> domains listed in the Foxdog solution. I can also issue traceroute and
> get 1 hop responses, so it looks like my DHCP and DNS servers
> configuration is OK.

Out of interest, I'd test your Pi set up from a Linux machine with
commands like

dig connectivitycheck.android.com. a
ping 192.168.0.1
curl -sSv http://connectivitycheck.android.com/generate_204

> I have put the 'android walled garden hack' code into a file located
> in /etc/nginx/sites-available with a symlink to
> /etc/nginx/sites-enabled.

Symlink from sites-enabled *to* the sites-available file, yes.

> Instead, I installed an Android App called 'Packet Capture', and used
> that; first with my home router and then by connecting to the WMT AP.
> I got virtually identical exchanges each time,  Here is the
> unsuccessful exchange:
>
> GET /generate_204 HTTP/1.1
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; Moto G (5) Plus Build/NPN25.137-93)
> Host: connectivitycheck.android.com
> Connection: Keep-Alive
> Accept-Encoding: gzip
>
> HTTP/1.1 204 No Content
> Server: nginx/1.6.2
> Date: Thu, 22 Feb 2018 20:05:31 GMT
> Connection: keep-alive
>
> The only difference with the successful connection was the DTG.

DTG?

What's showing you the HTTP content of those packets?  The Android app?
Does it actually show anything else, e.g. DNS, or packets?  For the WMT
AP, you could still record on the Pi with tcpdump and then inspect with
Wireshark on a laptop to see if there are other things from Android.

> I just realised that that wasn't quite true.  The actual response from
> the good connection was:
>
> HTTP/1.1 204 No Content
> Content-Length: 0
> Date: Fri, 23 Feb 2018 21:09:06 GMT

http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
set to zero can disable the `Connection: keep-alive' in nginx's
response, though I doubt that's the cause.

So are you saying this technique didn't in fact work for any Android
version when installed, so it's not a change in a later Android that
broke it?

Cheers, Ralph.


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 08:15:39 GMT Terry Coles wrote:
> I then went back to the suggestion made by Ralph a few days ago and captured
> the packets on the network when the WiFi connection was made.  In the
> event, I didn't use tcpdump because I also wanted to see what the exchange
> was when the system worked, ie, when I connected to a WiFi AP *with*
> Internet Access. Instead, I installed an Android App called 'Packet
> Capture', and used that; first with my home router and then by connecting
> to the WMT AP.  I got virtually identical exchanges each time,  Here is the

I decided to try tcpdump as suggested by Ralph, because I realised that the 
Android App was obfuscating the information.

I did two captures:

1.  Using my wife's Nexus 5 phone (Android 6), which connects to the WMT AP 
without complaint.

2.  Using my Moto G5+ phone (Android 7), which complains that the device has 
no Internet connection).

In each case, I started a stopwatch when I sent the tcpdump command on the Pi, 
and took a lap time when:

  a.  The Nexus showed a successful connection (approx 8 seconds).
  b.  The G5 put up the 'No Internet' dialogue (approx 16s).

I then continued capture for approx 1 minute.

Analysing the results in Wireshark, my limited skills allow me to see that 
both devices sent a GET /generate_204 to connectivitycheck.gstatic.com and got 
a '204 No Content' response a total of six times.  These GETs appear to 
continue even after the phone has accepted the AP in the case of the Nexus and 
complained about the AP with the G5.

I can't see anything else much in this capture to help, except that both 
phones seem to query a number of other sites and get refused of course because 
they are not in my DNS.  Strangely enough they seem to try an apple.com site!

(It should be noted that the sites that the phone tries seem to be a bit 
arbitrary; I've seen other google sites queried in other captures, including 
google.com and android.clients.google.com.) 

I've put both capture streams up on my website at:

  http://hadrian-way.co.uk/Misc/Misc.zip

If anyone with greater knowledge and experience than me could spare the time 
to have a look at these captures, I would appreciate it.


-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Saturday, 24 February 2018 08:15:39 GMT Terry Coles wrote:
> HTTP/1.1 204 No Content
> Server: nginx/1.6.2
> Date: Thu, 22 Feb 2018 20:05:31 GMT
> Connection: keep-alive
> 
> The only difference with the successful connection was the DTG.

I just realised that that wasn't quite true.  The actual response from the 
good connection was:

HTTP/1.1 204 No Content
Content-Length: 0
Date: Fri, 23 Feb 2018 21:09:06 GMT

Are those differences likely to cause a problem?

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-24 Thread Terry Coles
On Friday, 23 February 2018 17:07:34 GMT Terry Coles wrote:
> I've just had another thought as to what I might be doing wrong and have
> just written to Foxdog to get clarification of their solution.
> 
> I have put the 'android walled garden hack' code into a file located in
> /etc/nginx/sites-available with a symlink to /etc/nginx/sites-enabled.
> 
> In case Foxdog don't reply soon, can anyone tell me if I've put the code in
> the right place?

Foxdog confirmed that sites included in /etc/nginx/sites-enabled do not require 
the http directive, as mentioned in a comment response on the site (in fact it 
causes an error).

I then went back to the suggestion made by Ralph a few days ago and captured 
the packets on the network when the WiFi connection was made.  In the event, I 
didn't use tcpdump because I also wanted to see what the exchange was when the 
system worked, ie, when I connected to a WiFi AP *with* Internet Access.  
Instead, I installed an Android App called 'Packet Capture', and used that; 
first with my home router and then by connecting to the WMT AP.  I got 
virtually identical exchanges each time,  Here is the unsuccessful exchange:

GET /generate_204 HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.0; Moto G (5) Plus Build/NPN25.137-93)
Host: connectivitycheck.android.com
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 204 No Content
Server: nginx/1.6.2
Date: Thu, 22 Feb 2018 20:05:31 GMT
Connection: keep-alive

The only difference with the successful connection was the DTG.

The trouble is that there are lots of other exchanges, which may or may not be 
relevant, so I'm not sure where to go from here.

I'll have to try many more captures I think before I can hope to see any kind 
of a pattern.

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-23 Thread Terry Coles
On Friday, 23 February 2018 16:39:34 GMT Terry Coles wrote:
> Still looking for inspiration

I've just had another thought as to what I might be doing wrong and have just 
written to Foxdog to get clarification of their solution.

I have put the 'android walled garden hack' code into a file located in 
/etc/nginx/sites-available with a symlink to /etc/nginx/sites-enabled.

In case Foxdog don't reply soon, can anyone tell me if I've put the code in the 
right place?


-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-23 Thread Terry Coles
On Friday, 23 February 2018 12:25:29 GMT Terry Coles wrote:
> Any ideas as to what I've missed?

I think maybe I've got something wrong in the Foxdog configuration after all.

When the system is running, I get allocated an IP Address of 192.168.0.119 for 
WLN0 on my phone.  I can ping WMT.com and all the domains listed in the Foxdog 
solution. I can also issue traceroute and get 1 hop responses, so it looks 
like my DHCP and DNS servers configuration is OK.

I'm now wondering if the nginx config is missing something, but I can't 
actually see what at the moment.  If I issue:

nginx -s reload

I no longer get errors (I had some, but they're fixed) and I can type 
'wmt.com' at the browser and I get the page I want - as long as I've agreed to 
stay connected to the AP which has no Internet access.

Still looking for inspiration

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-23 Thread Terry Coles
On Monday, 19 February 2018 12:04:51 GMT Terry Coles wrote:
> I'm hoping to try the new config tomorrow, when I go to the WMT.

The config provided by Foxdog Studios didn't work for me, so I removed the Pi 
and the AP from the WMT and set the whole thing up at home.

I'm still having problems, but I don't think it has anything to do with the 
config provided by Foxdog.  I searched back through the emails at the time and 
remembered that I had never got this spoofing to work on Android but, (as 
indicated by Foxdog), iPhones have always worked.  At the time, we agreed that 
it wasn't the end of the world to have to accept a connection with no path to 
the Internet, because at least the users would then realise that they wouldn't 
be able to access Twitter / Facebook etc when connected to our AP.  Since 
then, Management have decided that spoofing the Internet is a better solution.

Here is what we had, which worked as long as the user clicked on 'Remain 
Connected to this AP' when prompted by the phone:

The Wireless AP is a TL-WA7210N.  We configured it as an Access Point and used 
the built in DHCP server to set up an IP Range for Visitor's devices of 
192.168.0.100 - 199.

The Pi is running nginx and had the server wmt.com setup and the earlier 
version of the Foxdog solution.  There was no DNS server running anywhere on 
the system, which is why I suspect the Foxdog solution never really worked.

Since I got the system home, I have:

1.  Turned off DHCP in the TL-WA7210N.
2.  Configured The Raspberry Pi Webserver to also provide DHCP and DNS servers.
3.  Set up a static IP address of 192.168.0.1 for the Pi.
4.  Made the Pi a DHCP server instead of a client.
5.  Listed all of the domains in the Foxdog solution, plus the webserver 
(WMT.com) in the file hosts.dnsmasq

All using the instructions given in:

https://www.raspberrypi.org/learning/networking-lessons/lessons/

It is exactly the same as before !!!

Any ideas as to what I've missed?

-- 



Terry Coles


Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-19 Thread Terry Coles
On Sunday, 18 February 2018 12:19:22 GMT Terry Coles wrote:
> At the time I was using the information at:
> 
>   https://foxdogstudios.com/making-phones-believe-the-wifi-has-internet
> 
> to do this and had some success.

The chap at Foxdog Studios emailed me last night to tell me that he has now 
updated the site to include the latest information about domains used by the 
various Android Versions.  Apparently he has tested it with all the Android 
phones that he has reasonable access to and it has worked every time, including 
with Oreo.

I've asked him what he thought about our discussions regarding https and await 
his response.

I'm hoping to try the new config tomorrow, when I go to the WMT.

-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Patrick Wigmore
This page 
https://community.spiceworks.com/topic/1870844-wifi-connection-not-used-for-internet
leads me to the following stab in the dark:

Is your DHCP server configured to provide a gateway IP address to
clients, and, if so, would it solve the problem if you configure
it NOT to do that?

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Patrick Wigmore
On Sunday, 18 February 2018, at 14:35:33 GMT, Terry Coles wrote:
> I presume not because it looks like I need an SSL/TLS
> Certificate.  If so, that may be all that is wrong, since
> Google have definitely moved towards https in recent years.

Except that you shouldn't be able to get an SSL/TLS certificate 
signed by a trusted certificate authority for a domain you do not 
own! (Which is not to say that that has never happened, but it's 
certainly a shady thing to do and not a reliable strategy!)

You could try a self-signed certificate to see what happens, or 
one meant for your own domain, but I imagine it will just cause 
certificate errors on the phone.

In the code Ralph linked to (NetworkMonitor.java), it looks as 
though Android at least allows captive portals to get away with 
blocking HTTPS, so maybe that's one way to work around the issue. 
(Set up a captive portal, block (or don't accept) HTTPS and 
continue to intercept the relevant HTTP URLs.)

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Terry Coles
On Sunday, 18 February 2018 17:34:23 GMT Hamish MB wrote:
> Reminds me, I had a load of old Android VMs, I could redeploy them and use
> a packet sniffer on them to see if that will help.
 
> Good idea?

Hamish,

It depends if the Android versions are really old.  Clearly, the version of 
Android that I had on my Nexus 12 months ago (when I first deployed the 
webserver) seemed to work, but later versions didn't.  When I bought my Nexus 
it was V 5.0 and got upgraded to 6.0 at some point.  I can't remember if the 
wireless connections stopped working then or when I got 7.0 on my Moto G5+.

Also, if Google changed all of their OSs to prefer https at around that time, 
they may well have included that update in even earlier versions, (which your 
VMs may not have).

By all means, try the VMs if you wish, but in a few days I intend to set up a 
test system (or borrow the real system back from the WMT, since we've got to 
move the antenna anyway).  The first thing that I'll try is enabling https and 
then, if that doesn't work, I'll try tcpdump and / or wireshark.

-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Hamish MB
Reminds me, I had a load of old Android VMs, I could redeploy them and use a 
packet sniffer on them to see if that will help.

Good idea?

Hamish
On 18 Feb 2018, at 14:51, Terry Coles <d-...@hadrian-way.co.uk> wrote:

> On Sunday, 18 February 2018 14:46:43 GMT Ralph Corderoy wrote:
>> On the Pi, something like
>>
>> sudo -i tcpdump -s 3141 -w /tmp/packets
>>
>> and Ctrl-C-ing it when you've finished.
>>
>> You might need to append a `-i wls34' or whatever the Pi's wifi network
>> interface is, `ip a' might help.
>
> Thanks Ralph.
>
> I'll give it a try.

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Terry Coles
On Sunday, 18 February 2018 14:46:43 GMT Ralph Corderoy wrote:
> On the Pi, something like
> 
> sudo -i tcpdump -s 3141 -w /tmp/packets
> 
> and Ctrl-C-ing it when you've finished.
> 
> You might need to append a `-i wls34' or whatever the Pi's wifi network
> interface is, `ip a' might help.

Thanks Ralph.

I'll give it a try.


-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Ralph Corderoy
Hi Terry,

> > That means the mobile's packets will be reaching that box, another
> > Pi?  Capture them, both a working mobile and a failing one, e.g.
> > tcpdump(1), and examine them, probably with Wireshark on another
> > machine.
>
> The webserver is a Pi3 connected to the WiFi Antenna.

On the Pi, something like

sudo -i tcpdump -s 3141 -w /tmp/packets

and Ctrl-C-ing it when you've finished.

You might need to append a `-i wls34' or whatever the Pi's wifi network
interface is, `ip a' might help.

Cheers, Ralph.

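[Editor's added example, not part of Ralph's post.]  Once `tcpdump -w` has
produced a capture on the Pi (the endpoint, where the traffic is in the clear
regardless of the Wi-Fi encryption), the question in this thread is simply
"which names did the phone look up, what did it fetch over HTTP, and did it
open anything to port 443?".  The Python below answers that from a classic
pcap file using only the standard library, so it can run on the Pi itself
without Wireshark.  It handles Ethernet-framed captures only (what tcpdump
writes on a wlan interface in managed mode; monitor-mode or pcapng files are
rejected).  The embedded capture and the addresses 192.168.0.101 (phone) and
192.168.0.1 (Pi) are constructed for the example; the TLS record is a stub
ClientHello header, not a real handshake.

```python
"""List DNS lookups, HTTP requests and TLS ClientHellos from a tcpdump -w file."""
import struct
import sys


def iter_pcap(data):
    """Yield raw link-layer frames from a classic pcap (Ethernet only)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (proto, src, dst, dport, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]   # drop Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 17:                                    # UDP: fixed 8-byte header
        return proto, src, dst, struct.unpack("!H", l4[2:4])[0], l4[8:]
    if proto == 6:                                     # TCP: header length in byte 12
        return proto, src, dst, struct.unpack("!H", l4[2:4])[0], l4[(l4[12] >> 4) * 4:]
    return None


def dns_query_name(payload):
    """First question name of a DNS query (not a response), or None."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:                 # QR bit set = response
        return None
    labels, off = [], 12
    while off < len(payload) and payload[off] != 0:
        n = payload[off]
        if n & 0xC0:                                   # compression pointer: not in a plain query
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def summarise(pcap_bytes):
    """Return (client, kind, detail) tuples in capture order."""
    events = []
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, dst, dport, payload = parsed
        if proto == 17 and dport == 53:
            name = dns_query_name(payload)
            if name:
                events.append((src, "DNS", name))
        elif proto == 6 and dport == 80 and payload[:4] in (b"GET ", b"POST", b"HEAD"):
            head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
            host = next((h[5:].strip() for h in head[1:] if h[:5].lower() == b"host:"), b"?")
            events.append((src, "HTTP", "%s Host: %s" % (head[0].decode("ascii", "replace"),
                                                         host.decode("ascii", "replace"))))
        elif proto == 6 and dport == 443 and payload[:1] == b"\x16" and payload[5:6] == b"\x01":
            events.append((src, "TLS", "ClientHello to %s" % dst))   # the https probe, if any
    return events


# --- constructed sample capture (no real traffic; checksums left at zero) ----
def _frame(proto, src, dst, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4          # zero MACs; the parser ignores them


def _dns_query(src, dst, name):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    return _frame(17, src, dst, struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns)


def _tcp(src, dst, dport, data):
    return _frame(6, src, dst, struct.pack("!HHIIBBHHH", 40001, dport, 1, 1, 0x50, 0x18, 8192, 0, 0) + data)


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", 1519000000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)


PHONE, PI = "192.168.0.101", "192.168.0.1"              # assumed addresses
SAMPLE_PCAP = build_pcap([
    _dns_query(PHONE, PI, "connectivitycheck.gstatic.com"),
    _tcp(PHONE, PI, 80, b"GET /generate_204 HTTP/1.1\r\nHost: connectivitycheck.gstatic.com\r\n\r\n"),
    _tcp(PHONE, PI, 443, b"\x16\x03\x01\x00\x05\x01" + b"\x00" * 5),   # stub ClientHello header
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for client, kind, detail in summarise(data):
        print(client, kind, detail)
```

Run it as `python3 capture_summary.py /tmp/packets` on the Pi (the filename is
mine).  A phone whose DNS lookups and HTTP GET for /generate_204 appear, but
which then opens a TLS ClientHello to the Pi on 443, is telling you the https
probe is in play; a phone that never sends the HTTP GET at all points at DNS
or DHCP rather than nginx.
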
Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Terry Coles
On Sunday, 18 February 2018 14:16:50 GMT Ralph Corderoy wrote:
> Yes, that's why those URLs should take you to that line.

It did, when I enabled the domain in ScriptSafe.  Doh!!

> That's my point.  Same area of source code, but the domain names have
> moved.  This also helps confirm we're on the right track as 6 is OK for
> you, 7 not.

Yes.  I see what you mean.

> I don't know, but I'd guess by the surrounding URLs that https might be
> in play now.  You're rigging a DNS server so it returns your nginx
> server's IP address for any query?  

I used the exact code given on the Dogsbody site, but I made no special 
provision for https.  I'm not sure if nginx supports https by default (or at 
all).  I presume not because it looks like I need an SSL/TLS Certificate.  If 
so, that may be all that is wrong, since Google have definitely moved towards 
https in recent years.

> That means the mobile's packets will
> be reaching that box, another Pi?  Capture them, both a working mobile
> and a failing one, e.g. tcpdump(1), and examine them, probably with
> Wireshark on another machine.

The webserver is a Pi3 connected to the WiFi Antenna.  I've used Wireshark on 
a wired network many moons ago, presumably, I would have to introduce an 
Ethernet Switch into the system to capture the mobile's traffic.  Can a laptop 
connected to the same network see the traffic between the mobile and the Pi?

> > What do you mean by 8's?
> 
> The start of the URL's path is the Android version.

Of course it is :-)

-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Ralph Corderoy
Hi Terry,

> > These first two give a domain name, different in each.  I haven't
> > checked other older versions.
> > 
> > http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/java/android/net/CaptivePortalTracker.java#64
> > http://androidxref.com/6.0.0_r1/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#59
>
> Is that the domain name in DEFAULT_SERVER?

Yes, that's why those URLs should take you to that line.

> It seems to be either clients3.google.com or
> connectivitycheck.gstatic.com, which are both domains that were listed
> in the original posting at Dogsbody.

Agreed.  So that helps confirm we're looking at the right thing.

> > But lately that's seemed to move elsewhere.
> >
> > http://androidxref.com/7.1.2_r36/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#82
> > http://androidxref.com/8.0.0_r4/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#84
>
> I could see DEFAULT_SERVER in the first of those

I can't.

> but no domain name at all in the other.  Did you find one?

That's my point.  Same area of source code, but the domain names have
moved.  This also helps confirm we're on the right track as 6 is OK for
you, 7 not.

> > I think they're now:
> >
> > http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#86
> > http://androidxref.com/8.0.0_r4/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#87
>
> Those both seem to be connectivitycheck.gstatic.com, so why does my
> Android 7 phone not work?

I don't know, but I'd guess by the surrounding URLs that https might be
in play now.  You're rigging a DNS server so it returns your nginx
server's IP address for any query?  That means the mobile's packets will
be reaching that box, another Pi?  Capture them, both a working mobile
and a failing one, e.g. tcpdump(1), and examine them, probably with
Wireshark on another machine.

> > 8's is used here.
>
> What do you mean by 8's?

The start of the URL's path is the Android version.

Cheers, Ralph.

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Terry Coles
On Sunday, 18 February 2018 13:00:32 GMT Ralph Corderoy wrote:
> These first two give a domain name, different in each.  I haven't
> checked other older versions.
> 
> http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/java/android/net/CaptivePortalTracker.java#64
> http://androidxref.com/6.0.0_r1/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#59

Is that the domain name in DEFAULT_SERVER?  It seems to be either 
clients3.google.com or connectivitycheck.gstatic.com, which are both domains 
that were listed in the original posting at Dogsbody.

> But lately that's seemed to move elsewhere.
>
> http://androidxref.com/7.1.2_r36/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#82
> http://androidxref.com/8.0.0_r4/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#84

I could see DEFAULT_SERVER in the first of those, but no domain name at all in 
the other.  Did you find one?

> I think they're now:
>
> http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#86
> http://androidxref.com/8.0.0_r4/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#87

Those both seem to be connectivitycheck.gstatic.com, so why does my Android 7 
phone not work?

> 8's is used here.

What do you mean by 8's?

> http://androidxref.com/8.0.0_r4/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#667

That also seems to include connectivitycheck.gstatic.com.

> You have a phone that currently fails to test with?

As I recall, it worked with my old Nexus (Android 6), but not with my Moto G5+ 
which is currently running 7.0 until Motorola and/or Tesco Mobile get around 
to upgrading it to Oreo.

Other people at the WMT have also had problems, so I'd like to suss it out in 
the next few weeks.

-- 



Terry Coles

Re: [Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Ralph Corderoy
Hi Terry,

> As a result, I have a starting point again, but if anyone knows what
> the latest test sites are for Android Phones (or has a link to a
> list), then I would appreciate it.  iPhones seem to be alright.

These first two give a domain name, different in each.  I haven't
checked other older versions.


http://androidxref.com/4.4.4_r1/xref/frameworks/base/core/java/android/net/CaptivePortalTracker.java#64

http://androidxref.com/6.0.0_r1/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#59

But lately that's seemed to move elsewhere.


http://androidxref.com/7.1.2_r36/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#82

http://androidxref.com/8.0.0_r4/xref/frameworks/base/packages/CaptivePortalLogin/src/com/android/captiveportallogin/CaptivePortalLoginActivity.java#84

I think they're now:


http://androidxref.com/7.1.2_r36/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#86

http://androidxref.com/8.0.0_r4/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#87

8's is used here.


http://androidxref.com/8.0.0_r4/xref/frameworks/base/services/core/java/com/android/server/connectivity/NetworkMonitor.java#667

You have a phone that currently fails to test with?

Cheers, Ralph.

[Dorset] Revisited - Accessing a Local Network over a Wireless Router that is NOT Connected to the Internet

2018-02-18 Thread Terry Coles
Hi,

Back in August 2016, I posted a query about how to get a Wireless AP and 
Webserver to spoof an Internet connection so that a phone could be used to 
connect to our Audio Guide and Kiddies Quiz.

At the time I was using the information at:

  https://foxdogstudios.com/making-phones-believe-the-wifi-has-internet

to do this and had some success.

However, as the 2017 summer season progressed it became obvious that newer 
phones didn't work with this solution so I've just started to look at how we 
can fix it.

The original page at Foxdog Studios had disappeared so I wrote to them a short 
time ago and asked if it could be resurrected.  I just got a response (on a 
Sunday) saying that they had taken it down because they too had 
experienced problems.  The chap there has just put it back up for me.

As a result, I have a starting point again, but if anyone knows what the 
latest test sites are for Android Phones (or has a link to a list), then I 
would appreciate it.  iPhones seem to be alright.

-- 



Terry Coles
