Can't connect to Master.


Rhinox


This is not true. If we are to continue our technical discussion, the SChannel API does NOT do anything network-related by itself. It just provides the encryption services required for the TLS channel. That is, all networking is done inside DCS (actually, by the CURL library). None of the systems which are available to us for testing had any problem connecting to DCS servers. Moreover, we haven't changed the way users log in to our servers. It is still good old SSL. It is the client implementation which changed.

It may be possible that LSASS needs network access to do certificate validation, ask Microsoft about it.

Most probably, when LSASS is blocked on your system, the Event Log does contain useful error info about why exactly DCS fails to establish the SSL connection. It would be of great help if you posted such info. We have no systems which reproduce this behaviour yet.

 

Apologies, yep, spoke too soon (test first, answer later). Was testing, and whether or not LSASS is blocked at the firewall level in Windows, and also on an external app firewall, I was able to log in and connect to the master server.



Win 10 64 Pro, MSI Z390 I7-9700K @5ghz Kraken Z63, 32Gb Corsair Dominator, MSI RTX-2070, 1TB NVME 2TB SSD's, TM Warthog, Pro Rudders, OpenTrack w/ IR Clip


It is possible that if people are having SSL-related connection issues due to the use of the Microsoft Schannel API, it may be due to a truncated trusted certificate authority list. It's caused by having too large a list. http://support.microsoft.com/kb/2801679

*IF* it were so, then no services relying on Schannel would work. But on my home LAN everything works without problems (sharing, remote connection, AD, etc.) even without lsass.exe having free access to the net.

 

DCS is different. If I allow lsass.exe outside connections, I can log in to MP. If I block it, I cannot log in. I tried to grab the traffic, but it seems to be all encrypted (I could not find any readable strings). All I know up to now is that it does about 3-4 kB of traffic per MP connection, all to Akamai servers. But it is a huge CDN, so it is hard to find what it actually does there...

 

DCS definitely has something to do with lsass.exe, and I do not like the idea of opening up my system. Lsass.exe was never meant to be fully opened to the wild! Very critical services depend on it...


  • ED Team
DCS is different. If I allow lsass.exe outside connection, I can log in to MP. If I block it, I can not log in.

 

Does your system event log contain anything schannel-related when you can't log in?

Dmitry S. Baikov @ Eagle Dynamics

LockOn FC2 Soundtrack Remastered out NOW everywhere - https://band.link/LockOnFC2.


Does your system event log contain anything schannel-related when you can't log in?

Nothing I can relate to this problem. The only trace is in dcs.log:

00009.584 ERROR NET: Can't connect to Master: SSL connect error
00009.584 ERROR NET: Master login : 503
00012.403 INFO NET: client has stopped

Edit: I will check it again. Maybe logs are written in batches. But I remember that immediately after the MP login failed I found nothing...


Edited by Rhinox

  • ED Team

Just an idea, it may be this Windows bug: http://support.microsoft.com/kb/975858

 

 

EDIT: if we can make sure that this is the bug, we can work around it in DCS (by patching a couple of 3rd-party libs, though).


Edited by c0ff

Dmitry S. Baikov @ Eagle Dynamics


Oddly enough, mine just started working spontaneously. I couldn't connect an hour ago, then I tried resetting all of my settings but still couldn't connect. Now I tried again and I'm in. Huh. Firewall is still on.


I posted without reading the particular issues people were having and assumed different people could have the issue for different reasons. What I posted is from experience with Schannel completely unrelated to DCS. Your concerns about LSASS may be a little overboard, unless your desktop uses your public IP address directly as opposed to going through a NAT router.

 


Neither-nor. And I described it quite clearly in my previous bug-report for 1.2.8-beta...

 

BTW, you started to show colors, so there is no need to wait: yes, I found it myself. You changed the way users log in to "your" server. What I do not know is: are you aware of the security implications you caused by this modification? Let me explain it in more detail:

 

Yes, you are now using a standard OS service called "Local Security Authentication Server" (Local Security Authority Process). But because of this, one more-than-generous firewall rule must be active: for the process "lsass.exe" (which itself is frequently targeted by malware), free communication with any system on the internet must be granted (in addition to that granted to DCS.exe)! Or at least for those destination IP addresses belonging to the Akamai Content Delivery Network which you use (that's one or more B-class networks, if someone knows them all). And to make things even worse, this single particular process handles multiple sensitive services, i.e.:

 

CNG Key Isolation
Credential Manager
Encrypting File System
Netlogon
Protected Storage
Security Accounts Manager

 

Maybe I forgot something, but it does not matter, because what I found is more than enough to make me worry. Exposing any service having something to do with system security and encryption/protection to free access to/from the internet? And all of this because of DCS? With all due respect, the one in ED who came up with this "idea" must be (hard self-censorship follows) a complete madman! Any local process (even malware running in user space!) can now communicate with the internet using this service and, what's even worse, any node on the internet can communicate with this local process (thus easily bypassing any firewall)! Hey, all you brute-force wanna-be hackers: welcome to my system, and play with it as much as you want! No, do not thank me. Thanks should go to Eagle Dynamics who forced us to open this door for you...

 

Only one question remains: ED, did you force us to open this security-leak purposely?

 

FYI: as soon as I opened firewall for lsass.exe, DCS works. But I'm not going to keep it that way!

 

I opened the file on the firewall but can't connect to the master server and module manager yet.

 

It's incredible.


It's incredible.

Rule number one:

1. If something works, do not touch it!

 

Maybe ED devs should read it a few times. Honestly, I have no idea why ED changed the way users connect to the master servers. There must probably be some reason for it, but by using "Schannel" we are now at the mercy of Microsoft. If M$ screws something up, we can only wait till it's fixed...


  • ED Team

It would be very helpful if anyone with the error would try to gather some Windows event log records about failed login attempts. It requires some moderate technical skills: you will have to temporarily increase the SChannel logging level on your system: http://ipswitchft.force.com/kb/articles/FAQ/How-do-I-gather-more-debugging-on-SSL-errors-such-as-SSL-handshake-failed-1307565984914

After doing this, try to log in and then take a look in the Windows system event log for "schannel"-related errors.

 

We still can't reproduce the bug on systems which are available to us, so your help will be greatly appreciated.

Dmitry S. Baikov @ Eagle Dynamics

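One way to carry out what c0ff asks for, as an added example that is not part of the thread and not Eagle Dynamics' own tooling: it raises the documented EventLogging value under the SCHANNEL registry key, then pulls the Schannel events from the System log after the failed login and exports them to an XML file. It assumes an elevated PowerShell session; the mode names, the default window of 30 minutes and the output path are my own choices.

```powershell
# Added example, not from the thread or from Eagle Dynamics: raise the Schannel
# logging level, then collect the System-log events written around a failed login.
# Assumes an elevated PowerShell session. The EventLogging registry value is
# documented by Microsoft: 0 = off, 1 = errors (default), 3 = errors + warnings,
# 7 = everything. A reboot may be needed before the new level takes effect.
param(
    [ValidateSet('Enable', 'Collect', 'Restore')][string]$Mode = 'Collect',
    [int]$LastMinutes = 30,
    [string]$OutFile = "$env:USERPROFILE\Desktop\schannel-events.xml"
)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelLogLevel {
    $p = Get-ItemProperty -Path $key -Name EventLogging -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 1 }   # value absent: Windows behaves as level 1
    return [int]$p.EventLogging
}

function Set-SchannelLogLevel([int]$Level) {
    New-ItemProperty -Path $key -Name EventLogging -PropertyType DWord `
        -Value $Level -Force | Out-Null
}

function Get-SchannelEvents([datetime]$Since) {
    # The "Schannel" provider writes to the System log; IDs 36887/36888 are the
    # TLS fatal-alert events (alert received / alert sent), the usual handshake clue.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

switch ($Mode) {
    'Enable' {
        $before = Get-SchannelLogLevel
        Set-SchannelLogLevel 7
        Write-Host "EventLogging $before -> 7. Reproduce the DCS login failure, then run with -Mode Collect."
    }
    'Collect' {
        $events = @(Get-SchannelEvents -Since (Get-Date).AddMinutes(-$LastMinutes))
        if ($events.Count -eq 0) { Write-Host "No Schannel events in the last $LastMinutes minutes."; break }
        $events | Format-Table -AutoSize -Wrap
        $events | Export-Clixml -Path $OutFile   # file to attach to the thread
        Write-Host "Exported $($events.Count) event(s) to $OutFile"
    }
    'Restore' {
        Set-SchannelLogLevel 1                   # do not leave verbose logging on
        Write-Host 'EventLogging restored to 1 (errors only).'
    }
}
```

Run it once with -Mode Enable, reproduce the failed login, then with -Mode Collect, and finish with -Mode Restore so the verbose level does not stay on.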

...You will have to temporarily increase SChannel logging level on your system...

That's probably why I did not find anything in event-log. But I will try it again...

 

Concerning my configuration: it is Windows7/64bit/SP1 with all critical/recommended patches installed. No antivir.


Hi c0ff,

 

Could you give me a better explanation of how to do this: After doing this, try to login and then take a look into windows system event log for "schannel"-related errors.

 

I don't have the issue but it's for a friend who has it...



I think I did what you asked; here's the result as an XML file:

 

https://dl.dropboxusercontent.com/u/55220861/Schannel%20(1).xml

 

Tell us if this is it.

 

Windows 8.1/64-bit, Windows Defender.


Edited by LUSO

  • ED Team
Me, I just can't log in to the master server, and no problem with the module manager. I specify.

 

Hm, that's a completely different problem then. Make sure your firewall/antivirus allows DCS.exe to make connections to master.eagle.ru port 5222

Dmitry S. Baikov @ Eagle Dynamics
