Does the Extension Manager "re-check all versions" still work?

[david63]

Try running that again - I had put a .htaccess file in that folder by mistake.

Would you please edit your last post to remove the "Web Server at" line as that is not a website and I do not want it spamming.(also EA117 would you remove it please)

[hurghanico]

Some good news..

First I edited the "Web Server at" line in my previous post so the address is not more visible..

Ok, now the Privacy Policy version check works perfectly as it should, and I can also edit its settings without getting again the fatal error..

however the check of the other extensions versions is still not working

[EA117]

Ok, now the Privacy Policy version check works prefectly as it should, and I can edit its settings without getting again the fatal error.

Perfect. And thanks David for looking into that. Information removed as requested.

however the check of the other extensions versions is still not working

So yes, now we just await whether Paul or whomever has visibility to the right systems can answer why the phbb.com extension version checks are being rejected with HTTP 410, despite the fact that the phpbb.com version checks for phpBB itself are being allowed to succeed.

[hurghanico]

At the moment of writing I can see that in the AlterVista/phpbb forum my post has already 95 views but still no one reply.

My board works fine, except the "re-check all versions" function which now works well only for the Privacy Policy extension by David.

I hope to have some news sooner or later.

[EA117]

I will poke some people to look why it happens in titania.

Agreed. We're still waiting on what Paul can determine about why phpbb.com is denying the extension version check requests (i.e. paths that go through Tatiana) with HTTP 410, even though phpbb.com is successfully responding to version check requests for phpBB itself.

We will ping Paul again by quoting him here in this reply, but he may already be hunting down that answer as fast as can be done, and through whomever it can be done. And that's assuming that the currently-enabled logging holds the answer we need at all.

It does seem as though the only remaining issue now is at phpbb.com's end, and I don't think there is anything more for you to do until Paul or whomever he delegated to comes back with more information. And at least in my opinion, it's reasonable that we could give them a few days to look into this, since it's not "urgently critical." Meaning you still can simply check your extension versions manually, and install any needed updated extensions.

But this is an issue I think both you and phpbb.com ultimately want to investigate to its conclusion, since there isn't much logical reason why the version extension checks should be failing. At least not when the version checks for phpBB itself are still being allowed. If your server was "blocked" or "blacklisted" for any intentional reason, it seems like phpbb.com shouldn't have responded to either type of version check.

Therefore I'm still currently assuming there is an unintentional and solvable reason for the remaining phpbb.com HTTP 410 failure here.

[hurghanico]

it's reasonable that we could give them a few days to look into this, since it's not "urgently critical."

I agree!
..and I'm not in a hurry

[Paul]

To be honest, I still don't think it is something on our end, as then a lot more reports would be coming in .
I have poked internally the right people that maintain titania, they will need to look into it.

Also, keep in mind that while the phpBB version and extension version check are both calling a URL on phpBB.com, they aren't working the same. They are on different servers, and the phpBB version check is a static file while for extensions it is dynamicly generated.

[hurghanico]

I wonder if the TLS 1.2 and HTTP/1.1 not detected (if not a false positive) reported by the paypal donation extension could be also the cause of the other problem faced here..

[EA117]

To be honest, I still don't think it is something on our end, as then a lot more reports would be coming in .

Certainly hard to picture what the technical issue would be at phpbb.com's end, if not something like a blacklist. Something like a blacklist would potentially be consistent with "why aren't a bunch of people reporting this", since we don't know how lucky you needed to be for your IP address to actually be in this list, or whom else is even on it.

Understood regarding how it's separate servers, and could be something that is only employed on systems serving Tatiana. My premise was more from the perspective of "if it had been in response to a previous abuse or denial of service", it wouldn't be hard to picture that the mitigation against it would have been implemented at a point that protected the entire site, rather than just one piece of the site.

But since this board's communication to phpbb.com through /phpbb/version_helper.php is working (for checking phpBB's own version), and since this board's communication to non-phpbb.com hosts (like David's version server) though /phpbb/version_helper.php is working for checking an extension's version, it's also hard to point to evidence that there is something amiss at this phpBB board's end, too.

I wonder if the TLS 1.2 and HTTP/1.1 not detected (if not a false positive) reported by the paypal donation extension could be also the cause of the other problem faced here..

Certainly the kind of observation to consider whether it relates to the root cause. The reasons I would say the evidence doesn't support this being related are: The /phpbb/file_downloader.php class that /phpbb/version_helper.php uses to retrieve the actual version JSON data is writing its own simple HTTP 1.0 request, regardless of what HTTP version or support exists elsewhere.

And although it's possible for the extension version check to request "this check should be performed via HTTPS", the extension would have to explicitly request SSL in its version-check data. i.e. That's not simply phpBB's choice to "always use SSL", or "use SSL if this phpBB board supports HTTPS" or similar. Extensions like the ones we've mentioned thus far, Privacy Policy and Media Embed, do not request SSL for their version-check data. As such, the version check requests made by all users (not just by you) for these extensions are being performed using non-HTTPS requests.

But a moot point for the current investigation, since we can see in your entire list of extensions that none of them are set to attempt SSL for the version check. i.e. All of them were passing "int(80)" as the port number to /phpbb/file_downloader.php. So there is no HTTPS / SSL / TLS involved, or even requested.


(In fact, as I look at the /phpbb/file_downloader.php code's SSL support, it makes me wonder whether an extension requesting SSL for it's version-check data would even work at this point. With actual SSL becoming deprecated by more hosts and services, ostensibly we need to be attempting TLS 1.1+ negotiation instead. But /php/file_downloader.php hasn't been updated on that point, and probably needs its own bug on this.)

edit: I tested the point regarding an extension requesting SSL for the version check, and at least on PHP 7.2.24 we apparently "get TLS 1.2 for free" in response to specifying the "ssl://" transport prefix. i.e. A LAN trace of the phpBB board's outbound communication confirms TLS 1.2 negotiation.

I was picturing that we could be in a situation like https://tracker.phpbb.com/browse/PHPBB3-15961 for /includes/functions_messenger.php, where allowing latest TLS versions had to be explicitly introduced. But it turns out that case is unique to explicit TLS (STARTTLS), and not the implicit TLS case where "ssl://" or "tls://" initiates negotiation at the very start of the TCP connection. So "no bug."

[hurghanico]

@EA117

Thanks for the explanation.

[david63]

I don't know if there is any relevance but I just ran your domain name through MXToolbox's domain check (https://mxtoolbox.com/domain) and it was throwing up a couple of DNS errors.

[EA117]

For what it's worth, DNS is "very unlikely" for being involved in the current issue, unless Paul comes back with some really interesting and exotic check that was being performed. The phpbb.com servers have no idea about any DNS name(s) of the system that is checking the extension version or phpBB version. They just have the source IP address of the request, and respond back to that same IP address.

Yes, the phpbb.com servers could arbitrarily attempt to perform a reverse lookup using the IP address to determine some kind of DNS name -- if any reverse mapping was even setup -- with an intention to log or evaluate that DNS name in some way. But that would be very hit-and-miss, and something that would be intentionally not reliable for a lot of sites.

And such as in this case, the IP address involved in the version check request sent to phpbb.com isn't related to allabouthd500x.altervista.org. Because allabouthd500x.altervista.org is pointing to Cloudflare servers, and not for leaking the actual phpBB server IP address.

But yes, if hurghanico is using any @allabouthd500x.altervista.org email addresses, or sending mail through *.allabouthd500x.altervista.org SMTP servers, several of the DNS issues listed there could be impacting mail system deliverability, without question. If AlterVista doesn't provide mail service, or hurghanico is using external mail service regardless, that's probably why these DNS entries aren't setup.

[hurghanico]

if hurghanico is using any @allabouthd500x.altervista.org email addresses, or sending mail through *.allabouthd500x.altervista.org SMTP servers, several of the DNS issues listed there could be impacting mail system deliverability, without question. If AlterVista doesn't provide mail service, or hurghanico is using external mail service regardless, that's probably why these DNS entries aren't setup.

my board (and AFAIK AlterVista) doesn't offer any email service, but it sends successfully email notifications to the forum members private addresses, including me.

[Lumpy Burgertushie]

either your host is providing email service or you have set some other email smtp service in your admin panel.
otherwise there would be NO email coming from your board at all.

check in the admin panel for the mail settings and see if you have smtp checked yes and if so, what you have in the blanks.
if set to no, then your host is providing the basic php mail.


robert

[hurghanico]

check in the admin panel for the mail settings and see if you have smtp checked yes and if so, what you have in the blanks.
if set to no, then your host is providing the basic php mail.

the setting "Use SMTP server for email" is set to "NO"