Fractal Softworks Forum

Topic: [0.9.1a] Version Checker v2.0b (released 2020-08-28)

Natti

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #105 on: August 28, 2020, 05:31:05 AM »

Hello! I ran into a weird issue with version checker today where all the Bitbucket-hosted mods fail the check, but a few that are hosted on GitHub don't have any issues. In addition, the Starsector version check fails with an SSLHandshakeException. Any idea where to even start with troubleshooting this?

Jaghaimo

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #106 on: August 28, 2020, 05:53:32 AM »

Bitbucket dropped support for some ciphers and those left seem to be unsupported by us (old Java most likely lacks support for newer ciphers): https://bitbucket.org/blog/update-to-supported-cipher-suites-in-bitbucket-cloud

Quote
[Update Aug 7, 2020] On Aug 24th, 2020, we will be upgrading our TLS configuration and ending support for some weaker cipher suites

Possible options are:
  • Move elsewhere (GitHub, GitLab)
  • Change to use plain HTTP (why we need plain text file over HTTPS is beyond me)
« Last Edit: August 28, 2020, 06:02:27 AM by Jaghaimo »

Natti

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #107 on: August 28, 2020, 06:44:19 AM »

Well, it's at least nice to know it's not some obscure networking issue on my end. Seeing as this error must have been popping up for people since earlier this month, has mod development mostly moved off these forums or what?

Modo44

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #108 on: August 28, 2020, 07:21:22 AM »

Quote
why we need plain text file over HTTPS is beyond me

Because maybe don't open outdated Java to some "fun" HTTP payloads.

Jaghaimo

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #109 on: August 28, 2020, 07:38:02 AM »

Quote
Because maybe don't open outdated Java to some "fun" HTTP payloads.

But we already did that. The only difference is how we're getting this potentially malicious payload - plaintext (HTTP) or encrypted (HTTPS). In the latter case we also get the benefit of authenticating the sender (via certificate authorities).

In other words, if I put a "funny" payload in my remote version file the version checker will fetch it anyway (in the former case unconditionally, in the latter case as long as my TLS certificate is valid and signed by a valid certificate authority). As we are not sending any sensitive data over, nor receiving any sensitive data (no authentication, no privacy related data), there's no reason for encryption.

Nokhal

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #110 on: August 28, 2020, 01:59:37 PM »

Bump.

"Simple" solution would be to have a server acting as proxy for Bitbucket URLs:
>Set up a free tier Amazon server with a very simple node/whatever middleware
>Change the mod code to detect that if the URL to check is Bitbucket, instead query the free tier Amazon server with the Bitbucket URL (and other relevant payloads)
>The Amazon server middleware then queries Bitbucket over HTTPS, and then passes through the answer back to the mod
>Only open to a weird port to prevent some abuse

Users would only have to install a new version of Version Checker. Additionally, querying this 'proxy' server should only happen if the main call fails.

LazyWizard

Re: [0.9.1a] Version Checker v2.0 (released 2019-03-19)
« Reply #111 on: August 28, 2020, 08:25:44 PM »

Quote
Hello! I ran into a weird issue with version checker today where all the Bitbucket-hosted mods fail the check, but a few that are hosted on GitHub don't have any issues. In addition, the Starsector version check fails with an SSLHandshakeException. Any idea where to even start with troubleshooting this?

Sadly this isn't something I can easily fix. It's not a Version Checker bug, it's due to the version of Java Starsector ships with lacking newer cryptographic ciphers. The GCM ciphers that Bitbucket now requires were only added in Java 8 and backported in 1.7.0_131 (which isn't publicly available), whereas Starsector ships with Java 1.7.0_79. I've looked into adding support for these ciphers manually, but a) that's absolute overkill for a tiny project like this, and b) it won't work due to mod classloader restrictions (short of asking users to modify files in their game install like in the old pre-1.6 days, which I really don't want to resort to again).

Considering this is the fourth time Bitbucket has made a change that breaks this mod in the last three years, plus the site's semi-frequent downtimes, I'd say the best solution would be for modders using Bitbucket for version file hosting to move to a different and more reliable service (such as GitHub, which hasn't caused a single issue in the six years this mod has been around), and for me to apologize for suggesting Bitbucket in the first place. 2014 was a different time, and GitHub's free version has long since become superior to Bitbucket's offering.

I'll finish moving my own mods' version files to GitHub tonight if I can. Any other mods with broken checks will require an update from their authors. I apologize for the inconvenience.


Quote
Well, it's at least nice to know it's not some obscure networking issue on my end. Seeing as this error must have been popping up for people since earlier this month, has mod development mostly moved off these forums or what?

The cipher change actually only happened on the 24th, and possibly later than that (they're terrible about announcing dates then missing them). As for reports, for the last several months I've only been watching replies on my mod threads or on my GitHub. Yours is the first and only bug report that I've seen about this.


Quote
As we are not sending any sensitive data over, nor receiving any sensitive data (no authentication, no privacy related data), there's no reason for encryption.

The HTTPS requirement is on Bitbucket's side. If you were to host a version file over a plain HTTP connection the mod would work just fine. Sites like Bitbucket and GitHub were chosen for most mods' hosting because this mod requires a site that allows you to link to the raw .version file (no ads, no redirects, no captchas after X number of requests), and allows you to edit said file without changing the URL. Source code hosting sites were among the few free options that met those requirements when this mod was released. I haven't looked into things since. If there's another site that meets said requirements, I'd love to hear about it.


Spoiler
Bump.

"Simple" solution would be to have a server acting as proxy for Bitbucket URLs:
>Set up a free tier Amazon server with a very simple node/whatever middleware
>Change the mod code to detect that if the URL to check is Bitbucket, instead query the free tier Amazon server with the Bitbucket URL (and other relevant payloads)
>The Amazon server middleware then queries Bitbucket over HTTPS, and then passes through the answer back to the mod
>Only open to a weird port to prevent some abuse

Users would only have to install a new version of Version Checker. Additionally, querying this 'proxy' server should only happen if the main call fails.
[close]
Unfortunately that goes against one of the main goals of this mod, which is to have it not be reliant on a central maintainer. Ideally Version Checker should continue to work in perpetuity with or without my presence. The only active maintenance required is keeping a single file up to date to track Starsector updates.

Of course, things haven't worked out quite how I'd hoped. As I said already, Bitbucket's broken things on their end four times now, not to mention Dropbox removing public links and breaking support for tons of mods in this project's infancy.

Oh well. C'est la vie.
Logged
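
A starting point for the troubleshooting asked about in this exchange, as an added example (not part of Version Checker and not code from any poster): a small Java 7-compatible program that prints which TLS protocol versions and GCM cipher suites the running JRE implements and offers by default. The class name `TlsCapabilityCheck` is an assumption of this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added diagnostic, not part of Version Checker. Java 7 compatible (no lambdas).
public class TlsCapabilityCheck {

    // Keep only the AES-GCM suites, the family the post says Bitbucket now requires.
    static List<String> gcmSuites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String suite : suites) {
            if (suite.contains("_GCM_")) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" = what this JRE implements; "default" = what it offers
        // in a handshake unless the application changes the socket settings.
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters offered = ctx.getDefaultSSLParameters();

        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("java.home    : " + System.getProperty("java.home"));
        System.out.println("protocols supported: " + Arrays.toString(supported.getProtocols()));
        System.out.println("protocols offered  : " + Arrays.toString(offered.getProtocols()));

        List<String> gcmSupported = gcmSuites(supported.getCipherSuites());
        List<String> gcmOffered = gcmSuites(offered.getCipherSuites());
        System.out.println("GCM suites supported: " + gcmSupported.size());
        System.out.println("GCM suites offered  : " + gcmOffered.size());
        for (String suite : gcmOffered) {
            System.out.println("  " + suite);
        }

        if (gcmSupported.isEmpty()) {
            System.out.println("This JRE implements no GCM suite; a server that accepts"
                    + " only GCM suites will end the handshake (SSLHandshakeException).");
        } else if (gcmOffered.isEmpty()) {
            System.out.println("GCM suites exist but are not offered by default.");
        }
    }
}
```

Compile it for Java 7 and run it with the `java` binary from the game's bundled JRE rather than the system one, since the two can report different results.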

LazyWizard

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #112 on: August 28, 2020, 08:32:55 PM »

Version 2.0b is out, get it here.

This adds no new features, and only moves the mod's version files from Bitbucket (which can no longer be connected to with the outdated JRE that Starsector ships with) to GitHub.

Any other mods that rely on Bitbucket for hosting will need to be updated by their individual authors. Updates for my own mods will be coming shortly.

MesoTroniK

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #113 on: August 29, 2020, 12:03:10 AM »

Quote
The HTTPS requirement is on Bitbucket's side. If you were to host a version file over a plain HTTP connection the mod would work just fine. Sites like Bitbucket and GitHub were chosen for most mods' hosting because this mod requires a site that allows you to link to the raw .version file (no ads, no redirects, no captchas after X number of requests), and allows you to edit said file without changing the URL. Source code hosting sites were among the few free options that met those requirements when this mod was released. I haven't looked into things since. If there's another site that meets said requirements, I'd love to hear about it.

I just tried in the Tiandong dev, using PasteBin to host the version file (raw link) and it works fine. But I also have a pro account.

It also works for guests and free accounts, since even though the links are random hashes, VC doesn't care about the link matching, only the version data (though you can edit with a free account, but certainly cannot with guest), so you simply upload and then edit the link in the offline version. BUT, non-paid accounts *might* have issues with great numbers of views; I am actually not sure on that.

LazyWizard

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #114 on: August 29, 2020, 12:10:35 AM »

PasteBin was one of the suggested sites in the past, but unfortunately it falls under the "user must solve a captcha after X requests" category I mentioned (at least for the free version). Once you hit that threshold it'll serve a webpage instead of the raw file, causing VC to show an error message.

MesoTroniK

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #115 on: August 29, 2020, 12:16:07 AM »

Quote
2. Captcha Free Experience
PRO users will not be asked to enter a captcha code when they paste something. Note: Certain banned keywords will still spawn captcha requests for PRO users.


Went and looked at their page shilling the pro account, and oh dear. I doubt even the paid one would be immune to the issue you mentioned.

Histidine

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #116 on: August 29, 2020, 12:42:25 AM »

Hosting the version file as a shared file on Dropbox seems to work.
(When generating the shared link, change the ?dl=0 at the end to ?dl=1)

Jaghaimo

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #117 on: August 29, 2020, 02:52:53 AM »

Using plain HTTP works as well. Do note however that Bitbucket redirects (as it hosts in AWS), so the actual end link uses HTTPS as well. Example:
Code
http://bitbucket.org/LazyWizard/common-radar/downloads/radar.version
https://bitbucket.org/LazyWizard/common-radar/downloads/radar.version
Becomes:
Code
https://bbuseruploads.s3.amazonaws.com/28f61879-1a03-4984-a85e-4721d4286f43/downloads/79d45eaa-fdc8-45e7-9796-9a8d9ede4912/radar.version?Signature=n02Hqd0B0buKIdi5yi%2BYwe%2BjGzI%3D&Expires=1598696323&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=uDt_ok35kJmlLOHoxMLu0texPAGn.u3i&response-content-disposition=attachment%3B%20filename%3D%22radar.version%22
What could be done is (on version checker side) strip the protocol from the original URI and the redirected URI (if any), and supply the plain HTTP protocol. That way no mods would need updating.
« Last Edit: August 29, 2020, 03:27:04 AM by Jaghaimo »

MesoTroniK

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #118 on: August 29, 2020, 03:02:20 AM »

I like that suggestion a lot, would be a good hold me over for mods so they can take their time updating like normal rather than being encouraged to rush doing it sooner.

But still should eventually move the version files off Bitbucket, since unsecured connections are not likely to work there forever as pretty much every website is slowly phasing them out (for good reasons).
« Last Edit: August 29, 2020, 03:05:45 AM by MesoTroniK »

LazyWizard

Re: [0.9.1a] Version Checker v2.0b (released 2020-08-28)
« Reply #119 on: August 29, 2020, 03:32:48 AM »

Spoiler
Using plain HTTP works as well. Do note however that Bitbucket redirects (as it hosts in AWS), so the actual end link uses HTTPS as well. Example:
Code
http://bitbucket.org/LazyWizard/common-radar/downloads/radar.version
https://bitbucket.org/LazyWizard/common-radar/downloads/radar.version
Becomes:
Code
https://bbuseruploads.s3.amazonaws.com/28f61879-1a03-4984-a85e-4721d4286f43/downloads/79d45eaa-fdc8-45e7-9796-9a8d9ede4912/radar.version?Signature=n02Hqd0B0buKIdi5yi%2BYwe%2BjGzI%3D&Expires=1598696323&AWSAccessKeyId=AKIA6KOSE3BNJRRFUUX6&versionId=uDt_ok35kJmlLOHoxMLu0texPAGn.u3i&response-content-disposition=attachment%3B%20filename%3D%22radar.version%22
What could be done is (on version checker side) strip the protocol from the original URI and the redirected URI (if any), and supply the plain HTTP protocol. That way no mods would need updating.
[close]
I might be missing something here, but how would that work? HTTP Bitbucket redirects to HTTPS Bitbucket, which then redirects to HTTPS AWS containing the actual content. The middle one is the problem, since Java is unable to connect to #2 to learn the redirect to #3.

Code
> Following redirects from http://bitbucket.org/LazyWizard/version-checker/downloads/versionchecker.version

http://bitbucket.org/LazyWizard/version-checker/downloads/versionchecker.version -> https://bitbucket.org/LazyWizard/version-checker/downloads/versionchecker.version

https://bitbucket.org/LazyWizard/version-checker/downloads/versionchecker.version -> https://bbuseruploads.s3.amazonaws.com/9b1d5e81-7bc4-4dda-84f6-a5bbd415c014/downloads/6962e609-fd53-4d09-b8e8-fba545f6c648/versionchecker.version?[SESSIONDATA]

I can't follow this chain of redirects if one link in the chain can't be completed (the above program will fail if run under Starsector's bundled JRE).
« Last Edit: August 29, 2020, 03:34:21 AM by LazyWizard »