TLSv1.3 handshake going into timeout behind company proxy


Hi,

I'm asking in case you've already encountered this issue but I have some strange behaviour behind a company proxy (that I don't manage myself).

When I try to access 1password.com (in my browser or using cURL for example), the DNS resolution is OK (I usually end up with an IP that corresponds to a CloudFront host, and the IP changes). Then I see that the TLS certificate is verified without issue. And then the TLSv1.3 handshake between my client and the server goes into timeout.

For example:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 99.86.88.8:443...
* TCP_NODELAY set
* Connected to 1password.com (99.86.88.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:00:05 --:--:--     0 <<<< goes into timeout

Is there some advice you can give me on what the team that manages the proxy can look at? Has this happened before?

Thanks in advance! :)



Comments

  • The first post might have been caught by our spam filter, @N_Z_L – sorry if that was the case. It can be a bit overly aggressive at times, particularly if something you wrote looks like a malformed query of some sort. Obviously, outputs like you quoted can sometimes be a bit more prone to such issues. I'll take a look, but given you managed to post this one, I think you should be fine moving forward. Fingers crossed! 🤞 On the off chance you continue to have troubles, know that we do clear out the spam queue periodically, so if your post gets caught there, it will be seen and moved out once a human has eyes on it.

    As for the proxy, I know you don't manage it, but do you have a general understanding of how it works? There are a few things that I could see as the cause here. It could be as simple as 1Password not properly detecting the proxy. This should happen automatically in most cases, but depending on how the proxy is configured, you might need to manually add proxy details in settings. What I see fairly often in a work setting, though, are proxies designed to sniff all traffic. This is done, of course, for perfectly legit reasons – either to block certain sites or to ensure connections are following a certain set of rules – but 1Password can't tell the difference between this and a man in the middle, so it refuses to connect. I'm leaning towards the former as a timeout aligns better with that scenario, but knowing a bit more about how that proxy is expected to behave would help.

    Do you have any trouble signing into your 1Password account in your browser? To your knowledge, is browser traffic treated any differently by the proxy? Again, kind of tough to say anything for sure until I know whether behavior is different in the browser, but having that answer (and sharing it with the team managing the proxy) could be helpful. It might not mean much to us without some more details about the setup, but it's probably useful data for them.

This discussion has been closed.
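
A staged probe for the symptom discussed above, as an added example that is not part of the original thread or 1Password's own tooling: it reports whether the connection fails at DNS, TCP, or the TLS handshake, and on success returns the certificate issuer so an inspecting proxy's CA becomes visible. The names `probe`, `connect_to`, `HINTS` and the stage labels are assumptions made for this example.

```python
import socket
import ssl

# Stage labels and hints are this example's own naming, not curl's or 1Password's.
HINTS = {
    "dns_failed": "name did not resolve",
    "tcp_failed": "no TCP connection to the target port",
    "tls_handshake_timeout": "TCP connected, ClientHello sent, no reply (as in the curl trace)",
    "cert_untrusted": "chain not trusted locally, e.g. an inspecting proxy's own CA",
    "tls_failed": "handshake rejected or reset",
    "ok": "handshake completed; check that the issuer is the expected public CA",
}

def probe(host, port=443, timeout=5.0, connect_to=None):
    """Connect directly (no proxy) and return (stage, detail).

    connect_to is a hypothetical (ip, port) override, similar to curl --resolve,
    for pinning one of the rotating addresses while keeping SNI set to host.
    """
    try:
        # The timeout set here also bounds the TLS handshake below.
        sock = socket.create_connection(connect_to or (host, port), timeout=timeout)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)
    except OSError as exc:
        return "tcp_failed", str(exc)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("organizationName", issuer.get("commonName", ""))
    except socket.timeout:
        return "tls_handshake_timeout", "no ServerHello within %.0fs" % timeout
    except ssl.SSLCertVerificationError as exc:
        return "cert_untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_failed", str(exc)

if __name__ == "__main__":
    stage, detail = probe("1password.com")
    print(stage, "-", HINTS[stage], "-", detail)
```

Running it once on the company network and once off it gives the proxy team a stage name and, when the handshake completes, an issuer to compare.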