Topic: Skype (v7.36) not connecting when Avast 2015 (v11.17) Web Shield activated...

REDACTED

  • Guest
Hey,

Recently I installed Avast 2015 free version (v11.17) on our MacBooks running El Capitan OSX 10.11.6.

Since then I've noticed that Skype (v7.36) is NOT connecting while Avast Web Shield is activated.
Skype simply shows the coloured message banner, "Connecting...", although it never connects, until the Avast Web Shield is deactivated.

Does anyone else have the same issue?
How do I resolve this please?
I'm guessing one solution might be to add "excluded servers" under Web Shield>Settings. But I've not been able to determine nor find any appropriate list of Skype server/s.

Thanks,
-a

tumic

  • Avast team
Hi,
Yes, the latest Skype update has broken the ability of Skype to run behind transparent proxies. We have reported the issue to Skype (see the attached mail), but we have not received any response from Skype since then... A workaround solution for now is either to add all the broken Skype servers to Avast webshield exclusions or to disable IPv6 scanning in the Avast webshield configuration.

Quote
Subject: Re: Skype and Avast AV on Mac
Date: Thu, 15 Sep 2016 09:55:45 +0200
From: Martin Tůma <tuma@avast.com>
To: <censored list of skype contacts>

Hi,
I have investigated the problems and the result is the following - the "incompatibility" is based on two bugs/broken configurations in Skype/Skype servers that together make it impossible for Skype for Mac to work behind a transparent proxy (which is how the Avast webshield works, but it applies to other transparent proxies as well).

1) The server "mscomajax.vo.msecnd.net" has a broken configuration. It has an IPv6 address assigned, but the service does not work on IPv6.
2) "mscomajax.vo.msecnd.net" is accessed using obsolete and insecure SSL 3 connections* without TLS SNI.

If at least one of those two bugs gets fixed, Skype for Mac behind transparent proxies should start working. A reasonable approach is of course to fix both of the issues, as the first one generally causes performance issues and the second one security issues.

Martin Tůma

* It is also accessed using TLS in other connections and when those TLS connections happen before the SSL3 connection, it works as the proxy has already set up an IPv4 fallback for the broken IPv6 address.
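
A way to find hosts with the first defect the quoted mail describes (an IPv6 address published, but nothing answering on it), as an added example that is not part of the thread or of Avast's code. It assumes a completed TCP connect on port 443 stands in for "the service works"; the function names are hypothetical.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def addresses_by_family(host, port=443, resolve=socket.getaddrinfo):
    """Group the addresses DNS returns for host into IPv4 and IPv6 lists."""
    found = {"IPv4": [], "IPv6": []}
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return found  # name does not resolve at all
    for family, _type, _proto, _canon, sockaddr in infos:
        name = FAMILIES.get(family)
        if name and sockaddr[0] not in found[name]:
            found[name].append(sockaddr[0])
    return found

def tcp_reachable(address, port=443, timeout=3.0):
    """Assumption: a completed TCP handshake stands in for 'the service works'."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(host, port=443, resolve=socket.getaddrinfo, probe=tcp_reachable):
    """Label host as ipv6-ok, broken-ipv6, ipv4-only or unreachable."""
    addrs = addresses_by_family(host, port, resolve)
    ok = {fam: any(probe(a, port) for a in lst) for fam, lst in addrs.items()}
    if ok["IPv6"]:
        return "ipv6-ok"
    if addrs["IPv6"] and ok["IPv4"]:
        # AAAA record published, nothing answers on it, IPv4 is fine:
        # the condition item 1 of the mail describes.
        return "broken-ipv6"
    if ok["IPv4"]:
        return "ipv4-only"
    return "unreachable"

if __name__ == "__main__":
    # Run from a machine with working IPv6 and the proxy disabled; without
    # IPv6 connectivity every dual-stack host is reported as broken-ipv6.
    for name in sys.argv[1:]:
        print(f"{name}: {classify(name)}")
```

Hosts reported as `broken-ipv6` are the candidates for the exclusion list mentioned in the reply above.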

REDACTED

  • Guest
Thank you Martin.
Subsequent to my post, I made a couple of quick experiments before running out of the office for my next meeting. I found the Skype for Business page which listed various FQDNs, and tried entering these in the Avast Excluded Servers list, without success. In my final two minutes remaining, I tested disabling the IPv6, and noticed this was an immediate, if not ideal workaround.

This is my first chance to return and respond with my findings, but you've beaten me to the punch.
Thank you again.