Problems with HTTPS Continue
list Geoff Hallford
Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00
list Charles Jones
HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles
▸
Geoff Hallford wrote:Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00
list Geoff Hallford
Hi Charles, This is a McAfee Webshield appliance, so I can't go in and check the Apache log. I know the URL is good though because I can access it via any browser from my PC. It's only Hobbit that has an issue with it. Any other thoughts? Thanks.
▸
On 12/18/06, Charles Jones <user-e86b4aeade4e@xymon.invalid> wrote:HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles Geoff Hallford wrote: Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00
--
'If my answers frighten you then you should cease asking scary questions.'
--Sam Jackson from Pulp Fiction
list Charles Jones
Geoff, I guess the next thing to try would be another tool using HTTPs from the hobbit server itself. Either elinks-ssl, curl, or wget w/ SSL support. The goal being to narrow it down to definitely a problem with Hobbit. P.S. I noticed in the Apache banner it says it is on port 1443 instead of the usual 443, so there may be some proxy server or vhost that Hobbit has to go through, which could potentially be part of the problem. Good luck and let us know if you find the answer. -Charles
▸
Geoff Hallford wrote:Hi Charles, This is a McAfee Webshield appliance, so I can't go in and check the Apache log. I know the URL is good though because I can access it via any browser from my PC. It's only Hobbit that has an issue with it. Any other thoughts? Thanks. On 12/18/06, *Charles Jones* <user-e86b4aeade4e@xymon.invalid <mailto:user-e86b4aeade4e@xymon.invalid>> wrote: HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles Geoff Hallford wrote:Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
list Geoff Hallford
Hi Charles, I just used wget w/ SSL to download the file fine but it did complain about the certificate name. Would an invalid certificate affect Hobbit use of HTTPS?: bigbrother:/hobbit/server/www # wget https://142.224.108.83/apps/SCMClientWin32.exe --no-check-certificate --15:27:35-- https://142.224.108.83/apps/SCMClientWin32.exe => `SCMClientWin32.exe' Connecting to 142.224.108.83:443... connected. WARNING: Certificate verification error for 142.224.108.83: self signed certificate WARNING: certificate common name `Webshield.uhn.ca' doesn't match requested host name `142.224.108.83'. HTTP request sent, awaiting response... 200 OK Length: 12,905,984 (12M) [application/octet-stream] 100%[===========================================================================================================>] 12,905,984 3.51M/s ETA 00:00 15:27:41 (3.48 MB/s) - `SCMClientWin32.exe' saved [12905984/12905984]
▸
On 12/18/06, Charles Jones <user-e86b4aeade4e@xymon.invalid> wrote:Geoff, I guess the next thing to try would be another tool using HTTPs from the hobbit server itself. Either elinks-ssl, curl, or wget w/ SSL support. The goal being to narrow it down to definitely a problem with Hobbit. P.S. I noticed in the Apache banner it says it is on port 1443 instead of the usual 443, so there may be some proxy server or vhost that Hobbit has to go through, which could potentially be part of the problem. Good luck and let us know if you find the answer. -Charles Geoff Hallford wrote: Hi Charles, This is a McAfee Webshield appliance, so I can't go in and check the Apache log. I know the URL is good though because I can access it via any browser from my PC. It's only Hobbit that has an issue with it. Any other thoughts? Thanks. On 12/18/06, Charles Jones <user-e86b4aeade4e@xymon.invalid> wrote:HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles Geoff Hallford wrote: Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
list Charles Jones
Geoff, Take my advice with a grain of salt, but my next steps would be: 1. Attempt using other SSL protocols (you can specify in bb-hosts). Your Webshield appliance may be expecting something other than the default method that Hobbit uses. Here is a snippet from the bb-hosts man page: Some SSL sites will only allow you to connect, if you use specific "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience shows that this fails on some systems. bbtest-net can be told to use specific dialects, by adding one or more "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL: * "2", e.g. https2://www.sample.com <http://www.sample.com>/ : use only SSLv2 * "3", e.g. https3://www.sample.com <http://www.sample.com>/ : use only SSLv3 * "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers * "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers * "10", e.g. http10://www.sample.com <http://www.sample.com>/ : use HTTP 1.0 * "11", e.g. http11://www.sample.com <http://www.sample.com>/ : use HTTP 1.1 These can be combined where it makes sense, e.g to force SSLv2 and HTTP 1.0 you would use "https210". I suspect that one of the options above will fix your problem. My only other advice if none of that works would be to check the hobbit logs, especially bb-network.log. I would also consider editing the [bbnet] section of hobbitlaunch.cfg, adding the --debug flag to the CMD options, and then restarting hobbit and then watch stdout and/or the bb-network.log to see if it indicates what the problem is.
▸
-Charles
Geoff Hallford wrote:Hi Charles, I just used wget w/ SSL to download the file fine but it did complain about the certificate name. Would an invalid certificate affect Hobbit use of HTTPS?: bigbrother:/hobbit/server/www # wget https://142.224.108.83/apps/SCMClientWin32.exe --no-check-certificate --15:27:35-- https://142.224.108.83/apps/SCMClientWin32.exe => `SCMClientWin32.exe'
Connecting to 142.224.108.83:443 <http://142.224.108.83:443>;... connected. WARNING: Certificate verification error for 142.224.108.83 <http://142.224.108.83>;: self signed certificate
▸
WARNING: certificate common name `Webshield.uhn.ca' doesn't match requested host name `142.224.108.83'. HTTP request sent, awaiting response... 200 OK Length: 12,905,984 (12M) [application/octet-stream] 100%[===========================================================================================================>] 12,905,984 3.51M/s ETA 00:00 15:27:41 (3.48 MB/s) - `SCMClientWin32.exe' saved [12905984/12905984] On 12/18/06, *Charles Jones* < user-e86b4aeade4e@xymon.invalid <mailto:user-e86b4aeade4e@xymon.invalid>> wrote: Geoff, I guess the next thing to try would be another tool using HTTPs from the hobbit server itself. Either elinks-ssl, curl, or wget w/ SSL support. The goal being to narrow it down to definitely a problem with Hobbit. P.S. I noticed in the Apache banner it says it is on port 1443 instead of the usual 443, so there may be some proxy server or vhost that Hobbit has to go through, which could potentially be part of the problem. Good luck and let us know if you find the answer. -Charles Geoff Hallford wrote:Hi Charles, This is a McAfee Webshield appliance, so I can't go in and check the Apache log. I know the URL is good though because I can access it via any browser from my PC. It's only Hobbit that has an issue with it. Any other thoughts? Thanks. On 12/18/06, *Charles Jones* <user-e86b4aeade4e@xymon.invalid <mailto:user-e86b4aeade4e@xymon.invalid> > wrote: HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles Geoff Hallford wrote:Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
list Geoff Hallford
Charles, I switched over to testing a regular OWA 2003 implementation, so that it wouldn't have any weird configuration the Webshield's (SCM) might have but I can't get it to work and this one times out. I tried to mimic IE with the browser= setting as well with no effect. I enabled debug on the bbnet-test and collected the following information which doesn't give many hints as to the issue. I can still use WGET though to get the webpage requested by Hobbit, so I really feel the issue is somewhere in Hobbit. Any help from anyone would be appreciated. Logs: ###[ BB-NETWORK.LOG ]### 2006-12-19 10:43:02 Adding hostname 'webmail.uhn.on.ca' to resolver queue 2006-12-19 10:43:02 Got DNS result for host webmail.uhn.on.ca : 205.211.160.83 URL : https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp HTTP status : 0 HTTP headers (NULL) HTTP output (NULL) 2006-12-19 11:00:17 Calc http color host WEBSHIELD-83 : 2006-12-19 11:00:17 https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp(red) 2006-12-19 11:00:17 --> red ###[ WGET OUTPUT ]### bigbrother:/hobbit/server/etc # wget https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp --10:55:50-- https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp => `owalogon.asp' Resolving webmail.uhn.on.ca... 205.211.160.83 Connecting to webmail.uhn.on.ca|205.211.160.83|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 9,532 (9.3K) [text/html] 100%[===================================================================================================================================>] 9,532 8.34K/s 10:55:51 (8.33 KB/s) - `owalogon.asp' saved [9532/9532]
▸
On 12/18/06, Charles Jones <user-e86b4aeade4e@xymon.invalid> wrote:Geoff, Take my advice with a grain of salt, but my next steps would be: 1. Attempt using other SSL protocols (you can specify in bb-hosts). Your Webshield appliance may be expecting something other than the default method that Hobbit uses. Here is a snippet from the bb-hosts man page: Some SSL sites will only allow you to connect, if you use specific "dialects" of HTTP or SSL. Normally this is auto-negotiated, but experience shows that this fails on some systems. bbtest-net can be told to use specific dialects, by adding one or more "dialect names" to the URL scheme, i.e. the "http" or "https" in the URL: * "2", e.g. https2://www.sample.com/ : use only SSLv2 * "3", e.g. https3://www.sample.com/ : use only SSLv3 * "m", e.g. httpsm://www.sample.com/ : use only 128-bit ciphers * "h", e.g. httpsh://www.sample.com/ : use only >128-bit ciphers * "10", e.g. http10://www.sample.com/ : use HTTP 1.0 * "11", e.g. http11://www.sample.com/ : use HTTP 1.1 These can be combined where it makes sense, e.g to force SSLv2 and HTTP 1.0 you would use "https210". I suspect that one of the options above will fix your problem. My only other advice if none of that works would be to check the hobbit logs, especially bb-network.log. I would also consider editing the [bbnet] section of hobbitlaunch.cfg, adding the --debug flag to the CMD options,
and then restarting hobbit and then watch stdout and/or the bb-network.logto see if it indicates what the problem is.
▸
-Charles Geoff Hallford wrote: Hi Charles, I just used wget w/ SSL to download the file fine but it did complain about the certificate name. Would an invalid certificate affect Hobbit use of HTTPS?: bigbrother:/hobbit/server/www # wget https://142.224.108.83/apps/SCMClientWin32.exe --no-check-certificate --15:27:35-- https://142.224.108.83/apps/SCMClientWin32.exe => `SCMClientWin32.exe' Connecting to 142.224.108.83:443... connected. WARNING: Certificate verification error for 142.224.108.83: self signed certificate WARNING: certificate common name `Webshield.uhn.ca' doesn't match requested host name `142.224.108.83'. HTTP request sent, awaiting response... 200 OK Length: 12,905,984 (12M) [application/octet-stream] 100%[===========================================================================================================>] 12,905,984 3.51M/s ETA 00:00 15:27:41 (3.48 MB/s) - `SCMClientWin32.exe' saved [12905984/12905984] On 12/18/06, Charles Jones < user-e86b4aeade4e@xymon.invalid> wrote:Geoff, I guess the next thing to try would be another tool using HTTPs from the hobbit server itself. Either elinks-ssl, curl, or wget w/ SSL support. The goal being to narrow it down to definitely a problem with Hobbit. P.S. I noticed in the Apache banner it says it is on port 1443 instead of the usual 443, so there may be some proxy server or vhost that Hobbit has to go through, which could potentially be part of the problem. Good luck and let us know if you find the answer. -Charles Geoff Hallford wrote: Hi Charles, This is a McAfee Webshield appliance, so I can't go in and check the Apache log. I know the URL is good though because I can access it via any browser from my PC. It's only Hobbit that has an issue with it. Any other thoughts? Thanks. On 12/18/06, Charles Jones <user-e86b4aeade4e@xymon.invalid > wrote:HTTPS is definitely working, or else you would not get the Apache banner at the end. It looks like you are simply checking an invalid URL. Check your apache error log and see if it indicates that SCMClientWin32.exe is being requested from an incorrect path or something. -Charles Geoff Hallford wrote: Hi Everyone, I still have problems getting Hobbit to check URL's that are HTTP*S*. I have compiled with SSL support and the testing does work on items such as LDAPS and SSH but it will not work for HTTPS. Does anyone have any thoughts? I get the following message: --- Mon Dec 18 14:01:59 2006: https://142.224.108.83/apps/SCMClientWin32.exe - Not Found The requested URL /error/HTTP_BAD_REQUEST.html.var was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.55 (Unix) Server at localhost Port 1443 Seconds: 0.00-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction
list Henrik Størner
▸
On Tue, Dec 19, 2006 at 11:13:57AM -0500, Geoff Hallford wrote:
I switched over to testing a regular OWA 2003 implementation, so that it wouldn't have any weird configuration the Webshield's (SCM) might have but I can't get it to work and this one times out. I tried to mimic IE with the browser= setting as well with no effect. I enabled debug on the bbnet-test and collected the following information which doesn't give many hints as to the issue.
URL : https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp HTTP status : 0
This means Hobbit managed to connect to the port, but didn't get any data. I wonder if your OpenSSL library might be the problem. I've tried setting up a test from here to the same URL - it's publicly accessible - and it works just fine: 2006-12-19 17:26:18 Adding hostname 'webmail.uhn.on.ca' to resolver queue 2006-12-19 17:26:18 Processing 1 DNS lookups with ARES 2006-12-19 17:26:18 Got DNS result for host webmail.uhn.on.ca : 205.211.160.83 2006-12-19 17:26:18 Adding tcp test IP=205.211.160.83, port=443, service=https, silent=0 2006-12-19 17:26:18 About to do 1 TCP tests running 246 in parallel <snip lots of debug output> 2006-12-19 17:26:19 Calc http color host webmail.uhn.on.ca : 2006-12-19 17:26:19 https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp(green) 2006-12-19 17:26:19 --> green 2006-12-19 17:26:19 Adding to combo msg: status webmail,uhn,on,ca.http green Tue Dec 19 17:26:18 2006: OK 2006-12-19 17:26:19 Calc content color host webmail.uhn.on.ca : 2006-12-19 17:26:19 Adding to combo msg: status webmail,uhn,on,ca.sslcert green Tue Dec 19 17:26:18 2006 2006-12-19 17:26:19 Flushing combo message status webmail,uhn,on,ca.http green Tue Dec 19 17:26:18 2006: OK &green https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp - OK HTTP/1.1 200 OK Connection: close Content-Length: 9532 Expires: Tue, 19 Dec 2006 16:25:17 GMT Date: Tue, 19 Dec 2006 16:26:16 GMT Content-Type: text/html Cache-Control: no-cache Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: PartnersWebmail=None; expires=Sun, 17-Jun-2007 15:26:16 GMT; domain=webmail.uhn.on.ca; path=/exchweb/bin/auth/; secure Seconds: 0.77 status webmail,uhn,on,ca.sslcert green Tue Dec 19 17:26:18 2006 &green SSL certificate for https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp expires in 612 days Server certificate: subject:/C=CA/ST=Ontario/L=Toronto/O=University Health Network/OU=Shared Information Management Systems/CN=webmail.uhn.on.ca start date: 2006-07-11 00:00:00 GMT expire date:2008-08-22 23:59:59 GMT This is with OpenSSL version 0.9.8b, and Hobbit 4.2.0. Regards, Henrik
list Geoff Hallford
Thanks. I am running OpenSSL version 0.9.7g and Hobbit 4.2.0 on SuSE 10.0. I will try and upgrade the SSL to 0.9.8b and recompile Hobbit.
▸
On 12/19/06, Henrik Stoerner <user-ce4a2c883f75@xymon.invalid> wrote:On Tue, Dec 19, 2006 at 11:13:57AM -0500, Geoff Hallford wrote:I switched over to testing a regular OWA 2003 implementation, so that it wouldn't have any weird configuration the Webshield's (SCM) might have but I can't get it to work and this one times out. I tried to mimic IE with the browser= setting as well with no effect. I enabled debug on the bbnet-test and collected the following information which doesn't give many hints as to the issue. URL : https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp HTTP status : 0This means Hobbit managed to connect to the port, but didn't get any data. I wonder if your OpenSSL library might be the problem. I've tried setting up a test from here to the same URL - it's publicly accessible - and it works just fine: 2006-12-19 17:26:18 Adding hostname 'webmail.uhn.on.ca' to resolver queue 2006-12-19 17:26:18 Processing 1 DNS lookups with ARES 2006-12-19 17:26:18 Got DNS result for host webmail.uhn.on.ca : 205.211.160.83 2006-12-19 17:26:18 Adding tcp test IP=205.211.160.83, port=443, service=https, silent=0 2006-12-19 17:26:18 About to do 1 TCP tests running 246 in parallel <snip lots of debug output> 2006-12-19 17:26:19 Calc http color host webmail.uhn.on.ca : 2006-12-19 17:26:19 https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp(green) 2006-12-19 17:26:19 --> green
2006-12-19 17:26:19 Adding to combo msg: status webmail,uhn,on,ca.httpgreen Tue Dec 19 17:26:18 2006: OK
2006-12-19 17:26:19 Calc content color host webmail.uhn.on.ca :
2006-12-19 17:26:19 Adding to combo msg: status webmail,uhn,on,ca.sslcertgreen Tue Dec 19 17:26:18 2006
▸
2006-12-19 17:26:19 Flushing combo message status webmail,uhn,on,ca.http green Tue Dec 19 17:26:18 2006: OK &green https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp - OK HTTP/1.1 200 OK Connection: close Content-Length: 9532 Expires: Tue, 19 Dec 2006 16:25:17 GMT Date: Tue, 19 Dec 2006 16:26:16 GMT Content-Type: text/html Cache-Control: no-cache Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: PartnersWebmail=None; expires=Sun, 17-Jun-2007 15:26:16 GMT; domain=webmail.uhn.on.ca; path=/exchweb/bin/auth/; secure Seconds: 0.77 status webmail,uhn,on,ca.sslcert green Tue Dec 19 17:26:18 2006 &green SSL certificate for https://webmail.uhn.on.ca/exchweb/bin/auth/owalogon.asp expires in 612 days Server certificate: subject:/C=CA/ST=Ontario/L=Toronto/O=University Health Network/OU=Shared Information Management Systems/CN=webmail.uhn.on.ca start date: 2006-07-11 00:00:00 GMT expire date:2008-08-22 23:59:59 GMT This is with OpenSSL version 0.9.8b, and Hobbit 4.2.0. Regards, Henrik
-- 'If my answers frighten you then you should cease asking scary questions.' --Sam Jackson from Pulp Fiction