Cannot connect to downloads.joomla.org (only from server) #19469

Closed
aubreybox opened this issue Jan 27, 2018 · 9 comments

aubreybox commented Jan 27, 2018

Steps to reproduce the issue

openssl s_client -connect downloads.joomla.org:443

Expected result

CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = joomla-org.directrouter.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 2 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6298 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6ECCBA0B435C2F90FA75E27395C809EE57DACEEFB0D168D5B98C117D01E0E36E
    Session-ID-ctx: 
    Master-Key: A155064B8CF1F38E0A85A0D8DD02A9BFED8013FC1DB1BC8DE8BEDDB1D5EECA664EFA521AB0884B0048AFB7B3F46FEA11
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)

    Start Time: 1517056964
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

Actual result

nothing

System information (as much as possible)

Absolutely no connection to 72.29.124.146 possible (ping)

Connections from other servers to downloads.joomla.org:443 work
Connections to other joomla servers work as well: e.g. update.joomla.org:443

Any idea what the reason could be?

@brianteeman
Contributor

A firewall on your server?

@aubreybox
Author

No, even if I'd flush all iptables rules, the result is the same.
Furthermore, that would probably block update.joomla.org as well.

@andrepereiradasilva
Contributor

The only thing I see in downloads.joomla.org:

  1. is sending the CA certificate which is not needed since the CA root certificates are in all OS - that's the base of the chain of trust
  2. not supporting old clients without SNI.
  3. using a certificate that will be distrusted by Google and Mozilla from March 2018 (Existing Symantec Certificates)

See https://www.ssllabs.com/ssltest/analyze.html?d=downloads.joomla.org&hideResults=on&latest

So to test this with SNI support you should use:

openssl s_client -connect downloads.joomla.org:443 -servername downloads.joomla.org

For update.joomla.org, the only thing is:

  1. using a certificate that will be distrusted by Google and Mozilla from September 2018 (Existing Symantec Certificates)

And https://www.ssllabs.com/ssltest/analyze.html?d=update.joomla.org&hideResults=on&latest
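
Added example, not part of the thread or of the Joomla project: a small auditor for the "Certificate chain" section that `openssl s_client` prints, run here on the chain quoted in the first post. `LOCAL_ANCHORS` is an assumption taken from the depth=2 verify line of that output; the function names are hypothetical.

```python
import re

# Chain section copied from the `openssl s_client` output in the first post.
SAMPLE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 2 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""
# Assumption: the subject the verifying host already trusts as an anchor
# (the depth=2 certificate in the post's verify lines), in the chain's notation.
LOCAL_ANCHORS = {"/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited"
                 "/CN=COMODO RSA Certification Authority"}

ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.M)

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' section."""
    section = text.split("Certificate chain", 1)[-1].split("\n---", 1)[0]
    return [(int(n), s.strip(), i.strip()) for n, s, i in ENTRY.findall(section)]

def audit_chain(chain, local_anchors=frozenset()):
    """Flag duplicates, self-signed or already-trusted certs, and broken links."""
    findings, first_seen = [], {}
    for n, subj, iss in chain:
        if (subj, iss) in first_seen:
            findings.append((n, "duplicate", f"repeats cert {first_seen[subj, iss]}"))
            continue
        first_seen[subj, iss] = n
        if subj == iss:
            findings.append((n, "self-signed", "root sent by server"))
        elif subj in local_anchors:
            findings.append((n, "redundant-anchor", "subject already trusted locally"))
    unique = [c for c in chain if first_seen[c[1], c[2]] == c[0]]
    for (n, _, iss), (m, subj, _) in zip(unique, unique[1:]):
        if iss != subj:  # each cert should be issued by the next one sent
            findings.append((n, "broken-link", f"cert {m} is not its issuer"))
    return findings

if __name__ == "__main__":
    for finding in audit_chain(parse_chain(SAMPLE), LOCAL_ANCHORS):
        print(*finding, sep="\t")
```

Findings of this kind describe how the server is configured; they do not explain a host that cannot reach the address at all.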

@mbabker
Contributor

mbabker commented Jan 28, 2018

  1. downloads.joomla.org and update1.joomla.org (the subdomain which the update server CDN is based on) are on the same physical server. update.joomla.org is on a CDN, so connections to that specific subdomain address would use a different path/resource.

  2. Without an IP address, if there is a block in place for some reason, we can't do anything about it.

@aubreybox
Author

@andrepereiradasilva
The SNI/Cert related issues would not affect pinging. So the -servername option had no effect.

@mbabker
update1.joomla.org didn't work either.
I just sent you the IP via email.

@mbabker
Contributor

mbabker commented Jan 28, 2018

Should be unblocked now.

@aubreybox
Author

Indeed it works now. Do you know the reason for blocking?
Thank you very much anyway.

@brianteeman
Contributor

Closed as issue is resolved

@aubreybox
Author

reopen, same problem:(
