Is there an issue with the tls config on tldp.org #101

Closed
beazlr02 opened this issue Feb 8, 2021 · 4 comments


beazlr02 commented Feb 8, 2021

Don't really know who else to tell.

I'm getting this output from openssl:

openssl s_client -showcerts -servername tldp.org -connect tldp.org:443
CONNECTED(00000006)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = jazz1.tldp.org
verify return:1
---
Certificate chain
 0 s:/CN=jazz1.tldp.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=jazz1.tldp.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3427 bytes and written 371 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6324383F0D1ADFD804CFC1448C743E660EC24D8646A9DE2DC603E7FDE4704661
    Session-ID-ctx: 
    Master-Key: 8B61148299E0E9382973230E4BA20C8FD25202EE7D2E0B3175A1B009E25F66AD357565EC3DE5C5E2AE0D1606668884EF
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1612780171
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

pbiering commented Feb 8, 2021

Hmm, neither "Firefox" nor "curl" is complaining about the certificate.

Certificate contains a bunch of SANs:
X509v3 Subject Alternative Name:
DNS:en.tldp.org, DNS:git.tldp.org, DNS:infra1.tldp.org, DNS:infra2.tldp.org, DNS:jazz1.tldp.org, DNS:jazz2.tldp.org, DNS:lists.tldp.org, DNS:tldp.net, DNS:tldp.org, DNS:wiki.tldp.org, DNS:www.tldp.net, DNS:www.tldp.org

and result is comparable to

openssl s_client  -servername ip.bieringer.de -connect ip.bieringer.de:443

-> looks like the "verify return:1" is acceptable


beazlr02 commented Feb 8, 2021

Actually, looks like there might be weird shizzle going on at my end after all; it works on my phone.

beazlr02 closed this as completed Feb 8, 2021

ser commented Feb 11, 2021

Hi, I do confirm that we had temporary problems with one of the certificates. I hope it was fixed.


andrewsf commented May 3, 2021

I suspect the reporter ran into the problem in a browser against one server, but all tests were done against the other server's IP. Please see #102 for host-specific details of what I'm seeing.
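
The situation described in the last comment (a name served by more than one host, where a test against one IP passes while clients reaching the other fail) can be checked by validating the certificate on every address separately. The sketch below is an added example, not code from any participant in this thread or from the project; the function names, the `192.0.2.x` addresses and the sample results are constructed for illustration.

```python
import socket
import ssl

def backend_ips(host, port=443):
    """Every distinct address DNS returns for host (one per backend server)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, host, port=443, timeout=5.0):
    """Handshake with one backend IP, sending host as SNI and verifying against it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"ip": ip, "ok": False, "detail": exc.verify_message}
    except OSError as exc:  # refused, timed out, other handshake failure
        return {"ip": ip, "ok": False, "detail": str(exc)}
    cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "")
    return {"ip": ip, "ok": True, "detail": cn, "not_after": cert["notAfter"]}

def days_left(result, now):
    """Days until the certificate in a successful probe result expires."""
    return (ssl.cert_time_to_seconds(result["not_after"]) - now) / 86400

def summarize(results, now, warn_days=14):
    """List failing backends, certificates near expiry, and split behaviour."""
    findings = []
    for r in results:
        if not r["ok"]:
            findings.append(f"{r['ip']}: FAIL {r['detail']}")
        elif days_left(r, now) < warn_days:
            findings.append(f"{r['ip']}: expires in {days_left(r, now):.0f} days ({r['detail']})")
    if len({r["ok"] for r in results}) > 1:
        findings.append("backends disagree: result depends on which IP the client reaches")
    return findings

# Constructed sample results (not captured from tldp.org): one healthy backend
# close to expiry, one backend serving an expired certificate.
SAMPLE = [
    {"ip": "192.0.2.10", "ok": True, "detail": "jazz1.tldp.org",
     "not_after": "May 10 00:00:00 2021 GMT"},
    {"ip": "192.0.2.11", "ok": False, "detail": "certificate has expired"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("May 03 00:00:00 2021 GMT")

if __name__ == "__main__":
    # Live use: results = [probe(ip, "tldp.org") for ip in backend_ips("tldp.org")]
    for line in summarize(SAMPLE, SAMPLE_NOW):
        print(line)
```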
