Hello,

I did not notice this issue at first, but reflecting back on it now there seems to be a serious issue with my SSL on my laptop.

When I was speaking to Erus about a "rotted link" within the AUR, I could not access the website as it kept throwing TLS errors; he could. I assumed it was just because of more strict firefox settings.

I have now realised that this plays more of an issue, I am constantly getting errors such as:
SSL_ERROR_ACCESS_DENIED_ALERT on firefox, and
ERR_SSL_PROTOCOL_ERROR on chromium.

This happens to multiple sites, but only to some, there seems to be no link between them.
For example: https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so... is one such website I am not able to visit on any browser on my laptop.

I assume this is an issue with the certificate verification on my laptop or maybe even openssl?

I guess you could consider this karma for using packages within testing :P (but hey at least I am testing)

If anyone has any ideas on how to diagnose the issue, on what the issue here is, or links to sources I can look into, please let me know.

Have a good night,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
On 2023-03-24 00:53:45, Polarian wrote:
I have now realised that this plays more of an issue, I am constantly getting errors such as:
SSL_ERROR_ACCESS_DENIED_ALERT on firefox, and
ERR_SSL_PROTOCOL_ERROR on chromium.
This happens to multiple sites, but only to some, there seems to be no link between them.
For example: https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...
I'm not an expert on these things, but since I had an SSL issue with the dotnet tools recently, I'll share a few resources I used to troubleshoot mine.

There are a few resources on the Arch Wiki that help you troubleshoot SSL issues:
https://wiki.archlinux.org/title/Transport_Layer_Security
https://wiki.archlinux.org/title/OpenSSL
https://wiki.archlinux.org/title/Network_Security_Services

I used these to check trusted CAs, manually adding the certificates etc. Guessing things like your system time are correct? I'd try accessing them using some other tool like curl, or text-based browsers. If the issue occurs only with browsers, then try clearing browser cache?

If the issue is only with some sites, perhaps you don't trust the CA for these sites? In the example you provided, the issuer is GoDaddy.

--
Regards,
Sadeep
PGP: 103BF9E3E750BF7E
On 24 Mar 2023, at 06:18, Sadeep Madurange <sadeep@asciimx.com> wrote:
On 2023-03-24 00:53:45, Polarian wrote:
I have now realised that this plays more of an issue, I am constantly getting errors such as:
SSL_ERROR_ACCESS_DENIED_ALERT on firefox, and
ERR_SSL_PROTOCOL_ERROR on chromium.
This happens to multiple sites, but only to some, there seems to be no link between them.
For example: https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...
I'm not an expert on these things, but since I had an SSL issue with the dotnet tools recently, I'll share a few resources I used to troubleshoot mine.
There are a few resources on the Arch Wiki that help you troubleshoot SSL issues:
https://wiki.archlinux.org/title/Transport_Layer_Security
https://wiki.archlinux.org/title/OpenSSL
https://wiki.archlinux.org/title/Network_Security_Services
I used these to check trusted CAs, manually adding the certificates etc. Guessing things like your system time are correct? I'd try accessing them using some other tool like curl, or text-based browsers. If the issue occurs only with browsers, then try clearing browser cache?
If the issue is only with some sites, perhaps you don't trust the CA for these sites? In the example you provided, the issuer is GoDaddy.
--
Regards,
Sadeep
PGP: 103BF9E3E750BF7E

Are you maybe hitting this: https://gitlab.com/qemu-project/qemu/-/issues/1471 ? I haven't read the whole conversation but the symptoms sounded like it.

//Torxed
I have now realised that this plays more of an issue, I am constantly getting errors such as:
SSL_ERROR_ACCESS_DENIED_ALERT on firefox, and
ERR_SSL_PROTOCOL_ERROR on chromium.
…
If anyone has any ideas on how to diagnose the issue, on what the issue here is, or links to sources I can look into, please let me know.

I'm guessing the output of `curl -v https://…` might be helpful (if it exhibits the same symptoms)

--
damjan
Here is the output:

~ on ☁ ❯ curl -v https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...
*   Trying 207.241.237.3:443...
* Connected to web.archive.org (207.241.237.3) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, access denied (561):
* OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied

Same issue!

--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
On 2023-03-24 11:34:20, Polarian wrote:
Here is the output:
~ on ☁ ❯ curl -v https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...
*   Trying 207.241.237.3:443...
* Connected to web.archive.org (207.241.237.3) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, access denied (561):
* OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied

I think it's your TLS version. You probably need TLS 1.3.

--
Regards,
Sadeep
PGP: 103BF9E3E750BF7E
Nope, it is not the issue, connecting to https://www.google.com/ is fine, and I am connected over TLS 1.3 (I checked the certificate).

So I am not sure what is causing this issue.

Thanks,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
On 2023-03-24 11:34:20, Polarian wrote:
Here is the output:
~ on ☁ ❯ curl -v https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...
*   Trying 207.241.237.3:443...
* Connected to web.archive.org (207.241.237.3) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, access denied (561):
* OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
I think it's your TLS version. You probably need TLS 1.3.
--
Regards,
Sadeep
PGP: 103BF9E3E750BF7E

Hi Polarian,

$ curl -v https://web.archive.org/web/20130824024508/http://www.baycom.org/~tom/ham/so...

What's the output of

    openssl s_client web.archive.org:443 </dev/null

--
Cheers, Ralph.
Hello,

Here is the output you wanted:

~ on ☁ ❯ openssl s_client web.archive.org:443 </dev/null
CONNECTED(00000003)
40A7CAD1607F0000:error:0A000419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied:ssl/record/rec_layer_s3.c:1605:SSL alert number 49
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 321 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Thank you,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
Hello,

Seems to work here on Arch (with testing repos). Check your packages are up-to-date. Might be something in your network (man-in-the-middle attack?)

# pacman -Q curl openssl glibc
curl 8.0.1-1
openssl 3.0.8-1
glibc 2.37-2

# curl --version
curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.10.0 nghttp2/1.52.0
Release-Date: [unreleased]
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

# curl -v https://web.archive.org
*   Trying 207.241.237.3:443...
* Connected to web.archive.org (207.241.237.3) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.archive.org
*  start date: Jan 19 18:59:49 2023 GMT
*  expire date: Feb 20 18:59:49 2024 GMT
*  subjectAltName: host "web.archive.org" matched cert's "*.archive.org"
*  issuer: C=US; ST=Arizona; L=Scottsdale; O=GoDaddy.com, Inc.; OU=http://certs.godaddy.com/repository/; CN=Go Daddy Secure Certificate Authority - G2
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: web.archive.org]
* h2h3 [user-agent: curl/8.0.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x56276070aea0)
> GET / HTTP/2
> Host: web.archive.org
> user-agent: curl/8.0.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< server: nginx/1.19.5
< date: Fri, 24 Mar 2023 12:12:27 GMT
< content-type: text/html; charset=utf-8
< x-app-server: wwwb-app220
< x-ts: 200
< x-tr: 2
< x-location: Slash
< x-rl: 0
< x-na: 0
< x-page-cache: MISS
< x-nid: -
< referrer-policy: no-referrer-when-downgrade
< permissions-policy: interest-cohort=()

--
damjan
Nope, everything is fine on my end:

curl 8.0.1-1
openssl 3.0.8-1
glibc 2.37-2

Maybe it could be my mobile data, I am currently not home. I can verify this by connecting to my mifi using my phone and attempting to open the website; if it fails my mobile data provider is to blame, if not, there is another issue (maybe certificate authority trust?)

Thanks,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
Hello,

I can confirm this is the issue: on smarty (Three backhaul) the TLS connection fails, when I am on Lebara (Vodafone backhaul) I can access the website.

I believe this is in fact MITM, but due to governmental restrictions. Archive.org is considered as illegal, due to the redistribution of copyrighted archived data, there is a good chance this failure is intentional to prevent AND OR log who is trying to access archive.org.

I noticed this issue only arises within torrent trackers (legal ones btw) and other shady sites.

This is scary, because it is not a simple ip block, but a TLS failure? what are they doing?

As a note I am using a local recursive DNS server, I am not sure if they DNS block these domains too.

Anyone got any ideas or recommendations to do with a shady cellular provider?

Thanks,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
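The diagnosis in this thread rests on reading three transcripts: the failing `curl -v` output, the failing `openssl s_client` output (alert before any certificate, yet "Verify return code: 0 (ok)"), and a working transcript from another network. The script below is an added example, not code from anyone in the thread. It parses those transcripts (copied here in abbreviated form as constants) and classifies the failure by which handshake stage was reached, separating "my trust store or clock is wrong" from "the ClientHello itself was refused", which is the pattern that pointed at the network rather than the laptop. The alert-number table is from RFC 8446/5246; the observation that curl folds the alert level into the printed number (561 = 2*256 + 49) is taken from the transcripts above.

```python
"""Classify a TLS handshake transcript from `curl -v` or `openssl s_client`."""
import re
from dataclasses import dataclass
from typing import List, Optional

# TLS AlertDescription values (RFC 8446 section 6.2 / RFC 5246 section 7.2.2).
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}
# Alerts a client raises after it received a certificate and rejected it.
CERT_VALIDATION_ALERTS = {42, 44, 45, 46, 48}

# curl prints "TLS alert, <name> (N)" with N = level * 256 + description,
# so the fatal (level 2) access_denied (49) seen in the thread appears as 561.
CURL_ALERT = re.compile(r"\(IN\), TLS alert, .*\((\d+)\)")
# openssl s_client prints the bare description: "SSL alert number 49".
OPENSSL_ALERT = re.compile(r"SSL alert number (\d+)")
# Handshake messages received from the peer, as curl names them.
CURL_SERVER_MSG = re.compile(r"\(IN\), TLS handshake, ([A-Za-z ]+?) \(\d+\)")

# Transcripts copied (abbreviated) from the messages in this thread.
FAILING_CURL = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (IN), TLS alert, access denied (561):
curl: (35) OpenSSL/3.0.8: error:0A000419:SSL routines::tlsv1 alert access denied
"""
FAILING_SCLIENT = """\
CONNECTED(00000003)
40A7CAD1607F0000:error:0A000419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied:ssl/record/rec_layer_s3.c:1605:SSL alert number 49
no peer certificate available
SSL handshake has read 7 bytes and written 321 bytes
Verify return code: 0 (ok)
"""
WORKING_CURL = """\
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* Server certificate:
*  subject: CN=*.archive.org
*  SSL certificate verify ok.
"""


@dataclass
class Diagnosis:
    alert_code: Optional[int]   # TLS AlertDescription received, or None
    alert_name: Optional[str]
    server_msgs: List[str]      # handshake messages the peer sent, in order
    peer_cert_seen: bool
    verdict: str


def parse_alert(text: str) -> Optional[int]:
    m = CURL_ALERT.search(text)
    if m:
        return int(m.group(1)) & 0xFF   # drop the level byte curl folds in
    m = OPENSSL_ALERT.search(text)
    return int(m.group(1)) if m else None


def diagnose(text: str) -> Diagnosis:
    alert = parse_alert(text)
    name = TLS_ALERTS.get(alert, f"unknown({alert})") if alert is not None else None
    server_msgs = CURL_SERVER_MSG.findall(text)
    # s_client prints "Verify return code: 0 (ok)" even when no certificate ever
    # arrived, so whether a certificate was received must be checked separately.
    peer_cert = ("no peer certificate available" not in text
                 and ("Server certificate:" in text or "Certificate (11)" in text))
    if alert is None and peer_cert and "SSL certificate verify ok" in text:
        verdict = "handshake completed and certificate verified on this path"
    elif alert in CERT_VALIDATION_ALERTS or "SSL certificate problem" in text:
        verdict = ("certificate rejected by this machine: check the CA bundle, "
                   "the system clock and the certificate validity dates")
    elif alert is not None and not server_msgs and not peer_cert:
        verdict = (f"fatal {name} alert before any ServerHello and no certificate offered: "
                   "the ClientHello itself was refused, so trust store and clock never came "
                   "into play; retry from another network, since an on-path device answering "
                   "in place of the server fits this pattern")
    elif alert is not None:
        stage = server_msgs[-1] if server_msgs else "the certificate"
        verdict = f"{name} alert after {stage}: peer aborted mid-handshake"
    else:
        verdict = "no alert and no verify result found; transcript incomplete"
    return Diagnosis(alert, name, server_msgs, peer_cert, verdict)


def network_dependent(here: str, elsewhere: str) -> bool:
    """The thread's final test: same host fails on one network, completes on another."""
    return (diagnose(here).alert_code is not None
            and diagnose(elsewhere).verdict.startswith("handshake completed"))


if __name__ == "__main__":
    for label, t in (("curl", FAILING_CURL), ("s_client", FAILING_SCLIENT), ("elsewhere", WORKING_CURL)):
        print(f"{label:10s} -> {diagnose(t).verdict}")
    print("network dependent:", network_dependent(FAILING_CURL, WORKING_CURL))
```

Run it with `python3 tls_diag.py`, or paste a fresh transcript into `diagnose()`. The useful distinction is the handshake stage: a `bad_certificate`, `unknown_ca` or `certificate_expired` alert is sent by the client after it saw a certificate, so it points at the local CA bundle or clock, whereas an `access_denied` alert with no ServerHello and no certificate means nothing on the laptop was ever asked to validate anything.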
On Friday, 24 March 2023 at 00:53 (+0000), Polarian wrote:
I did not notice this issue at first, but reflecting back on it now there seems to be a serious issue with my SSL on my laptop.

Whenever I've had the same problem, the culprit was an incorrect system clock. With the prevalence of OCSP stapling, this causes many hard TLS failures.

Hope this is helpful,
Jaron
Hello,

Unfortunately my system clock is synchronised, so this can't be the issue.

Thanks,
--
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@polarian.dev
participants (6)
- Anton Hvornum
- Damjan Georgievski
- Jaron Kent-Dobias
- Polarian
- Ralph Corderoy
- Sadeep Madurange