[atlas] TLS Certificate probes fail ("handshake failure") against Vercel servers
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 25 22:27:01 CET 2023
Hi Michael-- Thanks for your followup! More below…

On Wed 2023-01-25 18:30:59 +0100, Michel Stam wrote:
> I think this may be because the measurement code doesn’t support TLS
> 1.3 yet, and vercel.com does. It’s a known issue, we’d like to add TLS
> 1.3 at some point.

Hm, i don't think that's the full story, because the same probe actually succeeds for sites that also support TLS 1.3 (e.g. https://www.aclu.org/). And, when i try to connect to it from a client that has TLS 1.3 deliberately disabled (e.g. "gnutls-cli -priority NORMAL:-VERS-TLS1.3 vercel.com") i still have no problem connecting.

Digging into it a bit further, it looks to me like Vercel servers send an alert if we do not emit the ec_point_format TLS extension. This is probably a bug on Vercel's side, but it shouldn't block the Atlas' ability to harvest certificates from it.

> You can find the relevant code here:
> https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/blob/7c03fba082e93b7a1f0f14cc3769bb31e83909e3/eperd/sslgetcert.c#L927

Thanks for this pointer! I've provided a (mainly untested) pull request with a pretty simple patch that should hopefully fix the issue:

https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15

If anyone on this list has the ability to test this patch and follow up on that issue, i'd appreciate any review.

Regards,

--dkg
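As an added illustration, not part of dkg's message or of the Atlas probe code: a small Python inspector that parses a TLS 1.2 ClientHello record and flags the condition described above, a hello that offers ECC cipher suites (or supported_groups) but carries no ec_point_formats extension (type 11). The sample hellos are constructed inline by the build helper; the helper and the small cipher-suite set are assumptions made for the example.

```python
import struct

EC_POINT_FORMATS = 11      # extension type "ec_point_formats" (RFC 4492 / RFC 8422)
SUPPORTED_GROUPS = 10      # extension type "elliptic_curves" / "supported_groups"
# A few ECDHE cipher suite ids from the IANA registry; offering any of them makes the hello ECC-capable.
ECC_SUITES = {0xC02B, 0xC02C, 0xC02F, 0xC030, 0xC013, 0xC014}

def build_client_hello(cipher_suites, extensions):
    """Constructed TLS 1.2 ClientHello record for testing; 'extensions' is a list of (type, data)."""
    body = b"\x03\x03" + bytes(32)                    # client_version 3.3 + 32-byte random (zeros here)
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                               # compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: type handshake, legacy version 3.1

def parse_client_hello(record):
    """Return (cipher_suites, {ext_type: ext_data}) from a TLS record that holds a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    (hs_len,) = struct.unpack("!I", b"\x00" + record[6:9])
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                      # skip client_version and random
    pos += 1 + body[pos]                              # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression_methods
    exts = {}
    if pos < len(body):                               # extensions block is optional in TLS 1.2
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return suites, exts

def lacks_ec_point_formats(record):
    """True when the hello is ECC-capable but sends no ec_point_formats extension."""
    suites, exts = parse_client_hello(record)
    ecc = bool(ECC_SUITES & set(suites)) or SUPPORTED_GROUPS in exts
    return ecc and EC_POINT_FORMATS not in exts
```

Feed it the ClientHello bytes captured from the probe (for instance from a pcap) to see whether the hello falls into the case the Vercel servers reject.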