[atlas] TLS Certificate probes fail ("handshake failure") against Vercel servers

Hi Michael--

Thanks for your followup!  More below…

On Wed 2023-01-25 18:30:59 +0100, Michel Stam wrote:
> I think this may be because the measurement code doesn’t support TLS
> 1.3 yet, and vercel.com does. It’s a known issue, we’d like to add TLS
> 1.3 at some point.

Hm, i don't think that's the full story, because the same probe actually
succeeds for sites that also support TLS 1.3
(e.g. https://www.aclu.org/).  And, when i try to connect to it from a
client that has TLS 1.3 deliberately disabled (e.g. "gnutls-cli
-priority NORMAL:-VERS-TLS1.3 vercel.com") i still have no problem connecting.

Digging into it a bit further, it looks to me like Vercel servers send
an alert if we do not emit the ec_point_format TLS extension.

This is probably a bug on Vercel's side, but it shouldn't block the Atlas'
ability to harvest certificates from it.

> You can find the relevant code here:
> https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/blob/7c03fba082e93b7a1f0f14cc3769bb31e83909e3/eperd/sslgetcert.c#L927

Thanks for this pointer!

I've provided a (mainly untested) pull request with a pretty simple
patch that should hopefully fix the issue:

   https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15

If anyone on this list has the ability to test this patch and follow up
on that issue, i'd appreciate any review.

Regards,

        --dkg