This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] TLS Certificate probes fail ("handshake failure") against Vercel servers
- Previous message (by thread): [atlas] TLS Certificate probes fail ("handshake failure") against Vercel servers
- Next message (by thread): [atlas] Atlas anchors as ping targets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 25 22:27:01 CET 2023
Hi Michael-- Thanks for your followup! More below… On Wed 2023-01-25 18:30:59 +0100, Michel Stam wrote: > I think this may be because the measurement code doesn’t support TLS > 1.3 yet, and vercel.com does. It’s a known issue, we’d like to add TLS > 1.3 at some point. Hm, i don't think that's the full story, because the same probe actually succeeds for sites that also support TLS 1.3 (e.g. https://www.aclu.org/). And, when i try to connect to it from a client that has TLS 1.3 deliberately disabled (e.g. "gnutls-cli -priority NORMAL:-VERS-TLS1.3 vercel.com") i still have no problem connecting. Digging into it a bit further, it looks to me like Vercel servers send an alert if we do not emit the ec_point_format TLS extension. This is probably a bug on Vercel's side, but it shouldn't block the Atlas' ability to harvest certificates from it. > You can find the relevant code here: > https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/blob/7c03fba082e93b7a1f0f14cc3769bb31e83909e3/eperd/sslgetcert.c#L927 Thanks for this pointer! I've provided a (mainly untested) pull request with a pretty simple patch that should hopefully fix the issue: https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15 If anyone on this list has the ability to test this patch and follow up on that issue, i'd appreciate any review. Regards, --dkg
- Previous message (by thread): [atlas] TLS Certificate probes fail ("handshake failure") against Vercel servers
- Next message (by thread): [atlas] Atlas anchors as ping targets
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]