<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 14, 2022 at 6:07 AM Lukas Tribus <<a href="mailto:lukas@ltri.eu">lukas@ltri.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)" dir="auto"><br>
Most likely TCP session kill based on the server response (certificate).<br>
<br>
It could also be a combination of multiple indicators. IP addresses,<br>
SNI, TTL, but here it seems more likely to be the first one.<br>
<br>
This could be proven: put a self-signed cert of <a href="http://www.facebook.com" rel="noreferrer" target="_blank">www.facebook.com</a> on a<br>
server and try to repeat the IP address based check.</blockquote><div dir="auto"><br></div><div dir="auto">This is indeed what I could see last week.</div><div dir="auto">For instance, providing an SNI of instagram.com (1 week ago) would get through, providing an SNI of <a href="http://foo.com">foo.com</a> would fail verification (expected), and providing an empty value for SNI would also fail with a client hello read timeout. When no SNI is provided, the default cert is for *.facebook.com. </div><div dir="auto"><br></div><div dir="auto">Asking for facebook.com against a Cloudflare IP was also showing the read timeout.</div><div dir="auto">A request to a CF IP with an empty SNI would successfully return a cert.</div><div dir="auto"><br></div><div dir="auto">This suggests that either SNI filtering is done on the return client hello so it can catch the default cert when no SNI is provided, or that there is a combination of dropping outgoing client hellos with a specific name + dropping empty SNI to specific ranges, or a combination of both.</div><div dir="auto"><br></div><div dir="auto">The CF example makes me believe it is the second option.</div><div dir="auto"><br></div><div dir="auto">I will send example probes when I get to a device with a keyboard.</div><div dir="auto"><br></div><div dir="auto">Manu</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)" dir="auto"><br>
<br>
Lukas<br>
<br>
-- <br>
ripe-atlas mailing list<br>
<a href="mailto:ripe-atlas@ripe.net" target="_blank">ripe-atlas@ripe.net</a><br>
<a href="https://mailman.ripe.net/" rel="noreferrer" target="_blank">https://mailman.ripe.net/</a><br>
</blockquote></div></div>
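<div><br></div><div>Added example, not part of the thread or of the RIPE Atlas project: a small Python prober that sends a raw TLS 1.2 ClientHello to a caller-chosen IP with the SNI omitted, empty, or set to a name, and reports whether the first reply was a ServerHello, an alert, a close, a reset, or a read timeout. It assumes nothing about the target beyond an IP and port supplied on the command line; the names in the usage loop are the ones mentioned in the thread. <code>sni_of()</code> parses the extension back out so a run can log exactly what went on the wire.</div>

```python
# Added example (not from the thread): raw TLS ClientHello probes that separate
# "the server's reply reached us" (ServerHello or alert) from "no reply" (timeout).
# Assumed: the target IP and port are supplied by the caller; no DNS is done.
import os
import socket
import sys
from typing import Optional

TLS12 = b"\x03\x03"


def _tlv(length_bytes: int, payload: bytes) -> bytes:
    """Prefix payload with its length, big-endian, in length_bytes bytes."""
    return len(payload).to_bytes(length_bytes, "big") + payload


def build_client_hello(sni: Optional[str]) -> bytes:
    """TLS 1.2 ClientHello record. sni=None omits the server_name extension
    entirely (no SNI at all); sni="" sends the extension with an empty name."""
    exts = b""
    if sni is not None:
        host = sni.encode("idna")
        # server_name extension (type 0): list of (name_type=host_name(0), name)
        exts += b"\x00\x00" + _tlv(2, _tlv(2, b"\x00" + _tlv(2, host)))
    # supported_groups (x25519, secp256r1) and signature_algorithms, so the
    # ECDHE suites below are negotiable instead of provoking an alert
    exts += b"\x00\x0a" + _tlv(2, _tlv(2, b"\x00\x1d\x00\x17"))
    exts += b"\x00\x0d" + _tlv(2, _tlv(2, b"\x08\x04\x04\x03\x04\x01"))
    suites = b"\xc0\x2f\xc0\x2b\x00\x9c\x00\x2f"  # ECDHE AES128-GCM + RSA fallbacks
    body = (TLS12 + os.urandom(32) + _tlv(1, b"")  # version, random, empty session id
            + _tlv(2, suites) + _tlv(1, b"\x00") + _tlv(2, exts))
    return b"\x16" + TLS12 + _tlv(2, b"\x01" + _tlv(3, body))


def sni_of(hello: bytes) -> Optional[str]:
    """Parse the server_name back out of a ClientHello record (None if absent)."""
    if hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 5 + 4 + 2 + 32                                # record/handshake headers, version, random
    p += 1 + hello[p]                                 # session_id
    p += 2 + int.from_bytes(hello[p:p + 2], "big")    # cipher_suites
    p += 1 + hello[p]                                 # compression_methods
    ext_end = p + 2 + int.from_bytes(hello[p:p + 2], "big")
    p += 2
    while p < ext_end:
        ext_type = int.from_bytes(hello[p:p + 2], "big")
        ext_len = int.from_bytes(hello[p + 2:p + 4], "big")
        data = hello[p + 4:p + 4 + ext_len]
        if ext_type == 0:
            name_len = int.from_bytes(data[3:5], "big")  # skip list length(2), name_type(1)
            return data[5:5 + name_len].decode("idna")
        p += 4 + ext_len
    return None


def classify_reply(first_record: bytes) -> str:
    """Map the first bytes the server sends (or nothing) to a probe outcome."""
    if not first_record:
        return "closed"      # connection closed before any TLS record arrived
    if first_record[0] == 0x16:
        return "handshake"   # ServerHello: the certificate follows
    if first_record[0] == 0x15:
        return "alert"       # refused by the server, but its reply reached us
    return "other"


def probe(ip: str, sni: Optional[str], port: int = 443, timeout: float = 5.0) -> str:
    """Send one ClientHello to ip:port and classify what comes back. "timeout"
    after a clean TCP connect is the "client hello read timeout" seen in the thread."""
    try:
        s = socket.create_connection((ip, port), timeout=timeout)
    except socket.timeout:
        return "connect-timeout"
    except OSError as e:
        return f"connect-error:{e.errno}"
    with s:
        try:
            s.sendall(build_client_hello(sni))
            return classify_reply(s.recv(5))
        except socket.timeout:
            return "timeout"     # TCP was fine, the reply to the ClientHello never came
        except ConnectionResetError:
            return "reset"       # RST from the server or from something on the path


if __name__ == "__main__":
    # usage: python sni_probe.py <ip>  (the IP under test is the caller's choice)
    target = sys.argv[1]
    for name in (None, "", "www.facebook.com", "instagram.com", "foo.com"):
        print(f"sni={name!r:<22} -> {probe(target, name)}")
```

<div>One name answering "handshake" (or "alert") while another name on the same IP answers "timeout" after a clean TCP connect is what separates SNI-keyed filtering from plain IP blocking; repeating the same matrix against a server that carries a self-signed certificate for the filtered name, as suggested in the quoted message, separates filtering keyed on the ClientHello from filtering keyed on the returned certificate.</div>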