Hello,
When I try to access a few fedora related resources from my university network, I tend to get certificate errors. I was getting these from fedoramagazine.org, then from meetbot, and I got one when running `fedpkg build` that really freaked me out:
$ fedpkg build Could not execute build: The connection to PDC failed while trying to get the active release branches. The error was: HTTPSConnectionPool(host='pdc.fedoraproject.org', port=443): Max retries exceeded with url: /rest_api/v1/component-branches/?global_component=lifeograph&fields=name&fields=active (Caused by SSLError(SSLCertVerificationError("hostname 'pdc.fedoraproject.org' doesn't match either of 'phishing-alert.herts.ac.uk', 'www.phishing-alert.herts.ac.uk', 'f5-phishing-alert.herts.ac.uk'")))
I tried it again, and it worked (phew!), but I haven't been able to get fedoramagazine to work at all.
I've filed a ticket with university IT already. Their initial comment was: "site is report (sic) to be using an invalid certificate. It is not blocked manually by UH", which is probably inaccurate given that we have no issues with these web resources outside the university network.
Would anyone have any hints on what they may be doing? I know it's a hard problem to diagnose without knowing what the university IT is upto, but any hints that I could pass on to them would be appreciated.
On Sat, 12 Jan 2019 at 07:56, Ankur Sinha sanjay.ankur@gmail.com wrote:
Hello,
When I try to access a few fedora related resources from my university network, I tend to get certificate errors. I was getting these from fedoramagazine.org, then from meetbot, and I got one when running `fedpkg build` that really freaked me out:
$ fedpkg build Could not execute build: The connection to PDC failed while trying to get the active release branches. The error was: HTTPSConnectionPool(host=' pdc.fedoraproject.org', port=443): Max retries exceeded with url: /rest_api/v1/component-branches/?global_component=lifeograph&fields=name&fields=active (Caused by SSLError(SSLCertVerificationError("hostname ' pdc.fedoraproject.org' doesn't match either of 'phishing-alert.herts.ac.uk', 'www.phishing-alert.herts.ac.uk', 'f5-phishing-alert.herts.ac.uk'")))
I tried it again, and it worked (phew!), but I haven't been able to get fedoramagazine to work at all.
I've filed a ticket with university IT already. Their initial comment was: "site is report (sic) to be using an invalid certificate. It is not blocked manually by UH", which is probably inaccurate given that we have no issues with these web resources outside the university network.
Would anyone have any hints on what they may be doing? I know it's a hard problem to diagnose without knowing what the university IT is upto, but any hints that I could pass on to them would be appreciated.
What you are seeing is someone intercepting the traffic between you and the real servers. This could be anything from an ASN BGP attack to a security tool which is to look for phishing, botnets, or other traffic. [Depending on the place, traffic at universities can be 20-65% botnet traffic because they usually have a large pipe and rules to not stop research.] I am going to lean towards this being that the university has put in a f5 proxy tool to try to stop that traffic by redirecting any certs it finds troublesome as bad. [And I am going to guess that Let's Encrypt is being treated as troublesome.]
-- Thanks, Regards,
Ankur Sinha "FranciscoD" https://fedoraproject.org/wiki/User:Ankursinha
Time zone: Europe/London _______________________________________________ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...
On Sat, Jan 12, 2019 10:16:38 -0500, Stephen John Smoogen wrote:
On Sat, 12 Jan 2019 at 07:56, Ankur Sinha sanjay.ankur@gmail.com wrote:
What you are seeing is someone intercepting the traffic between you and the real servers. This could be anything from an ASN BGP attack to a security tool which is to look for phishing, botnets, or other traffic. [Depending on the place, traffic at universities can be 20-65% botnet traffic because they usually have a large pipe and rules to not stop research.] I am going to lean towards this being that the university has put in a f5 proxy tool to try to stop that traffic by redirecting any certs it finds troublesome as bad. [And I am going to guess that Let's Encrypt is being treated as troublesome.]
Thank you for your reply, Stephen. I've updated the ticket at the university with more information based on it. I do hope they can fix whatever it is they're up to. Otherwise, I will be unable to do any Fedora related work from university (or when connected to their VPN). :(
infrastructure@lists.fedoraproject.org