On Mon, 4 Mar 2019 at 09:14, Charles Kozler
<ckozleriii(a)gmail.com> wrote:
Recent curl has --tlsv1.2 and --tlsv1.3 options. Do these allow you to
connect to github?
There is a TLDNR discussion of policy management at
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.o...
Upon further inspection it seems I am only getting this issue with github host ending in
.112. Requests to 113 seem to work fine
However, I am getting SSL interference via chrome with lists.fedoraproject.org as well -> https://i.imgur.com/wlU5FVE.png
So now I am even more confused but of course still not ruling out the ssl decryption for
packet inspection...
[09:04:49]ckozler@myhost:~ > curl https://github.com --verbose
* Rebuilt URL to: https://github.com/
* Trying 192.30.253.112...
* TCP_NODELAY set
* Connected to github.com (192.30.253.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS alert, illegal parameter (559):
* error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback
* Closing connection 0
curl: (35) error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback
^ Error, so I try again
[09:04:51]ckozler@myhost:~ > curl https://github.com --verbose
* Rebuilt URL to: https://github.com/
* Trying 192.30.253.113...
* TCP_NODELAY set
* Connected to github.com (192.30.253.113) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
* start date: May 8 00:00:00 2018 GMT
* expire date: Jun 3 12:00:00 2020 GMT
* subjectAltName: host "github.com" matched cert's "github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
* TLSv1.3 (OUT), TLS app data, [no content] (0):
GET / HTTP/1.1
Host: github.com
User-Agent: curl/7.61.1
Accept: */*
And trying the ssl command
[09:07:30]ckozler@myhost:~ > !747
openssl s_client -connect github.com:443
CONNECTED(00000004)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1
---
Certificate chain
0 s:businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHQjCCBiqgAwIBAgIQCgYwQn9bvO1pVzllk7ZFHzANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDUwODAwMDAwMFoXDTIwMDYwMzEy
MDAwMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
Ewc1MTU3NTUwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
A1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRMwEQYD
VQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
xjyq8jyXDDrBTyitcnB90865tWBzpHSbindG/XqYQkzFMBlXmqkzC+FdTRBYyneZ
w5Pz+XWQvL+74JW6LsWNc2EF0xCEqLOJuC9zjPAqbr7uroNLghGxYf13YdqbG5oj
/4x+ogEG3dF/U5YIwVr658DKyESMV6eoYV9mDVfTuJastkqcwero+5ZAKfYVMLUE
sMwFtoTDJFmVf6JlkOWwsxp1WcQ/MRQK1cyqOoUFUgYylgdh3yeCDPeF22Ax8AlQ
xbcaI+GwfQL1FB7Jy+h+KjME9lE/UpgV6Qt2R1xNSmvFCBWu+NFX6epwFP/JRbkM
fLz0beYFUvmMgLtwVpEPSwIDAQABo4IDeTCCA3UwHwYDVR0jBBgwFoAUPdNQpdag
re7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFMnCU2FmnV+rJfQmzQ84mqhJ6kipMCUG
A1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0
oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcy
LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
dmVyLWcyLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIB
FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEF
BQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBS
BggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA
MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY
BPkb37jjd80OyA3cEAAAAWNBYm0KAAAEAwBHMEUCIQDRZp38cTWsWH2GdBpe/uPT
Wnsu/m4BEC2+dIcvSykZYgIgCP5gGv6yzaazxBK2NwGdmmyuEFNSg2pARbMJlUFg
U5UAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAWNBYm0tAAAE
AwBHMEUCIQCi7omUvYLm0b2LobtEeRAYnlIo7n6JxbYdrtYdmPUWJQIgVgw1AZ51
vK9ENinBg22FPxb82TvNDO05T17hxXRC2IYAdgC72d+8H4pxtZOUI5eqkntHOFeV
CqtS6BqQlmQ2jh7RhQAAAWNBYm3fAAAEAwBHMEUCIQChzdTKUU2N+XcqcK0OJYrN
8EYynloVxho4yPk6Dq3EPgIgdNH5u8rC3UcslQV4B9o0a0w204omDREGKTVuEpxG
eOQwDQYJKoZIhvcNAQELBQADggEBAHAPWpanWOW/ip2oJ5grAH8mqQfaunuCVE+v
ac+88lkDK/LVdFgl2B6kIHZiYClzKtfczG93hWvKbST4NRNHP9LiaQqdNC17e5vN
HnXVUGw+yxyjMLGqkgepOnZ2Rb14kcTOGp4i5AuJuuaMwXmCo7jUwPwfLe1NUlVB
Kqg6LK0Hcq4K0sZnxE8HFxiZ92WpV2AVWjRMEc/2z2shNoDvxvFUYyY1Oe67xINk
myQKc+ygSBZzyLnXSFVWmHr3u5dcaaQGGAR42v6Ydr4iL38Hd4dOiBma+FXsXBIq
WUjbST4VXmdaol7uzFMojA4zkxQDZAvF5XgJlAFadfySna/teik=
-----END CERTIFICATE-----
subject=businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3621 bytes and written 386 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 1D343EF008C16BCDF6BDA7AA5636893098AD63013754B70FE543CD02346B7199
Session-ID-ctx:
Resumption PSK: FF94566A1ADC8640EEAAECA578A1AFFF4416DF8A9771E795FF6335F72EC7C642
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - a5 23 b4 47 52 ec f4 62-0d c6 f4 26 3d 21 b9 af .#.GR..b...&=!..
0010 - 77 37 a8 a6 63 48 0f b6-56 50 98 5e 62 3f d1 25 w7..cH..VP.^b?.%
Start Time: 1551794858
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: 8ABF9A302A2A03379168C62C4C54678E8C68C7D74A724EFE6017C2B6100D11E6
Session-ID-ctx:
Resumption PSK: 7768F89C69C01E58381F3F63EC706ED78283D332DED9EA6E20246ACA9243520F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b2 09 02 b3 9a 80 23 b1-0b 65 6f 91 19 e6 a9 a7 ......#..eo.....
0010 - d8 3b 3f 68 b6 06 4b 76-07 a5 43 23 ae d8 24 19 .;?h..Kv..C#..$.
Start Time: 1551794858
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
q^[[A^C
[09:07:42]ckozler@myhost:~ > openssl s_client -connect github.com:443
CONNECTED(00000004)
140189224101696:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1929:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 85 bytes and written 329 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[09:07:43]ckozler@myhost:~ >
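Added example for the error above (this is not code from the thread, from GitHub or from OpenSSL; the function names and the three sample ServerHello records are mine and constructed, not captures from github.com). "ssl_choose_client_version:inappropriate fallback" is the OpenSSL 1.1.1 client refusing a ServerHello because of the TLS 1.3 downgrade-protection rule in RFC 8446 section 4.1.3: a server that supports TLS 1.3 but ends up negotiating TLS 1.2 or lower must set the last 8 bytes of ServerHello.random to a fixed sentinel, and a client that offered TLS 1.3 and then sees a lower selected version together with that sentinel aborts with an illegal_parameter alert, which is the alert (559) curl logged. The script parses a ServerHello record, applies that check, and runs it against a 1.3 negotiation, a 1.2 negotiation that carries the sentinel, and a plain 1.2-only server:

```python
"""
Added example, not code from the thread: a minimal ServerHello parser plus the
downgrade check that produces "ssl_choose_client_version:inappropriate fallback".
RFC 8446 section 4.1.3 requires a TLS 1.3 capable server that negotiates TLS 1.2
(or lower) to end ServerHello.random with a fixed sentinel.  A client that
offered TLS 1.3 and then sees a lower selected version next to that sentinel
treats the handshake as downgraded and aborts with an illegal_parameter alert.
All records below are constructed sample input, not captures from github.com.
"""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43
# Sentinels from RFC 8446 4.1.3: "DOWNGRD\x01" (TLS 1.2), "DOWNGRD\x00" (TLS 1.1 or below)
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")
DOWNGRADE_TLS11 = bytes.fromhex("444f574e47524400")
VERSION_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", TLS12: "TLSv1.2", TLS13: "TLSv1.3"}


def build_server_hello(legacy_version, random32, cipher, selected=None):
    """Assemble one TLS record carrying a ServerHello (test-input helper).
    selected=None omits supported_versions, as a pre-1.3 server would."""
    assert len(random32) == 32
    body = struct.pack("!H", legacy_version) + random32
    body += b"\x00"                       # legacy_session_id_echo: empty
    body += struct.pack("!H", cipher)
    body += b"\x00"                       # legacy_compression_method: null
    exts = b""
    if selected is not None:
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return legacy_version, random, cipher and the effectively selected version."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[0:2])[0]
    random32 = body[2:34]
    pos = 35 + body[34]                   # skip legacy_session_id_echo
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                              # cipher suite + compression method
    exts = {}
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    # A TLS 1.3 server signals 1.3 only through supported_versions; the
    # legacy_version field always says 0x0303.
    selected = legacy_version
    if EXT_SUPPORTED_VERSIONS in exts:
        selected = struct.unpack("!H", exts[EXT_SUPPORTED_VERSIONS][:2])[0]
    return {"legacy_version": legacy_version, "random": random32,
            "cipher": cipher, "selected_version": selected}


def choose_client_version(hello, client_max=TLS13):
    """The client-side decision: accept the server's version or abort.
    Mirrors the downgrade test OpenSSL applies in ssl_choose_client_version()."""
    selected = hello["selected_version"]
    if selected > client_max:
        raise ValueError("unsupported protocol")
    tail = hello["random"][-8:]
    if client_max >= TLS13 and selected < TLS13 and tail == DOWNGRADE_TLS12:
        raise ValueError("inappropriate fallback")
    if client_max >= TLS12 and selected < TLS12 and tail == DOWNGRADE_TLS11:
        raise ValueError("inappropriate fallback")
    return selected


def classify(record, client_max=TLS13):
    """Human-readable outcome of the client's version choice."""
    try:
        return VERSION_NAMES[choose_client_version(parse_server_hello(record), client_max)]
    except ValueError as exc:
        return str(exc)


# Constructed samples.  The 0x11 / 0x22 fill stands in for real random bytes.
SAMPLE_TLS13 = build_server_hello(TLS12, bytes(24) + b"\x11" * 8, 0x1301, selected=TLS13)
SAMPLE_DOWNGRADED = build_server_hello(TLS12, bytes(24) + DOWNGRADE_TLS12, 0xC02F)
SAMPLE_TLS12_ONLY = build_server_hello(TLS12, bytes(24) + b"\x22" * 8, 0xC02F)

if __name__ == "__main__":
    for name, rec in [("1.3 negotiated", SAMPLE_TLS13),
                      ("1.2 with sentinel", SAMPLE_DOWNGRADED),
                      ("1.2 without sentinel", SAMPLE_TLS12_ONLY)]:
        print(f"{name:22} client max 1.3: {classify(rec):24} "
              f"client max 1.2: {classify(rec, TLS12)}")
```

The check only fires when the client offered TLS 1.3, which is why capping the client (curl's `--tls-max 1.2`, or `openssl s_client -tls1_2`) makes the same ServerHello acceptable: the sentinel is then ignored, as the last column of the output shows. The parser cannot tell whether the sentinel came from the server itself or from a TLS-intercepting middlebox that terminates the connection and speaks TLS 1.2 to the client; it only tells you that the peer claimed TLS 1.3 support while selecting a lower version. To pin a network test to one of the two addresses seen in the thread, curl's `--resolve github.com:443:192.30.253.112` (and `.113`) runs the same request against each back end separately.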