bird.network.cz HTTPS does not verify on some systems

Leon Meßner elon at physik.tu-berlin.de
Thu Aug 9 18:41:07 CEST 2018


On Thu, 9 Aug 2018 17:53:00 +0200
Ondrej Filip <feela at network.cz> wrote:

> On 9.8.2018 17:22, Leon Meßner wrote:
> > Hi,  
> 
> Hi!
> Thank you for the report. I believe the issue is fixed now.

Looks good.

Thank you,
Leon

> 
> 	Ondrej
> 
> > 
> > Lately, Debian 9 has had problems fetching the bird repository here. I
> > suppose this is because bird.network.cz does not send the Let's Encrypt
> > certificate and http redirects to https now. The output of openssl is
> > below [1]. If you run the same command against
> > helloworld.letsencrypt.org, it verifies correctly. I assume this is because
> > LE's cert is also sent. Using a web browser, bird.network.cz works because
> > of some magic.
> > 
> > Regards,
> > Leon
> > 
> > [1]:
> > openssl s_client -verify 5 -host bird.network.cz -port 443
> > 
> > CONNECTED(00000003)
> > ---
> > Certificate chain
> >  0 s:/CN=trubka.network.cz
> >    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > ---
> > Server certificate
> > subject=/CN=trubka.network.cz
> > issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA512
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 2227 bytes and written 269 bytes
> > Verification error: unable to verify the first certificate
> > ---
> > New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> > Server public key is 2048 bit
> > Secure Renegotiation IS supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> >     Session-ID: 48FBE690BAB54A4EF0BCF647D3EC40F771EF070B92B2ADA82BBC78495A0E28A9
> >     Session-ID-ctx: 
> >     Master-Key: 4BF3560B6E3542C49A2E40534746B31AB97C1751C195C6A453B6B3C5687AAD7B48DA17D20FA8D4765BD627095BB0AF93
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     TLS session ticket lifetime hint: 300 (seconds)
> > 
> >     Start Time: 1533827231
> >     Timeout   : 7200 (sec)
> >     Verify return code: 21 (unable to verify the first certificate)
> >     Extended master secret: yes
> > ---
> >   
> 
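As an added example, not code from this thread or the BIRD project, the following parses the "Certificate chain" block of openssl s_client output and lists the issuers the server should have sent but did not, which is exactly what produced "unable to verify the first certificate" above. Browsers usually mask this by fetching the intermediate from the certificate's AIA URL; openssl and apt do not. The two sample outputs are constructed (one mirroring the report, one assuming the 2018 Let's Encrypt Authority X3 / DST Root CA X3 chain), and TRUSTED_ROOTS is a stand-in for the system trust store.

```python
import re

# Constructed sample mirroring the report in this thread: only depth 0 sent.
BROKEN = """Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of a server that also sends its intermediate.
FIXED = """Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
"""

# Stand-in for the system trust store (assumption, not read from disk).
TRUSTED_ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs, subject = [], None
    for line in output.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1)
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and subject is not None:
            pairs.append((subject, m.group(1)))
            subject = None
    return pairs

def verify_return_code(output):
    """The numeric 'Verify return code' (0 means the chain verified)."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def missing_intermediates(output, roots=TRUSTED_ROOTS):
    """Issuers the server must supply but did not: a chain is complete only
    when every issuer is either another sent subject or a trusted root."""
    chain = parse_chain(output)
    sent = {subject for subject, _ in chain}
    return [issuer for _, issuer in chain if issuer not in sent and issuer not in roots]
```

Running it against live output (`openssl s_client -connect host:443 -servername host -showcerts < /dev/null`) flags the same gap before apt does.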