bird.network.cz HTTPS does not verify on some systems

Leon Meßner elon at physik.tu-berlin.de
Thu Aug 9 17:22:09 CEST 2018


Hi,

Lately, Debian 9 has had problems fetching the bird repository here. I
suppose this is because bird.network.cz does not send the Let's Encrypt
certificate and http redirects to https now. Output of openssl is
below[1]. If you run the same command against
helloworld.letsencrypt.org, it verifies correctly. I assume this is because LE's
cert is also sent. Using a web browser, bird.network.cz works because
of some magic.

Regards,
Leon

[1]:
openssl s_client -verify 5 -host bird.network.cz -port 443

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGHjCCBQagAwIBAgISBP4LGoUGP5l81RdhMqoieW+4MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA2MTQyMTAwMTNaFw0x
ODA5MTIyMTAwMTNaMBwxGjAYBgNVBAMTEXRydWJrYS5uZXR3b3JrLmN6MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs167eO/VgX3zZyKtlhObqnANKpxm
l+LTG1QX2KCyn3qJeNcicZ/M8PUs+69x+ZPfnIdxEwfZrzGg11yLvQnUAaoHpNve
Ro/iuO8uTM2r/Z8Ezc6UcFNrQwzll6kuSfGMnM4ybXwOHit3RGSRrwEDPWFBD/UO
982tn0P1TJur3Q4kR+V4xj9Fm6S7Y4dJin/CqjYVsj4W4adzKEpTVOEH/BGQ2IKJ
3ymQczLb2ubk7RfKBU/Q3srKCxlEi1J8Ywbs+4M2sdTVP0QUToIbfimS37XU3WNE
MEjaBpS1PY8vlqpvkk2wab2AYo6Ebv2CENbYEzKBAdyi3vHbfENgvnj5CQIDAQAB
o4IDKjCCAyYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSgPnFxv8QSbGhLofscEjTS
qCnvaTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMC0GA1UdEQQmMCSCD2JpcmQubmV0d29yay5jeoIRdHJ1YmthLm5ldHdv
cmsuY3owgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2
ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZABQNF0AAAQDAEcw
RQIgVcoX61l0XSOMCvzPBTv2u8cO7oyNBDj9IWku74NwngUCIQDedkTRbe3PCvaq
jM4xV3NFgawt6JIrtUzaiqaXNGegcgB2ANt0r+7LKeyx/so+cW0s5bmquzb3hHGD
x12dTze2H79kAAABZABQNIcAAAQDAEcwRQIgML48N4VM1PeN6diunYt/X6NQrHj2
2avg1yyONjos8IcCIQDtSVYatJVvikyZAO1Q4sc7hCfwg5Drs2+qRLXA2rI63zAN
BgkqhkiG9w0BAQsFAAOCAQEAJaWpxMV9a69QwxQEc28YMmi1ytMT0IOwBID0d5fv
kTOf8eRAiIePMPcvtX2sTw5WAxX5NeRteNioS6/UWiQxSUZgRig1XqVsYZIIZmyE
8m/YfLHtAsTH9OnP4tgx7Ys02xAqiexhvA2eL3Kv6VMcPng6UPZsqwuvhUh/bxEj
psPvNGkid+vsG7v7n1koY5qDhrNu2nSBsJlVSUP7VMmaZma7fE4iFJhOJWTh15v/
Z3Q2sp3tJA9an/TiNc8wLivntS9AoxsajltiSozfw67JjrVJH+bnCEQSJ9LFpPO3
jsrxaWvY/l0MnEfMxPt5riHpgyFT3nQ3KPZP6Ifrs3M7WA==
-----END CERTIFICATE-----
subject=/CN=trubka.network.cz
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2227 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 48FBE690BAB54A4EF0BCF647D3EC40F771EF070B92B2ADA82BBC78495A0E28A9
    Session-ID-ctx: 
    Master-Key: 4BF3560B6E3542C49A2E40534746B31AB97C1751C195C6A453B6B3C5687AAD7B48DA17D20FA8D4765BD627095BB0AF93
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 05 e6 6b 5b d2 a0 81 8d-e0 16 45 6f 44 d8 b0 86   ..k[......EoD...
    0010 - b6 d9 24 8b 5f e3 e9 24-74 3c 77 55 98 cc 1a cf   ..$._..$t<wU....
    0020 - 41 6e d3 41 48 c1 dc 8a-c9 b9 5c 67 e4 bb a0 bb   An.AH.....\g....
    0030 - 1f 64 10 48 14 1c 38 75-18 f7 33 2f 22 9e 3d eb   .d.H..8u..3/".=.
    0040 - 8d 7d aa e4 1b 7d d4 94-b1 ba d9 6c 1e d9 f5 0d   .}...}.....l....
    0050 - 5e af de 8f 33 31 b2 b0-fa 62 02 5b 9b c6 a0 a7   ^...31...b.[....
    0060 - f2 0b 7f d9 2e ae 24 b6-91 e6 62 5d 8d f6 c5 02   ......$...b]....
    0070 - 38 05 25 75 90 51 0a 0a-47 67 79 08 89 b1 dd 3a   8.%u.Q..Ggy....:
    0080 - 92 3c d5 9d b9 1a 38 34-12 d0 09 07 30 60 d6 0e   .<....84....0`..
    0090 - 5f f6 8a 04 10 11 94 29-75 99 94 2d eb 1f 7f 03   _......)u..-....
    00a0 - a9 fb 77 85 07 43 35 25-a1 de d4 d7 b3 50 b3 bb   ..w..C5%.....P..
    00b0 - 06 90 9d a0 49 02 64 0a-66 47 88 ac 38 10 a1 ea   ....I.d.fG..8...

    Start Time: 1533827231
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
---
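The failure shown above ("Verify return code: 21 (unable to verify the first certificate)") is what OpenSSL reports when the server presents only its leaf certificate and the client cannot find the leaf's issuer (here "Let's Encrypt Authority X3") in the handshake or in its local trust store. Browsers typically still succeed because they either already have the intermediate cached or fetch it from the certificate's AIA "CA Issuers" URL; apt, curl and openssl do not, so the server needs to serve the full chain (the leaf followed by the intermediate). The script below is an added example, not code from the original post or from the BIRD project: it reads `openssl s_client` output and reports whether the issuer of certificate 0 was sent as a later certificate in the chain. The two sample inputs are constructed; the first is the chain section from the output above, the second is a hypothetical complete chain for the same host.

```sh
#!/bin/sh
# Added example (not from the original post): check, from the output of
#   openssl s_client -connect HOST:443 -servername HOST < /dev/null
# whether the server sent a complete chain, i.e. whether the issuer of
# certificate 0 appears as the subject of some later certificate.
# Works with both the old "s:/CN=..." and the newer "s:CN = ..." formats,
# because subject and issuer strings are compared verbatim.
# Exit status: 0 = complete (or self-signed leaf), 1 = incomplete, 2 = no chain.
chain_complete() {
    awk '
        BEGIN { n = 0; inchain = 0 }
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---/         { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); issr[n] = $0; n++ }
        END {
            if (n == 0) { print "no certificate chain found"; exit 2 }
            if (issr[0] == subj[0]) { print "leaf is self-signed"; exit 0 }
            for (k = 1; k < n; k++)
                if (subj[k] == issr[0]) {
                    print "chain complete: issuer sent as cert " k
                    exit 0
                }
            print "chain incomplete: server did not send \"" issr[0] "\""
            exit 1
        }'
}

# Constructed sample 1: the chain section as posted above (leaf only).
INCOMPLETE_CHAIN=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
EOF
)

# Constructed sample 2: what a correctly configured server would send
# (hypothetical; leaf followed by the Let's Encrypt intermediate).
COMPLETE_CHAIN=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
EOF
)

# Stand-alone demo: print the verdict for both samples.
printf '%s\n' "$INCOMPLETE_CHAIN" | chain_complete || true
printf '%s\n' "$COMPLETE_CHAIN" | chain_complete || true
```

To use it against a live host, pipe real output in: `openssl s_client -connect bird.network.cz:443 -servername bird.network.cz </dev/null 2>/dev/null | chain_complete`. A "chain incomplete" verdict points at the server configuration (for Let's Encrypt deployments, typically serving `cert.pem` instead of `fullchain.pem`), not at the client.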


More information about the Bird-users mailing list