bird.network.cz HTTPS does not verify on some systems

Ondrej Filip feela at network.cz
Thu Aug 9 17:53:00 CEST 2018


On 9.8.2018 17:22, Leon Meßner wrote:
> Hi,

Hi!
Thank you for the report. I believe the issue is fixed now.

	Ondrej

> 
> lately Debian 9 has had problems fetching the bird repository here. I
> suppose this is because bird.network.cz does not send the Let's Encrypt
> certificate and http redirects to https now. Output of openssl is
> below[1]. If you run the same command against
> helloworld.letsencrypt.org it verifies correctly. I assume this is because LE's
> cert is also sent. Using a web browser, bird.network.cz works because
> of some magic.
> 
> Regards,
> Leon
> 
> [1]:
> openssl s_client -verify 5 -host bird.network.cz -port 443
> 
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/CN=trubka.network.cz
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGHjCCBQagAwIBAgISBP4LGoUGP5l81RdhMqoieW+4MA0GCSqGSIb3DQEBCwUA
> MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
> ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA2MTQyMTAwMTNaFw0x
> ODA5MTIyMTAwMTNaMBwxGjAYBgNVBAMTEXRydWJrYS5uZXR3b3JrLmN6MIIBIjAN
> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs167eO/VgX3zZyKtlhObqnANKpxm
> l+LTG1QX2KCyn3qJeNcicZ/M8PUs+69x+ZPfnIdxEwfZrzGg11yLvQnUAaoHpNve
> Ro/iuO8uTM2r/Z8Ezc6UcFNrQwzll6kuSfGMnM4ybXwOHit3RGSRrwEDPWFBD/UO
> 982tn0P1TJur3Q4kR+V4xj9Fm6S7Y4dJin/CqjYVsj4W4adzKEpTVOEH/BGQ2IKJ
> 3ymQczLb2ubk7RfKBU/Q3srKCxlEi1J8Ywbs+4M2sdTVP0QUToIbfimS37XU3WNE
> MEjaBpS1PY8vlqpvkk2wab2AYo6Ebv2CENbYEzKBAdyi3vHbfENgvnj5CQIDAQAB
> o4IDKjCCAyYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
> BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSgPnFxv8QSbGhLofscEjTS
> qCnvaTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
> AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
> dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
> dC5vcmcvMC0GA1UdEQQmMCSCD2JpcmQubmV0d29yay5jeoIRdHJ1YmthLm5ldHdv
> cmsuY3owgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
> MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
> BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
> cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
> dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
> bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2
> ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZABQNF0AAAQDAEcw
> RQIgVcoX61l0XSOMCvzPBTv2u8cO7oyNBDj9IWku74NwngUCIQDedkTRbe3PCvaq
> jM4xV3NFgawt6JIrtUzaiqaXNGegcgB2ANt0r+7LKeyx/so+cW0s5bmquzb3hHGD
> x12dTze2H79kAAABZABQNIcAAAQDAEcwRQIgML48N4VM1PeN6diunYt/X6NQrHj2
> 2avg1yyONjos8IcCIQDtSVYatJVvikyZAO1Q4sc7hCfwg5Drs2+qRLXA2rI63zAN
> BgkqhkiG9w0BAQsFAAOCAQEAJaWpxMV9a69QwxQEc28YMmi1ytMT0IOwBID0d5fv
> kTOf8eRAiIePMPcvtX2sTw5WAxX5NeRteNioS6/UWiQxSUZgRig1XqVsYZIIZmyE
> 8m/YfLHtAsTH9OnP4tgx7Ys02xAqiexhvA2eL3Kv6VMcPng6UPZsqwuvhUh/bxEj
> psPvNGkid+vsG7v7n1koY5qDhrNu2nSBsJlVSUP7VMmaZma7fE4iFJhOJWTh15v/
> Z3Q2sp3tJA9an/TiNc8wLivntS9AoxsajltiSozfw67JjrVJH+bnCEQSJ9LFpPO3
> jsrxaWvY/l0MnEfMxPt5riHpgyFT3nQ3KPZP6Ifrs3M7WA==
> -----END CERTIFICATE-----
> subject=/CN=trubka.network.cz
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2227 bytes and written 269 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: 48FBE690BAB54A4EF0BCF647D3EC40F771EF070B92B2ADA82BBC78495A0E28A9
>     Session-ID-ctx: 
>     Master-Key: 4BF3560B6E3542C49A2E40534746B31AB97C1751C195C6A453B6B3C5687AAD7B48DA17D20FA8D4765BD627095BB0AF93
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - 05 e6 6b 5b d2 a0 81 8d-e0 16 45 6f 44 d8 b0 86   ..k[......EoD...
>     0010 - b6 d9 24 8b 5f e3 e9 24-74 3c 77 55 98 cc 1a cf   ..$._..$t<wU....
>     0020 - 41 6e d3 41 48 c1 dc 8a-c9 b9 5c 67 e4 bb a0 bb   An.AH.....\g....
>     0030 - 1f 64 10 48 14 1c 38 75-18 f7 33 2f 22 9e 3d eb   .d.H..8u..3/".=.
>     0040 - 8d 7d aa e4 1b 7d d4 94-b1 ba d9 6c 1e d9 f5 0d   .}...}.....l....
>     0050 - 5e af de 8f 33 31 b2 b0-fa 62 02 5b 9b c6 a0 a7   ^...31...b.[....
>     0060 - f2 0b 7f d9 2e ae 24 b6-91 e6 62 5d 8d f6 c5 02   ......$...b]....
>     0070 - 38 05 25 75 90 51 0a 0a-47 67 79 08 89 b1 dd 3a   8.%u.Q..Ggy....:
>     0080 - 92 3c d5 9d b9 1a 38 34-12 d0 09 07 30 60 d6 0e   .<....84....0`..
>     0090 - 5f f6 8a 04 10 11 94 29-75 99 94 2d eb 1f 7f 03   _......)u..-....
>     00a0 - a9 fb 77 85 07 43 35 25-a1 de d4 d7 b3 50 b3 bb   ..w..C5%.....P..
>     00b0 - 06 90 9d a0 49 02 64 0a-66 47 88 ac 38 10 a1 ea   ....I.d.fG..8...
> 
>     Start Time: 1533827231
>     Timeout   : 7200 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>     Extended master secret: yes
> ---
> 
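The transcript above shows the classic symptom of a server that sends only its leaf certificate: the "Certificate chain" block has a single entry whose issuer (Let's Encrypt Authority X3) is not served and is not a root in the local store, so openssl stops with return code 21. Browsers paper over this by fetching the intermediate from the certificate's AIA URL, which is the "magic" Leon mentions; apt, curl and most libraries do not. The following script is an added example, not code from this thread or from the BIRD project: it parses an `openssl s_client` transcript (the two embedded samples are constructed, the first from the report above and the second showing the same server once it also serves the intermediate), checks that each certificate is followed by its issuer, and reports which issuer the server failed to send. The set of trusted root subjects is an assumption standing in for the system trust store.

```python
"""Check whether an `openssl s_client` transcript shows a complete certificate chain.

Usage: openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | python3 check_chain.py
With no piped input it runs against the two constructed samples below.
"""
import re
import sys

# Constructed sample 1: the relevant lines of the transcript in the report above,
# where the server sends only the leaf certificate.
INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample 2: what the same server shows once it also serves the
# Let's Encrypt intermediate, which is issued by a root in the local trust store.
COMPLETE_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=trubka.network.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
    Verify return code: 0 (ok)
"""

# Assumed local trust anchors (subject DNs), standing in for /etc/ssl/certs.
TRUSTED_ROOT_SUBJECTS = {
    "/O=Digital Signature Trust Co./CN=DST Root CA X3",
}


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    certs = []
    in_chain = False
    subject = None
    for line in transcript.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if stripped == "---":          # end of the chain block
            break
        m = re.match(r"\d+\s+s:(.*)$", stripped)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"i:(.*)$", stripped)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def verify_return_code(transcript):
    """Extract openssl's numeric verify result (21 = unable to verify the first certificate)."""
    m = re.search(r"Verify return code:\s*(\d+)", transcript)
    return int(m.group(1)) if m else None


def missing_issuers(certs, trusted_roots=TRUSTED_ROOT_SUBJECTS):
    """Issuer DNs that neither the served chain nor the trust anchors provide.

    Each certificate must be followed by its issuer unless it is self-signed or
    issued directly by a trusted root. Anything else is a certificate the server
    should have sent, typically the CA's intermediate.
    """
    missing = []
    for idx, (subject, issuer) in enumerate(certs):
        if subject == issuer or issuer in trusted_roots:
            continue
        nxt = certs[idx + 1][0] if idx + 1 < len(certs) else None
        if nxt != issuer:
            missing.append(issuer)
    return missing


def diagnose(transcript):
    """Return (ok, message) describing the served chain."""
    certs = parse_chain(transcript)
    if not certs:
        return False, "no 'Certificate chain' block found"
    gaps = missing_issuers(certs)
    code = verify_return_code(transcript)
    if gaps:
        suffix = f" (verify return code {code})" if code is not None else ""
        return False, "server did not send: " + "; ".join(gaps) + suffix
    if code not in (None, 0):
        return False, f"chain looks complete but openssl reported verify return code {code}"
    return True, f"{len(certs)} certificate(s) served, chain links to a trusted root"


if __name__ == "__main__":
    piped = None if sys.stdin.isatty() else sys.stdin.read()
    samples = [("stdin", piped)] if piped else [("incomplete", INCOMPLETE_CHAIN), ("complete", COMPLETE_CHAIN)]
    for name, text in samples:
        ok, msg = diagnose(text)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {msg}")
```

On the server side the fix is the one Ondrej applied: serve the leaf together with the intermediate (for Let's Encrypt, the `fullchain.pem` that certbot writes, not `cert.pem`) so clients without AIA chasing can build the path themselves.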



More information about the Bird-users mailing list