[Pkg-privacy-maintainers] DMD: TLS connection issues result in wrong information
Paul Wise
pabs at debian.org
Sun Jun 30 09:27:35 BST 2019
On Sun, Jun 30, 2019 at 3:42 PM Ulrike Uhlig wrote:
> Do you know why this is happening and what to do about it?
> It seems to me that the machine on which DMD runs is hosted at a US
> university [2]. Do you think it might be due to that? And if so, how can
> this be mitigated? Can this service run on a non-filtered network?
I did some experimentation on ullman (you have access too btw). I used
tcptraceroute, wget, curl --resolve and openssl s_client -servername.
The keyringer.pw issue is "No route to host" and occurs in every
network I tried it from.
The 0xacab.org site works from ullman, other UBC hosts and other
networks, perhaps that was a temporary issue.
The torproject.org issue happens over IPv4 and IPv6. The issue happens
on other hosts at UBC too (buxtehude for eg). The issue occurs with
https but not with http. The issue doesn't occur if I connect to
torproject.org servers but fake TLS SNI as google.com, microsoft.com,
apple.com or nytimes.com, but does if I use debian.org or
torproject.org or slashdot.org or random domains. The issue doesn't
occur if I connect to the Debian website servers, but does if I use a
TLS SNI of torproject.org and doesn't with slashdot.org or random
domains. The issue doesn't occur if I connect to the Google website
servers, even if I use a TLS SNI of torproject.org. So it seems there
is some sort of list of IPs and SNIs that are allowed and blocked.
I'd suggest you confirm this diagnosis and file a ticket with DSA
about this issue containing the details and we will forward the issue
to our contacts at UBC.
https://wiki.debian.org/rt.debian.org
--
bye,
pabs
https://wiki.debian.org/PaulWise
More information about the Pkg-privacy-maintainers
mailing list