In a google compute node, when I run this command curl -v https://www1.nseindia.com/, the command gets stuck immediately after the TLS handshake.
* Expire in 50 ms for 1 (transfer 0x562c94210f50)
* Trying 23.199.139.58...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x562c94210f50)
* Connected to www1.nseindia.com (23.199.139.58) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IN; ST=Maharashtra; L=Mumbai; O=National Stock Exchange of India Ltd.; CN=www.nseindia.com
* start date: Sep 2 00:00:00 2020 GMT
* expire date: Dec 12 12:00:00 2020 GMT
* subjectAltName: host "www1.nseindia.com" matched cert's "www1.nseindia.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www1.nseindia.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
The tshark clearly indicates that the TLS handshake had completed, and the curl client did send the HTTP GET request, after which there is no response from the server.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens4'
1 0.000000000 10.148.0.2 → 23.199.139.58 TCP 74 51830 → 443 [SYN] Seq=0 Win=65320 Len=0 MSS=1420 SACK_PERM=1 TSval=2896975156 TSecr=0 WS=128
2 0.014462698 23.199.139.58 → 10.148.0.2 TCP 74 443 → 51830 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=979210844 TSecr=2896975156 WS=12
8
3 0.014506462 10.148.0.2 → 23.199.139.58 TCP 66 51830 → 443 [ACK] Seq=1 Ack=1 Win=65408 Len=0 TSval=2896975170 TSecr=979210844
4 0.015855789 10.148.0.2 → 23.199.139.58 TLSv1 583 Client Hello
5 0.029133295 23.199.139.58 → 10.148.0.2 TCP 66 443 → 51830 [ACK] Seq=1 Ack=518 Win=30080 Len=0 TSval=979210859 TSecr=2896975171
6 0.029490908 23.199.139.58 → 10.148.0.2 TLSv1.3 4162 Server Hello, Change Cipher Spec, Application Data
7 0.029515497 10.148.0.2 → 23.199.139.58 TCP 66 51830 → 443 [ACK] Seq=518 Ack=4097 Win=62848 Len=0 TSval=2896975185 TSecr=979210859
8 0.031222072 23.199.139.58 → 10.148.0.2 TCP 1474 443 → 51830 [ACK] Seq=4097 Ack=518 Win=30080 Len=1408 TSval=979210861 TSecr=2896975171 [TCP segment of a rea
ssembled PDU]
9 0.031238234 10.148.0.2 → 23.199.139.58 TCP 66 51830 → 443 [ACK] Seq=518 Ack=5505 Win=64128 Len=0 TSval=2896975187 TSecr=979210861
10 0.042769026 23.199.139.58 → 10.148.0.2 TLSv1.3 858 Application Data, Application Data, Application Data
11 0.042797990 10.148.0.2 → 23.199.139.58 TCP 66 51830 → 443 [ACK] Seq=518 Ack=6297 Win=64128 Len=0 TSval=2896975198 TSecr=979210872
12 0.043898975 10.148.0.2 → 23.199.139.58 TLSv1.3 146 Change Cipher Spec, Application Data
13 0.044187939 10.148.0.2 → 23.199.139.58 TLSv1.3 169 Application Data
14 0.057149099 23.199.139.58 → 10.148.0.2 TLSv1.3 353 Application Data
15 0.057313736 23.199.139.58 → 10.148.0.2 TLSv1.3 353 Application Data
16 0.057462731 10.148.0.2 → 23.199.139.58 TCP 66 51830 → 443 [ACK] Seq=701 Ack=6871 Win=64128 Len=0 TSval=2896975213 TSecr=979210887
17 0.274408940 10.148.0.2 → 23.199.139.58 TCP 169 [TCP Retransmission] 51830 → 443 [PSH, ACK] Seq=598 Ack=6871 Win=64128 Len=103 TSval=2896975430 TSecr=9792108
87
18 0.494346208 10.148.0.2 → 23.199.139.58 TCP 169 [TCP Retransmission] 51830 → 443 [PSH, ACK] Seq=598 Ack=6871 Win=64128 Len=103 TSval=2896975650 TSecr=9792108
87
19 0.938332610 10.148.0.2 → 23.199.139.58 TCP 169 [TCP Retransmission] 51830 → 443 [PSH, ACK] Seq=598 Ack=6871 Win=64128 Len=103 TSval=2896976094 TSecr=9792108
87
20 1.834328400 10.148.0.2 → 23.199.139.58 TCP 169 [TCP Retransmission] 51830 → 443 [PSH, ACK] Seq=598 Ack=6871 Win=64128 Len=103 TSval=2896976990 TSecr=9792108
After kill the curl client, I can also see a [FIN, ACK], but while the client is stuck there is no ingress response from the server.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
We can rule out the below logs which come from curl, because I have tried a GET on another site which support only HTTP1.1 with TLS1.2 and it worked and logged the same lines as well. This issue is only happening for this one site, i.e. https://www1.nseindia.com/ and is working fine for all the other sites which I have tried.
My questions are:
Why the communication channel is not working after the TLS handshake? If it was an issue with the firewall, my expectation was that the TLS channel would never get establised.
What is the root cause of the curl command to this site not working?
How can I get the curl command to this site working?
Note:
This is working fine on every other non-google compute node which I have tested on.
I really hope this is just a firewall issue. Do ask for more details if that can help anyone answer this.
I have performed some curl test from different environments, but the result is always the same, the curl stuck without response.
I have tried from GCP (windows and linux), ubuntu PC, Windows PC, also ask for a test with a friend of mine far from my end, and the result was the same.
So, according to your first question; it makes me think that there is something on the url host, that after a TLS handshake is completed; "blocks" or "stops" the communication.
I'm not pretty sure if could it be the certificate or the server itself. If is it possible, could you please share a curl when it shows that the test was completed? Also it would be helpful if share the location of the test.
Your second and third question is that should it being working just performing the curl, let me review if I can think in another test or something that could help us to find the answers.
#blueboy1115
Thanks a lot for checking this.
Based on your testing, I guess you're right, and the server is blocking the communication if the IP is not based probably in India. My google cloud instances are not from India, because the google cloud doesn't have any resources to allocate for a new instance in India.
This site is accessible on any browser and python scripts which I run on my laptop in India. But the same python scripts get stuck when I execute on the google VM instance hosted in America, Singapore and Sydney.
In the google instance:
When I change the URL from https://www1.nseindia.com/ to https://www.nseindia.com/, then the request becomes HTTP2, and fails gracefully.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e45a305f50)
> GET / HTTP/2
> Host: www.nseindia.com
> User-Agent: curl/7.64.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 403
< server: AkamaiGHost
< mime-version: 1.0
< content-type: text/html
< content-length: 265
< expires: Thu, 01 Oct 2020 05:10:13 GMT
< date: Thu, 01 Oct 2020 05:10:13 GMT
<
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>
You don't have permission to access "http://www.nseindia.com/" on this server.<P>
Reference #18.5a0a0f17.1601529013.19fc9a7
</BODY>
</HTML>
-In my Windows laptop in India
Interestingly on my Windows laptop on Indian ISP, where the site is working on the browser, and accessible on python scripts with the urllib library, the curl command fails for both www1.nseindia.com and www.nseindia.com after a timeout, and both attempt http1.1 because my Windows curl doesn't support HTTP2.
I have concluded that the server supports only HTTP2 and rejects IP address which are not hosted in India after the TLS handshake. This is the reason why it's working on my local laptop, via browser and via python with urllib.
If anyone has any other conclusions please do share.
From the results/logs posted it looks like the hosting server irrespective of the platform (gcp, etc..) the requests sent are being accepted / rejected basis on the region, generally this is done to prevent data/web scraping & this may be one of the security mechanism implemented at the remote server side(nseindia). That would be the reason curl -v https://www1.nseindia.com is going into the stale session after the TLS Handshake is done.
In my case I had to disable ipv6 on the proxying server, e.g. on Ubuntu:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1
Related
I have an HTTP service running in Cloud Run that I have mapped to Firebase Hosting using a wildcard to send all routes to the service.
// firebase.json
{
"hosting": [
{
"site": "mysite",
"rewrites": [
{
"source": "/**",
"run": {
"serviceId": "myservice",
"region": "europe-west2"
}
}
]
}
]
}
Update: I've also tried "source": "**" and config with or without the default static hosting using "public": "public" and the result is the same. The CDN appears to cache all content from Cloud Run by default.
The documentation for Firebase Hosting says: (bold my emphasis)
Any requested static content is automatically cached on the CDN. If you redeploy your site's content, Firebase Hosting automatically clears all your cached static content across the CDN until the next request.
However, because Cloud Functions and Cloud Run services generate content dynamically, the content for a given URL can vary based on such things as user input or the user's identity. To account for this, requests that are handled by backend code do not cache on the CDN by default.
However, within the browser developer Network tab I see cache hits (screenshot below):
Note the server: Google Frontend with x-cache: Hit indicating that the CDN served the content. I can confirm there are no Cloud Run logs for subsequent HTTP GET requests.
I've seen other articles online (one on medium) that says the opposite, that by default caching is enabled.
Is the Google documentation currently up to date? If so, what have I missed? I should mention that my HTTP service uses __session cookies for some routes. The example above was before any signin took place, so no cookies were sent from the browser.
I've also tested this using curl and I also get the same result:
> GET / HTTP/2
> Host: myhost
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/html; charset=utf-8
< server: Google Frontend
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 13:17:19 GMT
< x-served-by: cache-lhr7335-LHR
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1633353439.260200,VS0,VE1
< vary: x-fh-requested-host, accept-encoding
< content-length: 11949
<
Hello world example
package main
import (
"fmt"
"log"
"net/http"
"os"
"time"
)
func main() {
log.Print("starting server...")
http.HandleFunc("/", handler)
port := os.Getenv("PORT")
if port == "" {
port = "8080"
log.Printf("defaulting to port %s", port)
}
// Start HTTP server.
log.Printf("listening on port %s", port)
if err := http.ListenAndServe(":"+port, nil); err != nil {
log.Fatal(err)
}
}
func handler(w http.ResponseWriter, r *http.Request) {
fmt.Fprintf(w, "The time now is %s\n", time.Now())
}
FROM golang:1.17.1-alpine as builder
LABEL stage=builder
WORKDIR /app
COPY . .
RUN go build .
FROM alpine:latest
RUN apk --no-cache add tzdata
RUN mkdir -p /app/bin
WORKDIR /app
COPY --from=builder /app/helloworld ./bin
CMD ["/app/bin/helloworld"]
firebase.json
{
"hosting": {
"public": "public",
"ignore": [
"firebase.json",
"**/.*",
"**/node_modules/**"
],
"rewrites": [{
"source": "**",
"run": {
"serviceId": "helloworld"
}
}]
}
}
Curl output
CALLING CLOUD RUN DIRECTLY
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://helloworld-q2ftkxvbva-uc.a.run.app/
* Trying 216.239.36.53:443...
* TCP_NODELAY set
* Connected to helloworld-q2ftkxvbva-uc.a.run.app (216.239.36.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.a.run.app
* start date: Sep 13 01:08:45 2021 GMT
* expire date: Nov 20 01:08:44 2021 GMT
* subjectAltName: host "helloworld-q2ftkxvbva-uc.a.run.app" matched cert's "*.a.run.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55718a90ae10)
> GET / HTTP/2
> Host: helloworld-q2ftkxvbva-uc.a.run.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< x-cloud-trace-context: 4844f53bed45b95ba5c11f3873217904;o=1
< date: Mon, 04 Oct 2021 15:31:40 GMT
< server: Google Frontend
< content-length: 74
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
The time now is 2021-10-04 15:31:40.017735277 +0000 UTC m=+1034.166310273
* Connection #0 to host helloworld-q2ftkxvbva-uc.a.run.app left intact
CALLING CLOUD RUN VIA FIREBASE HOSTING (1st time Cache MISS)
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://test-to-be-removed-c02e2.web.app/helloworld
* Trying 199.36.158.100:443...
* TCP_NODELAY set
* Connected to test-to-be-removed-c02e2.web.app (199.36.158.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=web.app
* start date: Sep 20 20:09:34 2021 GMT
* expire date: Dec 19 20:09:33 2021 GMT
* subjectAltName: host "test-to-be-removed-c02e2.web.app" matched cert's "*.web.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ca2e032e10)
> GET /helloworld HTTP/2
> Host: test-to-be-removed-c02e2.web.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< server: Google Frontend
< x-cloud-trace-context: b62eb4e97a7e8dbd22b1958616455f27;o=1
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 15:32:12 GMT
< x-served-by: cache-lhr7331-LHR
< x-cache: MISS
< x-cache-hits: 0
< x-timer: S1633361532.898050,VS0,VE234
< vary: x-fh-requested-host, accept-encoding
< content-length: 73
<
The time now is 2021-10-04 15:32:12.06951937 +0000 UTC m=+1066.218094364
* Connection #0 to host test-to-be-removed-c02e2.web.app left intact
CALLING CLOUD RUN VIA FIREBASE HOSTING (2nd time unexpected Cache HIT)
andy#oak:~/projects/test-to-be-removed/public$ curl -v https://test-to-be-removed-c02e2.web.app/helloworld
* Trying 199.36.158.100:443...
* TCP_NODELAY set
* Connected to test-to-be-removed-c02e2.web.app (199.36.158.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=web.app
* start date: Sep 20 20:09:34 2021 GMT
* expire date: Dec 19 20:09:33 2021 GMT
* subjectAltName: host "test-to-be-removed-c02e2.web.app" matched cert's "*.web.app"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1D4
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562f5255ae10)
> GET /helloworld HTTP/2
> Host: test-to-be-removed-c02e2.web.app
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< server: Google Frontend
< x-cloud-trace-context: b62eb4e97a7e8dbd22b1958616455f27;o=1
< x-country-code: GB
< accept-ranges: bytes
< date: Mon, 04 Oct 2021 15:32:14 GMT
< x-served-by: cache-lhr7371-LHR
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1633361534.332609,VS0,VE1
< vary: x-fh-requested-host, accept-encoding
< content-length: 73
<
The time now is 2021-10-04 15:32:12.06951937 +0000 UTC m=+1066.218094364
* Connection #0 to host test-to-be-removed-c02e2.web.app left intact
I am trying to implement mTLS between two services. I am using hashicorp vault to manage certs (CA, clients and servers). After deploying the server using istio gateway with secret generated from respective certs. I am trying to access that server using curl. But I am getting the error:
#pemFiles is chain of root and intermediate CA
curl -vvv -HHost:<some-host> --resolve "<some-host>:443:<istio-gateway-ip>" --cacert pemFiles --cert client.crt --key client.key "https://<istio-gateway-ip>:443/" -Lk
* Added <some-host>:443:<istio-gateway-ip> to DNS cache
* Hostname <some-host> was found in DNS cache
* Trying <istio-gateway>:443...
* Connected to <some-host> (<istio-gateway-ip>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: pemFiles
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=5402476c-df7d-44bc-9c1b-b0a6afb931d7
* start date: Sep 23 21:28:29 2021 GMT
* expire date: Oct 25 21:28:58 2021 GMT
* issuer: CN=<our-domain>
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x293ec1a2fb0)
> GET / HTTP/2
> Host:<some-host>
> user-agent: curl/7.75.0
> accept: */*
>
* OpenSSL SSL_read: Connection was aborted, errno 10053
* Failed receiving HTTP2 data
* OpenSSL SSL_write: Connection was aborted, errno 10053
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: Connection was aborted, errno 10053
When I use the same steps with certs generated manually using OpenSSL, I am not getting any such issue.
When I pass the "--http2" with curl command:
TLSv1.3 (IN), TLS alert, unknown CA (560):
* OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host <some-host> left intact
curl: (56) OpenSSL SSL_read: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca, errno 0
A workaround found by OP, in the comments.
The issue was with OP's cert-manager. As a workaround use root CA cert instead of intermediate CA.
I would like to try HTTP/2 on this site: https://www.alebalweb-blog.com/
I recently updated the server to Ubuntu 18.04 with PHP 7.2, Apache/2.4.29, etc,etc
I did: sudo a2enmod http2
Added:
#HTTP/2
Protocols h2 h2c http/1.1
In my VirtualHost SSL.
and restarted Apache.
The SSL certificate is provided by Let's Encrypt.
The result is:
curl -k -v --http2 https://alebalweb-blog.com
* Rebuilt URL to: https://alebalweb-blog.com/
* Trying 45.76.70.142...
* TCP_NODELAY set
* Connected to alebalweb-blog.com (45.76.70.142) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=alebalweb-blog.com
* start date: Jul 7 02:02:06 2018 GMT
* expire date: Oct 5 02:02:06 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: alebalweb-blog.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 13 Jul 2018 21:51:22 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Upgrade: h2,h2c
< Connection: Upgrade
< Cache-Control: max-age=300
< Expires: Fri, 13 Jul 2018 21:56:22 GMT
< Vary: Accept-Encoding,User-Agent
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
Really strange I think is this:
Upgrade: h2,h2c
Connection: Upgrade
What does it mean?
HTTP/2 Test says:
HTTP/2 Test Result www.alebalweb-blog.com
Negative! www.alebalweb-blog.com does not support HTTP/2.0.
ALPN is not supported.
I feel like I missed something big... can you help me understand what?
I think I solved by switching to PHP-FPM
I used these codes:
apachectl stop
apt-get install php7.1-fpm # Install the php-fpm from your PHP repository. This package name depends on the vendor.
a2enmod proxy_fcgi setenvif
a2enconf php7.1-fpm # Again, this depends on your PHP vendor.
a2dismod php7.1 # This disables mod_php.
a2dismod mpm_prefork # This disables the prefork MPM. Only one MPM can run at a time.
a2enmod mpm_event # Enable event MPM. You could also enable mpm_worker.
apachectl start
from this guide: https://http2.pro/doc/Apache
and this guide: https://techwombat.com/enable-http2-apache-ubuntu-16-04/
and added "Protocols h2 h2c http/1.1" at the end of /etc/apache2/apache2.conf
Now the command curl -k -v --http2 https://alebalweb-blog.com reports this:
curl -k -v --http2 https://alebalweb-blog.com
* Rebuilt URL to: https://alebalweb-blog.com/
* Trying 45.76.70.142...
* TCP_NODELAY set
* Connected to alebalweb-blog.com (45.76.70.142) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=alebalweb-blog.com
* start date: Jul 7 02:02:06 2018 GMT
* expire date: Oct 5 02:02:06 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x556ec5957940)
> GET / HTTP/2
> Host: alebalweb-blog.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Thu, 19 Jul 2018 20:21:38 GMT
< server: Apache/2.4.34 (Ubuntu)
< cache-control: max-age=300
< expires: Thu, 19 Jul 2018 20:26:38 GMT
< vary: Accept-Encoding,User-Agent
< content-type: text/html; charset=UTF-8
Above all you notice this changes: ALPN, server accepted to use h2, and HTTP/2 200
The site https://tools.keycdn.com/http2-test, says:
Yeah! www.alebalweb-blog.com supports HTTP/2.0.
ALPN supported.
And the development tools of opera and chrome indicate: h2
I only have one last doubt, in Google Webmaster tools, fetching the page as Google, I see this:
HTTP/1.1 200 OK
Date: Thu, 19 Jul 2018 20:35:35 GMT
Server: Apache/2.4.34 (Ubuntu)
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Cache-Control: max-age=300
Expires: Thu, 19 Jul 2018 20:40:35 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=UTF-8
Content-Length: 41422
Keep-Alive: timeout=5, max=100
I missing something? Or maybe need time?
I am integrating PayPal Express Checkout in the Sandbox using SOAP XML. SetExpressCheckout was working properly using a signature for credentials on 9/18/2013. I made no changes to my code or to the web server. I did begin work on Callback using NVP, since no SOAP version of Callback is available. The next day, SetExpressCheckout stopped working. I now get the following error: "80072f0c A certificate is required to complete client authentication" when trying to post to https://api-3t.sandbox.paypal.com/2.0/
Question 1: Could trying to use NVP Callback have caused PayPal's API server to now require a client certificate rather that a signature?
Question 2: Is there some other explanation for this change in behavior?
Question 3: Should I remove the signature from my sandbox account and request an API certificate instead? (Despite PayPal's recommendation that signatures be used rather than certificates.)
Note: I have tried using my own sandbox signature as well as the generic, "always works", sandbox signature. I have also tried posting to both api-3t.sandbox.paypal.com/2.0/ and api.sandbox.paypal.com/2.0/ (without -3t). None of these efforts eliminated the error.
Thanks, Chris H
are you still seeing this issue?
I am unable to reproduce it even using the IP you got back from nslookup.
Here my test with 23.51.43.42. I'm having the same positive result with 23.50.75.42
curl \
-H "Host: api-3t.sandbox.paypal.com" \
-d "USER=guus_1192700083_biz_api1.paypal.com&PWD=XXXXXXXXXX&SIGNATURE=XXXXXXXXXX&VERSION=108&METHOD=SetExpressCheckout&RETURNURL=http://www.paypal.com&CANCELURL=http://www.paypal.com&AMT=0.01&PAYMENTACTION=Authorization" \
https://23.51.43.42/nvp -kv
* About to connect() to 23.51.43.42 port 443 (#0)
* Trying 23.51.43.42...
* 0x8001f188 is at send pipe head!
* STATE: CONNECT => WAITCONNECT handle 0x80057568; line 1032 (connection #0)
* Connected to 23.51.43.42 (23.51.43.42) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* STATE: WAITCONNECT => PROTOCONNECT handle 0x80057568; line 1145 (connection #0)
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=CALIFORNIA; L=San Jose; O=PayPal, Inc.; OU=Partner Support; CN=api-3t.sandbox.paypal.com
* start date: 2013-08-20 00:00:00 GMT
* expire date: 2015-08-21 23:59:59 GMT
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
* SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x80057568; line 1164 (connection #0)
> POST /nvp HTTP/1.1
> User-Agent: curl/7.29.0
> Accept: */*
> Host: api-3t.sandbox.paypal.com
> Content-Length: 261
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 261 out of 261 bytes
* STATE: DO => DO_DONE handle 0x80057568; line 1236 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x80057568; line 1352 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x80057568; line 1363 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: Apache
< Content-Length: 133
< Content-Type: text/plain; charset=utf-8
< DC: origin2-api-3t.sandbox.paypal.com
< Date: Thu, 03 Oct 2013 20:07:10 GMT
< Connection: keep-alive
< Set-Cookie: DC=origin2-api-3t.sandbox.paypal.com; secure
<
* STATE: PERFORM => DONE handle 0x80057568; line 1533 (connection #0)
* Connection #0 to host 23.51.43.42 left intact
TOKEN=EC%2d03T72513NN7526924&TIMESTAMP=2013%2d10%2d03T20%3a07%3a10Z&CORRELATIONID=4776c1624af4e&ACK=Success&VERSION=108&BUILD=7920936
Two days ago, something broke with our paypal integration. Unfortunately, trying to contact paypal support has proven to be of no help (no reply in 2 days), so I'll try my luck, here.
Requesting the token (curl https://api.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "****:****" -d "grant_type=client_credentials") started ALWAYS returning an empty response and well, a 500 error.
Note that the same works just fine with api.sandbox.paypal.com and sandbox credentials.
I double checked our credentials and they are fine. Note as well, that it doesn't matter what credentials I use, it always returns the same - 500.
Here's the output of curl ... -v; looks like you have an internal server error, as the 500 shows:
* About to connect() to api.paypal.com port 443 (#0)
* Trying 173.0.88.98...
* connected
* Connected to api.paypal.com (173.0.88.98) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api.paypal.com
* start date: 201
* expire date: 201
* subjectAltName: api.paypal.com matched
* issuer: C=U
* SSL certificate verify ok.
* Server auth using Basic with user '****'
> POST /v1/oauth2/token HTTP/1.1
> Authorization: Basic ****
> User-Agent: curl/7.27.0
> Host: api.paypal.com
> Accept: application/json
> Accept-Language: en_US
> Content-Length: 29
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 29 out of 29 bytes
* additional stuff not fine /usr/src/ports/curl/curl-7.27.0-1/src/curl-7.27.0/lib/transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 500 Internal Server Error
< Server: Apache-Coyote/1.1
< Date: Thu, 28 Mar 2013 15:59:53 GMT
< Content-Length: 0
< Connection: close
<
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
Thanks!
This is something that is currently being looked into. If you have not already opened a ticket with PayPal MTS I would advise opening up a ticket with Technical Support, so that your issue can be added to the examples. You will also then be notified once the issue has been resolved.
edit: This is now resolved as of 04:12 AM GMT (31/03/2013).