aubreybox
27 Jan 2018

Steps to reproduce the issue

openssl s_client -connect downloads.joomla.org:443

Expected result

CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = US, ST = TX, L = Houston, O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = joomla-org.directrouter.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 2 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6298 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6ECCBA0B435C2F90FA75E27395C809EE57DACEEFB0D168D5B98C117D01E0E36E
    Session-ID-ctx: 
    Master-Key: A155064B8CF1F38E0A85A0D8DD02A9BFED8013FC1DB1BC8DE8BEDDB1D5EECA664EFA521AB0884B0048AFB7B3F46FEA11
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1517056964
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

Actual result

nothing

System information (as much as possible)

Absolutely no connection to 72.29.124.146 possible (ping)

Connections from other servers to downloads.joomla.org:443 work
Connections to other joomla servers work as well: e.g. update.joomla.org:443

Any idea what the reason could be?

brianteeman - comment - 27 Jan 2018

A firewall on your server?

franz-wohlkoenig - change - 27 Jan 2018
Status: New → Information Required
franz-wohlkoenig - change - 27 Jan 2018
Category: Administration
aubreybox - comment - 27 Jan 2018

No, even if I'd flush all iptables rules, the result is the same.
Furthermore, that would probably block update.joomla.org as well.

andrepereiradasilva - comment - 28 Jan 2018

The only thing I see in downloads.joomla.org:

  1. is sending the CA certificate, which is not needed since the CA root certificates are in all OS - that's the base of the chain of trust
  2. not supporting old clients without SNI.
  3. using a certificate that will be distrusted by Google and Mozilla from March 2018 (Existing Symantec Certificates)

See https://www.ssllabs.com/ssltest/analyze.html?d=downloads.joomla.org&hideResults=on&latest

So to test this with SNI support you should use:

openssl s_client -connect downloads.joomla.org:443 -servername downloads.joomla.org

For update.joomla.org, the only thing is:

  1. using a certificate that will be distrusted by Google and Mozilla from September 2018 (Existing Symantec Certificates)
    And https://www.ssllabs.com/ssltest/analyze.html?d=update.joomla.org&hideResults=on&latest
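
Added example (not part of the thread or of any poster's reply): a small Python parser for the "Certificate chain" section of openssl s_client output, which flags entries sent twice, self-signed certificates sent by the server, and entries whose issuer is not the next entry's subject. The sample input is the chain listing from the first post; the function names are this example's own, and certificates are compared by subject/issuer name only, not by fingerprint.

```python
import re

# Chain listing copied from the s_client output in the first post of this thread.
SAMPLE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 1 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=joomla-org.directrouter.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
 2 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

# One chain entry: "<n> s:<subject>" followed by an indented "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(index, subject, issuer)] in the order the server sent them."""
    return [(int(i), s.strip(), iss.strip()) for i, s, iss in ENTRY.findall(text)]

def audit_chain(chain):
    """Return findings as (kind, entry_index, related_index_or_None) tuples."""
    findings, seen = [], {}
    for idx, subject, issuer in chain:
        key = (subject, issuer)  # name-based identity, not a fingerprint
        if key in seen:
            findings.append(("duplicate", idx, seen[key]))
        else:
            seen[key] = idx
        if subject == issuer:  # self-signed: a root the client already has
            findings.append(("self-signed", idx, None))
    # In a well-ordered chain each issuer is the subject of the next entry.
    for (idx, _, issuer), (nxt, subject, _) in zip(chain, chain[1:]):
        if issuer != subject:
            findings.append(("issuer-mismatch", idx, nxt))
    return findings

if __name__ == "__main__":
    for finding in audit_chain(parse_chain(SAMPLE)):
        print(finding)
```

On this listing it reports that entry 1 repeats entry 0, which also breaks the issuer-to-subject ordering between entries 0 and 1.
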
mbabker - comment - 28 Jan 2018

  1. downloads.joomla.org and update1.joomla.org (the subdomain which the update server CDN is based on) are on the same physical server. update.joomla.org is on a CDN, so connections to that specific subdomain address would use a different path/resource.

  2. Without an IP address, if there is a block in place for some reason, we can't do anything about it.

aubreybox - comment - 28 Jan 2018

@andrepereiradasilva
The SNI/Cert related issues would not affect pinging. So the -servername option had no effect.

@mbabker
update1.joomla.org didn't work either.
I just sent you the IP via email.

mbabker - comment - 28 Jan 2018

Should be unblocked now.

aubreybox - comment - 28 Jan 2018

Indeed it works now. Do you know the reason for blocking?
Thank you very much anyway.

brianteeman - change - 28 Jan 2018
Status: Information Required → Closed
Closed_Date: 0000-00-00 00:00:00 → 2018-01-28 21:56:46
Closed_By: brianteeman
brianteeman - comment - 28 Jan 2018

Closed as issue is resolved

brianteeman - close - 28 Jan 2018
aubreybox - comment - 29 Jan 2018

reopen, same problem:(
