
Cloudflare is **extremely**... how to put this... "SSL-sensitive". That is to say: missing TLS SNI, using an "old" version of OpenSSL, using specific ciphers or missing other TLS-related fields, will all cause ambiguous-looking errors emitted from OpenSSL. There are other providers who behave similarly, but CF happens to be the most sensitive (on a technical level) of the bunch.

I am not seeing any issues myself, but Cloudflare has a remarkably complicated network which is also anycasted, so basically "figuring out" where a particular problem lies is horribly, horribly complicated.

Here's proof that, at least from my geoloc (see signature), my own site behind CF is working fine:

```
$ echo | openssl s_client -servername jdc.koitsu.org -connect jdc.koitsu.org:443
CONNECTED(00000004)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni55709.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni55709.cloudflaressl.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni55709.cloudflaressl.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5337 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: D1BC2EDA60A0E06AA7AFFEF76A4FDEC65127A5968F43D4E8666C0B81D2AE36B0
    Session-ID-ctx:
    Master-Key: BA6BADA117F9803CD2C4BCE9915D0D8A1365B959F867F85ABDEE127F038D1795ACE1273DAA3DEE414B3EB716E1833AED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]

    Start Time: 1538393205
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
```

-- 
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                       PGP 0x2A389531 |
| Making life hard for others since 1977.                          |

On Mon, Oct 01, 2018 at 06:40:16PM +0800, Chris via Outages wrote:
Hi all,
Not sure if anyone else is experiencing this currently, but I have a report from multiple sites (in different countries) that are having issues accessing various CloudFlare hosted sites (the CloudFlare website itself is working fine though). The issue is only with HTTPS, HTTP seems to be working fine. Issue appears to be happening for both v4 and v6.
Eg.
```
me@jumpoff1 ~ $ openssl s_client -connect 104.24.114.156:443
CONNECTED(00000003)
140186033568600:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:802:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 258 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1538388672
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
I can reproduce the issue on web based proxy services as well, eg. https://hidester.com/proxy/ (US Server), https://www.vpnbook.com/webproxy (US Server).
Not sure how widespread this is as some people can access things, curious to know what others see.
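As an added illustration of the SNI point made in the reply above (this is example code, not anything either poster ran): the failing command connects to a bare IP with no `-servername`, so its ClientHello carries no `server_name` extension, while the working one names the host. The parser below reads a TLS ClientHello record and reports the offered cipher suites and the SNI host name, if any, so a capture can be checked for that difference directly. The ClientHello bytes are constructed in the block itself as sample data (fixed random, a single cipher suite, a sample host name), not taken from a real capture.

```python
import struct

SNI_EXT = 0x0000  # TLS extension type "server_name" (RFC 6066)

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a capture).
    Offers one suite, 0xC02B = ECDHE-ECDSA-AES128-GCM-SHA256, as negotiated in the thread."""
    suites = struct.pack("!H", 0xC02B)
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return version, offered cipher suites and the SNI host name (None when absent)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 34                                  # skip client_version(2) + random(32)
    pos += 1 + body[pos]                      # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                      # compression_methods
    sni = None
    if pos + 2 <= len(body):                  # extensions block is optional (absent on old clients)
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {"version": body[0:2].hex(), "cipher_suites": suites, "sni": sni}
```

A ClientHello whose parse result has `sni` set to None is the shape an SNI-requiring edge answers with the handshake failure seen in the failing output.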