evensis
Joining in
Message 1 of 9

SSL_PROTOCOL_ERROR

Hi,

Having issues accessing: https://www.yesiwantit.com

The issue is exclusive to virgin media customers.

The interesting thing about this error is that I have access to the server, and it throws the following:

2021/02/22 09:09:22 [crit] 1666877#1666877: *20239288 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: xxx.xx.xx.xxx, server: 0.0.0.0:443

This looks to me like a bug in the transport layer. As mentioned exclusive to Virgin Media. I am not sure if the site is being blocked by Virgin Media for whatever reason? But either way, this is an improper SSL implementation and not resultant from the server's end.

I got a colleague who is on Virgin Media to do an openssl test with output and got the following:

CONNECTED(00000005)
4511018668:error:140043E8:SSL routines:CONNECT_CR_SRVR_HELLO:reason(1000):/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 0
4511018668:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
  Protocol : TLSv1.2
  Cipher  : 0000
  Session-ID: 
  Session-ID-ctx: 
  Master-Key: 
  Start Time: 1613990745
  Timeout  : 7200 (sec)
  Verify return code: 0 (ok)
---

This looks like the "CONNECT_CR_SRVR_HELLO:SSL" is being sent twice from the client contrary to the TLS specification. My immediate thought is something is trying to intercept the SSL call but failing miserably, and I have seen this type of behaviour before with websafe/AVs, etc. not doing their job properly. This has appeared over the weekend; last week the website had no issues when connecting from Virgin Media. Router restarts do not resolve the issue, but connecting from any other ISP works fine (have tried 4com, BT, EE, Vodafone, TalkTalk etc., multiple international ISPs and data centers etc.; the issue is unique to Virgin Media).

The only thing that comes to mind is the websafe system you run, are you able to whitelist the website if it is on the blacklist? Perfectly legit with no viruses or malware to speak of. 

Thanks.
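
For reading the s_client output above: OpenSSL and LibreSSL report a received fatal alert as reason 1000 plus the alert description, so `reason(1000)` with `SSL alert number 0` is description 0, and a plaintext TLS alert record is 5 header bytes plus 2 body bytes, which is consistent with the 7 bytes read. The decoder below is an added example, not part of the original post; `SAMPLE` is constructed to match that output and was not captured from this connection.

```python
import struct

# Record content types and a subset of alert descriptions (RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 47: "illegal_parameter",
                      50: "decode_error", 70: "protocol_version",
                      80: "internal_error", 109: "missing_extension"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL/LibreSSL: reason = 1000 + description

# Constructed sample (not captured from this connection): one 7-byte
# plaintext alert record, fatal level, description 0.
SAMPLE = bytes.fromhex("15030300020200")


def parse_records(data):
    """Split a byte stream into (type, version, body) TLS records."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, body))
        pos += 5 + length
    return records


def describe(data):
    """Decode each record; plaintext alerts get level, name and reason code."""
    out = []
    for ctype, version, body in parse_records(data):
        info = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                "version": f"0x{version:04x}", "length": len(body)}
        if ctype == 21 and len(body) == 2:
            level, desc = body
            info["level"] = ALERT_LEVELS.get(level, f"unknown({level})")
            info["alert"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
            info["openssl_reason"] = SSL_AD_REASON_OFFSET + desc
        out.append(info)
    return out


if __name__ == "__main__":
    print(describe(SAMPLE))
```

Feeding it the first bytes of a packet capture taken on the affected client shows which alert, if any, came back before the handshake was abandoned.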

evensis
Joining in
Message 2 of 9

Re: SSL_PROTOCOL_ERROR

TLDR; Think what I've written is swimming over heads.

Can a member of the forum staff check that www.yesiwantit.com is not blacklisted by Virgin's Websafe/AV tool?

用心棒
Very Insightful Person
Message 3 of 9

Re: SSL_PROTOCOL_ERROR

Whilst you wait for a forum team member to respond…

If Web Safe was the cause then going to http://www.yesiwantit.com/ would result in: (a) redirection to https://www.yesiwantit.com/ not occurring; (b) Child Safe web page being displayed

Website was not working earlier but appears to be now.

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.

evensis
Joining in
Message 4 of 9

Re: SSL_PROTOCOL_ERROR

Any movement on this from the forum team? Just a quick check to see if yesiwantit.com is blocked on websafe (and please remove if so)? Many thanks.

用心棒
Very Insightful Person
Message 5 of 9

Re: SSL_PROTOCOL_ERROR

Web Safe is not the issue.

FYI: you can validate this yourself:

  • by asking those experiencing the issue to visit http://yesiwantit.com/; if Web Safe is the issue then it will display a warning
  • the command nslookup yesiwantit.com would return 81.99.162.48 if Web Safe was blocking but it is not so the correct IP Address is returned
  • trace route command confirms that network traffic: (a) egresses Virgin Media's network; (b) is reaching your hosting provider

Have you discussed the issue with your hosting provider?
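
The nslookup check from the list above, as an added example that is not part of the original post: it parses nslookup output, skips the resolver's own address, and flags the Web Safe block address 81.99.162.48 quoted in the post. Both sample outputs are constructed, and the resolver and site addresses in them are documentation-range placeholders.

```python
import ipaddress
import re

# Address the post says nslookup returns when Web Safe blocks a name.
WEBSAFE_BLOCK_IP = ipaddress.ip_address("81.99.162.48")

# Constructed samples; 192.0.2.1, 203.0.113.10 and 2001:db8::1 are placeholders.
BLOCKED_SAMPLE = """Server:   192.0.2.1
Address:  192.0.2.1#53

Non-authoritative answer:
Name:     yesiwantit.com
Address:  81.99.162.48
"""
CLEAN_SAMPLE = """Server:  router.example
Address:  192.0.2.1

Non-authoritative answer:
Name:    yesiwantit.com
Addresses:  2001:db8::1
          203.0.113.10
"""

ADDRESS_LINE = re.compile(r"^(?:Address(?:es)?:)?\s*(\S+)$", re.IGNORECASE)


def answer_addresses(nslookup_output):
    """Return answer-section addresses, skipping the resolver's own address."""
    addresses, in_answer = [], False
    for line in nslookup_output.splitlines():
        line = line.strip()
        if line.lower().startswith("name:"):
            in_answer = True  # everything before the first Name: is the resolver
            continue
        match = ADDRESS_LINE.match(line)
        if not (in_answer and match):
            continue
        try:
            addresses.append(ipaddress.ip_address(match.group(1).split("#")[0]))
        except ValueError:
            pass  # token is not an IP literal
    return addresses


def websafe_verdict(nslookup_output):
    """Classify the DNS answer only; it says nothing about non-DNS filtering."""
    addresses = answer_addresses(nslookup_output)
    if not addresses:
        return "no-answer"
    return "dns-blocked" if WEBSAFE_BLOCK_IP in addresses else "dns-clean"
```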

evensis
Joining in
Message 6 of 9

Re: SSL_PROTOCOL_ERROR

Hiya,

Going to have to disagree, given that turning the websafe/site checking feature off in the router resolves the issue and users can then access the website, would suggest otherwise.

I am the hosting provider and developer for the website, the SSL failure message above is sent from the client device. Nginx, the web server in use, is used by millions of servers worldwide without issue, it simply cannot decipher the SSL data sent from the client when websafe is on. Looking over the internet, have this website from a VPN provider for instance, which shows 3 different blocking methods: https://bestvpn.org/virgin-media-blocks-vpns/. We're seeing the second one, not the first, no VPN is in use by those who are suffering the issue just to confirm that.

The chap I asked who uses Virgin and has the issue did the following: "I disabled a Virgin site checker thing on the router, might be virus checker, and it started to work." I then asked the other person in the business who has the same issue, she did the same thing, and she could then access the website. Obviously, this is not tenable asking everyone who has this issue and actually contacts customer services (the vast majority will not), to turn the feature off on their router, reboot it, etc.

Thanks

用心棒
Very Insightful Person
Message 7 of 9

Re: SSL_PROTOCOL_ERROR

Issue has been flagged to the forum team however be aware it can take them a few hours / days to respond.

Can I ask what result those unable to access yesiwantit.com saw when going via an HTTP connection?

 

evensis
Joining in
Message 8 of 9

Re: SSL_PROTOCOL_ERROR

Hi,

Just asked, and he said just cannot access the website via HTTP or HTTPS with the setting switched on, it also seemingly ignores the following content security policy header too, as no attempt is made to upgrade to SSL:

Content-Security-Policy: upgrade-insecure-requests; default-src https:

Thanks

Zoie_P
Forum Team
Message 9 of 9

Re: SSL_PROTOCOL_ERROR

Hi Evensis, thanks for your post, I am sorry you are having issues accessing this site, I have been able to do this via my Virgin Media and mobile connection, have you tried a different device or browser?

Zoie
