This looks to me like a bug in the transport layer. As mentioned, it is exclusive to Virgin Media. I am not sure if the site is being blocked by Virgin Media for whatever reason? But either way, this is an improper SSL implementation and not resultant from the server's end.
I got a colleague who is on Virgin Media to do an openssl test with output and got the following:
CONNECTED(00000005)
4511018668:error:140043E8:SSL routines:CONNECT_CR_SRVR_HELLO:reason(1000):/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 0
4511018668:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.60.2/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1613990745
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
---
This looks like the "CONNECT_CR_SRVR_HELLO:SSL" is being sent twice from the client contrary to the TLS specification. My immediate thought is something is trying to intercept the SSL call but failing miserably, and I have seen this type of behaviour before with websafe/AVs, etc. not doing their job properly. This has appeared over the weekend; last week the website had no issues when connecting from Virgin Media. Router restarts do not resolve the issue, but connecting from any other ISP works fine (have tried 4com, BT, EE, Vodafone, TalkTalk etc., multiple international ISPs and data centers etc., all work fine - issue is unique to Virgin Media).
The only thing that comes to mind is the websafe system you run, are you able to whitelist the website if it is on the blacklist? Perfectly legit with no viruses or malware to speak of.
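Added example, not part of the original post: the 7 bytes read in the output above are the size of one unencrypted TLS alert record (5-byte header, 1-byte level, 1-byte description), and this sketch classifies a peer's first reply bytes so that a TLS alert, a handshake record and a plaintext HTTP reply on the TLS port can be told apart. The function name and the sample bytes are constructed here; the record version and alert level in the sample are assumptions, since the page shows only the byte count and "alert number 0".

```python
import struct

# TLS record content types and a few alert codes (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version",
                      80: "internal_error", 112: "unrecognized_name"}


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a peer sent in reply to a ClientHello."""
    if not data:
        return {"kind": "empty"}           # closed or reset before any reply
    if data.startswith(b"HTTP/"):
        return {"kind": "plaintext_http"}  # e.g. a block page on a TLS port
    if len(data) < 5:
        return {"kind": "truncated"}       # shorter than a record header
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return {"kind": "not_tls"}
    result = {"kind": CONTENT_TYPES[ctype],
              "record_version": (major, minor), "length": length}
    if ctype == 21:
        body = data[5:5 + length]
        if length != 2 or len(body) != 2:
            result["kind"] = "malformed_alert"  # encrypted or cut short
            return result
        level, description = body
        result["level"] = ALERT_LEVELS.get(level, f"unknown({level})")
        result["description"] = ALERT_DESCRIPTIONS.get(
            description, f"unknown({description})")
    return result


# Constructed sample (not captured traffic): a 7-byte alert record carrying
# description 0. Record version 3.3 and level 2 are assumptions.
SAMPLE_ALERT = bytes.fromhex("15030300020200")

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_ALERT))
    print(classify_first_bytes(b"HTTP/1.1 403 Forbidden\r\n"))
    print(classify_first_bytes(bytes.fromhex("160303004a02")))
```

Running the same classification on bytes captured from an affected and an unaffected connection shows whether the two paths receive a different kind of first reply.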
Going to have to disagree, given that turning the websafe/site checking feature off in the router resolves the issue and users can then access the website, would suggest otherwise.
I am the hosting provider and developer for the website, the SSL failure message above is sent from the client device. Nginx, the web server in use, is used by millions of servers worldwide without issue, it simply cannot decipher the SSL data sent from the client when websafe is on. Looking over the internet, have this website from a VPN provider for instance, which shows 3 different blocking methods: https://bestvpn.org/virgin-media-blocks-vpns/. We're seeing the second one, not the first, no VPN is in use by those who are suffering the issue just to confirm that.
The chap I asked who uses Virgin and has the issue did the following: "I disabled a Virgin site checker thing on the router, might be virus checker, and it started to work." I then asked the other person in the business who has the same issue, she did the same thing, and she could then access the website. Obviously, this is not tenable asking everyone who has this issue and actually contacts customer services (the vast majority will not), to turn the feature off on their router, reboot it, etc.
Just asked, and he said just cannot access the website via HTTP or HTTPS with the setting switched on, it also seemingly ignores the following content security policy header too, as no attempt is made to upgrade to SSL:
Hi Evensis, thanks for your post. I am sorry you are having issues accessing this site. I have been able to do this via my Virgin Media and mobile connection; have you tried a different device or browser?