2014-04-24 11:39:15 |
psl |
description |
This report is for Ubuntu 12.04.4. I observe the problem with wget, git and maybe other utilities. wget helped me to understand this problem. I guess wget is not the troublemaker, but there is a problem in some part related to DNS.
There is some problem (or change) with OpenDNS that I use, and that change has an impact on SSL-related services. Let's try to download a certificate with wget:
$ wget -d https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
DEBUG output created by Wget 1.13.4 on linux-gnu.
URI encoding = `UTF-8'
--2014-04-24 13:26:04-- https://www.digicert.com/CACerts/DigiCertSHA2ExtendedValidationServerCA.crt
Resolving www.digicert.com (www.digicert.com)... ::ffff:67.215.65.132, 64.78.193.234
Caching www.digicert.com => ::ffff:67.215.65.132 64.78.193.234
Connecting to www.digicert.com (www.digicert.com)|::ffff:67.215.65.132|:443... connected.
Created socket 3.
Releasing 0x08ca17d8 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x08ca1968
certificate:
subject: /C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer: /C=US/O=DigiCert Inc/CN=DigiCert Secure Server CA
ERROR: no certificate subject alternative name matches
requested host name `www.digicert.com'.
To connect to www.digicert.com insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x08ca1968
Notice that wget tries to download the certificate from the IPv6 address ::ffff:67.215.65.132; I don't have IPv6 connectivity...
Let's try to get DNS details about www.digicert.com; I use the OpenDNS server:
$ host -a www.digicert.com 208.67.222.222
Trying "www.digicert.com"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.digicert.com. IN ANY
;; ANSWER SECTION:
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132
Received 78 bytes from 208.67.222.222#53 in 62 ms
$ host -t A www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
www.digicert.com has address 64.78.193.234
$ host -t AAAA www.digicert.com 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
www.digicert.com has no AAAA record
From these examples, I assume that the record "0 IN AAAA" returned by the OpenDNS server is not valid and should be ignored. For some reason, wget (and git) try to use the AAAA record to download the certificate... |
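An added check (my own code, not part of psl's report) that runs over answer lines like the ones in the `host -a` output above and flags the pattern the report shows: an IPv4-mapped address (::ffff:a.b.c.d) in AAAA data, a TTL of 0, and a mapped IPv4 that matches none of the A records for the same name. The sample lines are the two answer records from the report; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the ANSWER SECTION lines from the report's `host -a` query.
SAMPLE_ANSWERS = """\
www.digicert.com. 95 IN A 64.78.193.234
www.digicert.com. 0 IN AAAA ::ffff:67.215.65.132
"""

# Matches dig/host-style resource record lines for A and AAAA only.
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_answers(text):
    """Parse answer lines into (name, ttl, type, rdata) tuples; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m["name"], int(m["ttl"]), m["type"], m["rdata"]))
    return records


def suspicious_aaaa(records):
    """Return (name, rdata, reasons) for AAAA answers that look resolver-injected.

    An IPv4-mapped address never belongs in AAAA data, so it is flagged on its own;
    a TTL of 0 and a mapped IPv4 absent from the name's A records add to the signal.
    """
    a_by_name = {}
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            a_by_name.setdefault(name, set()).add(rdata)
    findings = []
    for name, ttl, rtype, rdata in records:
        if rtype != "AAAA":
            continue
        addr = ipaddress.IPv6Address(rdata)
        reasons = []
        if addr.ipv4_mapped is not None:
            reasons.append("ipv4-mapped AAAA")
            if str(addr.ipv4_mapped) not in a_by_name.get(name, set()):
                reasons.append("mapped IPv4 not among A records")
        if ttl == 0:
            reasons.append("ttl 0")
        if reasons:
            findings.append((name, rdata, reasons))
    return findings


if __name__ == "__main__":
    for name, rdata, reasons in suspicious_aaaa(parse_answers(SAMPLE_ANSWERS)):
        print(f"{name} AAAA {rdata}: {', '.join(reasons)}")
```

Run against the report's answers it flags the single AAAA record on all three counts; a genuine global-unicast AAAA with a normal TTL produces no finding.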