Level 1: Cadet

SSL handshake failures using Telstra DNS server

I'm getting SSL issues connecting to a site I manage... but ONLY when I access it using a Telstra DNS server.

$ openssl s_client -connect covid-19-stories.com:443 -servername covid-19-stories.com

CONNECTED(00000005)
4465892972:error:140043E8:SSL routines:CONNECT_CR_SRVR_HELLO:reason(1000):/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 0
4465892972:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/ssl/ssl_pkt.c:585:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Start Time: 1591316878
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

via CURL

$ curl -v https://www.covid-19-stories.com                                                                                       
*   Trying 2001:8002:e41:f002::f5ff...
* TCP_NODELAY set
* Connected to www.covid-19-stories.com (2001:8002:e41:f002::f5ff) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, close notify (512):
* error:140043E8:SSL routines:CONNECT_CR_SRVR_HELLO:reason(1000)
* Closing connection 0
curl: (35) error:140043E8:SSL routines:CONNECT_CR_SRVR_HELLO:reason(1000)

No cert is being delivered....


However if I change my DNS config to point to 8.8.8.8 (google) - I can pull the certificate and access the website as per usual.


Obviously I can't control whatever is happening on the Telstra server... so it'd be nice to know why the SSL handshake is failing for Telstra only (esp. as it used to resolve without issue - this is a recent issue).

Accepted Solution
Level 24: Supreme Being

Re: SSL handshake failures using Telstra DNS server

The problem is due to Telstra blocking the site and redirecting to Telstra's malicious content page. There is a link on that site for marking the site as safe.

Telstra has blocked the website because it has been blacklisted by McAfee.

3 REPLIES
Level 1: Cadet

Re: SSL handshake failures using Telstra DNS server

Ok - this looks like the issue.

The Telstra DNS server incorrectly resolves the host to IP 61.9.211.50 .... which is a Telstra server.

 

Address: 13.35.149.126
Address: 13.35.149.2
Address: 13.35.149.102
Address: 13.35.149.58


Can anyone from Telstra flush the DNS and fix this?
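The check behind this post, as an added example that is not code from the thread: query two resolvers for the same name, list the addresses only one of them returns, and (when run live) try a TLS handshake with SNI against each distinct address so the substituted server's certificate, or its handshake failure, is visible next to the real one. The resolver addresses, hostname and the sample answers are assumptions chosen for illustration; the sample responses are constructed, not captured.

```python
"""Added example: compare DNS answers from two resolvers and probe TLS per address.
Not from the original thread. Hostname, resolver IPs and sample answers are assumed."""
import random
import socket
import ssl
import struct


def _encode_name(name):
    # Wire-format a dotted hostname: length-prefixed labels terminated by 0x00.
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"


def _skip_name(buf, off):
    # Advance past a (possibly compressed) name and return the new offset.
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def build_query(txid, name):
    """Minimal DNS A query: header with RD set plus one question (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, addrs, ttl=300):
    """Construct a DNS response carrying one A record per address (sample data only)."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA, rcode 0
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


def parse_a_records(resp):
    """Return the IPv4 addresses in the answer section; raise on non-zero rcode."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("DNS rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4         # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name, resolver, timeout=3.0):
    """Query one resolver over UDP and return its A records (needs network access)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(txid, name), (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    if struct.unpack("!H", resp[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_a_records(resp)


def compare_answers(first, second):
    """Split two answer sets into addresses common to both and unique to each side."""
    a, b = set(first), set(second)
    return {"common": a & b, "only_first": a - b, "only_second": b - a}


def tls_probe(ip, sni, port=443, timeout=5.0):
    """Handshake with one address while sending the real hostname as SNI (network).
    Returns the leaf certificate subject on success, or the error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert().get("subject")
    except (OSError, ssl.SSLError) as exc:
        return "handshake failed: %s" % exc


# Constructed sample (TEST-NET addresses): a public resolver returns the site's
# real addresses, an ISP resolver substitutes a single address of its own.
SAMPLE_NAME = "www.example.com"
PUBLIC_ANSWERS = parse_a_records(build_response(7, SAMPLE_NAME, ["192.0.2.10", "192.0.2.11"]))
ISP_ANSWERS = parse_a_records(build_response(7, SAMPLE_NAME, ["198.51.100.50"]))
SAMPLE_DIFF = compare_answers(PUBLIC_ANSWERS, ISP_ANSWERS)

if __name__ == "__main__":
    # Live run: 8.8.8.8 is Google's public resolver; 192.0.2.1 is a placeholder for
    # the ISP resolver your connection hands out. Replace it before running.
    live = {r: resolve(SAMPLE_NAME, r) for r in ("8.8.8.8", "192.0.2.1")}
    print(compare_answers(*live.values()))
    for ip in set().union(*live.values()):
        print(ip, tls_probe(ip, SAMPLE_NAME))
```

Addresses that appear under `only_second` are the ones to probe first: if the handshake to one of them fails or returns a certificate for a different subject while the `common` addresses serve the expected certificate, the difference is in resolution, not in the origin server.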

Level 1: Cadet

Re: SSL handshake failures using Telstra DNS server

Thanks. Following up with McAfee and Trusted Source
