0
votes

I have a machine serving sites under Docker, reverse proxied through nginx with TLS. Everything went smoothly until around April 15th. Two sites became inaccessible from iPhone (whatever browser is used), Safari on MacBooks... curl, old Android (Samsung S2) and old Firefox (v25)! :o Everything goes fine from Firefox on Windows and GNU/Linux. One site is a Mattermost instance; the app works correctly from Android but not from an iPhone.

Safari complains it "can't load the page, the connection has been lost".

curl -v mysite reports:

    * Rebuilt URL to: https://teamtime.me/
    * Hostname was NOT found in DNS cache
    *   Trying 212.129.18.187...
    * Connected to teamtime.me (212.129.18.187) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * Server certificate:
    *   subject: CN=teamtime.me
    *   start date: 2017-04-02 21:41:00 GMT
    *   expire date: 2017-07-01 21:41:00 GMT
    *   subjectAltName: teamtime.me matched
    *   issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *   SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.38.0
    > Host: teamtime.me
    > Accept: */*
    >
    * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    * Closing connection 0
    curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

I sniffed the connection to the site with Firefox and with curl and noted the following differences. With Firefox, after the client key exchange, a new session ticket is created by the server and an application data packet of size 320 is sent back to the server. With curl, after the client key exchange, the server sends a change cipher spec, the client answers with an application data packet of size 170, which ends the connection (ACK, then RST-ACK from the server).

I'm stuck here. I don't know where to look. I don't have any Apple device to test with, but I guess the problem with curl has the same root cause, as it occurred in the same time frame.

Any hint would be very appreciated. Thanks in advance.

[Image: differences in sniffing firefox and curl]

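The capture above compares two clients but never varies the client-side settings that commonly differ between a browser and curl (HTTP version negotiation via ALPN/NPN, the TLS version offered, session resumption). The shell helper below is an added example, not part of the original post or of the Mattermost/Mastodon/nginx setup: it fetches one URL once per client variant and reports which variants fail, so the feature that makes the server reset the connection can be isolated before reading the nginx configuration. It assumes a curl that understands --http1.1, --no-alpn, --no-npn and --no-sessionid (curl 7.36 or later); the variant table is constructed for illustration and the URL in the usage note is only a placeholder.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes curl >= 7.36
# so that --http1.1, --no-alpn, --no-npn and --no-sessionid are accepted.

# probe_tls_variants URL
# Fetch URL once per client-side variant and print "<label> <curl exit code>".
# curl exit code 0 means the request and response completed; 56 is the
# "failure receiving network data" code seen in the question.
probe_tls_variants() {
    url=$1
    # Constructed variant table: label|extra curl flags. The first entry is
    # curl's plain default behaviour and serves as the baseline.
    variants='default|
http1.1|--http1.1
tls1.2-only|--tlsv1.2
no-alpn|--no-alpn
no-npn|--no-npn
no-session-reuse|--no-sessionid'
    printf '%s\n' "$variants" | while IFS='|' read -r label flags; do
        rc=0
        # $flags is intentionally unquoted so that several flags would split.
        # shellcheck disable=SC2086
        curl -sS -o /dev/null --max-time 10 $flags "$url" || rc=$?
        printf '%s %s\n' "$label" "$rc"
    done
}

# failing_variants URL
# Print only the labels whose fetch returned a non-zero curl exit code.
failing_variants() {
    probe_tls_variants "$1" | awk '$2 != 0 { print $1 }'
}

# Usage from a host where plain curl reproduces the failure, e.g.:
#   failing_variants https://teamtime.me/
```

Run it from the host where plain curl reproduces the error. A label that disappears from the failing list names the negotiation feature the server treats differently for that client (for example, failing with the default but succeeding with --http1.1 points at HTTP/2 negotiation over ALPN), which is where to focus the packet capture and the nginx `server` blocks for the affected hosts.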

1 Answer

0
votes

The server is (was) also serving a Mastodon instance. And it happened that shutting down the Mastodon instance solved the problem: curl and Apple devices can reach the other services again.

The problem surely lies in the nginx reverse proxy configuration, but I don't know yet what it is...

I'd also be interested in understanding how a mistaken nginx config affects only some devices/browsers...