On 21.11.21 at 09:17, Ralf Mardorf via arch-general wrote:
>
> done:
>
> [rocketmouse@archlinux curl_search_cpan_01]$ curl -sSvg -L https://search.cpan.org/CPAN/authors/id/Y/YE/YEWENBIN/Goo-Canvas-0.06.tar.gz >foo.tar.gz
> * Trying 46.43.35.68:443...

Hi Ralf,

Somehow you seem to get an endpoint that has only an internal certificate. I can duplicate your error with this command:

$ curl --resolve search.cpan.org:443:46.43.35.68 -sSvg -L https://search.cpan.org/CPAN/authors/id/Y/YE/YEWENBIN/Goo-Canvas-0.06.tar.gz >foo.tar.gz

I get the same IPs as Ralph and those do work and have Let's Encrypt certificates:

curl -4 -sSvg -L https://search.cpan.org/CPAN/authors/id/Y/YE/YEWENBIN/Goo-Canvas-0.06.tar.gz >foo.tar.gz
* Trying 151.101.114.132:443...
* Connected to search.cpan.org (151.101.114.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4019 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.cpan.org
* start date: Sep 30 05:43:29 2021 GMT
* expire date: Dec 29 05:43:28 2021 GMT
* subjectAltName: host "search.cpan.org" matched cert's "*.cpan.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)

Here is the wrong internal certificate:

$ openssl s_client --servername search.cpan.org 46.43.35.68:443
CONNECTED(00000003)
depth=0 C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
verify return:1
---
Certificate chain
 0 s:C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
   i:C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
---
Server certificate
subject=C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
issuer=C = PL, ST = Perl Lane, L = Perl City, O = MetaCPAN, OU = NOC, CN = api.metacpan.org, emailAddress = noc@xxxxxxxxxxxx
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1670 bytes and written 410 bytes
Verification error: self signed certificate
^C

--
Andreas
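
The per-address check done above with `curl --resolve` and `openssl s_client` can be repeated for every address a name resolves to. The following is an added example, not part of the original message; the function names `resolve_all`, `check_endpoint` and `audit` and the status strings are hypothetical choices made for this sketch.

```python
import socket
import ssl
import sys


def resolve_all(host, port=443):
    """Return every distinct address the local resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_endpoint(host, ip, port=443, timeout=5.0):
    """TLS-connect to ip while sending SNI=host, like curl --resolve.

    The certificate is verified against the system trust store and against
    the hostname. Returns (status, detail) with status one of
    'ok', 'cert-error' or 'connect-error'.
    """
    ctx = ssl.create_default_context()  # chain and hostname checks enabled
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self signed certificate", as seen for 46.43.35.68 above
        return "cert-error", exc.verify_message
    except OSError as exc:  # refused, timed out, or another TLS failure
        return "connect-error", str(exc)


def audit(host, ips=None, port=443):
    """Check each given (or resolved) address; return {ip: (status, detail)}."""
    targets = ips or resolve_all(host, port)
    return {ip: check_endpoint(host, ip, port) for ip in targets}


if __name__ == "__main__":
    # usage: script.py [hostname [ip ...]]
    name = sys.argv[1] if len(sys.argv) > 1 else "search.cpan.org"
    results = audit(name, sys.argv[2:] or None)
    for ip, (status, detail) in results.items():
        print(f"{ip:40} {status:14} {detail}")
    sys.exit(1 if any(s != "ok" for s, _ in results.values()) else 0)
```

Passing addresses explicitly after the hostname pins the check to those endpoints, which is how a single misconfigured backend can be singled out.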