sslhttpshandshakessl-handshake

Below tls handshake, What is the problem?

An app.zeplin.io:443 connection error is occurring in the vpn environment. In the same vpn environment, access to github.com:443 or stackoverflow.com:443 is normal. I'm a little lacking in background knowledge about tls handshake, so I'm asking like this.

question)

issue) vpn environment is abnormal

curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* Recv failure: Connection reset by peer    >>>>>>> issue message print
* LibreSSL SSL_connect: Connection reset by peer in connection to app.zeplin.io:443
* Closing connection 0
curl: (35) Recv failure: Connection reset by peer

check1) vpn environment openssl is abnormal

openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M01
verify return:1
depth=0 CN = zeplin.io
verify return:1
write:errno=54   >>>>> !!!!! issue !!!!!
---
Certificate chain
 0 s:CN = zeplin.io
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 29 00:00:00 2023 GMT; NotAfter: Jun 26 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M01
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:21:28 2022 GMT; NotAfter: Aug 23 22:21:28 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...(skip)....
-----END CERTIFICATE-----
subject=CN = zeplin.io
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M01
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5403 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: ....(skip)....
    Session-ID-ctx:
    Master-Key: ....(skip).....
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1692336863
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

check2) non-vpn environment is normal

curl -iv https://app.zeplin.io
*   Trying 75.2.40.227:443...
* Connected to app.zeplin.io (75.2.40.227) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): >>>>>>>> The segment is not found in the vpn environment
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=zeplin.io
*  start date: May 29 00:00:00 2023 GMT
*  expire date: Jun 26 23:59:59 2024 GMT
*  subjectAltName: host "app.zeplin.io" matched cert's "*.zeplin.io"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: app.zeplin.io]
* h2 [:path: /]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x11f00a800)
> GET / HTTP/2
> Host: app.zeplin.io
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 302
HTTP/2 302
.... response body .....
Solution

  • Connection to vpn environment through openssl command is normal

    No, it's not. openssl and curl show the same problem. It is less obvious with openssl though:

    openssl s_client  app.zeplin.io:443
CONNECTED(00000006)
...
write:errno=54
...
 0 s:CN = zeplin.io

    The write:errno=54 in openssl s_client is the same as Connection reset by peer in curl.

    It shows that this error happens after the TLS handshake was already mostly established. Since it works without VPN the problem might be that the VPN provider is blocking access using deep packet inspection or that the server or some firewall in front of it is blocking access since it detected a VPN. There is nothing you can do about it from your client code.