CD
Cloudflare Developers4mo ago
John The Cooling Fan

No TLS on workers.dev unless VPN is used

I was unable to make requests via curl with SSL_ERROR_SYSCALL for a long time, and I also can only get logs in the dashboard if I turn on my vpn. Deploying via wrangler works, but log streaming and dev environment don't. sslscan workers.dev (same with <worker>.<account>.workers.dev) 
Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.
Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.
I am located in Russia and I use my company's account.
7 Replies
John The Cooling Fan
John The Cooling Fan4mo ago
Also, output of openssl s_client -cipher ALL -servername workers.dev -connect workers.dev:443: 
CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
That's sslscan My curl is 8.5.0 Either way I also get a tls error 
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets
That's a big assumption that it' an issue introduced in russian side of the network I didn't encounter any problems of this kind ever. So I feel like it's a problem on cloudflare side. Either something is misconfigured or geoblocking. IP in the sslscan output and workers.dev are not in the registry Protocol is https, so not blocking by this. TLS extension - I don't know. And from my experience blocked sites produce different behavior, usually a redirect of dropped connection without even reaching ssl stage Never seen this be used with my provider Certificate is issued by google for <account>.workers.dev and *.<account>.workers.dev (What I see from VPN) I use US location I would like to get someone else's opinion
Devon
Devon4mo ago
haven't you basically already proven that, as it works over VPN to US?
John The Cooling Fan
John The Cooling Fan4mo ago
I haven't proven that russia is blocking it, as there is still possibility that cloudflare is geoblocking And I would like to find out
Cyb3r-Jak3
Cyb3r-Jak34mo ago
If Cloudflare was blocking then you either wouldn’t get a response or it would be Cloudflare block page. If you want an official answer then your best bet is to open a support ticket
John The Cooling Fan
John The Cooling Fan4mo ago
Thanks for the directions
John The Cooling Fan
John The Cooling Fan4mo ago
Ah, it is blocked by russia
No description
John The Cooling Fan
John The Cooling Fan4mo ago
That's a lot of times the ip 188.114.96.3 has been put into teh registry
Want results from more Discord servers?
Add your server
More Posts
Redirect Rule for Angular CSR AppCan someone please help me choosing the correct redirect rule for my Angular CSR App? I am getting tCrosspost of question on Pages app with ZeroTrust/Access protectionhttps://discord.com/channels/595317990191398933/1212422297512845383/1212422297512845383I added a Response Headed with the ip.src.city, but i cant read it on the client side javacript?I belive headers are not readable in JS in the browser unless another request is made right? But I cSSL certificate on Cloudflare PagesHello everyone, I've got a question about using my own SSL certificate on Cloudflare Pages without cLive Streaming HLS Playback 500 Internal Server ErrorLive streaming is failing to render a video. 1. I have an input from the API 2. I used the stream kEmail worker, with fetch, sending to APII am trying to set up a catch-all email, and send all incoming emails to a worker. The work is to seHello does anyone know how i can use theHello does anyone know how i can use the zero trsut tunnel to make an ssh.example.com domain to connis worker pro plan has a spending limiti host my site on pro plan. i am not sure it has a spend limit. so i can't avoid paying too much Problems replying to email from workersI'm following https://developers.cloudflare.com/email-routing/email-workers/reply-email-workers/ andscheduled workersJust curious how you all go about testing your scheduled workers after deployment. I've tested loca