No TLS on workers.dev unless VPN is used

I was unable to make requests via curl with

SSL_ERROR_SYSCALL

SSL_ERROR_SYSCALL

SSL_ERROR_SYSCALL

SSL_ERROR_SYSCALL for a long time, and I also can only get logs in the dashboard if I turn on my vpn. Deploying via wrangler works, but log streaming and dev environment don't.

sslscan workers.dev

sslscan workers.dev

sslscan workers.dev

sslscan workers.dev (same with

<worker>.<account>.workers.dev

<worker>.<account>.workers.dev

<worker>.<account>.workers.dev

<worker>.<account>.workers.dev)

Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.

Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.

Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.

Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   disabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:

  Supported Server Cipher(s):
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
    Unable to parse certificate
Certificate information cannot be retrieved.

I am located in Russia and I use my company's account.

John The Cooling FanOP•2/29/24, 12:16 PM

Also, output of openssl s_client -cipher ALL -servername workers.dev -connect workers.dev:443openssl s_client -cipher ALL -servername workers.dev -connect workers.dev:443:

CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Original message was deleted

John The Cooling FanOP•2/29/24, 12:59 PM

That's sslscan

John The Cooling FanOP•2/29/24, 12:59 PM

My curl is 8.5.08.5.0

Original message was deleted

John The Cooling FanOP•2/29/24, 12:59 PM

Either way I also get a tls error

JJohn The Cooling Fan My curl is `8.5.0`

John The Cooling FanOP•2/29/24, 1:00 PM

curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets

curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets

John The Cooling FanOP•2/29/24, 1:01 PM

That's a big assumption that it' an issue introduced in russian side of the network

Original message was deleted

John The Cooling FanOP•2/29/24, 1:05 PM

I didn't encounter any problems of this kind ever. So I feel like it's a problem on cloudflare side. Either something is misconfigured or geoblocking.

Original message was deleted

John The Cooling FanOP•2/29/24, 1:08 PM

IP in the sslscan output and workers.devworkers.dev are not in the registry
Protocol is https, so not blocking by this.
TLS extension - I don't know.
And from my experience blocked sites produce different behavior, usually a redirect of dropped connection without even reaching ssl stage

Original message was deleted

John The Cooling FanOP•2/29/24, 1:21 PM

Never seen this be used with my provider

John The Cooling FanOP•2/29/24, 1:22 PM

Certificate is issued by google for <account>.workers.dev<account>.workers.dev and *.<account>.workers.dev*.<account>.workers.dev

John The Cooling FanOP•2/29/24, 1:22 PM

(What I see from VPN)

John The Cooling FanOP•2/29/24, 1:22 PM

I use US location

John The Cooling FanOP•2/29/24, 1:23 PM

I would like to get someone else's opinion

Devon•2/29/24, 7:53 PM

haven't you basically already proven that, as it works over VPN to US?

John The Cooling FanOP•3/1/24, 12:58 PM

I haven't proven that russia is blocking it, as there is still possibility that cloudflare is geoblocking

John The Cooling FanOP•3/1/24, 12:58 PM

And I would like to find out

Cyb3r-Jak3•3/1/24, 7:57 PM

If Cloudflare was blocking then you either wouldn’t get a response or it would be Cloudflare block page. If you want an official answer then your best bet is to open a support ticket

CCyb3r-Jak3 If Cloudflare was blocking then you either wouldn’t get a response or it would b...

John The Cooling FanOP•3/1/24, 8:42 PM

Thanks for the directions

John The Cooling FanOP•3/1/24, 9:18 PM

Ah, it is blocked by russia

John The Cooling FanOP•3/1/24, 9:18 PM

That's a lot of times the ip 188.114.96.3188.114.96.3 has been put into teh registry

No TLS on workers.dev unless VPN is used

Similar Threads

Similar Threads

Similar Threads