On Mon, 23 Mar 2026 at 10:44, Jeroen Massar via swinog swinog@lists.swinog.ch wrote:
IPv4/SBB is responding, but not doing SSL on 443:
% openssl s_client --connect 194.150.245.142:443 Connecting to 194.150.245.142 CONNECTED(00000003) 0031130402000000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:918:SSL alert number 40
No, it just requires SNI, which you did not provide.
$ openssl s_client -servername sbb.ch --connect 194.150.245.142:443 CONNECTED(00000003) depth=3 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2 verify return:1 depth=2 C = CH, O = SwissSign AG, CN = SwissSign RSA TLS Root CA 2022 - 1 verify return:1 depth=1 C = CH, O = SwissSign AG, CN = SwissSign RSA TLS DV ICA 2022 - 1 verify return:1 depth=0 CN = sbb.ch verify return:1 --- Certificate chain 0 s:CN = sbb.ch i:C = CH, O = SwissSign AG, CN = SwissSign RSA TLS DV ICA 2022 - 1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jul 21 12:44:08 2025 GMT; NotAfter: Jul 21 12:44:08 2026 GMT 1 s:C = CH, O = SwissSign AG, CN = SwissSign RSA TLS DV ICA 2022 - 1 i:C = CH, O = SwissSign AG, CN = SwissSign RSA TLS Root CA 2022 - 1 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 29 09:27:46 2022 GMT; NotAfter: Jun 29 09:27:46 2036 GMT 2 s:C = CH, O = SwissSign AG, CN = SwissSign RSA TLS Root CA 2022 - 1 i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2 a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 28 11:27:11 2022 GMT; NotAfter: Sep 22 11:27:11 2036 GMT --- [...]
Lukas