On 23 Mar 2026, at 10:28, Beni Keller swinog@hb9hnt.ch wrote:
[..]

% wget https://www.sbb.ch/robots.txt
--2026-03-23 09:08:10-- https://www.sbb.ch/robots.txt
Resolving www.sbb.ch (www.sbb.ch)... 2600:9000:20a5:6600:2:5597:5ac0:93a1, 2600:9000:20a5:8800:2:5597:5ac0:93a1, 2600:9000:20a5:4800:2:5597:5ac0:93a1, ...
Connecting to www.sbb.ch (www.sbb.ch)|2600:9000:20a5:6600:2:5597:5ac0:93a1|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2026-03-23 09:08:10 ERROR 403: Forbidden.

This wget is not relevant for our issue as it connects to www.sbb.ch, which works. It's only sbb.ch which does not work.
That is the important distinction: SBB vs Amazon.
Somebody forgot to update the apex IP addresses when offloading Swiss State Railways...
And indeed, the SBB network is either filtered or otherwise broken.
SBB's own network:

% dig +short sbb.ch
194.150.245.142
% dig +short sbb.ch aaaa
2a00:4bc0:ffff:9::c296:f58e

Versus Amazon hosted:

% dig +short www.sbb.ch a
143.204.55.72
143.204.55.76
143.204.55.87
143.204.55.102

% dig +short www.sbb.ch aaaa
2600:9000:20a5:ea00:2:5597:5ac0:93a1
2600:9000:20a5:3200:2:5597:5ac0:93a1
2600:9000:20a5:3a00:2:5597:5ac0:93a1
2600:9000:20a5:7c00:2:5597:5ac0:93a1
2600:9000:20a5:7e00:2:5597:5ac0:93a1
2600:9000:20a5:9e00:2:5597:5ac0:93a1
2600:9000:20a5:a400:2:5597:5ac0:93a1
2600:9000:20a5:d000:2:5597:5ac0:93a1

IPv4/SBB is responding, but not doing SSL on 443:

% openssl s_client --connect 194.150.245.142:443
Connecting to 194.150.245.142
CONNECTED(00000003)
0031130402000000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:918:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 7 bytes and written 1522 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
0031130402000000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2804:

Thus no real SSL there anymore either...
IPv6 is indeed completely unresponsive.
Regards, Jeroen
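
The apex-versus-www check from the message above, per resolved address, as an added example that is not part of the original post. The names `probe`, `compare` and `fake_alert_server` are hypothetical; the loopback peer is constructed so the block runs offline and reproduces the "alert number 40" outcome.

```python
import socket
import ssl
import threading

# TLS alert record: type 21, version 3.3, length 2, level fatal (2),
# handshake_failure (40). 5-byte header + 2-byte body = the "read 7 bytes" above.
ALERT_40 = bytes([21, 3, 3, 0, 2, 2, 40])

def probe(addr, sni, port=443, timeout=5.0):
    """Classify one address: tls-ok, tls-failed, timeout, refused or unreachable."""
    ctx = ssl.create_default_context()  # verifies the certificate against sni
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((addr, port))
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return "tls-ok", tls.version()
    except ssl.SSLError as exc:  # peer alert, certificate mismatch, ...
        return "tls-failed", exc.reason or str(exc)
    except (socket.timeout, TimeoutError):
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as exc:  # no route, reset, ...
        return "unreachable", str(exc)

def compare(apex, port=443, timeout=5.0):
    """Probe every A/AAAA address of apex and www.<apex>, each with its own SNI."""
    result = {}
    for host in (apex, "www." + apex):
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
        result[host] = {a: probe(a, host, port, timeout) for a in addrs}
    return result

def fake_alert_server():
    """Constructed loopback peer: answers one ClientHello with ALERT_40."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(65536)
            conn.sendall(ALERT_40)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Offline demo; against real names, call compare("<apex domain>") instead.
    print(probe("127.0.0.1", "apex.example", fake_alert_server()))
```

Run periodically against both names, a result where the apex addresses report `tls-failed` or `timeout` while the `www` addresses report `tls-ok` is the drift described in the message.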