Hello everyone,
if anyone from SBB reads the swinog ML: it's very cool that you added an AAAA record to sbb.ch. However, it seems that only the HTTP port, but not the HTTPS port, is open via IPv6. Logs are attached below.
Best regards from Glarus,
Nico
[20:31] diamond:~% curl -6 -I -v https://sbb.ch
*   Trying 2a00:4bc0:ffff:ffff::c296:f58e:443...
* TCP_NODELAY set
* Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
^C

[20:33] diamond:~% curl -6 -I -v http://sbb.ch
*   Trying 2a00:4bc0:ffff:ffff::c296:f58e:80...
* TCP_NODELAY set
* Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 80 (#0)
> HEAD / HTTP/1.1
> Host: sbb.ch
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Sun, 20 Oct 2019 18:32:39 GMT
Date: Sun, 20 Oct 2019 18:32:39 GMT
< Server: Apache
Server: Apache
< Location: https://sbb.ch/
Location: https://sbb.ch/
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<
* Connection #0 to host sbb.ch left intact
-- Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
Works for me:

$ telnet sbb.ch https
Trying 2a00:4bc0:ffff:ffff::c296:f58e...
Connected to sbb.ch.

$ openssl s_client -connect sbb.ch:https
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
verify return:1
depth=0 jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch
verify return:1
---
Certificate chain
 0 s:jurisdictionC = CH, jurisdictionST = Bern, serialNumber = CHE-102.909.703, businessCategory = Private Organization, C = CH, ST = Bern, L = Bern, O = Schweizerische Bundesbahnen SBB, OU = IT, CN = www.sbb.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign EV Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
Kind regards
-Benoît Panizzon-
SBB is a test case for proper MTU. Check your MTU ;)
----- Original message ----- From: "Benoit Panizzon" benoit.panizzon@imp.ch To: "swinog" swinog@lists.swinog.ch Sent: Monday, 21 October 2019 07:40:15 Subject: Re: [swinog] SBB partially reachable via IPv6
Hello everybody
We are still having issues with the MTU detection. At the moment we are translating on our Internet router, and the internal load balancers are unaware of it, or unable to talk back to the web server, if the MTU is smaller than usual. This usually happens with tunnel brokers or some (self-built) firewalls/routers.
Hopefully we will bring IPv6 deeper into our network by Q2/2020 and fix that nasty issue with it.
Could Nico try to look into his MTU and perhaps share its hardware specs?
I am connecting with EdgeRouter Pro and through INIT7/Fiber7.
:~$ curl -6 -l -v https://sbb.ch
* Rebuilt URL to: https://sbb.ch/
*   Trying 2a00:4bc0:ffff:ffff::c296:f58e...
* TCP_NODELAY set
* Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: jurisdictionC=CH; jurisdictionST=Bern; serialNumber=CHE-102.909.703; businessCategory=Private Organization; C=CH; ST=Bern; L=Bern; O=Schweizerische Bundesbahnen SBB; OU=IT; CN=www.sbb.ch
*  start date: Jul 25 14:52:45 2019 GMT
*  expire date: Jul 25 14:52:45 2021 GMT
*  subjectAltName: host "sbb.ch" matched cert's "sbb.ch"
*  issuer: C=CH; O=SwissSign AG; CN=SwissSign EV Gold CA 2014 - G22
*  SSL certificate verify ok.
Regards, Urs
Urs Müller Schweizerische Bundesbahnen SBB Senior Architekt IT Operations Management - Service Design Lindenhofstrasse 1 - Worblaufen, 3000 Bern 65 urs.bf.mueller@sbb.ch / www.sbb.ch
-----Original message----- From: swinog-bounces@lists.swinog.ch swinog-bounces@lists.swinog.ch on behalf of Silvan M. Gebhardt Sent: Monday, 21 October 2019 09:59 To: Benoit Panizzon benoit.panizzon@imp.ch Cc: swinog swinog@lists.swinog.ch Subject: Re: [swinog] SBB partially reachable via IPv6
Hi All
What helped me with MTU issues in general is setting TCPMSS on all traffic... This can be done under Linux as follows:
ip6tables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip6tables -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Just my two cents
Matthias
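A small diagnostic that connects Urs's description (a server side that never learns the smaller MTU) with Matthias's clamping rules: it bisects the IPv6 path MTU towards a host and derives the TCP MSS that --clamp-mss-to-pmtu would write into the SYN (PMTU minus 60 bytes of IPv6 and TCP headers, so 1360 corresponds to a 1420-byte path and 1440 to 1500). This is an added example, not code posted by anyone in the thread; it assumes Linux iputils ping with -6, -M do and -s, a target that answers ICMPv6 echo, and that the client's outbound path reflects the path whose MTU is at issue.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux iputils ping
# (-6, -M do, -s) and a host that answers ICMPv6 echo requests.
IPV6_HDR=40   # fixed IPv6 header
TCP_HDR=20    # TCP header without options
ICMP6_HDR=8   # ICMPv6 echo header

# TCP MSS that fits one packet of the given IPv6 MTU; this is what
# "-j TCPMSS --clamp-mss-to-pmtu" writes into the SYN (PMTU - 60).
mss_for_mtu() {
    echo $(( $1 - IPV6_HDR - TCP_HDR ))
}

# Send one echo request of total size $2 bytes to $1 with fragmentation
# disabled. Succeeds only if the reply comes back; a local "message too
# long" (EMSGSIZE) or a silent drop both count as failure.
probe() {
    ping -6 -c 1 -W 2 -M do -s $(( $2 - IPV6_HDR - ICMP6_HDR )) "$1" >/dev/null 2>&1
}

# Largest packet size in [lo, hi] that probe accepts, found by bisection.
# lo defaults to 1280, the IPv6 minimum MTU that every link must carry.
find_pmtu() {
    host=$1; lo=${2:-1280}; hi=${3:-1500}
    if probe "$host" "$hi"; then echo "$hi"; return 0; fi
    while [ $(( hi - lo )) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Summarise the result and the MSS a client-side OUTPUT rule should set:
# the MSS in the client's own SYN caps the size of the segments the server
# sends back, so a server that never receives ICMPv6 Packet Too Big is
# worked around without its cooperation.
report() {
    pmtu=$(find_pmtu "$1")
    echo "path MTU towards $1: $pmtu bytes, clamp IPv6 TCP MSS to $(mss_for_mtu "$pmtu")"
    if [ "$pmtu" -lt 1500 ]; then
        echo "below 1500: a full-size TLS ServerHello/certificate flight can be dropped"
    fi
}

# Runs only when explicitly asked, e.g.: PMTU_CHECK=1 sh pmtu-check.sh sbb.ch
if [ "${PMTU_CHECK:-0}" = 1 ]; then report "${1:-sbb.ch}"; fi
```

A path MTU below 1500 explains the thread's symptom pattern exactly: the small HTTP 301 fits in one packet and gets through, while the larger TLS handshake flight from the server does not.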
On 21/10/2019 11:21, Müller Urs (IT-OM-SDP-SDN) wrote:
Good late morning,
All fixed by now - I was notified that ipv6/https was unreachable due to maintenance at SBB last night.
curl -6 -I -v https://sbb.ch as well as a real browser now work again.
Thanks everyone for the fast response!
Sunny greetings from Glarus,
Nico
p.s.: MTU on my test boxes was 9000 and 1500, both had the same issue yesterday.
Müller Urs (IT-OM-SDP-SDN) urs.bf.mueller@sbb.ch writes: