On Sun, Jun 30, 2019 at 3:42 PM Ulrike Uhlig wrote:

> Do you know why this is happening and what to do about it?
> It seems to me that the machine on which DMD runs is hosted at a US
> university [2]. Do you think it might be due to that? And if so, how can
> this be mitigated? Can this service run on a non-filtered network?

I did some experimentation on ullman (you have access too btw). I used
tcptraceroute, wget, curl --resolve and openssl s_client -servername.

The keyringer.pw issue is "No route to host" and occurs in every
network I tried it from.

The 0xacab.org site works from ullman, other UBC hosts and other
networks, perhaps that was a temporary issue.

The torproject.org issue happens over IPv4 and IPv6.

The issue happens on other hosts at UBC too (buxtehude for eg).

The issue occurs with https but not with http.

The issue doesn't occur if I connect to torproject.org servers but fake
TLS SNI as google.com, microsoft.com, apple.com or nytimes.com, but
does if I use debian.org or torproject.org or slashdot.org or random
domains.

The issue doesn't occur if I connect to the Debian website servers, but
does if I use a TLS SNI of torproject.org and doesn't with slashdot.org
or random domains.

The issue doesn't occur if I connect to the Google website servers,
even if I use a TLS SNI of torproject.org.

So it seems there is some sort of list of IPs and SNIs that are allowed
and blocked.

I'd suggest you confirm this diagnosis and file a ticket with DSA about
this issue containing the details and we will forward the issue to our
contacts at UBC.

https://wiki.debian.org/rt.debian.org

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
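
The diagnosis in the message above rests on varying the destination and the TLS SNI independently and comparing outcomes. As an added example (not part of the original message, and not the commands that were run), probe() performs such a handshake with Python's ssl module, and classify() and depends_on_both() reduce a result matrix. REPORTED is constructed from the outcomes the message describes, with descriptive labels instead of hostnames, and all names here are assumptions.

```python
import socket
import ssl

def probe(connect_host, sni, port=443, timeout=10):
    """Handshake with connect_host while presenting `sni`; 'ok' or the exception name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the certificate will not match a mismatched SNI
    ctx.verify_mode = ssl.CERT_NONE  # only handshake completion is being measured
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return "ok"
    except OSError as exc:           # resets, timeouts, no route, TLS alerts
        return type(exc).__name__

# Constructed matrix: outcomes as reported in the message, keyed by
# (servers connected to, SNI presented). Labels are descriptive, not hostnames.
REPORTED = {
    ("torproject", "google.com"): "ok",
    ("torproject", "nytimes.com"): "ok",
    ("torproject", "debian.org"): "failed",
    ("torproject", "torproject.org"): "failed",
    ("debian", "torproject.org"): "failed",
    ("debian", "slashdot.org"): "ok",
    ("google", "torproject.org"): "ok",
}

def classify(results):
    """Group SNIs per server into those that passed and those that failed."""
    table = {}
    for (server, sni), outcome in sorted(results.items()):
        bucket = table.setdefault(server, {"passed": [], "failed": []})
        bucket["passed" if outcome == "ok" else "failed"].append(sni)
    return table

def depends_on_both(results):
    """True when neither the SNI alone nor the destination alone predicts the outcome."""
    by_sni, by_server = {}, {}
    for (server, sni), outcome in results.items():
        by_sni.setdefault(sni, set()).add(outcome == "ok")
        by_server.setdefault(server, set()).add(outcome == "ok")
    mixed = lambda groups: any(len(seen) == 2 for seen in groups.values())
    return mixed(by_sni) and mixed(by_server)

if __name__ == "__main__":
    print(classify(REPORTED), depends_on_both(REPORTED))
```

A handshake failure can also come from the server itself rejecting an unknown SNI, so run the same matrix from a second network as a control before attributing a failure to filtering.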