On 09/19/18 09:02, Tim Jones wrote:
Hi,
I'm wracking my brains here. I have just replaced <old commercial firewall>
with one based on OpenBSD 6.3 PF. Nothing else has changed on the network, just the
firewall.
Lots of "stuff" that used to work (e.g. various nightly pushes of data to "the
cloud") have suddenly stopped working after the new firewall was put in place.
It seems to be down to some sort of weird handling of SSL by PF? I can't see
why it should be OpenBSD, and yet I also can't see why it cannot be OpenBSD,
given nothing else has changed.
The reason I say this is because of what I see if I take troubleshooting down
to its most basic level:
This:
wget -O bp_linux.tar.gz https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Fails with:
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
And yet this (ironically!):
wget https://cdn.openbsd.org/pub/OpenBSD/6.3/amd64/install63.iso
Works fine.
Similarly, this:
openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
Returns:
no peer certificate available
No client certificate CA names sent
And yet this:
openssl s_client -connect google.com:443 -servername google.com
Shows SSL certs OK!
My PF is simple as follows (there is no NAT here, it's fully routable):
match in all scrub (no-df random-id)
block drop
set block-policy drop
set syncookies always
pass from <my_admin_net> to any flags S/SA modulate state (pflow)
DNS and everything else is working fine.
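An added diagnostic, not from this thread and not OpenBSD, OpenSSL or wget project code: OpenSSL reports "SSL23_GET_SERVER_HELLO:unknown protocol" when the first bytes read back after the ClientHello are not a TLS record at all, so the quickest way to tell "the firewall dropped it" from "something answered in the origin's place" is to send a real ClientHello over a plain socket and look at the raw reply. The script below builds the ClientHello with Python's ssl module (assumed available; hostnames in the main block are the ones from the post; the labels and the sample byte strings in the test are constructed, not captured from any real server).

```python
"""Classify what comes back from a TCP port right after a TLS ClientHello.

OpenSSL's "SSL23_GET_SERVER_HELLO:unknown protocol" is raised when the first
bytes the client reads back are not a TLS record, so a probe that shows those
raw bytes tells you whether the origin answered, whether an intermediate
device answered instead (e.g. a plaintext HTTP error page), or whether
nothing answered at all (a drop or reset, which is what a firewall does).
"""
import socket
import ssl
from typing import Optional, Tuple

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_RECORD_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def classify_server_reply(data: bytes) -> str:
    """Return a short label describing the first bytes sent by the server."""
    if not data:
        # Peer closed (or the read timed out) before sending anything:
        # typically a drop/reset on the path, not a TLS-level problem.
        return "empty"
    looks_like_tls = (
        len(data) >= 5
        and data[0] in TLS_RECORD_TYPES
        and data[1] == 3      # record-layer major version for SSLv3/TLS 1.x
        and data[2] <= 4
    )
    if looks_like_tls:
        if data[0] == 22 and len(data) >= 6 and data[5] == 2:
            return "tls_server_hello"          # handshake type 2 = ServerHello
        if data[0] == 21:
            return "tls_alert"                 # e.g. handshake_failure
        return "tls_record:" + TLS_RECORD_TYPES[data[0]]
    # Not a TLS record: this is the case OpenSSL reports as "unknown
    # protocol". Name the common plaintext offenders explicitly.
    if data.startswith(b"HTTP/"):
        return "http_plaintext"                # a proxy/filter answered us
    if data.startswith(b"SSH-"):
        return "ssh_banner"
    return "unknown_protocol"


def build_client_hello(sni: str) -> bytes:
    """Produce the raw ClientHello bytes the local TLS library would send.

    Uses ssl.MemoryBIO, so no network is involved: the handshake is driven
    just far enough to emit the client's first flight.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, library now wants the reply
    return outgoing.read()


def probe(host: str, port: int = 443, sni: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[str, bytes]:
    """Send a real ClientHello to host:port and classify the raw reply.

    Returns (label, first 16 reply bytes). Needs network access.
    """
    hello = build_client_hello(sni or host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_server_reply(reply), reply[:16]


if __name__ == "__main__":
    # The failing host and the working host from the post.
    for target in ("github-production-release-asset-2e65be.s3.amazonaws.com",
                   "google.com"):
        try:
            label, head = probe(target)
        except OSError as exc:
            label, head = "connect_error", repr(exc).encode()
        print(f"{target}: {label} {head!r}")
```

Run it from the machine behind the firewall and then from the firewall itself. "http_plaintext" or "unknown_protocol" with non-empty bytes means some device on the path is answering port 443 in the origin's place, which a stateful filter that only drops packets cannot produce; "empty" or a connect error points back at the ruleset, and is worth checking against tcpdump on pflog0.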
(Not an expert, just suggesting some things that might provoke
inspiration. Hopefully. But probably stuff already tried/eliminated.)
Are you sure it's pf? If you disable pf (if that's an option here) -
any difference?
If you take the rules out and then introduce them one-by-one - is there
one that seems to break things?
What do the pf logs show?
Are you trying the commands on the firewall or an (OpenBSD?) machine
behind the firewall?
[OpenBSD machine]---[OpenBSD firewall]---[the internet]
(Anything to do with LibreSSL versus OpenSSL?)
If you try those commands on another OpenBSD machine at a different
location, do they work?
They work here (on a snapshot), so that does suggest they should work in
general, so yes, maybe the ruleset or pf.
I've not got wget installed, but can achieve the same request with ftp, e.g.:
$ ftp https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Trying 192.30.255.112...
Requesting
https://github.com/Azure/blobporter/releases/download/v0.6.15/bp_linux.tar.gz
Redirected to
https://github-production-release-asset-2e65be.s3.amazonaws.com/74929278/e5e4422c-58f2-11e8-9582-3447e8bc9081?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180919%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180919T043531Z&X-Amz-Expires=300&X-Amz-Signature=d99e4c16a020810445620a2dc532f53e192ea382bff9785059d2f886981defb7&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dbp_linux.tar.gz&response-content-type=application%2Foctet-stream
Trying 54.231.81.40...
Requesting
https://github-production-release-asset-2e65be.s3.amazonaws.com/74929278/e5e4422c-58f2-11e8-9582-3...
What do you get if you try ftp instead of wget?
$ openssl s_client -connect github-production-release-asset-2e65be.s3.amazonaws.com:443 -servername github-production-release-asset-2e65be.s3.amazonaws.com
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
...