Re: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

Mon, 09 May 2022 04:53:33 -0700 

> Hello--sorry it took so long to respond. And I apologize for the length of 
> this email.
> 
> Yes, the curl command returns an xml file.  I included an excerpt from the 
> output:
> 
> "About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
> *   Trying 13.32.153.64...
> * Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate:
> *       subject: CN=download.copr.fedorainfracloud.org
> *       start date: Nov 30 00:00:00 2021 GMT
> *       expire date: May 11 19:03:32 2022 GMT
> *       common name: download.copr.fedorainfracloud.org
> *       issuer: CN=DoD WCF Signing CA 2,OU=WCF PKI,OU=DoD,O=U.S. 
> Government,C=US

This really looks like on-path TLS interception to me - note the
certificate issuer in your output.  This is certainly not the TLS
certificate I see for 13.32.153.64 from my vantage point (also note the
different cipher suite chosen, despite the same, stock RHEL 7 curl
version being used):

    * About to connect() to download.copr.fedorainfracloud.org port 443 (#0)
    *   Trying 13.32.153.64...
    * Connected to download.copr.fedorainfracloud.org (13.32.153.64) port 443 
(#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * skipping SSL peer certificate verification
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *   subject: CN=download.copr.fedorainfracloud.org
    *   start date: Nov 30 00:00:00 2021 GMT
    *   expire date: Dec 28 23:59:59 2022 GMT
    *   common name: download.copr.fedorainfracloud.org
    *   issuer: CN=Amazon,OU=Server CA 1B,O=Amazon,C=US

Given this, I am pretty certain that whatever transparent proxy
intercepts the HTTPS requests which yum sends from your host does not
like *something* about them and returns HTTP 503 Service Unavailable
errors.  I am afraid you will have to figure out what that "something"
is yourself, though, because it looks like an environment-specific issue
to me at this point and not a problem with Copr itself.

Good luck!

-- 
Best regards,
Michał Kępień
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to