Thursday, June 7, 2012

Alice/O2 DSL and SSL

So, recently I wrote about how I had trouble connecting to google.com over HTTPS using my home DSL connection. I have narrowed the problem down and I must say that ppp is innocent.

I have tried to use the crappy router in router mode and even the fancy Fritz!Box7390 from my old VDSL connection both in modem and router mode and the problem persists. I have tried the original phone cable (you never know, right?) and any other thing imaginable: still fails to connect to google. But it's not alone! Trying amazon.com also fails from time to time! It still doesn't happen from my neighbor's connection or from my own connection for other servers (I tried, among others, facebook.com, deutsche-bank.de, visa.com, paypal.com, dkb.de).

* About to connect() to amazon.de port 443 (#0)
*   Trying 178.236.6.38...
* connected
* Connected to amazon.de (178.236.6.38) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

* About to connect() to amazon.com port 443 (#0)
*   Trying 72.21.211.176...
* connected
* Connected to amazon.com (72.21.211.176) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

* About to connect() to amazon.com port 443 (#0)
*   Trying 72.21.211.176...
* connected
* Connected to amazon.com (72.21.211.176) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*        subject: C=US; ST=Washington; L=Seattle; O=Amazon.com Inc.; CN=www.amazon.com
*        start date: 2010-07-15 00:00:00 GMT
*        expire date: 2013-07-14 23:59:59 GMT
*        common name: www.amazon.com (does not match 'amazon.com')
*        issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)09; CN=VeriSign Class 3 Secure Server CA - G2
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: amazon.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0


* About to connect() to google.de port 443 (#0)
*   Trying 173.194.69.94...
* connected
* Connected to google.de (173.194.69.94) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to google.de:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to google.de:443

* About to connect() to google.de port 443 (#0)
*   Trying 173.194.69.94...
* connected
* Connected to google.de (173.194.69.94) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
curl: (35) error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error

* About to connect() to google.com port 443 (#0)
*   Trying 173.194.69.113...
* connected
* Connected to google.com (173.194.69.113) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
* Closing connection #0
curl: (35) error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

So here is my new theory about who's the bad guy:
- Google, Amazon: nope, work for the rest of the world.
- PPP: no, tried without it and still fails.
- Crappy router: nope, also happens with fancy router.
- Alice ADSL: the only difference between my connection and the neighbor's connection is the access router to Alice's network. That MUST be it!
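Every failing trace above stops at the same step: the client has sent ChangeCipherSpec and its Finished message, and the server answers with a fatal alert instead of its own ChangeCipherSpec. The following Python script is an added example (it is not part of the original post) that parses curl -v logs of this format, names the last message before each alert, and attaches the meaning of the two OpenSSL alert strings from the TLS alert definitions in RFC 5246 section 7.2.2. The trace text embedded in it is a constructed, trimmed copy of the output shown above; the function and class names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: trimmed copies of the "curl -v https://host" traces
# shown in the post (old curl/OpenSSL message format).
SAMPLE_TRACES = """\
* Connected to amazon.de (178.236.6.38) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
* Closing connection #0
* Connected to amazon.com (72.21.211.176) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection #0
* Connected to google.com (173.194.69.113) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
* Closing connection #0
"""

# TLS alert numbers (RFC 5246 section 7.2.2) behind the two OpenSSL error strings,
# and what OpenSSL's choice of alert says about where the check failed.
ALERT_MEANING = {
    "decrypt error": (51, "the record decrypted and its MAC verified, but the Finished "
                          "verify_data did not match: same keys on both sides, but they "
                          "hashed different handshake bytes"),
    "bad record mac": (20, "the MAC check on the first encrypted record failed: the two "
                           "sides derived different keys, or the record was altered in transit"),
}

CONNECTED = re.compile(r"^\* Connected to (\S+) \(([\d.]+)\) port \d+")
TLS_MSG = re.compile(r"^\* SSLv3, TLS (handshake|change cipher|alert), (.+?) \((\d+)\):")
ALERT_ERR = re.compile(r"^\* error:[0-9A-F]+:.*alert (.+)$")


@dataclass
class Connection:
    host: str
    ip: str
    messages: List[str] = field(default_factory=list)  # TLS messages in the order curl printed them
    outcome: str = "unknown"
    alert: Optional[str] = None


def parse_curl_traces(text: str) -> List[Connection]:
    """Split a curl -v log into connections and record the TLS messages each one saw."""
    conns, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CONNECTED.match(line)
        if m:
            cur = Connection(host=m.group(1), ip=m.group(2))
            conns.append(cur)
            continue
        if cur is None:
            continue
        m = TLS_MSG.match(line)
        if m:
            kind, name, num = m.groups()
            if kind == "handshake":
                cur.messages.append(name)
            elif kind == "change cipher":
                # curl runs the single ChangeCipherSpec byte (1) through its handshake-type
                # name table, which is why the record is printed as "Client hello (1)".
                cur.messages.append("ChangeCipherSpec")
            else:
                # For alert records the number is the alert level: 1 = warning, 2 = fatal.
                cur.messages.append("Alert(fatal)" if num == "2" else "Alert(warning)")
            continue
        m = ALERT_ERR.match(line)
        if m:
            cur.outcome, cur.alert = "alert", m.group(1)
        elif line.startswith("* SSL connection using"):
            cur.outcome = "established"
        elif line.startswith("* Unknown SSL protocol error"):
            cur.outcome = "closed without alert"
    return conns


def failure_point(conn: Connection) -> Optional[str]:
    """Last TLS message exchanged before the fatal alert, or None if there was no alert."""
    if conn.outcome != "alert":
        return None
    before_alert = [m for m in conn.messages if not m.startswith("Alert")]
    return before_alert[-1] if before_alert else None


def first_encrypted_record_failed(conn: Connection) -> bool:
    """True when the handshake died right after the client's ChangeCipherSpec + Finished,
    i.e. the very first record protected with the negotiated keys was rejected."""
    msgs = [m for m in conn.messages if not m.startswith("Alert")]
    return conn.outcome == "alert" and msgs[-2:] == ["ChangeCipherSpec", "Finished"]


def summarize(conns: List[Connection]) -> Counter:
    """Count (failure point, alert) pairs; one dominant pair points at a systematic
    problem at a single handshake step rather than at random packet loss."""
    return Counter((failure_point(c), c.alert) for c in conns if c.outcome == "alert")


def explain(alert: str) -> str:
    code, meaning = ALERT_MEANING.get(alert, (None, "not mapped"))
    return f"{alert} (TLS alert {code}): {meaning}"


if __name__ == "__main__":
    conns = parse_curl_traces(SAMPLE_TRACES)
    for c in conns:
        detail = explain(c.alert) if c.alert else ""
        print(f"{c.host:12} {c.outcome:22} after {failure_point(c)}: {detail}")
    print(dict(summarize(conns)))
```

Run against the sample, both failures land on the same pair (Finished, alert), which is the step where the server first has to use the keys derived from the Client key exchange. The alert OpenSSL picks is a useful discriminator: bad record mac means the server could not even verify the record (different keys or a damaged record), while decrypt error means the keys matched and only the handshake hash disagreed, so some handshake message reached one side in a form the other side never sent.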

From my connection:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  alice.box (192.168.1.1)  2.437 ms  2.381 ms  17.397 ms
 2  lo1.br12.muc.de.hansenet.net (213.191.64.41)  26.054 ms gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  22.261 ms  26.177 ms
 3  inxs.google.com (194.59.190.61)  30.079 ms  30.047 ms  28.297 ms
 4  66.249.94.88 (66.249.94.88)  51.782 ms  34.389 ms  31.082 ms
 5  216.239.48.125 (216.239.48.125)  29.833 ms 216.239.48.117 (216.239.48.117)  32.006 ms 216.239.48.125 (216.239.48.125)  29.545 ms
 6  209.85.254.116 (209.85.254.116)  53.968 ms  30.843 ms 209.85.254.112 (209.85.254.112)  32.079 ms
 7  * * *
 8  google-public-dns-a.google.com (8.8.8.8)  32.152 ms  32.125 ms  30.507 ms

PING 213.191.88.88 (213.191.88.88) 56(124) bytes of data.
64 bytes from 213.191.88.88: icmp_req=2 ttl=253 time=27.9 ms
NOP
RR:     192.168.1.4
        213.191.88.74
        213.191.88.88
        213.191.88.88
        213.191.64.41
        192.168.1.4


From neighbor's connection:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  172.24.128.1 (172.24.128.1)  2.520 ms  2.459 ms  2.429 ms
 2  172.24.0.1 (172.24.0.1)  2.428 ms  2.453 ms  2.414 ms
 3  192.168.1.1 (192.168.1.1)  5.133 ms  5.205 ms  4.880 ms
 4  lo1.br02.muc.de.hansenet.net (213.191.89.9)  28.328 ms  28.179 ms  28.098 ms
 5  gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  27.318 ms  27.837 ms  26.953 ms
 6  inxs.google.com (194.59.190.61)  136.017 ms  39.291 ms  39.645 ms
 7  66.249.94.86 (66.249.94.86)  38.188 ms  39.087 ms  38.489 ms
 8  216.239.48.125 (216.239.48.125)  43.581 ms  42.874 ms 216.239.48.117 (216.239.48.117)  46.876 ms
 9  209.85.254.116 (209.85.254.116)  44.041 ms  45.064 ms  44.261 ms
10  * * *
11  google-public-dns-a.google.com (8.8.8.8)  42.816 ms  46.818 ms  46.312 ms

PING 213.191.88.88 (213.191.88.88) 56(124) bytes of data.
64 bytes from 213.191.88.88: icmp_req=1 ttl=251 time=36.1 ms
NOP
RR:     172.24.128.2
        172.24.0.4
        192.168.1.254
        85.181.69.47
        213.191.88.70
        213.191.88.88
        213.191.88.88
        213.191.89.9
        192.168.1.1


The whole thing about 213.191.64.41 disappearing from the 2nd traceroute hop after the first packet is quite weird, BTW. With an ICMP traceroute it does not happen:

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 52 byte packets
 1  alice.box (192.168.1.1)  3.759 ms  2.364 ms  2.359 ms
 2  lo1.br12.muc.de.hansenet.net (213.191.64.41)  27.701 ms  157.436 ms  27.542 ms
 3  gi2-0-0.pr02.muc.de.hansenet.net (213.191.88.88)  23.166 ms  23.293 ms  22.792 ms
 4  inxs.google.com (194.59.190.61)  30.130 ms  29.518 ms  29.570 ms
 5  66.249.94.86 (66.249.94.86)  44.804 ms  38.765 ms  30.947 ms
 6  216.239.48.117 (216.239.48.117)  32.570 ms  31.293 ms  30.783 ms
 7  209.85.254.118 (209.85.254.118)  31.931 ms  31.347 ms  31.427 ms
 8  * * *
 9  google-public-dns-a.google.com (8.8.8.8)  32.889 ms  31.240 ms  32.917 ms

All this drives me to the conclusion that:
- 213.191.64.41 is buggy as hell and Alice should be ashamed of having it there.
- 213.191.64.41 is doing some really creepy targeted SSL tampering / man-in-the-middle / hijacking / manipulation and Alice should be seriously ashamed of having it.


Any ideas about the problem? How to solve it other than with a VPN past 213.191.64.41?
