Hi Michael--

Thanks for your followup! More below…

On Wed 2023-01-25 18:30:59 +0100, Michel Stam wrote:
> I think this may be because the measurement code doesn’t support TLS 1.3 yet, and vercel.com does. It’s a known issue, we’d like to add TLS 1.3 at some point.

Hm, i don't think that's the full story, because the same probe actually succeeds for sites that also support TLS 1.3 (e.g. https://www.aclu.org/). And, when i try to connect to it from a client that has TLS 1.3 deliberately disabled (e.g. "gnutls-cli -priority NORMAL:-VERS-TLS1.3 vercel.com") i still have no problem connecting.

Digging into it a bit further, it looks to me like Vercel servers send an alert if we do not emit the ec_point_format TLS extension. This is probably a bug on Vercel's side, but it shouldn't block the Atlas' ability to harvest certificates from it.

> You can find the relevant code here: https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/blob/7c03fba082e93...

Thanks for this pointer! I've provided a (mainly untested) pull request with a pretty simple patch that should hopefully fix the issue:

https://github.com/RIPE-NCC/ripe-atlas-probe-measurements/pull/15

If anyone on this list has the ability to test this patch and follow up on that issue, i'd appreciate any review.

Regards,

--dkg
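
An offline check for whether a ClientHello carries the extension discussed in this message, as an added example (not code from this thread, the pull request, or the RIPE Atlas code base). It assumes the extension meant is the one registered as ec_point_formats (type 11, RFC 8422); the function names and the two sample ClientHello records are constructed for illustration, not captured from a probe.

```python
EC_POINT_FORMATS = 11  # assumed: the IANA "ec_point_formats" extension type (RFC 8422)

def _vector(buf, pos, len_bytes):
    """Read a length-prefixed vector at pos; return (data, next_pos)."""
    start = pos + len_bytes
    if start > len(buf):
        raise ValueError("truncated length field")
    end = start + int.from_bytes(buf[pos:start], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[start:end], end

def client_hello_extensions(record):
    """Map extension type -> extension data for one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body, _ = _vector(record, 6, 3)          # handshake body after its 3-byte length
    pos = 2 + 32                             # skip client_version and random
    for len_bytes in (1, 2, 1):              # session_id, cipher_suites, compression_methods
        _, pos = _vector(body, pos, len_bytes)
    found = {}
    if pos == len(body):                     # extensions block is optional before TLS 1.3
        return found
    exts, _ = _vector(body, pos, 2)
    pos = 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vector(exts, pos + 2, 2)  # raises if the entry is cut short
        found[ext_type] = data
    return found

def has_ec_point_formats(record):
    return EC_POINT_FORMATS in client_hello_extensions(record)

def build_client_hello(extensions):
    """Constructed TLS 1.2 ClientHello for the demo (not a capture from a probe)."""
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, zero random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one ECDHE suite, null compression
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

GROUPS = (10, b"\x00\x02\x00\x17")           # supported_groups: secp256r1
POINT_FORMATS = (11, b"\x01\x00")            # ec_point_formats: uncompressed only
WITHOUT = build_client_hello([GROUPS])       # constructed: extension absent
WITH = build_client_hello([GROUPS, POINT_FORMATS])  # constructed: extension present

if __name__ == "__main__":
    print("without:", has_ec_point_formats(WITHOUT), "with:", has_ec_point_formats(WITH))
```

Feeding it the first TLS record a client sends (for instance the bytes exported from a packet capture) shows whether that client emits the extension at all.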