SSL handshake errors
834 views
Skip to first unread message
Voluum Traffic
Dec 1, 2023, 11:26:35 AM12/1/23
to Outbrain-AmplifyApi
Hi,
since 29.11.2023 ~1AM CET I've started receiving certificate validation errors when trying to send data to https://tr.outbrain.com endpoints (/pixel, /unifiedPixel). The errors suggest an expired certificate. I've checked the certificate for the domain (in browser) and it seems fine. I've run different tests on my side, but wasn't able to find the root cause. When trying to consistently reproduce the issue, it occurred to me that only some of the requests fail, while most of them pass. The certificate for the domain is fairly new, so I wonder - is it possible that not all instances of the service have been updated with the new certificate? And therefore some of them are still serving an outdated one? This would explain why the behavior is inconsistent. Can you please check it on your side?
Best regards,
Andrzej
operi
Dec 3, 2023, 9:07:41 AM12/3/23
to Outbrain-AmplifyApi
Hi,
We checked, but we don’t see anything abnormal on our side.
Does the issue still persist ?
We checked, but we don’t see anything abnormal on our side.
Does the issue still persist ?
What's your programming language and which ssl library and version do you use ?
Regards,
Omer
Voluum Traffic
Dec 4, 2023, 4:13:09 AM12/4/23
to Outbrain-AmplifyApi
Hi,
unfortunately the issue still persists. It occurs for roughly 5% of requests when trying to manually reproduce it. I'm using Java 17 and Apache HttpAsyncClient (https://hc.apache.org/httpcomponents-asyncclient-4.1.x/index.html). I was also able to reproduce the issue using curl:
> curl -v 'https://tr.outbrain.com/pixel'
* Trying 70.42.32.95:443...
* Connected to tr.outbrain.com (70.42.32.95) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
* Trying 70.42.32.95:443...
* Connected to tr.outbrain.com (70.42.32.95) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
tool version:
> curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
operi
Dec 4, 2023, 9:41:51 AM12/4/23
to Outbrain-AmplifyApi
Hi,
After additional check we found and solved an issue that might explain the error you got.
Can you please re-check and let us know if the issue is resolved ?
thanks,
Omer
Voluum Traffic
Dec 4, 2023, 12:16:11 PM12/4/23
to Outbrain-AmplifyApi
Hi,
since 3:10 PM CET, I see no error logs related to this issue. Many thanks!
Reply all
Reply to author
Forward
0 new messages