Closed marijn-naturalis closed 9 months ago
Looks like some TLS protocol version mismatch for some reason.
% openssl s_client -connect api.biodiversitydata.nl:443
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.biodiversitydata.nl
verify return:1
---
Certificate chain
 0 s:CN = api.biodiversitydata.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 10 07:28:51 2023 GMT; NotAfter: Jan 8 07:28:50 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = api.biodiversitydata.nl
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5025 bytes and written 389 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: EAB5713BD7908CDC2DFCBE4F47178EDACA42EBE0261F8DD3D95B3AFD2E889397
Session-ID-ctx:
Resumption PSK: EFAA09BB37221E0292B28CA87115301CA292B571B0211BD91A8404941999FF20
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
0000 - a0 63 54 01 6d 61 89 09-69 1c e2 73 42 aa a6 8e .cT.ma..i..sB...
0010 - 9e ae 50 7c 2a 8c bd cb-b3 f3 95 b5 37 98 61 ef ..P|*.......7.a.
0020 - da b5 60 39 3f cf 32 c3-ee 0a 8c 97 40 b6 d0 98 ..`9?.2.....@...
0030 - 6a 79 db 1a c8 ed b2 1a-f6 84 ed 96 32 15 6c 3a jy..........2.l:
0040 - 2c 02 cf 23 a5 cc 5f 98-b1 da d0 94 de a6 95 0e ,..#.._.........
0050 - d3 17 b9 58 62 98 f5 0a-8c 3e b3 d7 00 30 d0 88 ...Xb....>...0..
0060 - 04 bd 87 2c 5a b7 ea 0f-31 e4 70 3e e2 0e 33 b6 ...,Z...1.p>..3.
0070 - 46 F
Start Time: 1696928346
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
Looks like TLSv1.3 is expected
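The transcript above is what a client operator reads to confirm the server side is healthy (TLSv1.3 negotiated, chain verified, leaf certificate in date) before blaming the certificate. The following is an added example, not ChecklistBank or Dropwizard code: a small Python parser for `openssl s_client` output that pulls out the negotiated protocol, cipher, verify result and leaf validity, then reports the mismatch this thread is about, namely a client whose allowed protocol list does not include the version the server negotiates. The two transcripts embedded in it are constructed samples (an abbreviated copy of the output quoted above, and a made-up failed handshake in the shape openssl prints when nothing is agreed); the client protocol lists passed to `assess` are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an abbreviated copy of the `openssl s_client` transcript
# quoted in the thread (certificate body and session ticket dump left out).
SAMPLE_OK = """\
CONNECTED(00000005)
depth=0 CN = api.biodiversitydata.nl
verify return:1
---
Certificate chain
 0 s:CN = api.biodiversitydata.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 10 07:28:51 2023 GMT; NotAfter: Jan  8 07:28:50 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Verify return code: 0 (ok)
"""

# Constructed sample of a handshake that never completed: the shape openssl
# prints when no protocol version / cipher suite could be agreed.
SAMPLE_FAILED = """\
CONNECTED(00000005)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

_NEW_RE = re.compile(r"^New, (\S+), Cipher is (\S+)$")
_VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")
_SUBJECT_RE = re.compile(r"^(\d+) s:(.*)$")
_VALIDITY_RE = re.compile(r"^v:NotBefore: (.*); NotAfter: (.*)$")


def _parse_openssl_date(text):
    """Turn 'Jan  8 07:28:50 2024 GMT' into an aware UTC datetime."""
    cleaned = " ".join(text.replace("GMT", "").split())
    return datetime.strptime(cleaned, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_s_client(transcript):
    """Extract negotiated protocol, cipher, verify result and leaf validity."""
    result = {"protocol": None, "cipher": None, "verify_code": None,
              "verify_msg": None, "leaf_subject": None,
              "leaf_not_before": None, "leaf_not_after": None}
    depth = None
    for raw in transcript.splitlines():
        line = " ".join(raw.split())  # collapse openssl's alignment whitespace
        m = _NEW_RE.match(line)
        if m:
            proto, cipher = m.groups()
            # '(NONE)' means nothing was agreed: record None, not the literal string
            result["protocol"] = None if proto == "(NONE)" else proto
            result["cipher"] = None if cipher == "(NONE)" else cipher
            continue
        m = _VERIFY_RE.match(line)
        if m:
            result["verify_code"] = int(m.group(1))
            result["verify_msg"] = m.group(2)
            continue
        m = _SUBJECT_RE.match(line)
        if m:
            depth = int(m.group(1))  # chain position of the lines that follow
            if depth == 0:
                result["leaf_subject"] = m.group(2)
            continue
        m = _VALIDITY_RE.match(line)
        if m and depth == 0:
            result["leaf_not_before"] = _parse_openssl_date(m.group(1))
            result["leaf_not_after"] = _parse_openssl_date(m.group(2))
    return result


def assess(summary, now, client_protocols, expiry_warn_days=14):
    """Return findings a client operator would act on; an empty list means clean."""
    findings = []
    proto = summary["protocol"]
    if proto is None:
        findings.append("handshake did not complete: no protocol/cipher negotiated")
    elif proto not in client_protocols:
        findings.append(f"server negotiated {proto} but the client only offers "
                        f"{', '.join(client_protocols)}; enable {proto} on the client")
    if summary["verify_code"] not in (None, 0):
        findings.append(f"chain verification failed: {summary['verify_code']} "
                        f"({summary['verify_msg']})")
    not_after = summary["leaf_not_after"]
    if not_after is not None:
        days_left = (not_after - now).days
        if days_left < 0:
            findings.append(f"leaf certificate expired {-days_left} days ago")
        elif days_left < expiry_warn_days:
            findings.append(f"leaf certificate expires in {days_left} days")
    return findings


if __name__ == "__main__":
    ok = parse_s_client(SAMPLE_OK)
    now = datetime.now(timezone.utc)
    # A client pinned to TLSv1.2 only (assumed configuration) against this server:
    print(assess(ok, now, ("TLSv1.2",)))
    print(assess(parse_s_client(SAMPLE_FAILED), now, ("TLSv1.2", "TLSv1.3")))
```

Feeding it the real transcript (`openssl s_client -connect host:443 </dev/null | python3 this.py` style plumbing is left to the reader) separates the three cases that look alike from the importer's side: the server refusing the client's versions, the chain failing verification, and the certificate simply having expired.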
I think I found the problem. Dropwizard defaults to TLSv1.2 when you apply some SSL configs like allowing self-signed certificates, which we want to do. That default causes v1.3 not to work. I have removed it in code now, a bit hacky, but impossible to fix with configs only.
It is working on dev now, prod deployment coming soon.
imports succeeded on dev: https://www.dev.checklistbank.org/dataset/2014/about
I see that import has now also succeeded on production. Thanks for addressing this issue so quickly!
The dataset page of Dutch Species Register mentions an error:
The error suggests an SSL certificate issue, but the certificate we (at Naturalis Biodiversity Center) use is valid and in order. It can be checked at https://www.ssllabs.com/ssltest/analyze.html?d=api.biodiversitydata.nl.
So we presume this error is caused by a bug in ChecklistBank.