TeamPiped / Piped

An alternative privacy-friendly YouTube frontend which is efficient by design.
https://piped.video
GNU Affero General Public License v3.0

Apparent TLS irregularity on official instance API #1501

Closed raxod502 closed 2 years ago

raxod502 commented 2 years ago

Official Instance

Describe the bug

When I attempt to register an account on the official Piped instance at https://piped.kavin.rocks/register, I get an ERR_SSL_PROTOCOL_ERROR in Chrome:

[screenshot: Chrome ERR_SSL_PROTOCOL_ERROR page]

Presumably same issue though a different error (TLS protocol error breaks CORS) in Firefox:

[screenshot: Firefox console error]

To Reproduce

With curl:

% curl https://pipedapi.kavin.rocks
curl: (35) error:0A00010B:SSL routines::wrong version number

And with httpie, same result:

% http --version
2.6.0
% http https://pipedapi.kavin.rocks

http: error: SSLError: HTTPSConnectionPool(host='pipedapi.kavin.rocks', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)'))) while doing a GET request to URL: https://pipedapi.kavin.rocks/

Expected behavior

I would expect the curl and httpie commands to succeed, and Chrome and/or Firefox to be able to successfully make requests.

Logs/Errors

% curl --version
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.12
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
% curl -vvv https://pipedapi.kavin.rocks
*   Trying 2606:4700:3038::6815:eb9d:443...
* Connected to pipedapi.kavin.rocks (2606:4700:3038::6815:eb9d) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* (ffff) (IN), , Unknown (-1):
* error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) error:0A00010B:SSL routines::wrong version number

Browser, and OS with Version.

Chrome 105.0.5195.125 or Firefox 103.0 on Pop!_OS 22.04

Additional context

I do recognize that https://www.ssllabs.com/ssltest/analyze.html?d=pipedapi.kavin.rocks shows nothing out of the ordinary (albeit an SNI requirement, which should be satisfied by curl / my browsers), so I'm totally prepared to hear that this is an issue with my system configuration. However, I do observe the same behavior on both macOS and Linux, as well as curl, wget, httpie, Chrome, and Firefox, all latest versions, which makes me think it may be an issue on the server side.

FireMasterK commented 2 years ago

It sounds like you've got an active MITM, which might be intercepting connections. Can you try curl -v pipedapi.kavin.rocks (uses http)?

raxod502 commented 2 years ago

Holy shit, you're right. That never even occurred to me. Looks like I need to add "test from a VPS" to my network troubleshooting list. Sorry for bothering you here.

To other people who may be facing the same issue with getting MITM'd to www.safebrowse.io by their crappy Xfinity router, the solution is to go into settings and disable "Advanced Security" (yeah right, as if MITM improves security). Unfortunately, in an effort to make this as difficult as possible, Xfinity no longer lets you do this in the router, or even on the website. You have to download their mobile app and navigate through a gigantic cascade of popups and sub-menus to find the option, and they don't even tell you what it is you're disabling. Also, it "takes up to 10 minutes to take effect".

Further discussion here: https://forum.adguard.com/index.php?threads/comcast-xfinity-safebrowse-io-blocking-adguard.47297/

[screenshot: Xfinity app "Advanced Security" toggle]
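The "wrong version number" error in the curl and httpie output above means the bytes that came back on port 443 did not start with a TLS record header at all, which is exactly what an interception box serving a plaintext HTTP block page produces. The following script is an added example (not code from the Piped project or from either commenter) that makes that distinction explicit: it classifies the first bytes a peer sends on TCP/443 as a TLS record, a plaintext HTTP response, or nothing, and pulls out the redirect target if it is HTTP. The embedded sample bytes are constructed for the offline run, and the `interceptor.example` hostname in the sample redirect is a placeholder, not a value from the issue.

```python
"""Classify what answers on TCP/443: a TLS server or a plaintext HTTP interceptor.

Added example (not part of Piped). curl's "wrong version number" means the
reply did not look like a TLS record; this shows how to tell a real TLS reply
apart from a plaintext HTTP page served by a device intercepting HTTPS.
"""
import socket
import sys
from typing import Optional

# TLS record-layer content types (RFC 5246 / RFC 8446, section 5.1):
# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# legacy_record_version values seen on the wire: SSL 3.0 and TLS 1.0 .. 1.3
TLS_RECORD_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 4)}


def classify_port443_reply(data: bytes) -> str:
    """Classify the first bytes read back from port 443.

    Returns one of:
      "tls"            - a well-formed TLS record header (what a TLS server sends)
      "plaintext-http" - an HTTP/1.x status line, i.e. no TLS at all
      "empty"          - the peer closed without sending anything
      "unknown"        - neither; worth capturing for closer inspection
    """
    if not data:
        return "empty"
    if (len(data) >= 5
            and data[0] in TLS_CONTENT_TYPES
            and (data[1], data[2]) in TLS_RECORD_VERSIONS):
        return "tls"
    if data.startswith((b"HTTP/1.0 ", b"HTTP/1.1 ")):
        return "plaintext-http"
    return "unknown"


def redirect_target(data: bytes) -> Optional[str]:
    """Return the Location header of a plaintext HTTP reply, or None."""
    head, _, _ = data.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"location":
            return value.strip().decode("latin-1")
    return None


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send a plaintext HTTP request to port 443 and return whatever comes back.

    A genuine TLS server answers with a TLS alert record or simply closes the
    connection; a device that intercepts HTTPS and serves a block page answers
    in plaintext HTTP. Needs network access; the offline samples below do not
    call it.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n")
        chunks = []
        try:
            while sum(len(c) for c in chunks) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks)


# Constructed samples (not captured from the issue):
# a TLS 1.2 alert record: type 0x15, version 03 03, length 2,
# level 2 (fatal), description 70 (protocol_version)
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")
# a plaintext HTTP redirect of the kind an interception box serves on :443
SAMPLE_HTTP_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                        b"Location: https://interceptor.example/blocked\r\n"
                        b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reply = probe(sys.argv[1])
        print(sys.argv[1], "->", classify_port443_reply(reply), redirect_target(reply))
    else:
        for label, sample in (("tls alert", SAMPLE_TLS_ALERT),
                              ("http redirect", SAMPLE_HTTP_REDIRECT)):
            print(label, "->", classify_port443_reply(sample), redirect_target(sample))
```

Run it with no arguments to see the two constructed samples classified; with a hostname it probes that host's port 443 from the current network. A "plaintext-http" result with a Location pointing at a domain you did not ask for is the signature described in this issue; "tls" or "empty" means port 443 is reached by a TLS endpoint and the problem lies elsewhere. Repeating the probe from a VPS or a mobile hotspot, as the reporter concluded, separates a local network device from a server-side fault.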