florianeckerstorfer closed this issue 10 years ago
Hi @florianeckerstorfer,
I don't think this is related to SPDY. I think SPDY is usually implemented in a way that the server advertises the availability of SPDY and then it's up to the client to upgrade the connection. This way it's always backwards compatible with clients that don't support SPDY.
I did see some SSL errors. curl on Ubuntu seems to have a problem with certificates that don't include the full certificate chain. Browsers can complete the certificate chain automatically, but I don't know if curl can.
To fix this I think you need to include the bundle provided by your CA.
You can see that the chain is incomplete on the SSL Labs report under Chain Issues.
You can also verify that the full chain is available using openssl:
$ openssl s_client -connect 146.185.164.249:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=florian.ec
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=florian.ec
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2033 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 45B67312C9A4C52C54F700B1182D9066C6CA9B8D3FE2AAC2615EC701F0CDAEA9
Session-ID-ctx:
Master-Key: 67D74FEBCACC8AE6C49E2A0AF6CD07F1523AFA6323F8D14F73454B38FAC32A9CF6B5926A24EEB7B57DCAB5C6D4639EBD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1402243459
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
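An added example, not part of the original comment: a small Python parser for `openssl s_client -showcerts` output that names the issuer that was neither sent by the server nor found in the local trust store. The function names are illustrative, and the sample is taken from the output quoted above with the certificate body and session details left out.

```python
import re

# Lines from the s_client output quoted above (certificate body and session details left out).
SAMPLE = """\
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = florian.ec
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=florian.ec
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    section = output.partition("Certificate chain")[2].partition("\n---\n")[0]
    pairs = re.findall(r"^\s*\d+\s+s:(.+)\n\s*i:(.+)$", section, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]

def verify_error_numbers(output):
    """Return the set of X.509 verify error numbers reported by s_client."""
    return {int(n) for n in re.findall(r"^verify error:num=(\d+):", output, re.M)}

def missing_issuer(output):
    """Name the first issuer that was neither sent by the server nor found locally."""
    chain = parse_chain(output)
    sent = {subject for subject, _ in chain}
    # 20 = unable to get local issuer certificate, 21 = unable to verify the first certificate
    if not {20, 21} & verify_error_numbers(output):
        return None  # no missing-issuer error was reported
    for subject, issuer in chain:
        if issuer != subject and issuer not in sent:
            return issuer
    return None

if __name__ == "__main__":
    print("certificates sent:", len(parse_chain(SAMPLE)))
    print("issuer not sent:  ", missing_issuer(SAMPLE))
```

Once the server is configured with the CA's bundle, the chain section lists the intermediate as entry 1 and `missing_issuer` returns `None`.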
My website is served using SPDY (with HTTP over SSL fallback) and you can't subscribe to the feed in Feedbin.
https://florian.ec/atom.xml
I have added an alternative host that doesn't use SPDY (http://feed.florian.ec/atom.xml), but it still would be great if Feedbin could fall back to the HTTP over SSL method. This is what old browsers do.