miniflux / v2

Minimalist and opinionated feed reader
https://miniflux.app
Apache License 2.0

Miniflux is not able to reach this website due to a network error: Get "https://cdm.link/feed/": remote error: tls: handshake failure. #2671

Closed ericlathrop closed 2 weeks ago

ericlathrop commented 1 month ago

Trying to add https://cdm.link/feed/ to miniflux and I get this "tls: handshake" failure.

curl can fetch the feed fine:

$ curl -v https://cdm.link/feed/
*   Trying 81.169.248.37:443...
* TCP_NODELAY set
* Connected to cdm.link (81.169.248.37) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Next protocol (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=cdm.link
*  start date: Apr  7 14:40:41 2024 GMT
*  expire date: Jul  6 14:40:40 2024 GMT
*  subjectAltName: host "cdm.link" matched cert's "cdm.link"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /feed/ HTTP/1.1
> Host: cdm.link
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.8.0
< Date: Wed, 29 May 2024 17:57:44 GMT
< Content-Type: application/rss+xml; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Last-Modified: Tue, 28 May 2024 22:06:03 GMT
< ETag: "4bf3621e368a5cb7f16bb1842b69e2f1"
< Link: <https://cdm.link/wp-json/>; rel="https://api.w.org/"
< X-UA-Compatible: IE=Edge
<
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"

ztec commented 2 weeks ago

I've identified that the missing cipher suite that allows this website to work is tls.TLS_RSA_WITH_AES_256_CBC_SHA. But it is considered weak and should not be used by any server.

I've modified https://github.com/miniflux/v2/blob/771f9d2b5fe40a034d206e166db0f040ac24fb22/internal/reader/fetcher/request_builder.go#L130-L132 to test this successfully with the following code:

TLSClientConfig: &tls.Config{
    // Setting CipherSuites replaces Go's default client list; this test build
    // offers only the RSA key-exchange suite that cdm.link negotiates.
    CipherSuites: []uint16{
        tls.TLS_RSA_WITH_AES_256_CBC_SHA,
    },
    InsecureSkipVerify: r.ignoreTLSErrors,
},

I've made this PR proposition as a possible fix: https://github.com/miniflux/v2/pull/2693
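As an added example, not code from the issue or from the miniflux code base, here is a Go program that reproduces the negotiation the two comments describe without contacting cdm.link. It starts a constructed in-process stand-in for the site (a self-signed RSA certificate for 127.0.0.1, TLS 1.2 only, TLS_RSA_WITH_AES_256_CBC_SHA as the only cipher suite, an empty handler) and fetches /feed/ from it through an http.Transport, first with Go's default client suite list and then with the legacy suite listed explicitly, returning the error or the negotiated suite name.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)
// legacySuite is the RSA key-exchange suite cdm.link negotiated with curl (shown there as AES256-SHA).
const legacySuite = tls.TLS_RSA_WITH_AES_256_CBC_SHA

// startLegacyServer is a constructed stand-in for the site: self-signed RSA cert, TLS 1.2 only, legacySuite as its only cipher suite.
func startLegacyServer() *httptest.Server {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{{127, 0, 0, 1}}, NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{legacySuite},
	}
	srv.StartTLS() // httptest also builds a client transport that trusts the self-signed cert
	return srv
}

// probe fetches the feed with the given client suite list (nil = Go's defaults) and returns the negotiated suite name.
func probe(srv *httptest.Server, suites []uint16) (string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.CipherSuites = suites
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/feed/")
	if err != nil {
		return "", err // e.g. Get "https://127.0.0.1:.../feed/": remote error: tls: handshake failure
	}
	defer resp.Body.Close()
	return tls.CipherSuiteName(resp.TLS.CipherSuite), nil
}

func main() {
	srv := startLegacyServer()
	defer srv.Close()
	for _, suites := range [][]uint16{nil, {legacySuite}} { // Go's default list, then the legacy suite
		fmt.Println(probe(srv, suites))
	}
}
```

On Go 1.22 or later, whose default client list no longer offers RSA key-exchange suites, the first probe returns the same "remote error: tls: handshake failure" as the issue title, while the second returns TLS_RSA_WITH_AES_256_CBC_SHA. The name the successful probe returns is what a feed fetcher could log before deciding whether to allow that suite for a given host.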