pypi / support

Issue tracker for support requests related to using https://pypi.org

2001:470:b:312::/64 getting connection reset attempting to connect to pypi.org #2103

Open warthog9 opened 2 years ago

warthog9 commented 2 years ago

My Platform

I'm seeing this on the 2001:470:b:312::/64 subnet, which happens to be an HE Tunnel Broker network. This specific /64 has been under my control since 2014. The issue is seen regardless of client (browser, curl, etc.): attempting to connect via the subnet to pypi.org results in a connection reset. Using a different v6 subnet (in my case using one out of AS53758), or via normal IPv4, works fine and as expected.

This has been going on for a couple of weeks now, so this isn't something transient, and given it's affecting my HE Tunnel Broker subnet, my suspicion is that it's affecting the entire HE Tunnel Broker IPv6 subnet, and this is not explicitly targeting me.

Fastly Debug

From an affected machine. HOWEVER, fastly-debug.com does not provide any IPv6 addresses:

# host fastly-debug.com
fastly-debug.com has address 151.101.64.64
fastly-debug.com has address 151.101.128.64
fastly-debug.com has address 151.101.192.64
fastly-debug.com has address 151.101.0.64

So this isn't using the same IP as the one where I'm having problems (this seems like a bug on Fastly's part).

curl https://fastly-debug.com/ -v
*   Trying 151.101.192.64:443...
* Connected to fastly-debug.com (151.101.192.64) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.fastly-debug.com
*  start date: Feb 18 20:03:45 2022 GMT
*  expire date: Mar 22 20:03:44 2023 GMT
*  subjectAltName: host "fastly-debug.com" matched cert's "fastly-debug.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA 2022 Q1
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: fastly-debug.com
> User-Agent: curl/7.82.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Connection: close
< Content-Length: 0
< Server: Varnish
< Retry-After: 0
< Content-Type: text/plain
< Location: https://www.fastly-debug.com/
< Accept-Ranges: bytes
< Date: Mon, 18 Jul 2022 20:57:08 GMT
< Via: 1.1 varnish
< X-Served-By: cache-pdx12322-PDX
< X-Cache: HIT
< X-Cache-Hits: 0
< X-Timer: S1658177829.500221,VS0,VE10
< Set-Cookie: fastlyPerf=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block;
< X-Frame-Options: DENY
< 
* Closing connection 0
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, close notify (256):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, close notify (256):

DNS Resolution

$ dig pypi.org A
# dig A pypi.org

; <<>> DiG 9.16.30-RH <<>> A pypi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59744
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pypi.org.                      IN      A

;; ANSWER SECTION:
pypi.org.               2989    IN      A       151.101.128.223
pypi.org.               2989    IN      A       151.101.64.223
pypi.org.               2989    IN      A       151.101.192.223
pypi.org.               2989    IN      A       151.101.0.223

;; AUTHORITY SECTION:
pypi.org.               2989    IN      NS      ns-897.awsdns-48.net.
pypi.org.               2989    IN      NS      ns-1702.awsdns-20.co.uk.
pypi.org.               2989    IN      NS      ns-96.awsdns-12.com.
pypi.org.               2989    IN      NS      ns-1264.awsdns-30.org.

;; ADDITIONAL SECTION:
ns-1264.awsdns-30.org.  2989    IN      A       205.251.196.240

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 18 14:05:09 PDT 2022
;; MSG SIZE  rcvd: 253
$ dig pypi.org AAAA
dig AAAA pypi.org

; <<>> DiG 9.16.30-RH <<>> AAAA pypi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1503
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pypi.org.                      IN      AAAA

;; ANSWER SECTION:
pypi.org.               2697    IN      AAAA    2a04:4e42:600::223
pypi.org.               2697    IN      AAAA    2a04:4e42:400::223
pypi.org.               2697    IN      AAAA    2a04:4e42:200::223
pypi.org.               2697    IN      AAAA    2a04:4e42::223

;; AUTHORITY SECTION:
pypi.org.               2697    IN      NS      ns-1264.awsdns-30.org.
pypi.org.               2697    IN      NS      ns-1702.awsdns-20.co.uk.
pypi.org.               2697    IN      NS      ns-96.awsdns-12.com.
pypi.org.               2697    IN      NS      ns-897.awsdns-48.net.

;; ADDITIONAL SECTION:
ns-1264.awsdns-30.org.  2697    IN      A       205.251.196.240

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 18 14:10:01 PDT 2022
;; MSG SIZE  rcvd: 301
$ dig files.pythonhosted.org A
# dig A files.pythonhosted.org 

; <<>> DiG 9.16.30-RH <<>> A files.pythonhosted.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16417
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;files.pythonhosted.org.                IN      A

;; ANSWER SECTION:
files.pythonhosted.org. 86400   IN      CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 30 IN A      199.232.145.63

;; AUTHORITY SECTION:
fastly.net.             97860   IN      NS      ns1.fastly.net.
fastly.net.             97860   IN      NS      ns2.fastly.net.
fastly.net.             97860   IN      NS      ns3.fastly.net.
fastly.net.             97860   IN      NS      ns4.fastly.net.

;; ADDITIONAL SECTION:
ns1.fastly.net.         97860   IN      A       23.235.32.32
ns2.fastly.net.         97860   IN      A       104.156.80.32
ns3.fastly.net.         97860   IN      A       23.235.36.32
ns4.fastly.net.         97860   IN      A       104.156.84.32

;; Query time: 85 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 18 14:10:35 PDT 2022
;; MSG SIZE  rcvd: 250
$ dig files.pythonhosted.org AAAA
# dig AAAA files.pythonhosted.org 

; <<>> DiG 9.16.30-RH <<>> AAAA files.pythonhosted.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48771
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;files.pythonhosted.org.                IN      AAAA

;; ANSWER SECTION:
files.pythonhosted.org. 25      IN      CNAME   dualstack.r.ssl.global.fastly.net.
dualstack.r.ssl.global.fastly.net. 30 IN AAAA   2a04:4e42:64::319

;; AUTHORITY SECTION:
fastly.net.             97856   IN      NS      ns4.fastly.net.
fastly.net.             97856   IN      NS      ns3.fastly.net.
fastly.net.             97856   IN      NS      ns2.fastly.net.
fastly.net.             97856   IN      NS      ns1.fastly.net.

;; ADDITIONAL SECTION:
dualstack.r.ssl.global.fastly.net. 25 IN A      199.232.145.63
ns2.fastly.net.         97856   IN      A       104.156.80.32
ns3.fastly.net.         97856   IN      A       23.235.36.32
ns4.fastly.net.         97856   IN      A       104.156.84.32
ns1.fastly.net.         97856   IN      A       23.235.32.32

;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Jul 18 14:10:39 PDT 2022
;; MSG SIZE  rcvd: 278

Traceroutes / IPv4

$ traceroute pypi.org
# traceroute pypi.org
traceroute to pypi.org (151.101.128.223), 30 hops max, 60 byte packets
 1  _gateway (172.19.0.1)  0.107 ms  0.111 ms  0.132 ms
 2  fdr01.hlbo.or.nwestnet.net (50.46.181.59)  1.236 ms  1.332 ms  1.315 ms
 3  cr1-hlboorxb-a-be-500.bb.as20055.net (64.52.97.28)  1.723 ms  1.707 ms  1.690 ms
 4  cr1-alohorxx-a-be-11.bb.as20055.net (198.179.52.191)  1.984 ms  2.092 ms  2.012 ms
 5  cr2-bvtnorxb-a-be-18.bb.as20055.net (198.179.52.130)  2.226 ms  2.210 ms  2.290 ms
 6  cr2-hlboorxh-a-be-10.bb.as20055.net (137.83.80.241)  2.390 ms  1.818 ms  1.833 ms
 7  pr1-hlboorxh-a-be-10.bb.as20055.net (137.83.80.245)  1.384 ms  2.247 ms  2.580 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ traceroute files.pythonhosted.org
# traceroute files.pythonhosted.org
traceroute to files.pythonhosted.org (199.232.145.63), 30 hops max, 60 byte packets
 1  _gateway (172.19.0.1)  0.138 ms  0.106 ms  0.138 ms
 2  * * *
 3  * * *
 4  * * *
 5  cr2-bvtnorxb-b-be-23.bb.as20055.net (198.179.52.132)  4.286 ms * *
 6  * * *
 7  * cr2-hlboorxh-a-be-10.bb.as20055.net (137.83.80.241)  2.502 ms  2.722 ms
 8  pr1-hlboorxh-a-be-10.bb.as20055.net (137.83.80.245)  2.308 ms  1.951 ms  2.075 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Traceroutes / IPv6 (If available)

$ traceroute6 pypi.org
# traceroute6 pypi.org
traceroute to pypi.org (2a04:4e42::223), 30 hops max, 80 byte packets
 1  not.afront.org (2001:470:b:312::1)  0.191 ms  0.197 ms  0.165 ms
 2  AS53758.ixp.fcix.net (2001:504:91::11)  22.141 ms  20.892 ms  20.869 ms
 3  gigabitethernet1-1-2.switch56.fmt2.he.net (2001:470:1:8dc::1)  20.847 ms  22.051 ms  21.032 ms
 4  100ge14-2.core1.sjc2.he.net (2001:470:0:eb::2)  22.002 ms  20.859 ms  21.952 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
$ traceroute6 files.pythonhosted.org
# traceroute6 files.pythonhosted.org
traceroute to files.pythonhosted.org (2a04:4e42:64::319), 30 hops max, 80 byte packets
 1  not.afront.org (2001:470:b:312::1)  0.180 ms  0.148 ms  0.191 ms
 2  AS53758.ixp.fcix.net (2001:504:91::11)  20.916 ms  20.990 ms  20.961 ms
 3  gigabitethernet1-1-2.switch56.fmt2.he.net (2001:470:1:8dc::1)  25.261 ms  25.456 ms  25.434 ms
 4  * * *
 5  * * *
 6  100ge3-2.core1.pdx1.he.net (2001:470:0:688::1)  20.606 ms  19.642 ms  20.839 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

HTTPS Requests / IPv4

$ curl -vvv -I --ipv4 https://pypi.org/pypi/pip/json
# curl -vvv -l --ipv4 https://pypi.org/pypi/pip/json
*   Trying 151.101.64.223:443...
* Connected to pypi.org (151.101.64.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pypi.org
*  start date: Oct 22 18:55:44 2021 GMT
*  expire date: Nov 23 18:55:43 2022 GMT
*  subjectAltName: host "pypi.org" matched cert's "pypi.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /pypi/pip/json]
* h2h3 [:scheme: https]
* h2h3 [:authority: pypi.org]
* h2h3 [user-agent: curl/7.82.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55b26b0a43f0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /pypi/pip/json HTTP/2
> Host: pypi.org
> user-agent: curl/7.82.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< access-control-allow-headers: Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since
< access-control-allow-methods: GET
< access-control-allow-origin: *
< access-control-expose-headers: X-PyPI-Last-Serial
< access-control-max-age: 86400
< cache-control: max-age=900, public
< content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self' https://api.github.com/repos/ fastly-insights.com *.fastly-insights.com *.ethicalads.io https://api.pwnedpasswords.com https://2p66nmmycsj3.statuspage.io; default-src 'none'; font-src 'self' fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self' https://warehouse-camo.ingress.cmh1.psfhosted.org/ www.google-analytics.com *.fastly-insights.com *.ethicalads.io; script-src 'self' www.googletagmanager.com www.google-analytics.com *.fastly-insights.com *.ethicalads.io 'sha256-U3hKDidudIaxBDEzwGJApJgPEf2mWk6cfMWghrAa6i0='; style-src 'self' fonts.googleapis.com *.ethicalads.io 'sha256-2YHqZokjiizkHi1Zt+6ar0XJ0OeEy/egBnlm+MDMtrM=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='; worker-src *.fastly-insights.com
< content-type: application/json
< etag: "t3WTUgGijQE9z1bJM3ZiQg"
< referrer-policy: origin-when-cross-origin
< server: nginx/1.13.9
< x-pypi-last-serial: 13987178
< accept-ranges: bytes
< date: Mon, 18 Jul 2022 21:15:33 GMT
< x-served-by: cache-iad-kiad7000125-IAD, cache-pdx12323-PDX
< x-cache: HIT, HIT
< x-cache-hits: 264772, 1
< x-timer: S1658178934.670452,VS0,VE1
< vary: Accept-Encoding, Accept-Encoding
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
< content-length: 142434
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{"info":{"author":"The pip developers","author_email":"distutils-sig@python.org","bugtrack_url":null,"classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","License :: OSI Approved :: MIT License","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3 :: Only","Programming [...]
22.1.2.tar.gz","has_sig":false,"md5_digest":"6ec06d38c3aed5d22bcbbbfbf7114d6a","packagetype":"sdist","python_version":"source","requires_python":">=3.7","size":2112549,"upload_time":"2022-05-31T11:20:04","upload_time_iso_8601":"2022-05-31T11:20:04.241597Z","url":"https://files.pythonhosted.org/packages/4b/b6/0fa7aa968a9fa4ef63a51b3ff0644e59f49dcd7235b3fd6cceb23f202e08/pip-22.1.2.tar.gz","yanked":false,"yanked_reason":null}],"vulnerabilities":[]}
* Connection #0 to host pypi.org left intact
$ curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
# curl -vvv -I --ipv4 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
*   Trying 199.232.145.63:443...
* Connected to files.pythonhosted.org (199.232.145.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.pythonhosted.org
*  start date: Dec 24 19:42:31 2021 GMT
*  expire date: Jan 25 19:42:30 2023 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: HEAD]
* h2h3 [:path: /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz]
* h2h3 [:scheme: https]
* h2h3 [:authority: files.pythonhosted.org]
* h2h3 [user-agent: curl/7.82.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x559c9d3543f0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz HTTP/2
> Host: files.pythonhosted.org
> user-agent: curl/7.82.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
HTTP/2 200 
< last-modified: Wed, 26 Feb 2020 17:47:37 GMT
last-modified: Wed, 26 Feb 2020 17:47:37 GMT
< etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
< x-goog-generation: 1582739257438329
x-goog-generation: 1582739257438329
< x-goog-metageneration: 1
x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 1246072
x-goog-stored-content-length: 1246072
< content-type: binary/octet-stream
content-type: binary/octet-stream
< x-goog-hash: crc32c=Om2N1A==
x-goog-hash: crc32c=Om2N1A==
< x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
< server: UploadServer
server: UploadServer
< cache-control: max-age=365000000, immutable, public
cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
accept-ranges: bytes
< date: Mon, 18 Jul 2022 21:17:51 GMT
date: Mon, 18 Jul 2022 21:17:51 GMT
< age: 1676809
age: 1676809
< x-served-by: cache-bfi-krnt7300071-BFI, cache-pdx12329-PDX
x-served-by: cache-bfi-krnt7300071-BFI, cache-pdx12329-PDX
< x-cache: HIT, MISS
x-cache: HIT, MISS
< x-cache-hits: 1, 0
x-cache-hits: 1, 0
< x-timer: S1658179072.787160,VS0,VE12
x-timer: S1658179072.787160,VS0,VE12
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< x-robots-header: noindex
x-robots-header: noindex
< content-length: 1246072
content-length: 1246072

< 
* Connection #0 to host files.pythonhosted.org left intact

HTTPS Requests / IPv6 (If available)

$ curl -vvv -I --ipv6 https://pypi.org/pypi/pip/json
# curl -vvv -I --ipv6 https://pypi.org/pypi/pip/json
*   Trying 2a04:4e42:600::223:443...
* Connected to pypi.org (2a04:4e42:600::223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to pypi.org:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to pypi.org:443
$ curl -vvv -I --ipv6 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
# curl -vvv -I --ipv6 https://files.pythonhosted.org/packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz
*   Trying 2a04:4e42:64::319:443...
* Connected to files.pythonhosted.org (2a04:4e42:64::319) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.pythonhosted.org
*  start date: Dec 24 19:42:31 2021 GMT
*  expire date: Jan 25 19:42:30 2023 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: HEAD]
* h2h3 [:path: /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz]
* h2h3 [:scheme: https]
* h2h3 [:authority: files.pythonhosted.org]
* h2h3 [user-agent: curl/7.82.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55a9a7f4b3f0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD /packages/ae/e8/2340d46ecadb1692a1e455f13f75e596d4eab3d11a57446f08259dee8f02/pip-10.0.1.tar.gz HTTP/2
> Host: files.pythonhosted.org
> user-agent: curl/7.82.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
HTTP/2 200 
< last-modified: Wed, 26 Feb 2020 17:47:37 GMT
last-modified: Wed, 26 Feb 2020 17:47:37 GMT
< etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
etag: "83a177756e2c801d0b3a6f7b0d4f3f7e"
< x-goog-generation: 1582739257438329
x-goog-generation: 1582739257438329
< x-goog-metageneration: 1
x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 1246072
x-goog-stored-content-length: 1246072
< content-type: binary/octet-stream
content-type: binary/octet-stream
< x-goog-hash: crc32c=Om2N1A==
x-goog-hash: crc32c=Om2N1A==
< x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
x-goog-hash: md5=g6F3dW4sgB0LOm97DU8/fg==
< server: UploadServer
server: UploadServer
< cache-control: max-age=365000000, immutable, public
cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
accept-ranges: bytes
< date: Mon, 18 Jul 2022 21:19:22 GMT
date: Mon, 18 Jul 2022 21:19:22 GMT
< age: 1676900
age: 1676900
< x-served-by: cache-bfi-krnt7300071-BFI, cache-pdx12329-PDX
x-served-by: cache-bfi-krnt7300071-BFI, cache-pdx12329-PDX
< x-cache: HIT, HIT
x-cache: HIT, HIT
< x-cache-hits: 1, 1
x-cache-hits: 1, 1
< x-timer: S1658179163.909895,VS0,VE2
x-timer: S1658179163.909895,VS0,VE2
< strict-transport-security: max-age=31536000; includeSubDomains; preload
strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
x-frame-options: deny
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-permitted-cross-domain-policies: none
x-permitted-cross-domain-policies: none
< x-robots-header: noindex
x-robots-header: noindex
< content-length: 1246072
content-length: 1246072

< 
* Connection #0 to host files.pythonhosted.org left intact

TLS Debug / IPv4

$ echo -n | openssl s_client -4 -connect pypi.org:443
# echo -n | openssl s_client -4 -connect pypi.org:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
verify return:1
depth=0 CN = pypi.org
verify return:1
---
Certificate chain
 0 s:CN = pypi.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 22 18:55:44 2021 GMT; NotAfter: Nov 23 18:55:43 2022 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 16 12:00:00 2021 GMT; NotAfter: Jun 16 00:00:00 2024 GMT
---
Server certificate
subject=CN = pypi.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3457 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CAD3F2CD799BDE1EB98E7D329A29B6F8CC07C01937AB708C60328FB7A80CB692
    Session-ID-ctx: 
    Resumption PSK: 6A75FC3CA092B248DE9F947ECFAA4A520941962A1491F3492264F27F501802ECDBF8B132A9E5AA16811443F75E0E55ED
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:

    Start Time: 1658179169
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE
$ echo -n | openssl s_client -4 -connect files.pythonhosted.org:443
# echo -n | openssl s_client -4 -connect files.pythonhosted.org:443
echo -n | openssl s_client -6 -connect pypi.org:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
verify return:1
depth=0 CN = *.pythonhosted.org
verify return:1
---
Certificate chain
 0 s:CN = *.pythonhosted.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 24 19:42:31 2021 GMT; NotAfter: Jan 25 19:42:30 2023 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 16 12:00:00 2021 GMT; NotAfter: Jun 16 00:00:00 2024 GMT
---
Server certificate
subject=CN = *.pythonhosted.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3532 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 29754D303E6D145E02C83ADC0FC646BBC3F8BEF205EBAECDACB55FE2D3D34328
    Session-ID-ctx: 
    Master-Key: 09DCF932C7D42099FDC86C9AE6301B4E2CEBD7615E86FFB9D96C93AD5CE6775252381BD5956C9DD6CDD481F5C4469742
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1658179174
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

TLS Debug / IPv6 (If available)

$ echo -n | openssl s_client -6 -connect pypi.org:443
# echo -n | openssl s_client -6 -connect pypi.org:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
$ echo -n | openssl s_client -6 -connect files.pythonhosted.org:443
# echo -n | openssl s_client -6 -connect files.pythonhosted.org:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
verify return:1
depth=0 CN = *.pythonhosted.org
verify return:1
---
Certificate chain
 0 s:CN = *.pythonhosted.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 24 19:42:31 2021 GMT; NotAfter: Jan 25 19:42:30 2023 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 16 12:00:00 2021 GMT; NotAfter: Jun 16 00:00:00 2024 GMT
---
Server certificate
subject=CN = *.pythonhosted.org
issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA H2 2021
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3532 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 110A92E7C53E97D53592173D89E3C2760E0826D501E2B2B3845233C51F5E2807
    Session-ID-ctx: 
    Master-Key: 106EA577488E4D2108DC0283F762F51EE0C73D5079EA35A65B33B0A819CC086DDE49184B5C2AE716D0B3F60B10EDBEE3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1658179187
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
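
An added example, not part of the original report: a small classifier for `openssl s_client` transcripts that tells the reset seen on `pypi.org` over IPv6 apart from the completed handshake on `files.pythonhosted.org`. The function name `classify` and the stage labels are assumptions made for this example; the two sample transcripts are trimmed from the output above.

```python
import re

# Trimmed copies of two transcripts from the report above (not new captures).
RESET_V6_PYPI = """CONNECTED(00000003)
write:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 312 bytes
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""
OK_V6_FILES = """CONNECTED(00000003)
depth=0 CN = *.pythonhosted.org
SSL handshake has read 3532 bytes and written 419 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Verify return code: 0 (ok)
"""

def classify(transcript):
    """Classify one s_client transcript by how far the handshake got."""
    err = re.search(r"^(?:read|write):errno=(\d+)", transcript, re.M)
    io = re.search(r"has read (\d+) bytes and written (\d+) bytes", transcript)
    neg = re.search(r"^New, (\S+), Cipher is (\S+)", transcript, re.M)
    result = {
        "errno": int(err.group(1)) if err else None,  # 104 is ECONNRESET on Linux
        "read": int(io.group(1)) if io else 0,
        "written": int(io.group(2)) if io else 0,
        "cipher": neg.group(2) if neg and neg.group(2) != "(NONE)" else None,
    }
    has_cert = re.search(r"^depth=0 ", transcript, re.M) is not None
    # "Verify return code: 0 (ok)" is deliberately ignored: s_client prints it
    # in both transcripts, including the one where no certificate arrived.
    if "CONNECTED(" not in transcript:
        result["stage"] = "tcp_connect_failed"
    elif result["read"] == 0:
        # TCP connected and s_client counted bytes written, but read nothing back.
        result["stage"] = "no_reply_to_client_hello"
    elif has_cert and result["cipher"]:
        result["stage"] = "handshake_complete"
    else:
        result["stage"] = "handshake_incomplete"
    return result

if __name__ == "__main__":
    for name, text in (("pypi.org -6", RESET_V6_PYPI),
                       ("files.pythonhosted.org -6", OK_V6_FILES)):
        print(name, classify(text))
```

Because the TCP connection is established before the reset, a port check alone would report the affected path as healthy; the zero-byte read count is the reliable signal.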

ewdurbin commented 2 years ago

Thank you @warthog9, I've submitted this information to Fastly Support.

warthog9 commented 2 years ago

Just noting I'm still seeing the issue; I don't know if you've heard anything from Fastly Support on it.

warthog9 commented 2 years ago

@ewdurbin just as a note, this is still ongoing. Is there any additional data I can get to PyPI or for Fastly that would help?