Closed captn3m0 closed 2 years ago
First reported on Reddit
CloudFlare servers in India get MITMd by the network provider (Airtel) if the upstream is GitHub Pages and configured without end-to-end TLS.
Here is a curl log as proof that this happens even over HTTPS.
```
curl https://thephpleague.com/ -vvv
* Trying 172.67.133.242...
* TCP_NODELAY set
* Connected to thephpleague.com (172.67.133.242) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul 15 00:00:00 2021 GMT
*  expire date: Jul 14 23:59:59 2022 GMT
*  subjectAltName: host "thephpleague.com" matched cert's "thephpleague.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x558b837f6600)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: thephpleague.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< date: Fri, 07 Jan 2022 13:59:13 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sgjmItztwQSurTLUlfJzsdqJUB7pHr6oU%2BeMmLl0wNJfGVw1smhr91ZpqKQ%2BoNWCXn1mN4EK4YA4kXm7Aa9ZKWN0PGkjHokj%2Fe2mLRKNodMd2os8aoCpbPTg2ckcnRx30uEF"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6c9db492cad61d9d-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host thephpleague.com left intact
```
CloudFlare has known about this issue for years (actively hostile ISPs) and they don't seem to be doing anything about it. The two fixes here are:
You can see this thread on twitter for more details
Same thing also reported here: https://github.com/thephpleague/plates/issues/288
Thanks for the report! I've just switched Cloudflare over to strict SSL - would you mind re-trying when you get a chance and seeing if that fixes things?
Seems to be resolved. Thanks!
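Two checks a site owner can script for the situation in this thread, as an added example that is not part of the issue or of the project's code. The first reads the JSON a Cloudflare zone's `ssl` setting endpoint returns (`GET /zones/{zone_id}/settings/ssl`, values `off`, `flexible`, `full`, `strict`) and reports whether the edge-to-origin leg is both encrypted and certificate-validated, which is what the maintainer's switch to strict mode achieves; in `flexible` mode that leg is plain HTTP, so anyone on the path between Cloudflare and GitHub Pages can alter the page. The second compares the HTML served through the CDN with the HTML fetched directly from the origin and lists resource-loading elements that only the CDN copy contains, which is a cheap way to confirm the report without relying on the curl log alone. The API response and both HTML documents below are constructed samples; `example.invalid` is a placeholder host.

```python
"""Added example: (1) assess a Cloudflare zone's ssl mode, (2) diff CDN vs origin HTML."""
import json
from collections import Counter
from html.parser import HTMLParser

# Cloudflare "ssl" zone setting values. The two booleans are this example's own summary
# of what each mode means for the edge->origin leg (the leg the ISP in the thread sat on).
SSL_MODES = {
    "off":      dict(origin_leg_encrypted=False, origin_cert_validated=False),
    "flexible": dict(origin_leg_encrypted=False, origin_cert_validated=False),
    "full":     dict(origin_leg_encrypted=True,  origin_cert_validated=False),
    "strict":   dict(origin_leg_encrypted=True,  origin_cert_validated=True),
}


def assess_ssl_setting(api_response_json: str) -> dict:
    """Parse the body of GET /zones/{zone_id}/settings/ssl and say whether an on-path
    party between Cloudflare and the origin could read or alter traffic."""
    body = json.loads(api_response_json)
    value = body["result"]["value"]
    if value not in SSL_MODES:
        raise ValueError(f"unknown ssl mode {value!r}")
    props = dict(SSL_MODES[value])
    props["value"] = value
    # Plaintext on the origin leg, or TLS whose cert is never checked, both leave
    # room for tampering; only strict mode closes that gap.
    props["onpath_tampering_possible"] = not (
        props["origin_leg_encrypted"] and props["origin_cert_validated"]
    )
    return props


class _TagCollector(HTMLParser):
    """Count (tag, src-or-href) pairs for elements that can pull in code or content."""
    WATCH = {"script", "iframe", "link", "img", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.seen = Counter()

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCH:
            a = dict(attrs)
            self.seen[(tag, a.get("src") or a.get("href") or "")] += 1


def find_injected_nodes(origin_html: str, edge_html: str):
    """Return (tag, url) pairs present in the CDN-served copy but absent from the
    copy fetched straight from the origin; an empty list means no extra loaders."""
    o, e = _TagCollector(), _TagCollector()
    o.feed(origin_html)
    e.feed(edge_html)
    extra = e.seen - o.seen  # Counter subtraction keeps only positive counts
    return sorted(extra.elements())


# Constructed samples (not real API output or real page content).
FLEXIBLE_API_RESPONSE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "ssl", "value": "flexible", "editable": True, "modified_on": None},
})
STRICT_API_RESPONSE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": {"id": "ssl", "value": "strict", "editable": True, "modified_on": None},
})
ORIGIN_HTML = (
    '<html><head><link rel="stylesheet" href="/site.css">'
    '<script src="/app.js"></script></head>'
    "<body><h1>Example page</h1></body></html>"
)
# Same document with one extra script tag, standing in for an on-path modification.
EDGE_HTML = ORIGIN_HTML.replace(
    "</head>", '<script src="http://example.invalid/injected.js"></script></head>'
)

if __name__ == "__main__":
    print(assess_ssl_setting(FLEXIBLE_API_RESPONSE))
    print(assess_ssl_setting(STRICT_API_RESPONSE))
    print(find_injected_nodes(ORIGIN_HTML, EDGE_HTML))
```

In practice the two HTML inputs would come from fetching the same path once via the Cloudflare-proxied hostname and once via the GitHub Pages hostname over HTTPS; the comparison only flags resource-loading elements so that harmless differences such as Cloudflare-inserted comments or whitespace do not produce noise.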