整个网络的 ERR_SSL_PROTOCOL_ERROR 问题

Question

We were setting up SSL for the website rskolkata.com. We first set up Cloudflare for the site. Everything was okay in Cloudflare site including DNS server settings. However, something happened which corrupted SSL certificates across the whole network. We tried to access the website in ubuntu 20.10 and windows 10 in all the machines in the network in all the browsers (Chrome, Mozilla, Opera) in both normal mode and incognito mode. We always get the error ERR_SSL_PROTOCOL_ERROR in Chrome and in Mozilla, the error is SSL_ERROR_INTERNAL_ERROR_ALERT . We tried the following command in Ubuntu:

sudo apt-get install --reinstall ca-certificates

This worked on a machine (say machine A) outside the affected network (but the same machine which was initially in the corrupted network). When we tried the same command on the Ubuntu machines on the affected network it did not work. We also tried to clear the SSL state in Chrome on Windows machine which did not work. Then we tried the following:

sudo apt-get -f install
# stop if you saw any errors

sudo dpkg --purge --force-depends ca-certificates
sudo apt-get -f install

We tried the above, which also failed to solve the issue.

The website opens without any issue outside the affected network.

We checked the website up status in the website https://www.websiteplanet.com/webtools/ which shows the site is running. The SSL is working properly.

The 'machine A' when brought to the affected network again, starts to give the error again.

However, as we are the developer for the site we need to access the site from our office network. Please suggest a solution.

UPDATE 1:

Ctrl + Shift + K on firefox gives An error occurred: SSL_ERROR_INTERNAL_ERROR_ALERT

$ curl -vk https://rskolkata.com

Output:

*   Trying 151.106.116.81:443...
* TCP_NODELAY set
* Connected to rskolkata.com (151.106.116.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

'dig rskolkata.com` gives the following output:

 dig rskolkata.com

; <<>> DiG 9.16.6-Ubuntu <<>> rskolkata.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29471
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;rskolkata.com.         IN  A

;; ANSWER SECTION:
rskolkata.com.      6794    IN  A   151.106.116.81

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Jan 22 14:25:50 IST 2021
;; MSG SIZE  rcvd: 58

And and dig +trace rskolkata.com gives following output:

; <<>> DiG 9.16.6-Ubuntu <<>> +trace rskolkata.com
;; global options: +cmd
.           238434  IN  NS  k.root-servers.net.
.           238434  IN  NS  b.root-servers.net.
.           238434  IN  NS  h.root-servers.net.
.           238434  IN  NS  j.root-servers.net.
.           238434  IN  NS  e.root-servers.net.
.           238434  IN  NS  m.root-servers.net.
.           238434  IN  NS  c.root-servers.net.
.           238434  IN  NS  f.root-servers.net.
.           238434  IN  NS  d.root-servers.net.
.           238434  IN  NS  a.root-servers.net.
.           238434  IN  NS  g.root-servers.net.
.           238434  IN  NS  i.root-servers.net.
.           238434  IN  NS  l.root-servers.net.
;; Received 262 bytes from 127.0.0.53#53(127.0.0.53) in 3 ms

rskolkata.com.      12530   IN  A   151.106.116.81
rskolkata.com.      72951   IN  NS  ns1.dns-parking.com.
rskolkata.com.      72951   IN  NS  ns2.dns-parking.com.
;; Received 222 bytes from 199.7.91.13#53(d.root-servers.net) in 0 ms

The DNS name server is dimitris.ns.cloudflare.com and IP 172.67.138.143 as can be seen in https://mxtoolbox.com/

Answer 1

Try to look at developer web console (firefox Ctrl+Shift+K) - anything interesting under Security tab?

Try to run curl -vk https://rskolkata.com - what does it show?

Since it seems you are testing website from office where you are also developing it - maybe "something special" was setup by your network admin, to help with testing? Do dig rskolkata.com and dig +trace rskolkata.com both return expected IPs?

Edit: Try to capture traffic with tcpdump (like tcpdump -nni eth0 host DESTIP -w trace.pcap ), then open trace.pcap in wireshark and compare working vs. not-working case. Maybe there will be some difference.

You said, a small team. Then I guess there is no fancy middlebox between LAN in Internet, that could do something to SSL handshake.

You can move your test client from LAN "closer" to Internet. Does it change, when one GW/FW less is between you and Internet? I guess this could be related to networking equipment in your company, or networking equipment of your ISP.