24.1 Legacy Series / Re: Two web sites won't load -- traceroute doesn't reach them
« on: March 20, 2024, 11:05:46 pm »
I don't have a proxy configured. I do get a different result in the LAN.
Code:
me@my-desktop:~$ openssl s_client -connect www.bankofamerica.com:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
me@my-desktop:~$
I found another web site that won't load in the browser on the LAN: trainerroad.com, but its output on the LAN looks better than the output for BoA.
Code:
me@my-desktop:~$ openssl s_client -connect trainerroad.com:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
verify return:1
depth=0 CN = trainerroad.com
verify return:1
---
Certificate chain
0 s:CN = trainerroad.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 17 20:13:54 2024 GMT; NotAfter: Jun 15 20:13:53 2024 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
subject=CN = trainerroad.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1P5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4712 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 52AFF9D439D4F7258C55C2327D80A3451C909C182DA1B8A4603A82A310D90FDB
Session-ID-ctx:
Resumption PSK: A6B7EA12765DE46DC847325B294C3AD238B67680F7C7704901F2DE5CB95B4ABC1420B7A07C0A8B7521B0EF2E1B7AAE83
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - 28 ab 4f e4 37 c4 a5 c1-60 c6 b8 87 3e f8 0f 35 (.O.7...`...>..5
0010 - 7d 78 01 f4 88 c4 e4 21-46 86 2f 57 ca b6 94 be }x.....!F./W....
0020 - 9b 8b a7 de 37 f8 e9 3f-1f 86 c0 17 e7 30 ec c3 ....7..?.....0..
0030 - 92 36 7f cc a6 8d 86 5e-59 2a ec 37 4b 61 4d 1a .6.....^Y*.7KaM.
0040 - 95 1c 0b 8b 91 f3 5a 6a-a8 f5 41 3d 71 e6 13 23 ......Zj..A=q..#
0050 - 49 22 1d f8 c3 a1 9b d3-33 4d 1f 02 76 6c a6 69 I"......3M..vl.i
0060 - 91 0d 5d ac ba 3c 00 d5-75 5b bd e5 1f 1f 12 70 ..]..<..u[.....p
0070 - 9e 24 db 9e 7e 1f c7 20-37 49 55 01 69 46 7d 5c .$..~.. 7IU.iF}\
0080 - 35 84 2f 38 20 1d ab ed-a4 0b 52 7d 72 66 40 a7 5./8 .....R}rf@.
0090 - 30 2c 1a 0f 6a 3c f7 cc-d0 42 0a 44 6a ac 13 1d 0,..j<...B.Dj...
00a0 - 99 fd 6c 7c 97 7b 3a 8a-4c 78 7d 50 99 72 d0 3b ..l|.{:.Lx}P.r.;
00b0 - 0a 5c b6 fb 28 b4 d6 ba-69 93 52 9f 4d 0f d5 76 .\..(...i.R.M..v
Start Time: 1710971660
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: [redacted hex string]
Session-ID-ctx:
Resumption PSK: [redacted hex string]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
0000 - 28 ab 4f e4 37 c4 a5 c1-60 c6 b8 87 3e f8 0f 35 (.O.7...`...>..5
0010 - 61 c2 32 fc d3 26 95 73-f4 bc d4 b6 e3 9d fe 6f a.2..&.s.......o
0020 - 5d cd 2d 9a 63 5a f4 fd-29 b5 dc a6 17 d8 20 70 ].-.cZ..)..... p
0030 - bf 73 62 ee 9b 8c 60 54-4a c5 32 71 4e cf ec c6 .sb...`TJ.2qN...
0040 - 50 5f 6f c7 c4 05 f3 9e-76 4e b8 bb 6c 38 bb 65 P_o.....vN..l8.e
0050 - 7d cb f3 b7 20 b7 d7 e5-3f 02 2f 14 01 43 69 8f }... ...?./..Ci.
0060 - d8 c5 2a c9 a3 16 04 8a-a2 96 83 7b 09 98 43 7e ..*........{..C~
0070 - 2a f6 a8 bc 44 49 79 f9-ed cc df bd 5b bf c2 52 *...DIy.....[..R
0080 - 83 06 19 9d d5 1e 1c e2-48 d3 b3 b7 3b 5c 9d a0 ........H...;\..
0090 - 44 8a ad 0c fa a8 b0 78-75 d8 99 0b 8e d0 f4 09 D......xu.......
00a0 - 15 0e 69 f8 70 72 88 72-ae 28 92 40 e6 c5 c0 d3 ..i.pr.r.(.@....
00b0 - 97 5a 28 f0 4a 86 3e 7b-7b 4f 86 7c 87 79 d3 b6 .Z(.J.>{{O.|.y..
Start Time: 1710971660
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
closed
me@my-desktop:~$
Thank you for your help. Should I reinstall OPNsense, reset the configuration for my two switches, and start over?
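The two s_client runs above fail at different stages, and that difference is the useful diagnostic. In the bankofamerica.com run, CONNECTED means the TCP three-way handshake completed, "written 325 bytes" is the ClientHello going out, "read 0 bytes" means not a single TLS byte came back, and write:errno=104 is ECONNRESET: the peer, or something in the path that inspects the first TLS bytes, answered the ClientHello with a TCP reset. One caveat when reading that output: "Verification: OK" and "Verify return code: 0 (ok)" there are meaningless, because no certificate was ever received; OpenSSL just reports the default verify result. The trainerroad.com run, by contrast, completes a TLS 1.3 handshake with a valid Google Trust Services chain, so whatever stops that site is above the TLS layer, not in the handshake. The script below is an added example (not from the original post, OPNsense or the forum) that reproduces the distinction offline against two constructed loopback servers, one that resets after reading the ClientHello and one that closes cleanly, and classifies the failure stage the way a practitioner would want to when comparing LAN and non-LAN results. The helper names (classify_tls_failure, start_mock_server) are assumed for this example.

```python
"""Classify where a TLS connection fails: at TCP connect, or after the ClientHello.

Added example, not code from the original post. The mock servers are
constructed test doubles on 127.0.0.1; no real host is contacted.
"""
import socket
import ssl
import struct
import threading


def classify_tls_failure(host, port, server_name=None, timeout=5.0):
    """Return a label for the first stage at which the connection fails.

    'tcp_refused' / 'tcp_timeout'  -> no TCP session at all (routing, filter, closed port)
    'reset_after_clienthello'      -> TCP up, ClientHello sent, peer sent RST (errno 104)
    'eof_after_clienthello'        -> TCP up, ClientHello sent, peer closed with FIN
    'tls_alert:<reason>'           -> peer answered with a TLS alert or a verify failure
    'tls_timeout'                  -> ClientHello sent, no answer at all
    'ok'                           -> full handshake, certificate verified
    """
    ctx = ssl.create_default_context()
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"
    except socket.timeout:
        return "tcp_timeout"
    with raw:
        try:
            # wrap_socket() performs the handshake immediately on a connected socket
            with ctx.wrap_socket(raw, server_hostname=server_name or host):
                return "ok"
        except ConnectionResetError:
            return "reset_after_clienthello"
        except socket.timeout:
            return "tls_timeout"
        except ssl.SSLError as e:
            # Python maps a transport EOF to SSLEOFError; older builds report
            # OpenSSL 3's "unexpected eof while reading" as a plain SSLError.
            if isinstance(e, ssl.SSLEOFError) or "EOF" in str(e).upper():
                return "eof_after_clienthello"
            return f"tls_alert:{e.reason or 'unknown'}"


def _read_tls_record(conn):
    """Read exactly one TLS record (5-byte header + body).

    Draining the ClientHello matters: closing a socket with unread data makes the
    kernel send RST, which would blur the FIN and RST cases we want to separate.
    """
    header = b""
    while len(header) < 5:
        chunk = conn.recv(5 - len(header))
        if not chunk:
            return header
        header += chunk
    (length,) = struct.unpack("!H", header[3:5])  # record length field
    body = b""
    while len(body) < length:
        chunk = conn.recv(length - len(body))
        if not chunk:
            break
        body += chunk
    return header + body


def start_mock_server(behavior):
    """Serve one client on 127.0.0.1 and end the session per `behavior`.

    'rst' -> read the ClientHello, then close with SO_LINGER(0) so close() emits RST
             (what s_client shows as write:errno=104, read 0 bytes)
    'fin' -> read the ClientHello, then close normally (FIN)
    Returns the bound port. Constructed test double, not a real TLS server.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            _read_tls_record(conn)  # consume the ClientHello
            if behavior == "rst":
                linger_on_zero_timeout = struct.pack("ii", 1, 0)
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, linger_on_zero_timeout)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def main():
    for behavior in ("rst", "fin"):
        port = start_mock_server(behavior)
        print(f"{behavior:>3} server -> {classify_tls_failure('127.0.0.1', port, timeout=3)}")


if __name__ == "__main__":
    main()
```

Run it against a real host by calling classify_tls_failure("www.example.com", 443) from both the LAN and the WAN side of the firewall; the label, not the verify result, is what to compare. Note that the classifier tells you which stage failed, not who reset the connection: a reset after the ClientHello can come from the server, from the firewall, or from any middlebox that looks at SNI, so the next step is a packet capture on both sides of the suspected device to see where the RST originates.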