Odd UKC X.509 certificate error

This topic has been archived, and won't accept reply postings.
 Rob Parsons 02 Oct 2023

Since about last Thursday, I have been experiencing the following when accessing the www.ukclimbing.com site on an Android phone via Chrome:

1. No problem correctly accessing the site via home wifi.

2. Attempts to access the site over my phone's data network result in the following error:

"Your connection is not private ... [snip] ...

NET:ERR_CERT_COMMON_NAME_INVALID"

3. By contrast, I can access www.ukhillwalking.com correctly by both wifi and the data network

Is anybody else seeing anything similar? The certificates look okay to me (or at least, I can't spot any problem with them) so I'm confused by what's going on.

This could just be a 'me' problem of course. I confirm that I have completely flushed my browser cache.

Post edited at 17:25
 Dave Todd 02 Oct 2023
In reply to Rob Parsons:

Yes, been getting the same occasionally (on Android / Chrome).

Bizarrely, got same message(ish) when accessing 'the other channel' today on computer (Windows / Chrome) - working ok now.

 Andy Ovens - UKC and UKH 02 Oct 2023
In reply to Rob Parsons:

Are you with O2? Or one of the virtual networks that uses them?

We have had reports of O2 users experiencing this, but unfortunately don't have a fix as it's O2's issue.

Using a VPN (or similar, such as iCloud Private Relay on iOS) should fix the issue.

It should pass, but frustrating while it lasts.

OP Rob Parsons 02 Oct 2023
In reply to Andy Ovens - UKC and UKH:

> Are you with O2? Or one of the virtual networks that uses them?

Indeed. I use giffgaff.

> We have had reports of O2 users experiencing this, but unfortunately don't have a fix as it's O2's issue.

Okay, thanks. I'll just wait for it to sort itself out then.

 jonny taylor 02 Oct 2023
In reply to Rob Parsons:

I've been seeing this fairly regularly on O2/iPhone for the last month or so. Refuses to connect to the site for a few hours, then whatever it is resolves itself. It's weird if this is somehow the carrier's fault (and I haven't seen it happen for any other sites)...

 Dave Todd 02 Oct 2023
In reply to Andy Ovens - UKC and UKH:

I'm with Tesco Mobile, which uses O2. Sounds like that's the problem for me - no big deal. Thanks for the info.

OP Rob Parsons 02 Oct 2023
In reply to jonny taylor:

> I've been seeing this fairly regularly on O2/iPhone for the last month or so. Refuses to connect to the site for a few hours, then whatever it is resolves itself. It's weird if this is somehow the carrier's fault (and I haven't seen it happen for any other sites)...

Ok, thanks. A month - wow! I hope this is getting reported to O2 - I'll do my best to log a fault report.

I've seen a similar problem in a commercial network, and the root cause turned out to be a buggy firewall which was mangling certificates. No idea what's going on in the current case - but I hope O2 get it sorted out. Detailed problem reports submitted to them should help.

Post edited at 18:41
 elsewhere 02 Oct 2023
In reply to Rob Parsons:

> Since about last Thursday, I have been experiencing the following when accessing the www.ukclimbing.com site on an Android phone via Chrome:

> 1. No problem correctly accessing the site via home wifi.

> 2. Attempts to access the site over my phone's data network result in the following error:

> "Your connection is not private ... [snip] ...

> NET:ERR_CERT_COMMON_NAME_INVALID"

> 3. By contrast, I can access www.ukhillwalking.com correctly by both wifi and the data network

1, 2 & 3 exactly the same for me, also Android phone via Chrome, and my mobile data is O2.

 CantClimbTom 02 Oct 2023
In reply to Rob Parsons:

Why would the certificate be showing as invalid via O2 but valid by other routes on the same device (like a mobile device on mobile data versus home WiFi)?

Is O2 "breaking" (TLS intercepting) the SSL/TLS traffic and doing a bad job? I'm used to seeing this done within big corporates, but I wouldn't want an ISP doing that!

Post edited at 20:02
 Paul Phillips - UKC and UKH 02 Oct 2023
In reply to CantClimbTom:

> Is O2 "breaking" (TLS intercepting) the SSL/TLS traffic and doing a bad job? I'm used to seeing this done within big corporates, but I wouldn't want an ISP doing that!

Yeah, it's very weird. The only time I've seen this error is when I was using my PC as an internet proxy and spying on web traffic that apps on my phone were making.

Basically doing a man-in-the-middle attack, but not very well.

Phones that report the issue have no problem connecting via wi-fi or a VPN. It's only on their 4/5G network.

Post edited at 20:11
 CantClimbTom 02 Oct 2023
In reply to Paul Phillips - UKC and UKH:

You were using Fiddler proxy? (It's very good, Burp Suite also.) It has to be poorly implemented TLS interception. Without seeing the full details of the cert causing the error it's hard to know for sure. The issue of wholesale TLS interception at ISPs was being pushed (allowing that by the "DTI") roughly 10 years ago, but it got pushed back at the time.

When I've seen TLS interception (private sector) done various places, it was done well and users were kept unaware. But O2 must be clowns.

Better get a second layer of tin foil on my hat

Post edited at 20:25
 Paul Phillips - UKC and UKH
In reply to CantClimbTom:

Yeah, it was Fiddler proxy.

 sandrow 03 Oct 2023
In reply to Paul Phillips - UKC and UKH:

It could be a poor implementation of web page caching by O2 (or more accurately the supplier of the service they use to implement caching). An ISP wants to cache frequently used pages (e.g. UKC forum threads) as "close" to the page user as possible for latency & user experience benefits. Caching an encrypted page breaks the SSL/TLS certificate chain so users get the "Your connection is not private" message.

OP Rob Parsons 03 Oct 2023
In reply to sandrow:

> It could be a poor implementation of web page caching by O2 ...

If that were the case, why would www.ukhillwalking.com/forums continue to work, while www.ukclimbing.com/forums is broken?

Post edited at 07:45
 sandrow 03 Oct 2023
In reply to Rob Parsons:

> If that were the case, why would www.ukhillwalking.com/forums continue to work, while www.ukclimbing.com/forums is broken?

Different cert chains for the two domains?

https://venafi.com/blog/how-do-certificate-chains-work/

Different caching logic triggered by the two domains?

Have you tried browser Incognito/Private mode to access UKC?

If that works - clear browser cache and retry.

OP Rob Parsons 03 Oct 2023
In reply to sandrow:

> Different cert chains for the two domains?

Both just use Let's Encrypt.

> Different caching logic triggered by the two domains?

> Have you tried browser Incognito/Private mode to access UKC?

I'll try that and report back.

OP Rob Parsons 03 Oct 2023
In reply to Rob Parsons:

> I'll try that and report back.

Just to confirm: Using 'Incognito' mode doesn't affect the result. That is, I get exactly the same results as in the OP.

 elsewhere 03 Oct 2023

FROM LAPTOP AND HOME (BT) BROADBAND

Thought I requested http2 but http1 returned, possibly an error of mine.

*   Trying 109.108.136.253:443...
* Connected to www.ukclimbing.com (109.108.136.253) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET /forums/ HTTP/1.1
> Host: www.ukclimbing.com
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 03 Oct 2023 18:18:13 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 142457
< Connection: keep-alive
< Vary: Accept-Encoding
< Cache-Control: max-age=17, must-revalidate
< Expires: Tue, 03 Oct 2023 18:18:30 GMT
< Set-Cookie: ukc_test=test; path=/user/; domain=www.ukclimbing.com; secure; HttpOnly
< Last-Modified: Tue, 03 Oct 2023 18:18:00 GMT
< ETag: "a8512e68a2cc26b80b12e858318a5a49"
< Strict-Transport-Security: max-age=63072000; includeSubDomains
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
<
HTML STARTS HERE

Post edited at 19:43
 elsewhere 03 Oct 2023

SAME REQUEST FROM LAPTOP BUT USING MY PHONE (O2) AS MOBILE HOTSPOT

curl -v --http2 https://www.ukhillwalking.com/forums/
*   Trying 13.107.21.200:443...
* Connected to www.ukclimbing.com (13.107.21.200) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with www.ukclimbing.com port 443
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - The target principal name is incorrect.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Post edited at 19:34
 elsewhere 03 Oct 2023

CHECKING REQUEST FROM LAPTOP TO GOOGLE WORKS WHEN USING MY PHONE (O2) AS MOBILE HOTSPOT

curl -v --http2 https://www.google.com/
*   Trying 216.239.38.120:443...
* Connected to www.google.com (216.239.38.120) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1

> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: failed to decrypt data, need more data
* schannel: failed to decrypt data, need more data
< HTTP/1.1 200 OK
< Date: Tue, 03 Oct 2023 18:22:05 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-uIa_9x3fNKjfgnv1u7cgRw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: SOCS=CAAaBgiAs-2oBg; expires=Fri, 01-Nov-2024 18:22:05 GMT; path=/; domain=.google.com; Secure; SameSite=lax
< Set-Cookie: AEC=Ackid1Tu7jwTDQHNUnIqMWaA1y_-xHyY87WrHk_eqGwVH0XORBiGf91C-w; expires=Sun, 31-Mar-2024 18:22:05 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: __Secure-ENID=15.SE=ToZ_JIDiQtr3RgEKjfihdlr53xTCP94RwOJMGEcD3Y4We-5LOJJsHIG0CyoWdBqU39K3P5-D6PrWLX6x1VDjtPPmMGmEnc-fWuVQYagbWz4ZZXK0C3fZNL2iRMX3DVN1dS-AXqzTPlz8bKVETSker5j4VsKlAvODo2boMat7tQI; expires=Sat, 02-Nov-2024 10:40:23 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
< Set-Cookie: CONSENT=PENDING+624; expires=Thu, 02-Oct-2025 18:22:05 GMT; path=/; domain=.google.com; Secure
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
HTML STARTS HERE

Post edited at 19:42
 smbnji 03 Oct 2023
In reply to elsewhere:

What if you change the DNS server to not be O2's?

 CantClimbTom 03 Oct 2023
In reply to elsewhere:

Not quite sure where you're going with the verbose curl other than showing detail of the TLS negotiation. Personally, due to the cert warning (and having seen TLS interception), I'd be interested in the full details of the cert received, which may or may not have been sent by UKClimbing.com's webserver.

 Paul Phillips - UKC and UKH 03 Oct 2023
In reply to elsewhere:

> curl -v --http2 https://www.ukhillwalking.com/forums/
> *   Trying 13.107.21.200:443...
> * Connected to www.ukclimbing.com (13.107.21.200) port 443 (#0)

That is consistent with the other fault reports. They were getting a bing.com SSL cert sent.

That IP is Microsoft - https://whois.domaintools.com/13.107.21.200

The correct IP for ukclimbing.com is 109.108.136.253

Post edited at 20:30
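The two posts above pin down why the browser reports a name error rather than a trust error: the address returned for www.ukclimbing.com belongs to a different server, which presents a perfectly valid certificate for its own names. The following is an added example, not code from the thread or from UKC, showing the hostname check a client performs against a certificate's subjectAltName entries (the RFC 6125 rules browsers apply) and how its two independent checks map onto Chrome's error names. The SAN list is constructed to stand in for "a certificate for some other site"; the real certificate's names are not on the page.

```python
"""Added example: browser-style hostname matching against SAN dNSName
entries, and the split between chain validation and name validation.
Not code from the thread."""
import ipaddress

# Constructed SAN list standing in for a certificate issued to another site.
# It is NOT the actual certificate anyone in the thread received.
OTHER_SITE_SANS = ["www.bing.com", "*.bing.com", "bing.com"]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Rules applied (the subset that matters here):
      * comparison is case-insensitive; a trailing dot is ignored
      * a wildcard is honoured only as the entire left-most label
        ("*.bing.com") and matches exactly one label, so it covers
        "www.bing.com" but neither "bing.com" nor "a.b.bing.com"
      * an IP-literal hostname never matches a dNSName entry
    """
    host = hostname.lower().rstrip(".")
    if _is_ip_literal(host):
        return False
    host_labels = host.split(".")
    for entry in san_dns_names:
        pat_labels = entry.lower().rstrip(".").split(".")
        if "*" not in entry:
            if pat_labels == host_labels:
                return True
            continue
        # wildcard form: "*" alone as the first label, at least two more
        # labels after it, and no other wildcard anywhere in the pattern
        if (pat_labels[0] != "*" or len(pat_labels) < 3
                or any("*" in label for label in pat_labels[1:])):
            continue
        if len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]:
            return True
    return False


def classify_tls_outcome(requested_host: str, san_dns_names, chain_trusted: bool) -> str:
    """Map the two independent client checks onto Chrome's error names.

    Chain validation and name validation are separate steps: a genuine,
    trusted certificate for the wrong site passes the first and fails
    only the second, which is exactly the symptom in the thread.
    """
    if not chain_trusted:
        return "NET::ERR_CERT_AUTHORITY_INVALID"
    if not hostname_matches(requested_host, san_dns_names):
        return "NET::ERR_CERT_COMMON_NAME_INVALID"
    return "OK"


if __name__ == "__main__":
    for host in ("www.ukclimbing.com", "www.bing.com"):
        print(host, "->", classify_tls_outcome(host, OTHER_SITE_SANS, chain_trusted=True))
```

The practical reading for a defender: a name-mismatch error with an otherwise valid chain points at traffic reaching the wrong host (DNS or routing) rather than at a forged certificate, so the next thing to check is what the resolver in use is returning, as the later posts do.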
 Paul Phillips - UKC and UKH 03 Oct 2023
In reply to smbnji:

> What if you change the DNS server to not be O2's?

I think that should fix it, 1.1.1.1 is a good DNS server.

This is a good solution for

Post edited at 20:51
 oldie 03 Oct 2023
In reply to Rob Parsons:

Yes same problem using O2 and Chrome.

 elsewhere 03 Oct 2023
In reply to Paul Phillips - UKC and UKH and smbnji:

OK....

Phone Wifi off, O2 mobile data on, can't set dns to an IP address, however this works for surfing UKC on phone...

https://developers.google.com/speed/public-dns/docs/using#android_9_pie_or_...

Android 9 supports "Private DNS" which uses DNS-over-TLS to provide security and privacy for your DNS queries. You can configure it with the following steps.

Go to Settings ... Network & Internet ... Advanced ... Private DNS.

Select Private DNS provider hostname.

Enter dns.google as the hostname of the DNS provider.

Click Save.

Doesn't work for laptop when using phone as a mobile hotspot (still getting DNS from O2?) but that's not something I need as I just used phone as hotspot so I could do curl on laptop to test O2 mobile data.

Post edited at 21:29
 remus Global Crag Moderator 09 Oct 2023
In reply to CantClimbTom:

> ...I'd be interested in the full details of the cert received which may or may not have been sent by UKClimbing.com's webserver

Not quite full details, but this is the cert a friend of mine received when seeing this same error. Obviously it's for completely the wrong domain thus chrome throwing the error.

Post edited at 08:18

OP Rob Parsons 09 Oct 2023
In reply to remus:

> Not quite full details, but this is the cert a friend of mine received when seeing this same error. Obviously it's for completely the wrong domain thus chrome throwing the error.

Yes. As established above, it's a DNS error with O2. Very strange - and taking a long time to clear.

 elsewhere 09 Oct 2023
In reply to Rob Parsons:

> Yes. As established above, it's a DNS error with O2. Very strange - and taking a long time to clear.

Months? I recall UKC not working on my phone previously, possibly before O2 took over the Virgin contracts. I wonder if it's only broken for former Virgin customers?

Laptop on BT Home Broadband, surfing UKC works

>nslookup ukclimbing.com

Server:  BThomehub.home
Address:  192.168.1.254

Non-authoritative answer:
Name:    ukclimbing.com
Address:  109.108.136.253


Laptop on phone as wifi hotspot for O2 mobile data, surfing UKC doesn't work

>nslookup ukclimbing.com

Server:  UnKnown
Address:  192.168.43.6

Name:    ukclimbing.com
Addresses:  2620:1ec:c11::200
          204.79.197.200
          13.107.21.200

Is there a way of tracing which DNS is in use beyond 192.168.1.254 or 192.168.43.6 local network?

Curiously, when I try to force use of 1.1.1.1 or 8.8.8.8, I still get the O2 DNS when I'm using the mobile hotspot.

Laptop on BT Home Broadband

>nslookup ukclimbing.com 1.1.1.1

Server:  one.one.one.one
Address:  1.1.1.1

Non-authoritative answer:
Name:    ukclimbing.com
Address:  109.108.136.253

>nslookup ukclimbing.com 8.8.8.8

Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    ukclimbing.com
Address:  109.108.136.253

Laptop on phone as wifi hotspot for O2 mobile data

>nslookup ukclimbing.com 1.1.1.1

Server:  one.one.one.one
Address:  1.1.1.1

Name:    ukclimbing.com
Addresses:  2620:1ec:c11::200
          204.79.197.200
          13.107.21.200

>nslookup ukclimbing.com 8.8.8.8

Server:  dns.google
Address:  8.8.8.8

Name:    ukclimbing.com
Addresses:  2620:1ec:c11::200
          204.79.197.200
          13.107.21.200

>ipconfig /flushdns - makes no difference to O2 DNS results

Post edited at 10:08
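The post above does the right diagnostic by hand: query the same name through a known-good path and through the suspect path, then compare. Below is an added example, not code from the thread, that automates that comparison over the Windows nslookup output format shown above. The two transcripts are constructed from the values quoted in the post so the script runs offline; point parse_nslookup() at real output to use it.

```python
"""Added example: parse nslookup output from two resolvers and flag
any divergence in the answer set. Not code from the thread."""
import ipaddress

# Constructed from the thread: answer seen via BT home broadband (reference)
REFERENCE_OUTPUT = """\
Server:  BThomehub.home
Address:  192.168.1.254

Non-authoritative answer:
Name:    ukclimbing.com
Address:  109.108.136.253
"""

# Constructed from the thread: answer seen via the O2 hotspot (suspect)
SUSPECT_OUTPUT = """\
Server:  UnKnown
Address:  192.168.43.6

Name:    ukclimbing.com
Addresses:  2620:1ec:c11::200
          204.79.197.200
          13.107.21.200
"""


def parse_nslookup(output: str) -> dict:
    """Extract resolver name, queried name and the set of answer addresses.

    nslookup prints the resolver's own Server:/Address: pair first; the
    answer section starts at "Name:" and may list several addresses, the
    first after "Address(es):" and the rest on indented continuation lines.
    """
    resolver, name, answers = None, None, set()
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Non-authoritative"):
            continue
        key, _, value = line.partition(":")
        if key == "Server":
            resolver = value.strip()
        elif key == "Name":
            name = value.strip().lower()
            in_answer = True
        elif key in ("Address", "Addresses"):
            if in_answer:
                answers.add(ipaddress.ip_address(value.strip()))
            # otherwise this is the resolver's own address, not an answer
        elif in_answer:
            answers.add(ipaddress.ip_address(line))  # continuation line
    return {"resolver": resolver, "name": name, "answers": answers}


def compare_answers(reference: dict, suspect: dict) -> dict:
    """Set-compare the two answers; whatever only the suspect resolver
    returns is what a browser on that path will actually connect to."""
    ref, sus = reference["answers"], suspect["answers"]
    return {
        "name": reference["name"],
        "consistent": ref == sus,
        "missing": sorted(ref - sus, key=str),     # expected but not returned
        "unexpected": sorted(sus - ref, key=str),  # returned but not expected
    }


def report(comparison: dict) -> list:
    """Human-readable summary lines for the comparison."""
    status = "consistent" if comparison["consistent"] else "DIVERGENT"
    lines = [f"{comparison['name']}: {status}"]
    for ip in comparison["unexpected"]:
        lines.append(f"  suspect resolver returned unexpected address {ip} "
                     f"(IPv{ip.version}); check which names its TLS certificate is for")
    for ip in comparison["missing"]:
        lines.append(f"  suspect resolver omitted expected address {ip}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(compare_answers(parse_nslookup(REFERENCE_OUTPUT),
                                           parse_nslookup(SUSPECT_OUTPUT)))))
```

One caveat the post itself illustrates: the queries sent explicitly to 1.1.1.1 and 8.8.8.8 through the hotspot came back with the same odd answers, while the Android Private DNS (DNS-over-TLS) setting from the earlier post did work. That pattern is consistent with plain port-53 traffic being answered on-path, so a comparison like this is only as good as the reference path; run the reference query over an encrypted transport (DoT or DoH) or from a network you trust before treating its answer as ground truth.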
