No TLS on workers.dev unless VPN is used

I was unable to make requests via curl with SSL_ERROR_SYSCALL for a long time, and I also can only get logs in the dashboard if I turn on my vpn. Deploying via wrangler works, but log streaming and dev environment don't. sslscan workers.dev (same with <worker>.<account>.workers.dev)
Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:

Supported Server Cipher(s):
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Certificate information cannot be retrieved.
Version: 2.1.2-static
OpenSSL 3.0.12 24 Oct 2023

Connected to 104.18.13.15

Testing SSL server workers.dev on port 443 using SNI name workers.dev

SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

TLS Fallback SCSV:
Connection failed - unable to determine TLS Fallback SCSV support

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:

Supported Server Cipher(s):
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Unable to parse certificate
Certificate information cannot be retrieved.
I am located in Russia and I use my company's account.
7 Replies
John The Cooling Fan
Also, output of openssl s_client -cipher ALL -servername workers.dev -connect workers.dev:443:
CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
CONNECTED(00000003)
408755D49F7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../openssl-3.0.12/ssl/record/rec_layer_s3.c:303:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 412 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
That's sslscan My curl is 8.5.0 Either way I also get a tls error
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 (GnuTLS/3.8.0) (mbedTLS/2.28.7) OpenSSL/3.0.12 zlib/1.3 c-ares/1.25.0 libpsl/0.21.5 (+libidn2/2.3.7) nghttp2/1.57.0
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps tftp
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IPv6 Largefile libz MultiSSL NTLM PSL SSL threadsafe TLS-SRP UnixSockets
That's a big assumption that it' an issue introduced in russian side of the network I didn't encounter any problems of this kind ever. So I feel like it's a problem on cloudflare side. Either something is misconfigured or geoblocking. IP in the sslscan output and workers.dev are not in the registry Protocol is https, so not blocking by this. TLS extension - I don't know. And from my experience blocked sites produce different behavior, usually a redirect of dropped connection without even reaching ssl stage Never seen this be used with my provider Certificate is issued by google for <account>.workers.dev and *.<account>.workers.dev (What I see from VPN) I use US location I would like to get someone else's opinion
Devon
Devon10mo ago
haven't you basically already proven that, as it works over VPN to US?
John The Cooling Fan
I haven't proven that russia is blocking it, as there is still possibility that cloudflare is geoblocking And I would like to find out
Cyb3r-Jak3
Cyb3r-Jak310mo ago
If Cloudflare was blocking then you either wouldn’t get a response or it would be Cloudflare block page. If you want an official answer then your best bet is to open a support ticket
John The Cooling Fan
Thanks for the directions
John The Cooling Fan
Ah, it is blocked by russia
No description
John The Cooling Fan
That's a lot of times the ip 188.114.96.3 has been put into teh registry
Want results from more Discord servers?
Add your server