public inbox for gcc@gcc.gnu.org
* urgent - Google Cloud public subnet blacklisted by gcc.org
@ 2023-01-10 12:56 Federico Iezzi
       [not found] ` <CAJ_7uVxQoH3NNZC6OwkK0aMfPkwMA4TXHP6Ye4U38Yvo_uf-Nw@mail.gmail.com>
  2023-01-10 14:42 ` Frank Ch. Eigler
  0 siblings, 2 replies; 3+ messages in thread
From: Federico Iezzi @ 2023-01-10 12:56 UTC
  To: gcc, abuse

Hey everybody,

Apologies for this request, and perhaps the wrong mailing list.
I hope this gets the right level of attention.

It seems like the GCC frontend/WAF have blacklisted the entire subnet
used by Google Cloud for Internet access.

Follows some traces.

Could you please unblock us? It's really important that this gets
sorted out as quickly as possible. Any Google Cloud customer using GCC
is completely unable to do so.

$ curl ifconfig.me
35.234.162.99

$ curl -v -o /dev/null -L gcc.gnu.org
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:--
--:--:--     0*   Trying 8.43.85.97:80...
* Connected to gcc.gnu.org (8.43.85.97) port 80 (#0)
> GET / HTTP/1.1
> Host: gcc.gnu.org
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden <================== 403 status code
< Date: Tue, 10 Jan 2023 12:47:36 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< Content-Length: 318
< Content-Type: text/html; charset=iso-8859-1
<
{ [318 bytes data]
100   318  100   318    0     0   1628      0 --:--:-- --:--:-- --:--:--  1630
* Connection #0 to host gcc.gnu.org left intact

$ openssl s_client -connect gcc.gnu.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = gcc.gnu.org
verify return:1
---
Certificate chain
 0 s:CN = gcc.gnu.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 03:06:21 2023 GMT; NotAfter: Apr  1 03:06:20 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = gcc.gnu.org <================== No Proxy in between
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4681 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F2BFBAFB1D0DDAF2452069AEC037513168A2D4D0DCC1E6FCA16CFB64ACA345F1
    Session-ID-ctx:
    Master-Key:
E75FB7953CA1B56801AD6738BE0771EADB1D7760DA2A5B21B0203CB34731BE9F71F5531118827FCAB00FD121577D052C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1673354833
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

$ curl -o /dev/null -v -L https://gcc.gnu.org
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:--
--:--:--     0*   Trying 8.43.85.97:443...
* Connected to gcc.gnu.org (8.43.85.97) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4014 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=gcc.gnu.org
*  start date: Jan  1 03:06:21 2023 GMT
*  expire date: Apr  1 03:06:20 2023 GMT
*  subjectAltName: host "gcc.gnu.org" matched cert's "gcc.gnu.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x56456e26e550)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET / HTTP/2
> Host: gcc.gnu.org
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/2 403 <================== Still 403 status code
< date: Tue, 10 Jan 2023 12:43:12 GMT
< server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< content-length: 318
< content-type: text/html; charset=iso-8859-1
<
{ [318 bytes data]
100   318  100   318    0     0    546      0 --:--:-- --:--:-- --:--:--   547
* Connection #0 to host gcc.gnu.org left intact

$ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://gcc.gnu.org/git/gcc.git
12:54:29.918761 git.c:455               trace: built-in: git clone
http://gcc.gnu.org/git/gcc.git
Cloning into 'gcc'...
12:54:29.921626 run-command.c:668       trace: run_command: git
remote-http origin http://gcc.gnu.org/git/gcc.git
12:54:29.923332 git.c:742               trace: exec: git-remote-http
origin http://gcc.gnu.org/git/gcc.git
12:54:29.924367 run-command.c:668       trace: run_command:
git-remote-http origin http://gcc.gnu.org/git/gcc.git
12:54:29.929928 http.c:664              == Info: Couldn't find host
gcc.gnu.org in the (nil) file; using defaults
12:54:29.930846 http.c:664              == Info:   Trying 8.43.85.97:80...
12:54:30.032316 http.c:664              == Info: Connected to
gcc.gnu.org (8.43.85.97) port 80 (#0)
12:54:30.032385 http.c:611              => Send header, 0000000233
bytes (0x000000e9)
12:54:30.032397 http.c:623              => Send header: GET
/git/gcc.git/info/refs?service=git-upload-pack HTTP/1.1
12:54:30.032400 http.c:623              => Send header: Host: gcc.gnu.org
12:54:30.032403 http.c:623              => Send header: User-Agent: git/2.34.1
12:54:30.032406 http.c:623              => Send header: Accept: */*
12:54:30.032417 http.c:623              => Send header:
Accept-Encoding: deflate, gzip, br, zstd
12:54:30.032427 http.c:623              => Send header:
Accept-Language: C, *;q=0.9
12:54:30.032432 http.c:623              => Send header: Pragma: no-cache
12:54:30.032435 http.c:623              => Send header: Git-Protocol: version=2
12:54:30.032439 http.c:623              => Send header:
12:54:30.124540 http.c:664              == Info: Mark bundle as not
supporting multiuse
12:54:30.124573 http.c:611              <= Recv header, 0000000024
bytes (0x00000018)
12:54:30.124579 http.c:623              <= Recv header: HTTP/1.1 403 Forbidden
12:54:30.124590 http.c:611              <= Recv header, 0000000037
bytes (0x00000025)
12:54:30.124601 http.c:623              <= Recv header: Date: Tue, 10
Jan 2023 12:54:30 GMT
12:54:30.124608 http.c:611              <= Recv header, 0000000134
bytes (0x00000086)
12:54:30.124623 http.c:623              <= Recv header: Server:
Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.70
mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
12:54:30.124635 http.c:611              <= Recv header, 0000000021
bytes (0x00000015)
12:54:30.124641 http.c:623              <= Recv header: Content-Length: 199
12:54:30.124647 http.c:611              <= Recv header, 0000000045
bytes (0x0000002d)
12:54:30.124662 http.c:623              <= Recv header: Content-Type:
text/html; charset=iso-8859-1
12:54:30.124672 http.c:611              <= Recv header, 0000000002
bytes (0x00000002)
12:54:30.124681 http.c:623              <= Recv header:
12:54:30.124697 http.c:664              == Info: Connection #0 to host
gcc.gnu.org left intact
fatal: unable to access 'http://gcc.gnu.org/git/gcc.git/': The
requested URL returned error: 403


* Re: urgent - Google Cloud public subnet blacklisted by gcc.org
       [not found] ` <CAJ_7uVxQoH3NNZC6OwkK0aMfPkwMA4TXHP6Ye4U38Yvo_uf-Nw@mail.gmail.com>
@ 2023-01-10 14:29   ` Federico Iezzi
  0 siblings, 0 replies; 3+ messages in thread
From: Federico Iezzi @ 2023-01-10 14:29 UTC
  To: gerald, gcc

Thanks!

$ curl -L -v -o /dev/null gcc.gnu.org
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:--
--:--:--     0*   Trying 8.43.85.97:80...
* Connected to gcc.gnu.org (8.43.85.97) port 80 (#0)
> GET / HTTP/1.1
> Host: gcc.gnu.org
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 10 Jan 2023 14:27:56 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Mon, 14 Nov 2022 13:47:54 GMT
< ETag: "4cd2-5ed6e7c7d6b81"
< Accept-Ranges: bytes
< Content-Length: 19666
< Vary: Accept-Encoding
< Content-Security-Policy: default-src 'self' http: https:
< Content-Type: text/html; charset=utf-8
<
{ [13412 bytes data]
100 19666  100 19666    0     0  51752      0 --:--:-- --:--:-- --:--:-- 51889
* Connection #0 to host gcc.gnu.org left intact

On Tue, Jan 10, 2023 at 2:29 PM Federico Iezzi <fiezzi@google.com> wrote:
>
> Hey pfeifer.com,
>
> I know this is a long shot, but we need some real help here.
>
> Could you please answer this request? All the debug should be in the
> following forwarded email.
>
> Thanks,
> Federico
>
> ---------- Forwarded message ---------
> From: Federico Iezzi <fiezzi@google.com>
> Date: Tue, Jan 10, 2023 at 1:56 PM
> Subject: urgent - Google Cloud public subnet blacklisted by gcc.org
> To: <gcc@gcc.gnu.org>, <abuse@support.gandi.net>
>
>
> Hey everybody,
>
> Apologies for this request, and perhaps the wrong mailing list.
> I hope this gets the right level of attention.
>
> It seems like the GCC frontend/WAF have blacklisted the entire subnet
> used by Google Cloud for Internet access.
>
> Follows some traces.
>
> Could you please unblock us? It's really important that this gets
> sorted out as quickly as possible. Any Google Cloud customer using GCC
> is completely unable to do so.
>
> $ curl ifconfig.me
> 35.234.162.99
>
> $ curl -v -o /dev/null -L gcc.gnu.org
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:--
> --:--:--     0*   Trying 8.43.85.97:80...
> * Connected to gcc.gnu.org (8.43.85.97) port 80 (#0)
> > GET / HTTP/1.1
> > Host: gcc.gnu.org
> > User-Agent: curl/7.81.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 403 Forbidden <================== 403 status code
> < Date: Tue, 10 Jan 2023 12:47:36 GMT
> < Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
> mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> < Content-Length: 318
> < Content-Type: text/html; charset=iso-8859-1
> <
> { [318 bytes data]
> 100   318  100   318    0     0   1628      0 --:--:-- --:--:-- --:--:--  1630
> * Connection #0 to host gcc.gnu.org left intact
>
> $ openssl s_client -connect gcc.gnu.org:443
> CONNECTED(00000003)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = gcc.gnu.org
> verify return:1
> ---
> Certificate chain
>  0 s:CN = gcc.gnu.org
>    i:C = US, O = Let's Encrypt, CN = R3
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Jan  1 03:06:21 2023 GMT; NotAfter: Apr  1 03:06:20 2023 GMT
>  1 s:C = US, O = Let's Encrypt, CN = R3
>    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
>  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
> ---
> Server certificate
> subject=CN = gcc.gnu.org <================== No Proxy in between
> issuer=C = US, O = Let's Encrypt, CN = R3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 4681 bytes and written 406 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: F2BFBAFB1D0DDAF2452069AEC037513168A2D4D0DCC1E6FCA16CFB64ACA345F1
>     Session-ID-ctx:
>     Master-Key:
> E75FB7953CA1B56801AD6738BE0771EADB1D7760DA2A5B21B0203CB34731BE9F71F5531118827FCAB00FD121577D052C
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>
>     Start Time: 1673354833
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
> ---
>
> $ curl -o /dev/null -v -L https://gcc.gnu.org
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:--
> --:--:--     0*   Trying 8.43.85.97:443...
> * Connected to gcc.gnu.org (8.43.85.97) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> *  CAfile: /etc/ssl/certs/ca-certificates.crt
> *  CApath: /etc/ssl/certs
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> { [106 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [4014 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [300 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [37 bytes data]
> * TLSv1.2 (OUT), TLS header, Finished (20):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> * TLSv1.2 (IN), TLS header, Finished (20):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use h2
> * Server certificate:
> *  subject: CN=gcc.gnu.org
> *  start date: Jan  1 03:06:21 2023 GMT
> *  expire date: Apr  1 03:06:20 2023 GMT
> *  subjectAltName: host "gcc.gnu.org" matched cert's "gcc.gnu.org"
> *  issuer: C=US; O=Let's Encrypt; CN=R3
> *  SSL certificate verify ok.
> * Using HTTP2, server supports multiplexing
> * Connection state changed (HTTP/2 confirmed)
> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * Using Stream ID: 1 (easy handle 0x56456e26e550)
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> > GET / HTTP/2
> > Host: gcc.gnu.org
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> < HTTP/2 403 <================== Still 403 status code
> < date: Tue, 10 Jan 2023 12:43:12 GMT
> < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
> mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> < content-length: 318
> < content-type: text/html; charset=iso-8859-1
> <
> { [318 bytes data]
> 100   318  100   318    0     0    546      0 --:--:-- --:--:-- --:--:--   547
> * Connection #0 to host gcc.gnu.org left intact
>
> $ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://gcc.gnu.org/git/gcc.git
> 12:54:29.918761 git.c:455               trace: built-in: git clone
> http://gcc.gnu.org/git/gcc.git
> Cloning into 'gcc'...
> 12:54:29.921626 run-command.c:668       trace: run_command: git
> remote-http origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.923332 git.c:742               trace: exec: git-remote-http
> origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.924367 run-command.c:668       trace: run_command:
> git-remote-http origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.929928 http.c:664              == Info: Couldn't find host
> gcc.gnu.org in the (nil) file; using defaults
> 12:54:29.930846 http.c:664              == Info:   Trying 8.43.85.97:80...
> 12:54:30.032316 http.c:664              == Info: Connected to
> gcc.gnu.org (8.43.85.97) port 80 (#0)
> 12:54:30.032385 http.c:611              => Send header, 0000000233
> bytes (0x000000e9)
> 12:54:30.032397 http.c:623              => Send header: GET
> /git/gcc.git/info/refs?service=git-upload-pack HTTP/1.1
> 12:54:30.032400 http.c:623              => Send header: Host: gcc.gnu.org
> 12:54:30.032403 http.c:623              => Send header: User-Agent: git/2.34.1
> 12:54:30.032406 http.c:623              => Send header: Accept: */*
> 12:54:30.032417 http.c:623              => Send header:
> Accept-Encoding: deflate, gzip, br, zstd
> 12:54:30.032427 http.c:623              => Send header:
> Accept-Language: C, *;q=0.9
> 12:54:30.032432 http.c:623              => Send header: Pragma: no-cache
> 12:54:30.032435 http.c:623              => Send header: Git-Protocol: version=2
> 12:54:30.032439 http.c:623              => Send header:
> 12:54:30.124540 http.c:664              == Info: Mark bundle as not
> supporting multiuse
> 12:54:30.124573 http.c:611              <= Recv header, 0000000024
> bytes (0x00000018)
> 12:54:30.124579 http.c:623              <= Recv header: HTTP/1.1 403 Forbidden
> 12:54:30.124590 http.c:611              <= Recv header, 0000000037
> bytes (0x00000025)
> 12:54:30.124601 http.c:623              <= Recv header: Date: Tue, 10
> Jan 2023 12:54:30 GMT
> 12:54:30.124608 http.c:611              <= Recv header, 0000000134
> bytes (0x00000086)
> 12:54:30.124623 http.c:623              <= Recv header: Server:
> Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.70
> mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> 12:54:30.124635 http.c:611              <= Recv header, 0000000021
> bytes (0x00000015)
> 12:54:30.124641 http.c:623              <= Recv header: Content-Length: 199
> 12:54:30.124647 http.c:611              <= Recv header, 0000000045
> bytes (0x0000002d)
> 12:54:30.124662 http.c:623              <= Recv header: Content-Type:
> text/html; charset=iso-8859-1
> 12:54:30.124672 http.c:611              <= Recv header, 0000000002
> bytes (0x00000002)
> 12:54:30.124681 http.c:623              <= Recv header:
> 12:54:30.124697 http.c:664              == Info: Connection #0 to host
> gcc.gnu.org left intact
> fatal: unable to access 'http://gcc.gnu.org/git/gcc.git/': The
> requested URL returned error: 403


* Re: urgent - Google Cloud public subnet blacklisted by gcc.org
  2023-01-10 12:56 urgent - Google Cloud public subnet blacklisted by gcc.org Federico Iezzi
       [not found] ` <CAJ_7uVxQoH3NNZC6OwkK0aMfPkwMA4TXHP6Ye4U38Yvo_uf-Nw@mail.gmail.com>
@ 2023-01-10 14:42 ` Frank Ch. Eigler
  1 sibling, 0 replies; 3+ messages in thread
From: Frank Ch. Eigler @ 2023-01-10 14:42 UTC
  To: Federico Iezzi; +Cc: gcc

Federico Iezzi via Gcc <gcc@gcc.gnu.org> writes:

> [...]
> It seems like the GCC frontend/WAF have blacklisted the entire subnet
> used by Google Cloud for Internet access.
> [...]
> $ curl ifconfig.me
> 35.234.162.99

This has been unblocked.  We sometimes must block large subnets when
abusive traffic comes from there.

- FChE
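
Added example, not part of the thread and not code used by the gcc.gnu.org administrators: one way to weigh the trade-off described in the reply above, by measuring from an access log how many non-abusive clients a subnet-wide block would also deny before choosing its width. The log lines, addresses (documentation ranges), threshold and function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The client address is the first field of an Apache common/combined log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')


def make_sample_log():
    """Constructed access log using documentation-range addresses, not real traffic."""
    clients = {
        "198.51.100.10": 500, "198.51.100.11": 500,  # abusive, same /24
        "198.51.100.12": 500, "198.51.100.13": 500,
        "198.51.7.20": 3,      # bystander that shares only the /16
        "203.0.113.50": 500,   # abusive
        "203.0.113.99": 2,     # bystander in the same /24
        "192.0.2.5": 1,        # unrelated bystander
    }
    line = '{} - - [10/Jan/2023:12:00:00 +0000] "GET / HTTP/1.1" 200 318'
    return [line.format(ip) for ip, n in clients.items() for _ in range(n)]


def requests_per_client(lines):
    """Count requests per IPv4 client, skipping lines that do not parse."""
    counts = Counter()
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue  # malformed line: skip instead of guessing
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field was a hostname or garbage
        if ip.version == 4:
            counts[ip] += 1
    return counts


def block_impact(counts, threshold, prefix_len):
    """Map each network holding an abusive client to (abusive, bystander) client counts."""
    impact = {}
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        abusive, bystanders = impact.get(net, (0, 0))
        if n >= threshold:
            abusive += 1
        else:
            bystanders += 1
        impact[net] = (abusive, bystanders)
    return {net: v for net, v in impact.items() if v[0] > 0}


def choose_blocks(counts, threshold, max_bystanders=0, prefix_lens=(16, 24, 32)):
    """Pick the widest block per abusive source that denies at most max_bystanders others."""
    remaining = Counter(counts)
    chosen = []
    for plen in sorted(prefix_lens):  # smallest prefix length = widest block first
        for net, (_, bystanders) in block_impact(remaining, threshold, plen).items():
            if bystanders <= max_bystanders:
                chosen.append(net)
                for ip in [ip for ip in remaining if ip in net]:
                    del remaining[ip]  # already covered by the chosen block
    return sorted(chosen)


if __name__ == "__main__":
    counts = requests_per_client(make_sample_log())
    for budget in (0, 1):
        blocks = choose_blocks(counts, threshold=100, max_bystanders=budget)
        print(f"max_bystanders={budget}:", ", ".join(map(str, blocks)))
```

The bystander count only covers clients that appear in the log window, so a wide block can still deny users who had not made a request yet; that is the situation the original report describes from the client side.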


