From: Federico Iezzi <fiezzi@google.com>
To: gerald@pfeifer.com, gcc@gcc.gnu.org
Subject: Re: urgent - Google Cloud public subnet blacklisted by gcc.org
Date: Tue, 10 Jan 2023 15:29:12 +0100 [thread overview]
Message-ID: <CAJ_7uVygbVJ_Lm_dcRGtaKoH21Ks05Mp7anoYAYGmZeUM30AZg@mail.gmail.com> (raw)
In-Reply-To: <CAJ_7uVxQoH3NNZC6OwkK0aMfPkwMA4TXHP6Ye4U38Yvo_uf-Nw@mail.gmail.com>
Thanks!
$ curl -L -v -o /dev/null gcc.gnu.org
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:--
--:--:-- 0* Trying 8.43.85.97:80...
* Connected to gcc.gnu.org (8.43.85.97) port 80 (#0)
> GET / HTTP/1.1
> Host: gcc.gnu.org
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 10 Jan 2023 14:27:56 GMT
< Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Mon, 14 Nov 2022 13:47:54 GMT
< ETag: "4cd2-5ed6e7c7d6b81"
< Accept-Ranges: bytes
< Content-Length: 19666
< Vary: Accept-Encoding
< Content-Security-Policy: default-src 'self' http: https:
< Content-Type: text/html; charset=utf-8
<
{ [13412 bytes data]
100 19666 100 19666 0 0 51752 0 --:--:-- --:--:-- --:--:-- 51889
* Connection #0 to host gcc.gnu.org left intact
On Tue, Jan 10, 2023 at 2:29 PM Federico Iezzi <fiezzi@google.com> wrote:
>
> Hey pfeifer.com,
>
> I know this is a long shot, but we need some real help here.
>
> Could you please answer this request? All the debug should be in the
> following forwarded email.
>
> Thanks,
> Federico
>
> ---------- Forwarded message ---------
> From: Federico Iezzi <fiezzi@google.com>
> Date: Tue, Jan 10, 2023 at 1:56 PM
> Subject: urgent - Google Cloud public subnet blacklisted by gcc.org
> To: <gcc@gcc.gnu.org>, <abuse@support.gandi.net>
>
>
> Hey everybody,
>
> Apologies for this request, and perhaps the wrong mailing list.
> I hope this gets the right level of attention.
>
> It seems like the GCC frontend/WAF have blacklisted the entire subnet
> used by Google Cloud for Internet access.
>
> Follows some traces.
>
> Could you please unblock us? It's really important that this gets
> sorted out as quickly as possible. Any Google Cloud customer using GCC
> is completely unable to do so.
>
> $ curl ifconfig.me
> 35.234.162.99
>
> $ curl -v -o /dev/null -L gcc.gnu.org
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0* Trying 8.43.85.97:80...
> * Connected to gcc.gnu.org (8.43.85.97) port 80 (#0)
> > GET / HTTP/1.1
> > Host: gcc.gnu.org
> > User-Agent: curl/7.81.0
> > Accept: */*
> >
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 403 Forbidden <================== 403 status code
> < Date: Tue, 10 Jan 2023 12:47:36 GMT
> < Server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
> mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> < Content-Length: 318
> < Content-Type: text/html; charset=iso-8859-1
> <
> { [318 bytes data]
> 100 318 100 318 0 0 1628 0 --:--:-- --:--:-- --:--:-- 1630
> * Connection #0 to host gcc.gnu.org left intact
>
> $ openssl s_client -connect gcc.gnu.org:443
> CONNECTED(00000003)
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = gcc.gnu.org
> verify return:1
> ---
> Certificate chain
> 0 s:CN = gcc.gnu.org
> i:C = US, O = Let's Encrypt, CN = R3
> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
> v:NotBefore: Jan 1 03:06:21 2023 GMT; NotAfter: Apr 1 03:06:20 2023 GMT
> 1 s:C = US, O = Let's Encrypt, CN = R3
> i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
> v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
> 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
> a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
> v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFHDCCBASgAwIBAgISA0MlBNNOfNOyyCm05C8ADkiKMA0GCSqGSIb3DQEBCwUA
> MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
> EwJSMzAeFw0yMzAxMDEwMzA2MjFaFw0yMzA0MDEwMzA2MjBaMBYxFDASBgNVBAMT
> C2djYy5nbnUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1HG7
> XIr/cqKN8VasqxmCUsRjnqtGvqV1X5EFkSK5KYqO5q3qzmTDW+++x0hj3Fjmr+Sz
> gul1a7Ws5juz53u/ZE9s0nFFNNNMe8dYoWFnMZGuZtLtjOPcefwpdTSr8jgfgXX/
> xtb26/1764Ur8AEYLgKvCWOUwSG76SFeJP8hLeB6vva/IviM74A5iA1rN8oKbnZx
> Xh8pPha+a/zTWQFjPIy7jswyBJEVGL4jgtap7tq3gKKzYDcn0KR6vQ2vy02FeLsa
> r7hEePflsveSsILaq/yXsVlzg2wQyRqJf80B50UDe6/oJwVbQ1xtB25WYvugCgC1
> 2EffvxZEFce5z5hANQIDAQABo4ICRjCCAkIwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud
> JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
> BBT2ZpZq6vJKyza5vHKsu6XMspWaPjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDm
> H6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5v
> LmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzAW
> BgNVHREEDzANggtnY2MuZ251Lm9yZzBMBgNVHSAERTBDMAgGBmeBDAECATA3Bgsr
> BgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
> Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB3ALc++yTfnE26dfI5xbpY9Gxd
> /ELPep81xJ4dCYEl7bSZAAABhWuCUn0AAAQDAEgwRgIhAJGKgClxZHwGOVJZw4BT
> xV1qi7/jKA2+DmQgixhtLPNlAiEAnj6QSgMroYH9uF1r46nlkRgd2IdOvtjY68o8
> pqH5+0wAdQDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAYVrglJ5
> AAAEAwBGMEQCIHYVJijDvRCJtRpjtvxLlx6ZPavi3aTZyCY3XnABXqWwAiBXFVsi
> hihzouvqoxEjlaEb1zPTyhHlR93ZCnHcuogn+TANBgkqhkiG9w0BAQsFAAOCAQEA
> DUhNrKE1HfHekBZDsEEr3xGIFBsUOOCy6Qhb69foSQs9cpx07cZHFyUO0c/kQACv
> fbLykdvjjGq3vW4kOleLpCq8RH6BMSNAKvn9GJFVnjQu2vR9G+Wrm7yNiBACtdVv
> QLBHnu26WkO6AnL/WUJ5Uu4sJcs6NxIJkq26DQfKefDouC20+LBcz1PwoOEg1W0N
> 7gR4WY/gpGhFP57OspF607SlyWgS6dRR2WEloguQ6jOt9lqpyf/uRnxGr/es8ige
> GxDBZH6TxGC7gihbl53FAnusOeimEesqz1IhRIAorhrLniOFDyEdjUBBcigJMPYt
> yjj861MgdK+0FRLEQM2WRA==
> -----END CERTIFICATE-----
> subject=CN = gcc.gnu.org <================== No Proxy in between
> issuer=C = US, O = Let's Encrypt, CN = R3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 4681 bytes and written 406 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID: F2BFBAFB1D0DDAF2452069AEC037513168A2D4D0DCC1E6FCA16CFB64ACA345F1
> Session-ID-ctx:
> Master-Key:
> E75FB7953CA1B56801AD6738BE0771EADB1D7760DA2A5B21B0203CB34731BE9F71F5531118827FCAB00FD121577D052C
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
> 0000 - 67 6e 81 31 bf f4 94 ff-cc 41 95 f4 a6 dd 58 ba gn.1.....A....X.
> 0010 - 1c bf 40 99 f6 38 b0 2b-1b 60 c9 ef bf b9 b5 1c ..@..8.+.`......
> 0020 - 28 9e 85 15 d1 82 0c 7e-b3 65 82 d0 2e 6f 77 71 (......~.e...owq
> 0030 - 48 b5 2c d3 c9 1a 1c 62-5c 0a c8 3e fd e6 9d bd H.,....b\..>....
> 0040 - 16 ad 90 37 30 24 45 ee-a3 2d 73 b8 30 8b 02 95 ...70$E..-s.0...
> 0050 - 0d 55 e2 98 e9 b1 43 db-06 67 a1 4d 9d 83 5c 13 .U....C..g.M..\.
> 0060 - 5a 1e 21 0c c2 fc cc de-6b 10 cf 66 3a 68 db 26 Z.!.....k..f:h.&
> 0070 - 73 4b 54 7e 90 55 3b 54-a4 1e d0 16 59 65 e3 41 sKT~.U;T....Ye.A
> 0080 - 7f 75 27 87 f4 e1 ae 20-b2 11 6a 0f 72 7a 36 30 .u'.... ..j.rz60
> 0090 - 4f 64 7b ae dd c9 bb c1-67 1e e4 cd 18 fe 08 ec Od{.....g.......
> 00a0 - 60 fa a2 2c 0b 43 f2 55-af b5 e7 71 62 0c 88 bd `..,.C.U...qb...
> 00b0 - 7c f7 90 25 a5 27 01 c5-5e 32 9b 9a d1 33 b7 54 |..%.'..^2...3.T
> 00c0 - 61 2a bf a1 ca 24 13 18-1f aa c1 20 1a fc b9 68 a*...$..... ...h
>
> Start Time: 1673354833
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: yes
> ---
>
> $ curl -o /dev/null -v -L https://gcc.gnu.org
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:--
> --:--:-- 0* Trying 8.43.85.97:443...
> * Connected to gcc.gnu.org (8.43.85.97) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * CAfile: /etc/ssl/certs/ca-certificates.crt
> * CApath: /etc/ssl/certs
> * TLSv1.0 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> } [512 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> { [106 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> { [4014 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> { [300 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> { [4 bytes data]
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> } [37 bytes data]
> * TLSv1.2 (OUT), TLS header, Finished (20):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> } [1 bytes data]
> * TLSv1.2 (OUT), TLS header, Certificate Status (22):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> } [16 bytes data]
> * TLSv1.2 (IN), TLS header, Finished (20):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS header, Certificate Status (22):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> { [16 bytes data]
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server accepted to use h2
> * Server certificate:
> * subject: CN=gcc.gnu.org
> * start date: Jan 1 03:06:21 2023 GMT
> * expire date: Apr 1 03:06:20 2023 GMT
> * subjectAltName: host "gcc.gnu.org" matched cert's "gcc.gnu.org"
> * issuer: C=US; O=Let's Encrypt; CN=R3
> * SSL certificate verify ok.
> * Using HTTP2, server supports multiplexing
> * Connection state changed (HTTP/2 confirmed)
> * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * Using Stream ID: 1 (easy handle 0x56456e26e550)
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> > GET / HTTP/2
> > Host: gcc.gnu.org
> > user-agent: curl/7.81.0
> > accept: */*
> >
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> * TLSv1.2 (OUT), TLS header, Supplemental data (23):
> } [5 bytes data]
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> * TLSv1.2 (IN), TLS header, Supplemental data (23):
> { [5 bytes data]
> < HTTP/2 403 <================== Still 403 status code
> < date: Tue, 10 Jan 2023 12:43:12 GMT
> < server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
> mod_qos/11.70 mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> < content-length: 318
> < content-type: text/html; charset=iso-8859-1
> <
> { [318 bytes data]
> 100 318 100 318 0 0 546 0 --:--:-- --:--:-- --:--:-- 547
> * Connection #0 to host gcc.gnu.org left intact
>
> $ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://gcc.gnu.org/git/gcc.git
> 12:54:29.918761 git.c:455 trace: built-in: git clone
> http://gcc.gnu.org/git/gcc.git
> Cloning into 'gcc'...
> 12:54:29.921626 run-command.c:668 trace: run_command: git
> remote-http origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.923332 git.c:742 trace: exec: git-remote-http
> origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.924367 run-command.c:668 trace: run_command:
> git-remote-http origin http://gcc.gnu.org/git/gcc.git
> 12:54:29.929928 http.c:664 == Info: Couldn't find host
> gcc.gnu.org in the (nil) file; using defaults
> 12:54:29.930846 http.c:664 == Info: Trying 8.43.85.97:80...
> 12:54:30.032316 http.c:664 == Info: Connected to
> gcc.gnu.org (8.43.85.97) port 80 (#0)
> 12:54:30.032385 http.c:611 => Send header, 0000000233
> bytes (0x000000e9)
> 12:54:30.032397 http.c:623 => Send header: GET
> /git/gcc.git/info/refs?service=git-upload-pack HTTP/1.1
> 12:54:30.032400 http.c:623 => Send header: Host: gcc.gnu.org
> 12:54:30.032403 http.c:623 => Send header: User-Agent: git/2.34.1
> 12:54:30.032406 http.c:623 => Send header: Accept: */*
> 12:54:30.032417 http.c:623 => Send header:
> Accept-Encoding: deflate, gzip, br, zstd
> 12:54:30.032427 http.c:623 => Send header:
> Accept-Language: C, *;q=0.9
> 12:54:30.032432 http.c:623 => Send header: Pragma: no-cache
> 12:54:30.032435 http.c:623 => Send header: Git-Protocol: version=2
> 12:54:30.032439 http.c:623 => Send header:
> 12:54:30.124540 http.c:664 == Info: Mark bundle as not
> supporting multiuse
> 12:54:30.124573 http.c:611 <= Recv header, 0000000024
> bytes (0x00000018)
> 12:54:30.124579 http.c:623 <= Recv header: HTTP/1.1 403 Forbidden
> 12:54:30.124590 http.c:611 <= Recv header, 0000000037
> bytes (0x00000025)
> 12:54:30.124601 http.c:623 <= Recv header: Date: Tue, 10
> Jan 2023 12:54:30 GMT
> 12:54:30.124608 http.c:611 <= Recv header, 0000000134
> bytes (0x00000086)
> 12:54:30.124623 http.c:623 <= Recv header: Server:
> Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_qos/11.70
> mod_wsgi/4.6.4 Python/3.6 mod_perl/2.0.12 Perl/v5.26.3
> 12:54:30.124635 http.c:611 <= Recv header, 0000000021
> bytes (0x00000015)
> 12:54:30.124641 http.c:623 <= Recv header: Content-Length: 199
> 12:54:30.124647 http.c:611 <= Recv header, 0000000045
> bytes (0x0000002d)
> 12:54:30.124662 http.c:623 <= Recv header: Content-Type:
> text/html; charset=iso-8859-1
> 12:54:30.124672 http.c:611 <= Recv header, 0000000002
> bytes (0x00000002)
> 12:54:30.124681 http.c:623 <= Recv header:
> 12:54:30.124697 http.c:664 == Info: Connection #0 to host
> gcc.gnu.org left intact
> fatal: unable to access 'http://gcc.gnu.org/git/gcc.git/': The
> requested URL returned error: 403
next prev parent reply other threads:[~2023-01-10 14:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-10 12:56 Federico Iezzi
[not found] ` <CAJ_7uVxQoH3NNZC6OwkK0aMfPkwMA4TXHP6Ye4U38Yvo_uf-Nw@mail.gmail.com>
2023-01-10 14:29 ` Federico Iezzi [this message]
2023-01-10 14:42 ` Frank Ch. Eigler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAJ_7uVygbVJ_Lm_dcRGtaKoH21Ks05Mp7anoYAYGmZeUM30AZg@mail.gmail.com \
--to=fiezzi@google.com \
--cc=gcc@gcc.gnu.org \
--cc=gerald@pfeifer.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).