"curl returned with 35" + anti-replay nonce (seems IPv6-related)

Here’s an example of it stalling mid-SSL-handshake (for ~15 seconds):

letsencrypt@web1:~$ time curl -vvvv https://acme-staging.api.letsencrypt.org/acme/new-authz >/dev/null
* Hostname was NOT found in DNS cache
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2a02:26f0:d5:295::3d5...
* Connected to acme-staging.api.letsencrypt.org (2a02:26f0:d5:295::3d5) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
  0     0    0     0    0     0      0      0 --:--:--  0:00:15 --:--:--     0* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* 	 subject: CN=*.api.letsencrypt.org; O=INTERNET SECURITY RESEARCH GROUP; L=Mountain View; ST=California; C=US
* 	 start date: 2015-06-26 17:05:45 GMT
* 	 expire date: 2018-06-25 17:05:45 GMT
* 	 subjectAltName: acme-staging.api.letsencrypt.org matched
* 	 issuer: C=US; O=IdenTrust; OU=TrustID Server; CN=TrustID Server CA A52
* 	 SSL certificate verify ok.
> GET /acme/new-authz HTTP/1.1
> User-Agent: curl/7.38.0
> Host: acme-staging.api.letsencrypt.org
> Accept: */*
> 
< HTTP/1.1 405 Method Not Allowed
* Server nginx is not blacklisted
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 91
< Allow: POST
< Boulder-Request-Id: oiBj67rx1uYslGyXq9H76xbUSxMOBmfgmFWxanHoe8I
< Replay-Nonce: AlZbX3g3BklNuSa1DryWOjiYxs_QfEj1yB9gkElwhfA
< Expires: Thu, 13 Oct 2016 23:32:13 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Thu, 13 Oct 2016 23:32:13 GMT
< Connection: keep-alive
< 
{ [data not shown]
100    91  100    91    0     0      5      0  0:00:18  0:00:15  0:00:03    19
* Connection #0 to host acme-staging.api.letsencrypt.org left intact

real	0m15.948s
user	0m0.012s
sys	0m0.008s