How old is your gnutls? I ask because even before the point at which yours fails (seems to be during CLIENT HELLO, some negotiation of ciphers?) the output is different from mine (gnutls-cli 3.5.8 & libgnutls 3.5.8 - both from Debian stable).
shabble
4
$ gnutls-cli -v v
gnutls-cli 3.5.18
FWIW the openssl s_client is failing because you need to specify -servername as well. This works:
openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org
gnutls-cli appears to do SNI by default though.
shabble
6
Bear in mind that I’m not the one with the problem - that’s @Kierun; I was just showing the output on my apparently working system for them to compare to.
Anyway - my box:
$ openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = CloudFlare Inc ECC CA-2
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = sni.cloudflaressl.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
1 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
issuer=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2654 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-CHACHA20-POLY1305
Session-ID: 6F4AF663756049C0BFB44D7F31A4A4F980CDAA24EFB12C13D203479DB3B900C6
Session-ID-ctx:
Master-Key: 4671A9361163828485F10B6F4F650BFF06A4CCCA1A51F242DCC689996106DEEA184175D2FB7DAC4F2237AC21CF8DB6B3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 64800 (seconds)
TLS session ticket:
Start Time: 1542907768
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
^C
imgx64
7
@fox
Did you end up enabling cloudflare?
SSLLabs is showing an ECDSA certificate only. Some clients only support RSA certificates.
fox
8
yes. i’m sorry guys but you’ll have to use git over https for the time being.
it should work both ways (for pushes) but you’ll have to enter your gogs password.
https://git.tt-rss.org/git/tt-rss/
this particular url should work, it does work for me
maybe cloudflare doesn’t like your IP 
e: known contributors who want to use git over ssh, PM me for the super-secret™ exposed server IP.
imgx64
9
I don’t have a Cloudflare account so I can’t check. But is there an option to enable RSA certificates? That may fix OP’s issue.
fox
10
I don’t think you can enable older ciphers, for free anyway
unlogy
11
I’ve got the same error…
[~/public_html/rss]# git pull origin master
error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure while accessing https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack
fatal: HTTP request failed
I have NO idea what to do… could someone explain what to do or the files to change
Thanks,
Stacey
fox
12
the tldr version is that software on your server is likely too old (what distro are you running?) and doesn’t support necessary ciphers
my ssl setup for tt-rss.org has been somewhat conservative with disabling older stuff, cloudflare has a different approach
e: in all fairness both my debian jessie (released 2015) and centos 6 (released god knows when, updated to 6.10) can check out from cloudflare just fine. if you’re using something even older and unmaintained, maybe it’s time to finally upgrade, if only for all the vulnerabilities this setup is going to have.
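To make the two diagnoses in this thread concrete (an ECDSA-only certificate, and a client stack too old to offer the matching ciphers), here is an added Python example that is not from the thread or from tt-rss: it models server-preference suite selection, decodes the fatal alert 40 that OpenSSL reports as "sslv3 alert handshake failure", and asks the local OpenSSL build which of its enabled suites can authenticate an ECDSA certificate. The suite lists and the alert bytes are constructed assumptions (the legacy offer assumes a client with no ECDHE/ECDSA suites at all).

```python
import ssl

# RFC 5246 section 7.2 alert descriptions relevant to this thread.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version"}


def parse_alert_record(record: bytes) -> dict:
    """Decode a raw TLS alert record: type 0x15, version(2), length 2, level, description.
    OpenSSL labels description 40 'sslv3 alert handshake failure' regardless of the
    TLS version, which is the string in the git error quoted in this thread."""
    if len(record) != 7 or record[0] != 0x15 or record[3:5] != b"\x00\x02":
        raise ValueError("not a TLS alert record")
    return {
        "version": f"{record[1]}.{record[2]}",
        "level": "fatal" if record[5] == 2 else "warning",
        "description": ALERT_DESCRIPTIONS.get(record[6], f"unknown({record[6]})"),
    }


def negotiate(client_offer, server_prefs):
    """Server-preference selection: first server suite the client also offered.
    None means no overlap, which is exactly when the server sends alert 40."""
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    return None


def local_client_ecdsa_suites():
    """Ask the local OpenSSL build (the check a Trusty box would fail) which enabled
    suites can authenticate an ECDSA certificate. TLS 1.3 suites report auth-any
    because the signature algorithm is negotiated separately from the suite."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["auth"] in ("auth-ecdsa", "auth-any")]


# Constructed: what an ECDSA-only origin can offer (matches the s_client output above).
SERVER_ECDSA_ONLY = ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES128-GCM-SHA256"]
# Constructed: a legacy client stack that implements neither ECDHE nor ECDSA.
LEGACY_CLIENT = ["DHE-RSA-AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
# Constructed: a current client that also offers ECDSA suites.
MODERN_CLIENT = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
# Constructed: the fatal alert 40 record a TLS 1.2 server sends when nothing overlaps.
HANDSHAKE_FAILURE_ALERT = bytes.fromhex("15030300020228")

if __name__ == "__main__":
    print("legacy client :", negotiate(LEGACY_CLIENT, SERVER_ECDSA_ONLY))
    print("modern client :", negotiate(MODERN_CLIENT, SERVER_ECDSA_ONLY))
    print("server alert  :", parse_alert_record(HANDSHAKE_FAILURE_ALERT))
    print("local ECDSA-capable suites:", len(local_client_ecdsa_suites()))
```

If the last line prints 0 on your machine, the local TLS library is in the same position as libgnutls26 on Trusty and cannot complete a handshake with an ECDSA-only server no matter what the server is configured to do.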
unlogy
13
Hi Fox,
Thanks for the quick response.
I’m trying to get my config from my hosting company, for now, is there a work around?
Stacey
Kierun
14
Here goes:
; gnutls-cli -v v
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.8)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos.
Hum… Too old?
shabble
15
And I got giggled at for running php 5.ancient… 
I’ll shut up now…
Kierun
17
The joys of running Ubuntu⸮… Such up to date systems.
fox
18
ii libgnutls30:amd64 3.5.18-1ubuntu1
the trick with ubuntu is not running 12.04, forever
So, fun times. Trusty has the same version for git.
ii git 1:1.9.1-1ubuntu0. amd64 fast, scalable, distributed revision control system
depends on
ii libcurl3-gnutls:amd64 7.35.0-1ubuntu2.1 amd64 easy-to-use client-side URL transfer library (GnuTLS
depends on
ii libgnutls26:amd64 2.12.23-12ubuntu2 amd64 GNU TLS library - runtime library
Kierun
20
Since I was running Trusty (14.something), that’s not a shock. 
Any workarounds? Manually download repository? Hosting company is running Trusty which I don’t have much control over. 
fox
22
can you use ipv6? i thought about making an ipv6 only (AAAA) direct record to git.tt-rss.org since this wouldn’t expose origin ipv4 IP.