$ gnutls-cli -v v
gnutls-cli 3.5.18

FWIW the openssl s_client is failing because you need to specify -servername as well. This works:

openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org

gnutls-cli appears to do SNI by default though.

Bear in mind that I’m not the one with the problem - that’s @Kierun; I was just showing the output on my apparently working system for them to compare to.

Anyway - my box:

$ openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = CloudFlare Inc ECC CA-2
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = sni.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
   i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
 1 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
issuer=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2654 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 6F4AF663756049C0BFB44D7F31A4A4F980CDAA24EFB12C13D203479DB3B900C6
    Session-ID-ctx: 
    Master-Key: 4671A9361163828485F10B6F4F650BFF06A4CCCA1A51F242DCC689996106DEEA184175D2FB7DAC4F2237AC21CF8DB6B3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:

    Start Time: 1542907768
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
^C

@fox
Did you end up enabling cloudflare?

SSLLabs is showing an ECDSA certificate only. Some clients only support RSA certificates.
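As an added illustration (not code from the thread or from tt-rss), a small Python parser for the `openssl s_client` transcript quoted above: it pulls out the negotiated suite, splits it into key exchange and authentication, and spells out why an RSA-only client fails against an ECDSA-only server. The sample texts are constructed from the thread's own output; `example.invalid` is a placeholder host.

```python
import re

# Constructed excerpt of the `openssl s_client` transcript quoted above (not a live capture).
SAMPLE_OK = """\
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
   i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
---
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
"""
# Constructed copy of the error an older git/libcurl client prints when the handshake is refused.
SAMPLE_FAIL = ("error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure "
               "while accessing https://example.invalid/info/refs\n")

def suite_kx_auth(cipher):
    """Split an OpenSSL suite name into (key exchange, authentication)."""
    if cipher.startswith("TLS_"):        # TLS 1.3 names carry no auth information
        return ("TLS1.3", None)
    parts = cipher.split("-")
    if parts[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        return (parts[0], parts[1])
    return ("RSA", "RSA")                # OpenSSL omits 'RSA' for static-RSA suites (AES128-SHA)

def parse_s_client(output):
    """Summarise a transcript: what was negotiated, or which alert ended the handshake."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", output, re.M)
    if not m:
        alert = re.search(r"alert ([a-z ]+?)(?= while|$)", output, re.M)
        return {"completed": False, "alert": alert.group(1) if alert else None}
    kx, auth = suite_kx_auth(m.group(2))
    leaf = re.search(r"^ 0 s:(.+)$", output, re.M)
    bits = re.search(r"^Server public key is (\d+) bit$", output, re.M)
    return {"completed": True, "protocol": m.group(1), "cipher": m.group(2),
            "key_exchange": kx, "auth": auth,
            "leaf_subject": leaf.group(1) if leaf else None,
            "key_bits": int(bits.group(1)) if bits else None,
            "verified": bool(re.search(r"^Verification: OK$", output, re.M))}

def legacy_client_notes(info):
    """Why a client lacking ECC support (RSA-only) cannot complete this handshake."""
    notes = []
    if info.get("auth") == "ECDSA":
        notes.append("server authenticates with an ECDSA certificate; RSA-only clients are refused")
    if info.get("key_exchange") in ("ECDHE", "ECDH"):
        notes.append("key exchange is elliptic-curve; clients without ECC cannot negotiate it")
    return notes
```

Feed it the saved output of `openssl s_client -connect host:443 -servername host` from both a working and a failing machine to see which side of the handshake differs.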

yes. i’m sorry guys but you’ll have to use git over https for the time being.
it should work both ways (for pushes) but you’ll have to enter your gogs password.

https://git.tt-rss.org/git/tt-rss/

this particular url should work, it does work for me
maybe cloudflare doesn’t like your IP :frowning:

e: known contributors who want to use git over ssh, PM me for the super-secret™ exposed server IP.

I don’t have a Cloudflare account so I can’t check. But is there an option to enable RSA certificates? That may fix OP’s issue.

I don’t think you can enable older ciphers, for free anyway

I’ve got the same error…

[~/public_html/rss]# git pull origin master
error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure while accessing https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack
fatal: HTTP request failed

I have NO idea what to do…could someone explain what to do or the files to change

Thanks,
Stacey

the tldr version is that software on your server is likely too old (what distro are you running?) and doesn’t support necessary ciphers

my ssl setup for tt-rss.org has been somewhat conservative with disabling older stuff, cloudflare has a different approach

e: in all fairness both my debian jessie (released 2015) and centos 6 (released god knows when, updated to 6.10) can check out from cloudflare just fine. if you’re using something even older and unmaintained, maybe it’s time to finally upgrade, if only for all the vulnerabilities this setup is going to have.

Hi Fox,

Thanks for the quick response.

I’m trying to get my config from my hosting company, for now, is there a work around?

Stacey

Here goes:

; gnutls-cli -v v
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.8)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Nikos Mavrogiannopoulos.

Hum… Too old?

And I got giggled at for running php 5.ancient:speak_no_evil:

I’ll shut up now…

oh yikes!


The joys of running Ubuntu⸮… Such up to date systems.

ii libgnutls30:amd64 3.5.18-1ubuntu1

the trick with ubuntu is not running 12.04, forever

So, fun times. Trusty has the same version for git.

ii  git                      1:1.9.1-1ubuntu0. amd64             fast, scalable, distributed revision control system

depends on

ii  libcurl3-gnutls:amd64    7.35.0-1ubuntu2.1 amd64             easy-to-use client-side URL transfer library (GnuTLS

depends on

ii  libgnutls26:amd64        2.12.23-12ubuntu2 amd64             GNU TLS library - runtime library

Since I was running Trusty (14.something), that’s not a shock. :slight_smile:

Any workarounds? Manually download repository? Hosting company is running Trusty which I don’t have much control over. :expressionless:

can you use ipv6? i thought about making a ipv6 only (AAAA) direct record to git.tt-rss.org since this wouldn’t expose origin ipv4 IP.

Yes, it looks like ipv6 is enabled on the host.