Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
7 votes, 1 answer, 13483 views
Ubuntu - lftp will not connect to ftps site (Fatal error: gnutls_handshake: An unexpected TLS packet was received.)
I have a specific ftps site that I cannot connect to with lftp.
When I attempt to connect I get the error:
```
Fatal error: gnutls_handshake: An unexpected TLS packet was received
```
When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.
**UPDATE:** What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:
```
|| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
```
Unlike when being called from lftp it does not:
```
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
```
Below are my configurations and debug outputs from lftp and gnutls-cli:
## lftp Configuration ##
```
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER
```
## gnutls-cli Configuration ##
```
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
```
----------
***Some aspects have been anonymized, but nothing about the protocols***
## lftp debug output ##
```
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER : Fatal error: gnutls_handshake: An unexpected TLS packet was received.
```
## gnutls-cli debug output ##
```
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|| ASSERT: common.c:1110...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|| REC[0x24073f0]: Allocating epoch #0
|| ASSERT: gnutls_constate.c:596
|| REC[0x24073f0]: Allocating epoch #1
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|| EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes)
|| EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes)
|| EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes)
|| EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|| EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes)
|| EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes)
|| EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
|| EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256
|| EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256
|| EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384
|| EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384
|| EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512
|| EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512
|| EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224
|| EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224
|| EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1
|| EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1
|| EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
|| HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes]
|| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0
|| REC[0x24073f0]: Sent Packet Handshake(22) in epoch 0 and length: 232
|| ASSERT: gnutls_buffers.c:1154
|| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 950
|| REC[0x24073f0]: Expected Packet Handshake(22)
|| REC[0x24073f0]: Received Packet Handshake(22) with length: 950
|| REC[0x24073f0]: Decrypted Packet Handshake(22) with length: 950
|| HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77, frag offset 0, frag length: 77, sequence: 0
|| HSK[0x24073f0]: Server's version: 3.1
|| HSK[0x24073f0]: SessionID length: 32
|| HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001
|| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
|| HSK[0x24073f0]: Selected compression method: NULL (0)
|| EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|| HSK[0x24073f0]: Safe renegotiation succeeded
|| ASSERT: gnutls_buffers.c:1154
|| HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861, frag offset 0, frag length: 861, sequence: 0
|| ASSERT: gnutls_buffers.c:1392
|| ASSERT: extensions.c:65
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate info:
|| ASSERT: dn.c:250
|| ASSERT: dn.c:250
|| ASSERT: extensions.c:65
- subject
', RSA key 1024 bits, signed using RSA-SHA1, activated
2009-09-10 00:00:00 UTC', expires 2021-04-24 23:59:59 UTC', SHA-1 fingerprint
555555555555555555555555555555555555555'
Public Key ID:
PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
Public key's random art:
+--[ RSA 1024]----+
| o.o |
| .= E.|
| .B.o|
| .= |
| S = .|
| . o . .= |
| . . . oo.|
| . o+|
| .o.|
+-----------------+
|| ASSERT: gnutls_buffers.c:1154
|| HSK[0x24073f0]: SERVER HELLO DONE (14) was received. Length 0, frag offset 0, frag length: 1, sequence: 0
|| ASSERT: gnutls_buffers.c:1145
|| ASSERT: gnutls_buffers.c:1392
|| ASSERT: gnutls_buffers.c:1374
|| ASSERT: extensions.c:65
|| HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes]
|| REC[0x24073f0]: Sent ChangeCipherSpec
|| REC[0x24073f0]: Initializing epoch #1
|| REC[0x24073f0]: Epoch #1 ready
|| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|| HSK[0x24073f0]: Initializing internal [write] cipher sessions
|| HSK[0x24073f0]: recording tls-unique CB (send)
|| HSK[0x24073f0]: FINISHED was queued [16 bytes]
|| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0
|| REC[0x24073f0]: Sent Packet Handshake(22) in epoch 0 and length: 139
|| REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|| REC[0x24073f0]: Sent Packet ChangeCipherSpec(20) in epoch 0 and length: 6
|| REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|| REC[0x24073f0]: Sent Packet Handshake(22) in epoch 1 and length: 45
|| REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1
|| REC[0x24073f0]: Expected Packet ChangeCipherSpec(20)
|| REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1
|| REC[0x24073f0]: Decrypted Packet ChangeCipherSpec(20) with length: 1
|| HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1
|| ASSERT: gnutls_buffers.c:1154
|| REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40
|| REC[0x24073f0]: Expected Packet Handshake(22)
|| REC[0x24073f0]: Received Packet Handshake(22) with length: 40
|| REC[0x24073f0]: Decrypted Packet Handshake(22) with length: 16
|| HSK[0x24073f0]: FINISHED (20) was received. Length 12, frag offset 0, frag length: 12, sequence: 0
|| REC[0x24073f0]: Start of epoch cleanup
|| REC[0x24073f0]: Epoch #0 freed
|| REC[0x24073f0]: End of epoch cleanup
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01
|| ASSERT: server_name.c:298
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
- Compression: NULL
|| ASSERT: status_request.c:350
|| ASSERT: gnutls_ui.c:797
- Options: safe renegotiation,
|| ASSERT: srtp.c:317
|| ASSERT: alpn.c:227
- Handshake was completed
|| ASSERT: status_request.c:350
- Simple Client Mode:
```
Ptier (71 rep) • Aug 7, 2018, 02:32 PM • Last activity: Jul 21, 2025, 12:05 PM

1 vote, 0 answers, 90 views
Linux issue with GNUTLS module, applications failing to run
Running the latest version of pop-os, I am trying to launch `gnome-control-center` unsuccessfully via GUI or terminal.
Via terminal I am getting the errors below:
```
gnome-control-center: /usr/local/lib/libp11-kit.so.0: no version information available (required by /lib/x86_64-linux-gnu/libgcr-base-3.so.1)
gnome-control-center: /usr/local/lib/libp11-kit.so.0: no version information available (required by /lib/x86_64-linux-gnu/libgck-1.so.0)
gnome-control-center: /usr/local/lib/libgnutls.so.30: version `GNUTLS_3_6_10' not found (required by /usr/lib/x86_64-linux-gnu/samba/libcli-smb-common.so.0)
```
Another issue is with `flatpak upgrade`:
```
/usr/local/lib/libgnutls.so.30: version `GNUTLS_3_6_3' not found (required by /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so)
Failed to load module: /usr/lib/x86_64-linux-gnu/gio/modules/libgiognutls.so
Warning: While pulling runtime/org.freedesktop.Platform.GL32.nvidia-550-67/x86_64/1.4 from remote flathub: TLS support is not available
Warning: While pulling runtime/org.freedesktop.Platform.GL32.nvidia-555-58-02/x86_64/1.4 from remote flathub: TLS support is not available
Warning: While pulling runtime/org.freedesktop.Platform.GL32.nvidia-560-35-03/x86_64/1.4 from remote flathub: TLS support is not available
```
I tried reinstalling the referenced packages, but so far I haven't made any progress, any suggestions?
MichaelAttard (31 rep) • Dec 27, 2024, 09:27 AM

6 votes, 3 answers, 2992 views
How can I disable old TLS versions in exim?
I'm running an Exim MTA which only receives emails from a few other systems under my control. All these systems happily negotiate TLSv1.2/TLSv1.3 with my MTA. I would like to disable support for TLSv1.0 and TLSv1.1 but I can't find instructions on how to do so.
All software is installed from the official Debian 10 repository (Exim 4.92, GnuTLS 3.6.6).
Martin Konrad (2288 rep) • May 18, 2020, 01:58 AM • Last activity: May 8, 2023, 02:03 AM

1 vote, 1 answer, 1063 views
TLS 1.3 only for rsyslog on Debian and CentOS
We have an existing rsyslog set up using TLS 1.2. We want to upgrade to TLS1.3 ONLY. I've read the other questions here, but when I set everything up, I get no logs.
The result of "openssl ciphers -v | awk '{print $2}' | sort -u" is:
```
SSLv3
TLSv1
TLSv1.2
TLSv1.3
```
In /etc/ssh/openssl.cnf I tried adding both MinProtocol = TLSv1.3 and MaxProtocol = TLSv1.3.
My rsyslogd -v is:
```
rsyslogd 8.1901.0 (aka 2019.01) compiled with:
PLATFORM: x86_64-pc-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Number of Bits in RainerScript integers: 64
```
On the server side, my logserver.conf in /etc/rsyslog.d is:
```
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/rsyslogServer-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/rsyslogServer-key.pem
module(load="imtcp"
StreamDriver.mode="1"
StreamDriver.authmode="anon"
gnutlsprioritystring="SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3"
)
```
Does anyone have any ideas about how I can force TLS 1.3 only on my system?
user1309220 (15 rep) • Apr 1, 2022, 01:25 PM • Last activity: Dec 21, 2022, 11:31 AM

0 votes, 1 answer, 699 views
Linux From Scratch 11 can not verify any SSL certificates
I have built an LFS 11.0 system and installed wget from the BLFS book. I also have openssl and gnutls installed, but whenever I do wget for a site with ssl, it says it can't verify the cert. It does work if I add the `--no-check-certificate` option, though. I also have installed lynx with ssl support and it says This client does not support https urls.
I think it is missing SSL root CA certs, but I do not know where to get them, or where to put them when I get them.
EDIT: Internet connectivity does work, and I can ping sites and wget/lynx with http:// urls.
Matthias Lee (47 rep) • Feb 1, 2022, 11:41 PM • Last activity: Aug 29, 2022, 08:49 PM

0 votes, 2 answers, 1963 views
Could not get nonce, let's try again when using acme
When I am using this command to generate a certificate on CentOS 7.6:
```
acme.sh --issue --dns dns_cf -d poemhub.top -d *.poemhub.top -k ec-256
```
it shows this error:
```
[Sun Jul 11 23:09:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jul 11 23:09:29 CST 2021] Multi domain='DNS:poemhub.top,DNS:*.poemhub.top'
[Sun Jul 11 23:09:29 CST 2021] Getting domain auth token for each domain
[Sun Jul 11 23:09:30 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:34 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:44 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:44 CST 2021] Create new order error. Le_OrderFinalize not found.
[Sun Jul 11 23:09:44 CST 2021] Please add '--debug' or '--log' to check more details.
[Sun Jul 11 23:09:44 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```
Where is it going wrong and what should I do to fix it? What I have tried is upgrading to the newest version of `acme.sh`:
```
[root@izbp19pke6x0v6ruecuy1yz poemhub.top_ecc]# acme.sh --upgrade
[Sun Jul 11 23:09:19 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:21 CST 2021] Already uptodate!
[Sun Jul 11 23:09:21 CST 2021] Upgrade success!
```
Dolphin (791 rep) • Jul 11, 2021, 03:15 PM • Last activity: Mar 18, 2022, 05:49 AM

6 votes, 1 answer, 6285 views
mutt error sending mail: gnutls_handshake: An unexpected TLS packet was received
I keep on getting an error as indicated by the title when sending email in neomutt. This is what I put in my muttrc:
```
set from = "myemail@domain.ca"
set realname = "my name"
set smtp_url = "smtps://myemail@domain.ca@smtp-mail.outlook.com:587"
set smtp_pass = "pass"
set imap_pass = "pass"
set ssl_starttls = "yes"
set folder = "imaps://myemail@domain@outlook.office365.com:993"
set header_cache = "~/.mutt/cache/headers"
set message_chachedir = "~/.mutt/cache/bodies"
set certificate_file = "~/.mutt/certificates"
set editor = "vim"
```
So far I've tried changing my smtp url from smtps to smtp, but this only gave me the error "SASL authentication failed".
Jordan Herzstein (61 rep) • Sep 3, 2021, 10:54 AM • Last activity: Sep 3, 2021, 11:16 AM

0 votes, 1 answer, 2267 views
RSYSLOG force only TLS 1.3 version
Debian: 10.10
rsyslog-gnutls: 8.1901.0-1
libgnutls: 30.6.7
I am searching for the **path and file name** in which to insert the variable "gnutlsPriorityString".
What is its path? And its file name, to put this variable "gnutlsPriorityString" in?
My goal is for TLS to work only with "TLS1.3", and I test with an rsyslog client.
Reference links:
- https://serverfault.com/questions/962207/option-to-configure-tls-version-in-rsyslog
- https://www.gnutls.org/manual/html_node/Application_002dspecific-priority-strings.html#:~:text=The%20priority%20strings%20can%20be,%2DPRIORITY%3A%2BSRP%20%27) .
- https://www.gnutls.org/manual/html_node/Overriding-the-default-priority-string.html
- https://gnutls.org/manual/html_node/Priority-Strings.html
- https://serverfault.com/questions/986490/rsyslog-with-custom-tls-connection
- https://github.com/mozilla/server-side-tls/issues/30
CH06 (45 rep) • Jul 2, 2021, 12:00 PM • Last activity: Jul 19, 2021, 11:33 AM

1 vote, 1 answer, 1867 views
"lftp" on RHEL6 fails to connect to vsftpd on RHEL7
I have configured
vsftpd
on RHEL7 and i am trying to transfer data to it using lftp
from RHEL6.
lftp
seems to fail after sending the PASS
command for anonymous
login.
---> USER anonymous
PASS xxxxxx
**** gnutls_record_recv: An unexpected TLS packet was received.
---- Closing control socket
cd: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.
The corresponding vsftpd
log message:
Wed Mar 18 08:20:41 2020 [pid 37007] FTP command: Client "XX.XXX.XX.XX", "USER anonymous"
Wed Mar 18 08:20:41 2020 [pid 37007] [anonymous] FTP response: Client "XX.XXX.XX.XX", "331 Please specify the password."
Wed Mar 18 08:20:41 2020 [pid 37007] [anonymous] FTP command: Client "XX.XXX.XX.XX", "PASS "
Wed Mar 18 08:20:41 2020 [pid 37006] [cfgdb] OK LOGIN: Client "XX.XXX.XX.XX", anon password "xxxxxx"
But the same `lftp` works when connecting to a `vsftpd` configured on RHEL6. `vsftpd` logs from RHEL6 on successful connection:
Wed Mar 18 06:16:26 2020 [pid 706] FTP command: Client "XX.XXX.XX.XX", "USER anonymous"
Wed Mar 18 06:16:26 2020 [pid 706] [anonymous] FTP response: Client "XX.XXX.XX.XX", "331 Please specify the password."
Wed Mar 18 06:16:26 2020 [pid 706] [anonymous] FTP command: Client "XX.XXX.XX.XX", "PASS "
Wed Mar 18 06:16:26 2020 [pid 703] [cfgdb] OK LOGIN: Client "XX.XXX.XX.XX", anon password "xxxxxx"
Wed Mar 18 06:16:26 2020 [pid 709] [cfgdb] FTP response: Client "XX.XXX.XX.XX", "230 Login successful."
`lftp` version on RHEL6:
# lftp -v
LFTP | Version 4.0.9 | Copyright (c) 1996-2010 Alexander V. Lukyanov
`vsftpd` on RHEL7:
# vsftpd -v
vsftpd: version 3.0.2
Fazlin
(281 rep)
Mar 18, 2020, 12:37 PM
• Last activity: Jan 5, 2021, 03:36 AM
6
votes
1
answers
2685
views
aria2c had to connect to the other side using an unknown TLS protocol, why?
When I run
aria2c https://www.example.com
I get
02/24 15:33:38 [WARN] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
Why is this? Note that this isn't specific to `www.example.com`; it happens on many if not all hosts.
For reference, here's the (redacted) log:
[INFO] [Context.cc:182] aria2 1.34.0
[INFO] [Context.cc:183] gcc 8.2.1 20181127
built by x86_64-pc-linux-gnu
on Feb 8 2019 09:32:06
[INFO] [Context.cc:185] zlib/1.2.11 libxml2/2.9.9 sqlite3/3.26.0 GnuTLS/3.6.6 nettle GMP/6.1.2 c-ares/1.15.0 libssh2/1.8.0
[INFO] [Context.cc:186] Logging started.
[DEBUG] [Context.cc:216] Not setting rlimit NO_FILE: 1024 >= 1024
[NOTICE] [Context.cc:311] Downloading 1 item(s)
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_get_raw_field2]:1570
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:990
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:990
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:990
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:990
[INFO] [LibgnutlsTLSContext.cc:158] 135 certificate(s) were imported.
[DEBUG] [RequestGroupMan.cc:591] 1 RequestGroup(s) added.
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
[DEBUG] [FeedbackURISelector.cc:162] Selected from normCands
[DEBUG] [FeedbackURISelector.cc:84] FeedbackURISelector selected https://www.example.com
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
[INFO] [AsyncNameResolverMan.cc:83] CUID#7 - Resolving hostname www.example.com
[DEBUG] [EpollEventPoll.cc:260] Failed to delete socket event:Bad file descriptor
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
[INFO] [AbstractCommand.cc:817] CUID#7 - Name resolution complete: www.example.com -> 93.184.216.34
[INFO] [HttpInitiateConnectionCommand.cc:123] CUID#7 - Connecting to 93.184.216.34:443
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:0, hup:0, err:0
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:1, hup:0, err:0
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:0, write:1, hup:0, err:0
[DEBUG] [SocketCore.cc:926] Creating TLS session
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Allocating epoch #0
[DEBUG] [Platform.cc:86] GnuTLS: added 6 protocols, 29 ciphersuites, 17 sig algos and 9 groups into priority list
[DEBUG] [SocketCore.cc:946] TLS Handshaking
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Allocating epoch #1
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Adv. version: 3.3
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
[DEBUG] [Platform.cc:86] GnuTLS: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Maximum Record Size/1) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (OCSP Status Request/5) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension OCSP Status Request/5 (5 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Client Certificate Type/19) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Server Certificate Type/20) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Supported Groups/10) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group SECP256R1 (0x17)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group SECP384R1 (0x18)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group SECP521R1 (0x19)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group X25519 (0x1d)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group FFDHE2048 (0x100)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group FFDHE3072 (0x101)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group FFDHE4096 (0x102)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group FFDHE6144 (0x103)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sent group FFDHE8192 (0x104)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Supported Groups/10 (20 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Supported EC Point Formats/11 (2 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (SRP/12) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Signature Algorithms/13) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (4.1) RSA-SHA256
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.9) RSA-PSS-SHA256
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (4.3) ECDSA-SHA256
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.7) EdDSA-Ed25519
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (5.1) RSA-SHA384
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.10) RSA-PSS-SHA384
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (5.3) ECDSA-SHA384
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (6.1) RSA-SHA512
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.11) RSA-PSS-SHA512
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (6.3) ECDSA-SHA512
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sent signature algo (2.1) RSA-SHA1
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Signature Algorithms/13 (30 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (SRTP/14) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Heartbeat/15) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (ALPN/16) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Encrypt-then-MAC/22 (0 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Extended Master Secret/23) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Extended Master Secret/23 (0 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Session Ticket/35) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Session Ticket/35 (0 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Key Share/51) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sending key share for SECP256R1
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: sending key share for X25519
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Key Share/51 (107 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Supported Versions/43) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.4
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.3
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.2
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.1
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Supported Versions/43 (9 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Post Handshake Auth/49) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Safe Renegotiation/65281 (1 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Server Name Indication/0) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: sent server name: 'www.example.com'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Server Name Indication/0 (20 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Cookie/44) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Early Data/42) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Record Size Limit/28) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Sending extension Record Size Limit/28 (2 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (ClientHello Padding/21) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Preparing extension (Pre Shared Key/41) for 'client hello'
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: CLIENT HELLO was queued [354 bytes]
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Preparing Packet Handshake(22) with length: 354 and min pad: 0
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Sent Packet Handshake(22) in epoch 0 and length: 359
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[_gnutls_io_read_buffered]:589
[DEBUG] [AbstractCommand.cc:184] CUID#7 - socket: read:1, write:0, hup:0, err:0
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 Handshake packet received. Epoch 0, length: 123
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet Handshake(22) with length: 123
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Decrypted Packet Handshake(22) with length: 123
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: SERVER HELLO (2) was received. Length 119, frag offset 0, frag length: 119, sequence: 0
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1162
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1413
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Server's version: 3.3
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Parsing extension 'Supported Versions/43' (2 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Negotiated version: 3.4
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Parsing extension 'Key Share/51' (69 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Selected group SECP256R1 (2)
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: client generated SECP256R1 shared key
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Sent Packet ChangeCipherSpec(20) in epoch 0 and length: 6
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Sent ChangeCipherSpec
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Initializing epoch #1
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Epoch #1 ready
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet ChangeCipherSpec(20) with length: 1
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 Application Data packet received. Epoch 1, length: 27
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet Application Data(23) with length: 27
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Decrypted Packet Handshake(22) with length: 10
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: ENCRYPTED EXTENSIONS (8) was received. Length 6, frag offset 0, frag length: 6, sequence: 0
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: parsing encrypted extensions
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Parsing extension 'Server Name Indication/0' (0 bytes)
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 Application Data packet received. Epoch 1, length: 4502
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet Application Data(23) with length: 4502
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Decrypted Packet Handshake(22) with length: 4485
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: CERTIFICATE (11) was received. Length 4481, frag offset 0, frag length: 4481, sequence: 0
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1162
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1413
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: parsing certificate message
[DEBUG] [Platform.cc:86] GnuTLS: Found OCSP response on cert 0
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 Application Data packet received. Epoch 1, length: 281
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet Application Data(23) with length: 281
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Decrypted Packet Handshake(22) with length: 264
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: CERTIFICATE VERIFY (15) was received. Length 260, frag offset 0, frag length: 260, sequence: 0
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Parsing certificate verify
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: verifying TLS 1.3 handshake data using RSA-PSS-RSAE-SHA256
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: buffers.c[get_last_packet]:1171
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Expected Packet Handshake(22)
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Received Packet Application Data(23) with length: 69
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Decrypted Packet Handshake(22) with length: 52
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: FINISHED (20) was received. Length 48, frag offset 0, frag length: 48, sequence: 0
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: parsing finished
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: sending finished
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: FINISHED was queued [52 bytes]
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Sent Packet Handshake(22) in epoch 1 and length: 74
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: constate.c[_gnutls_epoch_get]:901
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Allocating epoch #2
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Initializing epoch #2
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Epoch #2 ready
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Start of epoch cleanup
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Epoch #0 freed
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: Epoch #1 freed
[DEBUG] [Platform.cc:86] GnuTLS: REC[0x7fffd8c6c880]: End of epoch cleanup
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_get_raw_field2]:1570
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[find_signercert]:1996
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_der_encode]:876
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[find_signercert]:2091
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_get_raw_field2]:1570
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2352
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_get_raw_field2]:1570
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[find_signercert]:1996
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: common.c[_gnutls_x509_der_encode]:876
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[find_signercert]:2091
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: mpi.c[wrap_nettle_mpi_print]:60
[DEBUG] [Platform.cc:86] GnuTLS: ocsp signer: subject CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', issuer
CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x01fda3eb6eca75c888438b724bcfbc91, RSA key 2048 bits, signed using RSA-SHA256, activated 2013-03-08 12:00:00 UTC', expires
2023-03-08 12:00:00 UTC', pin-sha256="5kJvNEMw0KjrCAu7eXY5HZdvyCS13BbA0VJG1RSP91w="
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1649
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:99
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: ocsp-api.c[gnutls_ocsp_status_request_get2]:99
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110
[DEBUG] [Platform.cc:86] GnuTLS: ASSERT: x509.c[get_alt_name]:1815
[WARN] [SocketCore.cc:979] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
Peer: www.example.com (93.184.216.34:443)
02/24 15:38:26 [WARN] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
...
user541686
(3163 rep)
Feb 24, 2019, 11:44 PM
• Last activity: Dec 12, 2020, 11:39 PM
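An added example (not part of the question above, and not aria2 or GnuTLS code): a small parser for the GnuTLS debug lines in the log above, which print protocol versions in wire form (3.3 is TLS 1.2, 3.4 is TLS 1.3). It reports the effective version, which in a TLS 1.3 handshake comes from the `Supported Versions` extension rather than the `Server's version` field; the sample input is constructed from lines of that log, and every function and variable name is this example's own.

```python
import re

# Wire-format (major.minor) protocol versions as they appear in GnuTLS debug output.
WIRE_VERSIONS = {
    "3.0": "SSL 3.0",
    "3.1": "TLS 1.0",
    "3.2": "TLS 1.1",
    "3.3": "TLS 1.2",
    "3.4": "TLS 1.3",
}

# One pattern per fact we want to pull out of the log.
PATTERNS = {
    "advertised": re.compile(r"GnuTLS: Advertizing version (\d+\.\d+)"),
    "server_hello": re.compile(r"HSK\[0x[0-9a-f]+\]: Server's version: (\d+\.\d+)"),
    "negotiated": re.compile(r"EXT\[0x[0-9a-f]+\]: Negotiated version: (\d+\.\d+)"),
    "cipher": re.compile(r"HSK\[0x[0-9a-f]+\]: Selected cipher suite: (\S+)"),
    "group": re.compile(r"HSK\[0x[0-9a-f]+\]: Selected group (\S+)"),
    "warning": re.compile(r"\[WARN\] \[[^\]]+\] (.*)"),
}

# Constructed sample: a handful of lines taken from the debug log in the question.
SAMPLE_LOG = """\
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Adv. version: 3.3
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.4
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.3
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.2
[DEBUG] [Platform.cc:86] GnuTLS: Advertizing version 3.1
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Server's version: 3.3
[DEBUG] [Platform.cc:86] GnuTLS: EXT[0x7fffd8c6c880]: Negotiated version: 3.4
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[DEBUG] [Platform.cc:86] GnuTLS: HSK[0x7fffd8c6c880]: Selected group SECP256R1 (2)
[WARN] [SocketCore.cc:979] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
"""


def wire_name(version):
    """Translate '3.4' into 'TLS 1.3'; keep unknown values visible."""
    return WIRE_VERSIONS.get(version, "unknown ({})".format(version))


def summarize_handshake(log_text):
    """Collect advertised versions, the negotiated version, suite, group and warnings."""
    summary = {
        "advertised": [],
        "server_hello": None,   # legacy version field of the ServerHello
        "negotiated": None,     # version chosen via the Supported Versions extension
        "cipher": None,
        "group": None,
        "warnings": [],
    }
    for line in log_text.splitlines():
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1)
            if key == "advertised":
                summary["advertised"].append(wire_name(value))
            elif key == "warning":
                summary["warnings"].append(value)
            elif key in ("server_hello", "negotiated"):
                summary[key] = wire_name(value)
            else:
                summary[key] = value
    # A TLS 1.3 ServerHello still carries 3.3 in its version field, so the
    # extension value wins whenever it is present.
    summary["effective"] = summary["negotiated"] or summary["server_hello"]
    return summary


if __name__ == "__main__":
    result = summarize_handshake(SAMPLE_LOG)
    print("client advertised :", ", ".join(result["advertised"]))
    print("ServerHello field :", result["server_hello"])
    print("effective version :", result["effective"])
    print("cipher suite      :", result["cipher"])
    print("key share group   :", result["group"])
    for text in result["warnings"]:
        print("warning           :", text)
```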
0
votes
0
answers
2975
views
Handshake Failure when cloning a git repository which requires a certificate
# The Problem
I have been having issues connecting to an Atlassian Stash which requires a certificate issued by my company. When I connect using Firefox (which has the certificate) it will allow me to go onto the website, but when I try to clone the git repository using bash (on Pop_OS! 20.04, which is based upon the same Ubuntu version) then I get the following error:
> git clone https://cmstash.cm.website.com/scm/cded/prototyping.git
Cloning into 'prototyping'...
fatal: unable to access 'https://cmstash.cm.website.com/scm/cded/prototyping.git/ ': gnutls_handshake() failed: Handshake failed
# How I set up the certificates
I have 3 files, `4125B9-ca.crt`, `4125B9.crt` and `4125B9.key`. These are placed in `/usr/share/ca-certificates/work/`. I then ran `sudo update-ca-certificates --fresh` and selected the `.crt` files when running `sudo dpkg-reconfigure ca-certificates`. This gave the warning:
warning: skipping 4125B9-ca.pem,it does not contain exactly one certificate or CRL
# How I debugged the problem
I've tried different commands to test the connection; some information has been removed for security reasons.
I started with `openssl`'s `s_client`:
> sudo openssl s_client -connect cmstash.cm.website.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt -tls1_2
CONNECTED(00000003)
[depth 1 & 2 removed]
depth=0 CN = *.website.com, O = [O removed], OU = IT-Department, OU = CM, [C & L removed]
verify return:1
140405633332544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/recor /rec_layer_s3.c:1543:SSL alert number 40
---
Certificate chain
[Certificate chain removed]
---
Server certificate
-----BEGIN CERTIFICATE-----
[Certificate removed]
-----END CERTIFICATE-----
[Subject and Issuer removed]
---
Acceptable client certificate CA names
[acceptable client certificate names removed]
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4110 bytes and written 447 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
Session-ID-ctx:
Master-Key: [Master Key removed]
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1600242853
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
After seeing the Acceptable client certificate CA names, I checked it against my certificate but the CA name was the same.
I then tried to use `curl`:
curl -iv --ciphers DEFAULT@SECLEVEL=1 https://cmstash.website.com
* Trying 212.203.27.120:443...
* TCP_NODELAY set
* Connected to cmstash.cm.website.com ([IP removed]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: DEFAULT@SECLEVEL=1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
After this did not give me more information I tried `gnutls`:
gnutls-cli -d 0 -V cmstash.cm.website.com:443
- Status: The certificate is trusted.
- Server's trusted authorities:
[Authorities removed]
- Successfully sent 0 certificate(s) to server.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert : Handshake failed
It seems to be a TLS issue and not directly related to git. Sadly the error messages only say that the handshake failed, but not why or how.
# Other information
* The website does not support SSLv3 or TLS1.3, so I used TLS1.2
* The certificate is valid, as it does work when used in Firefox
Veleon
(1 rep)
Sep 16, 2020, 03:05 PM
1
votes
1
answers
376
views
Why does increasing the encryption policy to FUTURE break some websites?
I edited [`/etc/crypto-policies/config`](https://man.linuxreviews.org/man7/crypto-policies.7.html) to change the system-wide crypto policy from DEFAULT to FUTURE, ran `update-crypto-policies`, and afterwards the RSS/ATOM feed aggregator `akregator` wasn't loading pages. However, if I change the policy to NEXT I have no problems. Does the FUTURE policy force the use of [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) 1.3, which I know some of the sites in question don't support via `wget --secure-protocol=TLSv1_3 [URL]`?
Matthew Cline
(3565 rep)
Mar 17, 2020, 07:48 AM
• Last activity: Mar 17, 2020, 10:03 AM
13
votes
8
answers
32386
views
VSFTPD FileZilla GnuTLS error -15 (unexpected TLS packet was received)
I set up two new CentOS 7 boxes simultaneously, so the configurations should be identical, just different ip addresses and host names.
I installed VSFTPD and configured for passive ports. One box connects fine, no issues, however the second box continuously throws me this error:
GnuTLS error -15: An unexpected TLS packet was received.
Here is the debug FileZilla trace:
Status: Connecting to 192.168.20.68:21...
Status: Connection established, waiting for welcome message...
Trace: CFtpControlSocket::OnReceive()
Response: 220 (vsFTPd 3.0.2)
Trace: CFtpControlSocket::SendNextCommand()
Command: AUTH TLS
Trace: CFtpControlSocket::OnReceive()
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Trace: CTlsSocket::Handshake()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnSend()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::ContinueHandshake()
Trace: TLS Handshake successful
Trace: Protocol: TLS1.2, Key exchange: ECDHE-RSA, Cipher: AES-256-GCM, MAC: AEAD
Status: Verifying certificate...
Status: TLS connection established.
Trace: CFtpControlSocket::SendNextCommand()
Command: USER datamover
Trace: CTlsSocket::OnRead()
Trace: CFtpControlSocket::OnReceive()
Response: 331 Please specify the password.
Trace: CFtpControlSocket::SendNextCommand()
Command: PASS *******
Trace: CTlsSocket::OnRead()
Trace: CTlsSocket::Failure(-15)
Error: GnuTLS error -15: An unexpected TLS packet was received.
Trace: CRealControlSocket::OnClose(106)
Trace: CControlSocket::DoClose(64)
Trace: CFtpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
The error is always right after the password check.
I know the problem IS NOT SELinux, as I disabled that. The problem is also not the firewall, as I tried disabling the Firewall Daemon (firewalld).
Here is the relevant portion of the /etc/vsftpd/vsftpd.conf file.
listen=YES
listen_ipv6=NO
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
pasv_address=192.168.20.88
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
I did a Google search but did not see any 15 error codes.
Thoughts?
Sarah Weinberger
(692 rep)
Mar 17, 2016, 10:09 PM
• Last activity: Sep 6, 2019, 07:08 PM
11
votes
1
answers
29353
views
Why openssl s_client verifies a cert against a mismatching CAfile?
I am trying to yield a certificate verification error with `openssl s_client` like this:
$ openssl s_client -crlf -verify 9 \
-CAfile /etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem \
-starttls smtp -host mx-ha03.web.de -port 25
The certificate of the web.de server is certified by the Deutsche Telekom CA, not TURKTRUST, thus the above command should fail, right?
But it reports:
Verify return code: 0 (ok)
Why?
I mean an analogous gnutls-cli command fails as expected:
$ { echo -e 'ehlo example.org\nstarttls' ; sleep 1 } | \
gnutls-cli --starttls --crlf \
--x509cafile /etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem \
--port 25 mx-ha03.web.de
[..]
*** Verifying server certificate failed...
Doing a crosscheck, i.e. using instead `--x509cafile /etc/ssl/certs/ca-certificates.crt` with gnutls-cli I get:
[..]
- The hostname in the certificate matches 'mx-ha03.web.de'.
- Peer's certificate is trusted
(which is also expected)
Openssl s_client prints for ca-certificates.crt:
Verify return code: 0 (ok)
The same result as for TURKTRUST ...
First I suspected openssl using a default setting for `-CApath` (i.e. `/etc/ssl/certs`) - but when I `strace` the process I see just the `open` syscall for the argument of `CAfile`.
(all tests done on an Ubuntu 10.04 server)
**Update:** I've copied the TURKTRUST certificate to a Fedora 20 system and executed the first openssl statement - there I get a different result:
Verify return code: 19 (self signed certificate in certificate chain)
maxschlepzig
(59492 rep)
Oct 19, 2014, 11:19 AM
• Last activity: Jan 15, 2019, 10:55 AM
1
votes
1
answers
1770
views
Getting frequently connection error: No route to host and TLS session handshake errors with HLS. But it works in Windows!
I'm trying to use FFMPEG to pipe a HLS stream to TVHEADEND. But I'm unable to make it work as it keeps getting some Host not found, No route to host and TLS handshake errors.
To test it out I run this command replacing privateurl.com with my private streaming URL.
ffmpeg -user_agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100Safari/537.36" -i "https://privateurl.com:8443/stream/stream.m3u8" -c copy -f mpegts test.ts
This works perfectly on Windows (FFMPEG build 3.4.2), but on my Debian Server (Proxmox) I'm unable to have a stable connection with the exact same command. I tested it with FFMPEG version 3.2.12-1~deb9u1 and with ffmpeg version 3.4.4 inside a LXC container, with the same result in both cases. As HLS is made out of chunks of smaller ts streams, it seems that it randomly is unable to connect to some of the chunks, claiming different kinds of errors that seem like a bad connection to the server, but why? Both Windows and Linux Server are connected to the same Router, and the Server is even connected directly via ethernet (Tried even changing the cable) but it still is unable to have a stable connection to the stream. Intermittently it is able to connect and stream a chunk, but then it stops randomly on other chunks. The error output of FFMPEG from the Server looks like this:
...
[tls @ 0x7f49f08eea40] The specified session has been invalidated for some reason.
[tcp @ 0x55efbe455aa0] Connection to tcp://privateurl.com:8443 failed (Host is unreachable), trying next address
Last message repeated 1 times
[hls,applehttp @ 0x7f49f08ee160] Opening 'https://privateurl.com:8443/stream/stream_982112.ts ' for reading
[tcp @ 0x55efbe02fbc0] Connection to tcp://privateurl.com:8443 failed (Host is unreachable), trying next address
Last message repeated 1 times
[tcp @ 0x55efbe503280] Connection to tcp://privateurl.com:8443 failed (Host is unreachable), trying next address
Last message repeated 1 times
[tls @ 0x55ba15827580] The TLS connection was non-properly terminated.
...
The same goes for VLC. On Windows I play the stream and it works perfectly, without any errors. If I run VLC on the Server side, the stream intermittently works for short bursts, and the console gets spammed with TLS and No route to host errors like this:
...
[00007fec88000ef0] main tls client error: TLS session handshake error
[00007fec88000ef0] main tls client error: connection error: No route to host
[00007fec88000ef0] gnutls tls client error: TLS handshake error: Error in the push function.
[00007fec88000ef0] main tls client error: TLS session handshake error
[00007fec88000ef0] main tls client error: connection error: No route to host
[00007fec88000ef0] gnutls tls client error: TLS handshake error: Error in the push function.
[00007fec88000ef0] main tls client error: TLS session handshake error
[00007fec88000ef0] main tls client error: connection error: No route to host
...
I tried using traceroute, tcptraceroute, ping to the privateurl.com and its port, and as much as I try to get an error using those commands, it always works perfectly.
So right now I'm completely out of ideas of how to make this work or what to try out to find out what is causing the issue. To me it looks like the TLS stack in Linux is just broken or it's a FFMPEG error, but I just don't know why it works in Windows but not on my Linux Server.
Anybody has an idea?
Robert Koszewski
(387 rep)
Oct 13, 2018, 12:19 PM
• Last activity: Oct 14, 2018, 06:02 PM
1
votes
1
answers
3043
views
How to determine cipher in use when using ldapsearch?
I'm trying to debug an LDAPS connection from Ubuntu 14.04 to some sort of VIP. There are 6 nodes behind the VIP. The connection only succeeds "sometimes". A wireshark log shows the failing connections being issued TLSv1.2 Alerts "Fatal, Illegal Parameter" with a Content Type "Alert (21)" which apparently only means wireshark can't decrypt the alert record.
I don't have access to the server's private key so I cannot decrypt the wireshark session. I'm trying to get the server admin to do it. In the meantime, is there any way to find out what cipher is being settled on when the connection *does* work? I've tried

ldapsearch -d 255 ...
but it doesn't reveal anything about the cipher that I can see, so far.
When the connection *does* succeed, the TLS record layer in wireshark looks like this, if it's of any use:

Server Fault
(577 rep)
Oct 9, 2018, 08:08 PM
• Last activity: Oct 9, 2018, 08:18 PM
2
votes
0
answers
8990
views
gnutls_handshake() failed - why?
I am running the following command:
curl --tlsv1.2 -v --cacert ./mycert.crt --key ./key.pem --cert ./mycert.crt https://thirdparty.url
I received the certificate from the third party I am working with after generating CSR and key files with openssl.
My server IP is whitelisted on the third party's firewall and they can see my requests coming in but the handshake always fails.
This is the response I receive:
* Trying X.X.X.X...
* Connected to thirdparty.url (X.X.X.X) port 443 (#0)
* found 1 certificates in ./nonprod.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
curl: (35) gnutls_handshake() failed: Handshake failed
How can I debug this issue?
Some info:
I am running curl 7.47.0 on Ubuntu 16.04.4
I try running this command:
openssl s_client -connect server.url:443 -tls1_2 -cert ./mycert.crt -key key.pem
BUT I have to exclude the link URI to make it work. The response does include this however:
140593823835800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140593823835800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
But it also says:
SSL handshake has read 3378 bytes and written 1702 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: CE2294E9B415FB8B9850DB28F64FEF17390A46D5A38F12E62E31F614DA4199CF50C0AFA5F62401C4964105AFC4F1B095
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528299660
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Cris Ravazzano
(21 rep)
Jun 6, 2018, 02:55 PM
• Last activity: Jun 6, 2018, 05:03 PM
3
votes
1
answers
4642
views
gnutls_handshake() failed
A few months ago I was able to snipe auctions on ebay with esniper. Today I get the following when I use it:
> Auction 12345678901234: Cannot connect to URL https://signin.ebay.com/ws/eBayISAPI.dll?SignIn: SSL connect error: gnutls_handshake() failed: Illegal parameter
Retrying...
I already have the latest version installed. How can I solve this?
(Ubuntu Linux 14.04)
patrick
(33 rep)
Aug 11, 2016, 05:41 PM
• Last activity: Aug 12, 2016, 04:22 AM
0
votes
1
answers
100
views
Update GnuTLS for JHBuild
I am trying to compile `GTK+` from source and have installed `JHBuild` for this purpose. I've already managed to build `PyGObject` using `JHBuild` and the `sanitycheck` runs without output.
For building `GTK+` it seems that `JHBuild` needs `GnuTLS` >= version 3.0 as it states in the terminal:
checking for GNUTLS... no
configure: error: in `/home/xiaolong/jhbuild/releases/gnome-apps-3.17.90/glib-networking-2.45.1':
configure: error: "Requested 'gnutls >= 3.0' but version of GnuTLS is 2.12.23
You may find new versions of GnuTLS at http://www.gnu.org/software/gnutls/"
See `config.log' for more details
*** Error during phase configure of glib-networking: ########## Error running ./configure --prefix /home/xiaolong/jhbuild/releases/gnome-apps-3.17.90/install --enable-installed-tests --disable-static --disable-gtk-doc --disable-Werror *** [13/29]
So I searched and found the following instructions on how to build `GnuTLS` in a more recent version than installed on my system:
http://www.bauer-power.net/2014/06/how-to-install-gnutls-3123-from-source.html
I needed to install some libraries to complete the instructions without errors, but that's done. Now I thought `JHBuild` would surely run fine until the next error in the build process of `GTK+`, but that wasn't the case. Instead I still see the same error message about requiring a version >= 3.0 of `GnuTLS`. It seems `JHBuild` has a problem locating the `GnuTLS` build from source and still finds the one installed from the package management system instead.
How do I fix this behavior?
Zelphir Kaltstahl
(158 rep)
Aug 23, 2015, 08:19 PM
• Last activity: Aug 23, 2015, 08:46 PM
Showing page 1 of 19 total questions