
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 vote
1 answer
10584 views
curl 7.58 under proxy issue ssl wrong version
I just installed an Arch based distribution, Antergos. Then I installed a few packages with `pacman`. Now, after a restart, I am getting SSL errors while trying to clone with git:

```
fatal: unable to access 'https://xxxx@bitbucket.org/xxx/yyyy.git/': error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```

Also, curl to any https URL doesn't work:

```
curl https://google.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```

curl looks latest.

```
$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

$ pacman -Q | egrep 'ssl|curl'
curl 7.58.0-1
openssl 1.1.0.g-1
openssl-1.0 1.0.2.n-1
python-pycurl 7.43.0.1-1

$ ldd `which curl`
    linux-vdso.so.1 (0x00007ffdccee9000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007fe06a5a5000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007fe06a387000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007fe069fd0000)
    libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x00007fe069dab000)
    libidn2.so.0 => /usr/lib/libidn2.so.0 (0x00007fe069b8e000)
    libpsl.so.5 => /usr/lib/libpsl.so.5 (0x00007fe069980000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007fe069716000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007fe069299000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007fe06904b000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007fe068d63000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007fe068b30000)
    libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007fe06892c000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007fe068715000)
    /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fe06aa4a000)
    libunistring.so.2 => /usr/lib/libunistring.so.2 (0x00007fe068393000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007fe06818f000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007fe067f82000)
    libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007fe067d7e000)
    libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007fe067b67000)
```

I am behind a proxy:

```
$ proxytunnel -p PROXY_IP:PROXY_PORT -d www.google.com:443 -a 7000
$ openssl s_client -connect localhost:7000
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3790 bytes and written 261 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: BEE4D8162570B4AB0C8121DEC5756B6DC063DB3E7321BB58FD12D566482AD99A
    Session-ID-ctx:
    Master-Key: B050C78AAC1A0DF5063263DDCD3437CD3A4029E7D5431E236936D2D88AAAD2555A18D92318C9E2E31A550E339D4C26A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1519286347
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
read:errno=0
```

What is the solution?

**Update:** Confirming this is necessarily a curl issue. When I turn off the proxy and connect directly, curl https works. I set any other proxy server IP and port from https://free-proxy-list.net/ and then try to connect curl through that proxy. I get the same error. So either this curl version has a bug, or many proxy servers are wrongly configured.

**Update:** I think the issue is related to Deepin DE. I switched from the Deepin Desktop Environment to standard GNOME and curl started working fine. Possibly this is a bug related to Deepin's Network Settings, although it sets the environment variables correctly.
Neel Basu (321 rep)
Feb 21, 2018, 05:06 PM • Last activity: Aug 5, 2025, 08:02 PM
2 votes
1 answer
5065 views
Apache SSL configuration Connection refused connect:errno=111
I am trying to configure SSL on an old openSUSE server:

```
openSUSE 11.4 (x86_64)
VERSION = 11.4
CODENAME = Celadon
```

I enabled the Apache SSL module:

```
apache2ctl -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_host_module (shared)
 authz_groupfile_module (shared)
 authz_default_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 include_module (shared)
 log_config_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 userdir_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 deflate_module (shared)
 headers_module (shared)
 rewrite_module (shared)
Syntax OK
```

And I configured the virtual host providing the SSL certificates (by copying and editing the vhost-ssl.template and renaming it https.xxxxxxxx.conf) and restarted Apache. When I try to connect I get this error:

```
openssl s_client -connect localhost:443
connect: Connection refused
connect:errno=111
```

This is the openssl version installed:

```
OpenSSL 1.0.1p 9 Jul 2015 (Library: OpenSSL 1.0.0c 2 Dec 2010)
```

If it can help, this is my iptables config:

```
iptables -L -vn
Chain INPUT (policy ACCEPT 4641 packets, 815K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1691 packets, 4745K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Can you help me understand why I am not able to connect to port 443 on localhost?

**EDIT:** I believe it is a problem with Apache and the additional https.xxxxxxx.conf file:

```
httpd2 -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server xxxxxxxx.it (/etc/apache2/vhosts.d/xxxxxxxx.conf:3)
         port 80 namevhost xxxxxxxx.it (/etc/apache2/vhosts.d/xxxxxxxx.it.conf:3)
         port 80 namevhost XXX.XXX.XXX.XXX (/etc/apache2/vhosts.d/xxxxxxxx.it.conf:9)
```

In my listen.conf it seems that if the SSL module is enabled it should Listen 443:

```
Listen 80
Listen 443
```

This is the output of netstat:

```
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      8105/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1847/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2179/master
tcp        0      0 :::80                   :::*                    LISTEN      13330/httpd2-prefor
tcp        0      0 :::21                   :::*                    LISTEN      1930/vsftpd
tcp        0      0 :::22                   :::*                    LISTEN      1847/sshd
tcp        0      0 ::1:25                  :::*                    LISTEN      2179/master
```

I have modified the /etc/sysconfig/apache2 file to turn on the SSL module:

```
APACHE_SERVER_FLAGS="SSL"
```

Now it seems to respond correctly both locally and remotely:

```
openssl s_client -connect localhost:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
```

I still have problems, since I get this from the browser:

> This site can't be reached
> xxxxxxxx.it unexpectedly closed the connection.
> Try: Checking the connection; Checking the proxy and the firewall; Running Network Diagnostics
> ERR_CONNECTION_CLOSED

However I believe the problem is not related
Niko Zarzani (163 rep)
May 30, 2018, 10:33 AM • Last activity: Aug 1, 2025, 10:03 AM
0 votes
0 answers
26 views
ISC Bind9 with DNS over TLS (DOT) fails when strict tls auth is enabled
**Working:** I installed and set up the official Bind9 package to test DNS forward zones based on source IP/subnets, which unbound doesn't support. I properly set NAT forwards, changed the listening ports on Bind9 and configured it for DNS over TLS (see below). All works properly and DNS requests are properly forwarded and use TLS, until I uncomment the remote-hostname and/or ca-file options. Without them, as per the Bind9 docs, encryption is granted but not TLS authentication. If I enable those options to ensure strict TLS authentication, clients cannot resolve DNS entries and I get the errors below in the logs:

```
Jul 29 00:50:29	named	92197	query-errors: debug 4: fetch completed for readaloud.googleapis.com.intranet/A in 0.056869: TLS peer certificate verification failed/success [domain:.,referral:0,restart:1,qrysent:0,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
Jul 29 00:50:29	named	92197	query-errors: info: client @0x1414c4b10800 10.0.31.62#9512 (readaloud.googleapis.com.intranet): query failed (TLS peer certificate verification failed) for readaloud.googleapis.com.intranet/IN/A at query.c:7836
```

I tried with different ca-file values, but no success.

**My working Bind9 config (with remote-hostname commented):**

```
tls cloudflare-tls {
//    ca-file "/usr/local/share/certs/ca-root-nss.crt";
//    ca-file "/usr/local/etc/ssl/cert.pem";
//    ca-file "/usr/share/certs/trusted/IdenTrust_Commercial_Root_CA_1.pem";
//    remote-hostname "one.one.one.one";
    prefer-server-ciphers yes;
};

options {
    forwarders {
        1.1.1.1 port 853 tls cloudflare-tls;
        1.0.0.1 port 853 tls cloudflare-tls;
        2606:4700:4700::1111 port 853 tls "cloudflare-tls";
        2606:4700:4700::1001 port 853 tls "cloudflare-tls";
    };
};
```

* **Bind9 Docs:** [https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers](https://bind9.readthedocs.io/en/v9.18.14/reference.html#namedconf-statement-prefer-server-ciphers)

> Strict TLS provides server authentication via a pre-configured hostname for outgoing connections. This mechanism offers both channel confidentiality and channel authentication (of the server). In order to achieve Strict TLS, one needs to use remote-hostname and, optionally, ca-file options in the tls statements used for establishing outgoing connections (e.g. the ones used to download zone from primaries via TLS). Providing any of the mentioned options will enable server authentication. If remote-hostname is provided but ca-file is missed, then the platform-specific certificate authority certificates are used for authentication. The set roughly corresponds to the one used by WEB-browsers to authenticate HTTPS hosts. On the other hand, if ca-file is provided but remote-hostname is missing, then the remote side's IP address is used instead.

Any help on why enabling TLS auth fails?
user2565854 (1 rep)
Jul 29, 2025, 08:05 AM • Last activity: Jul 29, 2025, 08:29 AM
1 vote
0 answers
27 views
How solve Installing OpenVPN server on AlmaLinux 8 TLS problems
I want to set up OpenVPN version 2.4 or 2.6 on AlmaLinux 8 on a VPS and connect using the OpenVPN v2.4 GUI application. I tried some scripts to set it up; all of them installed properly, but communication failed.

- https://idroot.us/install-openvpn-server-almalinux-8/
- https://leomoon.com/downloads/scripts/openvpn-installer-for-linux/
- https://www.ionos.com/help/server-cloud-infrastructure/vpn/install-and-configure-openvpn/install-and-configure-openvpn-almalinux-8-and-9-and-rocky-linux-8-and-9/#c267989

I noticed that the TLS handshake breaks and gets an error:

*TLS: Initial packet from [AF_INET]74.208.111.231:1194, sid=1cfea13f ba1c9731*

I disabled the firewall to test simply. Here are the related config and log files. Any advice?

**Server.cfg file:**

```
port 1194
proto tcp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_D99XAUoi9FzAwlUr.crt
key server_D99XAUoi9FzAwlUr.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
```

**Client OVPN file:**

```
client
proto tcp-client
remote 74.208.111.231 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_D99XAUoi9FzAwlUr name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
-----BEGIN CERTIFICATE-----
MIIB1zCCAX2gAwIBAgIURKfw6FcSJ4xcLb3gUWx/THu02KEwCgYIKoZIzj0EAwIw
...
G0T9jlALYAcCIQC+R1s/2x0BRLAg5HzZih8exkfiKbFbt9by31VSKzCY7g==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB1zCCAX6gAwIBAgIQDutVPwLyl5UwKB0LJVUGHTAKBggqhkjOPQQDAjAeMRww
...
nAYorn0Lv1FhAiAXcCdEzm4SqieMfT3Hj2TBrrufpruhoKaOoN2OLBX9hw==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg57wmtsCOWL0GaZ5N
...
XOyWk/p2uZuUtP6cogjwdCCsaYeEF8iYqL0MyWF+PhC+Qoc8YKX9T8Le
-----END PRIVATE KEY-----
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
db3d6c752e41143cc06f8c83e48a742e
....
c2468e2a3e4c03d6a19efeef980c6c72
-----END OpenVPN Static key V1-----
```

**Client log:**

```
Sub Jul 27 22:34:15 2025 OpenVPN 2.4.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Mar 17 2022
Sub Jul 27 22:34:15 2025 Windows version 6.2 (Windows 8 or greater) 64bit
Sub Jul 27 22:34:15 2025 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Enter Management Password:
Sub Jul 27 22:34:15 2025 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sub Jul 27 22:34:15 2025 Need hold release from management interface, waiting...
Sub Jul 27 22:34:15 2025 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'state on'
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'log all on'
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'echo all on'
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'bytecount 5'
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'hold off'
Sub Jul 27 22:34:15 2025 MANAGEMENT: CMD 'hold release'
Sub Jul 27 22:34:15 2025 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sub Jul 27 22:34:15 2025 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sub Jul 27 22:34:15 2025 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sub Jul 27 22:34:15 2025 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sub Jul 27 22:34:15 2025 TCP/UDP: Preserving recently used remote address: [AF_INET]74.208.111.231:1194
Sub Jul 27 22:34:15 2025 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sub Jul 27 22:34:15 2025 Attempting to establish TCP connection with [AF_INET]74.208.111.231:1194 [nonblock]
Sub Jul 27 22:34:15 2025 MANAGEMENT: >STATE:1753643055,TCP_CONNECT,,,,,,
Sub Jul 27 22:34:16 2025 TCP connection established with [AF_INET]74.208.111.231:1194
Sub Jul 27 22:34:16 2025 TCP_CLIENT link local: (not bound)
Sub Jul 27 22:34:16 2025 TCP_CLIENT link remote: [AF_INET]74.208.111.231:1194
Sub Jul 27 22:34:16 2025 MANAGEMENT: >STATE:1753643056,WAIT,,,,,,
Sub Jul 27 22:34:17 2025 MANAGEMENT: >STATE:1753643057,AUTH,,,,,,
Sub Jul 27 22:34:17 2025 TLS: Initial packet from [AF_INET]74.208.111.231:1194, sid=1cfea13f ba1c9731
Sub Jul 27 22:34:54 2025 read TCP_CLIENT: Unknown error (code=10060)
Sub Jul 27 22:34:54 2025 Connection reset, restarting [-1]
Sub Jul 27 22:34:54 2025 SIGUSR1[soft,connection-reset] received, process restarting
Sub Jul 27 22:34:54 2025 MANAGEMENT: >STATE:1753643094,RECONNECTING,connection-reset,,,,,
Sub Jul 27 22:34:54 2025 Restart pause, 5 second(s)
Sub Jul 27 22:34:59 2025 SIGTERM[hard,init_instance] received, process exiting
Sub Jul 27 22:34:59 2025 MANAGEMENT: >STATE:1753643099,EXITING,init_instance,,,,,
```
Moh Tarvirdi (111 rep)
Jul 28, 2025, 02:40 PM
7 votes
1 answer
13479 views
Ubuntu - lftp will not connect to ftps site (Fatal error: gnutls_handshake: An unexpected TLS packet was received.)
I have a specific FTPS site that I cannot connect to with lftp. When I attempt to connect I get the error:

```
Fatal error: gnutls_handshake: An unexpected TLS packet was received
```

When I use gnutls-cli to connect I have found the correct settings to negotiate and actually issue a USER command. What I am asking for is any pointers to the correct lftp configuration for the gnutls part so that it can authenticate correctly.

**UPDATE:** What I see happening is that when using gnutls-cli it selects the right MAC and cipher to be used:

```
|| HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1
```

Unlike when being called from lftp, where it does not:

```
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
```

Below are my configurations and debug outputs from lftp and gnutls-cli:

## lftp Configuration ##

```
lftp
set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
set ftps:initial-prot P
set ftp:ssl-allow yes
set ftp:ssl-force yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
debug 999999999
open ftps://XXX.XXX.XXX.XXX:990
quote USER
```

## gnutls-cli Configuration ##

```
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
```

----------

*Some aspects have been anonymized, but nothing about the protocols.*

## lftp debug output ##

```
lftp
lftp :~> set ssl:priority NORMAL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2
lftp :~> set ftps:initial-prot P
lftp :~> set ftp:ssl-allow yes
lftp :~> set ftp:ssl-force yes
lftp :~> set ftp:ssl-protect-list yes
lftp :~> set ftp:ssl-protect-data yes
lftp :~> set ftp:ssl-protect-fxp yes
lftp :~> set ssl:verify-certificate no
lftp :~> debug 999999999
lftp :~> open ftps://XXX.XXX.XXX.XXX:990
---- Resolving host address...
buffer: EOF on FD 5
---- 1 address found: XXX.XXX.XXX.XXX
lftp XXX.XXX.XXX.XXX:~> quote USER
FileCopy(0x1475a50) enters state INITIAL
FileCopy(0x1475a50) enters state DO_COPY
---- dns cache hit
---- attempt number 1 (max_retries=1000)
---- Connecting to XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) port 990
GNUTLS: ASSERT: common.c:1110
..............
GNUTLS: REC[0x1918cd0]: Allocating epoch #0
GNUTLS: ASSERT: gnutls_constate.c:596
GNUTLS: REC[0x1918cd0]: Allocating epoch #1
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
GNUTLS: HSK[0x1918cd0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
GNUTLS: EXT[0x1918cd0]: Sending extension EXT MASTER SECRET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension ENCRYPT THEN MAC (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension STATUS REQUEST (5 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SERVER NAME (17 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SAFE RENEGOTIATION (1 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SESSION TICKET (0 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC (12 bytes)
GNUTLS: EXT[0x1918cd0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes)
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.1) RSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (4.3) ECDSA-SHA256
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.1) RSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (5.3) ECDSA-SHA384
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.1) RSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (6.3) ECDSA-SHA512
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.1) RSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (3.3) ECDSA-SHA224
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.1) RSA-SHA1
GNUTLS: EXT[0x1918cd0]: sent signature algo (2.3) ECDSA-SHA1
GNUTLS: EXT[0x1918cd0]: Sending extension SIGNATURE ALGORITHMS (22 bytes)
GNUTLS: HSK[0x1918cd0]: CLIENT HELLO was queued [248 bytes]
GNUTLS: REC[0x1918cd0]: Preparing Packet Handshake(22) with length: 248 and min pad: 0
GNUTLS: ENC[0x1918cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
GNUTLS: REC[0x1918cd0]: Sent Packet Handshake(22) in epoch 0 and length: 253
GNUTLS: ASSERT: gnutls_buffers.c:1154
GNUTLS: REC[0x1918cd0]: SSL 50.48 Unknown Packet packet received. Epoch 0, length: 11603
GNUTLS: ASSERT: gnutls_record.c:572
GNUTLS: Received record packet of unknown type 50
GNUTLS: ASSERT: gnutls_record.c:1076
GNUTLS: ASSERT: gnutls_record.c:1158
GNUTLS: ASSERT: gnutls_buffers.c:1409
GNUTLS: ASSERT: gnutls_handshake.c:1446
GNUTLS: ASSERT: gnutls_handshake.c:2762
**** gnutls_handshake: An unexpected TLS packet was received.
GNUTLS: REC[0x1918cd0]: Start of epoch cleanup
GNUTLS: REC[0x1918cd0]: End of epoch cleanup
GNUTLS: REC[0x1918cd0]: Epoch #0 freed
GNUTLS: REC[0x1918cd0]: Epoch #1 freed
---- Closing control socket
quote: USER : Fatal error: gnutls_handshake: An unexpected TLS packet was received.
```

## gnutls-cli debug output ##

```
gnutls-cli --starttls-proto=ftp XXX.XXX.XXX.XXX -p 990 --no-ca-verification -d 5
|| ASSERT: common.c:1110
...
Processed 173 CA certificate(s).
Resolving 'XXX.XXX.XXX.XXX'...
Connecting to 'XXX.XXX.XXX.XXX:990'...
|| REC[0x24073f0]: Allocating epoch #0
|| ASSERT: gnutls_constate.c:596
|| REC[0x24073f0]: Allocating epoch #1
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|| HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256
```
(00.6B) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F) || HSK[0x24073f0]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16) || EXT[0x24073f0]: Sending extension EXT MASTER SECRET (0 bytes) || EXT[0x24073f0]: Sending extension ENCRYPT THEN MAC (0 bytes) || EXT[0x24073f0]: Sending extension STATUS REQUEST (5 bytes) || EXT[0x24073f0]: Sending extension SAFE RENEGOTIATION (1 bytes) || EXT[0x24073f0]: Sending extension SESSION TICKET (0 bytes) || EXT[0x24073f0]: Sending extension SUPPORTED ECC (12 bytes) || EXT[0x24073f0]: Sending extension SUPPORTED ECC POINT FORMATS (2 bytes) || EXT[0x24073f0]: sent signature algo (4.1) RSA-SHA256 || EXT[0x24073f0]: sent signature algo (4.3) ECDSA-SHA256 || EXT[0x24073f0]: sent signature algo (5.1) RSA-SHA384 || EXT[0x24073f0]: sent signature algo (5.3) ECDSA-SHA384 || EXT[0x24073f0]: sent signature algo (6.1) RSA-SHA512 || EXT[0x24073f0]: sent signature algo (6.3) ECDSA-SHA512 || EXT[0x24073f0]: sent signature algo (3.1) RSA-SHA224 || EXT[0x24073f0]: sent signature algo (3.3) ECDSA-SHA224 || EXT[0x24073f0]: sent signature algo (2.1) RSA-SHA1 || EXT[0x24073f0]: sent signature algo (2.3) ECDSA-SHA1 || EXT[0x24073f0]: Sending extension SIGNATURE ALGORITHMS (22 bytes) || HSK[0x24073f0]: CLIENT HELLO was queued [227 bytes] || REC[0x24073f0]: Preparing Packet Handshake(22) with length: 227 and min pad: 0 || REC[0x24073f0]: Sent Packet Handshake(22) in epoch 0 and length: 232 || ASSERT: gnutls_buffers.c:1154 || REC[0x24073f0]: SSL 3.1 Handshake packet received. 
Epoch 0, length: 950 || REC[0x24073f0]: Expected Packet Handshake(22) || REC[0x24073f0]: Received Packet Handshake(22) with length: 950 || REC[0x24073f0]: Decrypted Packet Handshake(22) with length: 950 || HSK[0x24073f0]: SERVER HELLO (2) was received. Length 77, frag offset 0, frag length: 77, sequence: 0 || HSK[0x24073f0]: Server's version: 3.1 || HSK[0x24073f0]: SessionID length: 32 || HSK[0x24073f0]: SessionID: 000003031e05c5fea2ec00000000000000000000000000005b69ab4d00000001 || HSK[0x24073f0]: Selected cipher suite: RSA_3DES_EDE_CBC_SHA1 || HSK[0x24073f0]: Selected compression method: NULL (0) || EXT[0x24073f0]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes) || HSK[0x24073f0]: Safe renegotiation succeeded || ASSERT: gnutls_buffers.c:1154 || HSK[0x24073f0]: CERTIFICATE (11) was received. Length 861, frag offset 0, frag length: 861, sequence: 0 || ASSERT: gnutls_buffers.c:1392 || ASSERT: extensions.c:65 - Certificate type: X.509 - Got a certificate list of 1 certificates. - Certificate info: || ASSERT: dn.c:250 || ASSERT: dn.c:250 || ASSERT: extensions.c:65 - subject ', RSA key 1024 bits, signed using RSA-SHA1, activated 2009-09-10 00:00:00 UTC', expires 2021-04-24 23:59:59 UTC', SHA-1 fingerprint 555555555555555555555555555555555555555' Public Key ID: PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP Public key's random art: +--[ RSA 1024]----+ | o.o | | .= E.| | .B.o| | .= | | S = .| | . o . .= | | . . . oo.| | . o+| | .o.| +-----------------+ || ASSERT: gnutls_buffers.c:1154 || HSK[0x24073f0]: SERVER HELLO DONE (14) was received. 
Length 0, frag offset 0, frag length: 1, sequence: 0 || ASSERT: gnutls_buffers.c:1145 || ASSERT: gnutls_buffers.c:1392 || ASSERT: gnutls_buffers.c:1374 || ASSERT: extensions.c:65 || HSK[0x24073f0]: CLIENT KEY EXCHANGE was queued [134 bytes] || REC[0x24073f0]: Sent ChangeCipherSpec || REC[0x24073f0]: Initializing epoch #1 || REC[0x24073f0]: Epoch #1 ready || HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1 || HSK[0x24073f0]: Initializing internal [write] cipher sessions || HSK[0x24073f0]: recording tls-unique CB (send) || HSK[0x24073f0]: FINISHED was queued [16 bytes] || REC[0x24073f0]: Preparing Packet Handshake(22) with length: 134 and min pad: 0 || REC[0x24073f0]: Sent Packet Handshake(22) in epoch 0 and length: 139 || REC[0x24073f0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0 || REC[0x24073f0]: Sent Packet ChangeCipherSpec(20) in epoch 0 and length: 6 || REC[0x24073f0]: Preparing Packet Handshake(22) with length: 16 and min pad: 0 || REC[0x24073f0]: Sent Packet Handshake(22) in epoch 1 and length: 45 || REC[0x24073f0]: SSL 3.1 ChangeCipherSpec packet received. Epoch 0, length: 1 || REC[0x24073f0]: Expected Packet ChangeCipherSpec(20) || REC[0x24073f0]: Received Packet ChangeCipherSpec(20) with length: 1 || REC[0x24073f0]: Decrypted Packet ChangeCipherSpec(20) with length: 1 || HSK[0x24073f0]: Cipher Suite: RSA_3DES_EDE_CBC_SHA1 || ASSERT: gnutls_buffers.c:1154 || REC[0x24073f0]: SSL 3.1 Handshake packet received. Epoch 0, length: 40 || REC[0x24073f0]: Expected Packet Handshake(22) || REC[0x24073f0]: Received Packet Handshake(22) with length: 40 || REC[0x24073f0]: Decrypted Packet Handshake(22) with length: 16 || HSK[0x24073f0]: FINISHED (20) was received. 
Length 12, frag offset 0, frag length: 12, sequence: 0 || REC[0x24073f0]: Start of epoch cleanup || REC[0x24073f0]: Epoch #0 freed || REC[0x24073f0]: End of epoch cleanup - Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1) - Session ID: 00:00:03:03:1E:05:C5:FE:A2:EC:00:00:00:00:00:00:00:00:00:00:00:00:00:00:5B:69:AB:4D:00:00:00:01 || ASSERT: server_name.c:298 - Version: TLS1.0 - Key Exchange: RSA - Cipher: 3DES-CBC - MAC: SHA1 - Compression: NULL || ASSERT: status_request.c:350 || ASSERT: gnutls_ui.c:797 - Options: safe renegotiation, || ASSERT: srtp.c:317 || ASSERT: alpn.c:227 - Handshake was completed || ASSERT: status_request.c:350 - Simple Client Mode:
Ptier (71 rep)
Aug 7, 2018, 02:32 PM • Last activity: Jul 21, 2025, 12:05 PM
0 votes
1 answers
3201 views
nmap & ssl-enum-ciphers
I am trying to check for the offered ciphers with nmap:
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org  ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
It's working fine but for a single case:

* Fedora 35 (host1.example.org) from macOS
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Starting Nmap 7.92 ( https://nmap.org  ) at 2021-12-13 14:52 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
* Fedora 35 (host1.example.org) from Fedora 35 (host2.example.org)
$ nmap -Pn --script ssl-enum-ciphers host1.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org  ) at 2021-12-13 14:55 CET
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
* Same machines other direction. Fedora 35 (host2.example.org) from Fedora 35 (host1.example.org)
$ nmap -Pn --script ssl-enum-ciphers host2.example.org -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org  ) at 2021-12-13 14:56 CET
Nmap scan report for host2.example.org (138.201.94.172)
Host is up (0.013s latency).
Other addresses for host2.example.org (not scanned): 2a01:4f8:c17:cbd8::2

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
I don't really get why both Fedora machines give a result from macOS but not when scanning from host2.example.org to host1.example.org, when both should be configured in the same way. How can I debug the problem?
Matteo (10024 rep)
Dec 13, 2021, 01:59 PM • Last activity: Jul 19, 2025, 07:06 AM
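The three scans above show two different outcomes for an open port: a block of negotiated ciphers, or no ssl-enum-ciphers block at all. The following is an added example, not the poster's code and not part of Nmap: it parses ssl-enum-ciphers text output into one report per port, reports an open port that produced no script block separately from a port that offers weak ciphers, and reviews what was offered (legacy protocol versions, Nmap grades below A, key exchanges without forward secrecy). The sample outputs are constructed after the post's format; host3.example.org and its TLSv1.0 block are invented to exercise the weak-cipher checks.

```python
"""Parse and review the text output of Nmap's ssl-enum-ciphers script.

Added example for the nmap question above; not code from the post or from
Nmap. SAMPLE_* strings are constructed after the post's format (host1 and its
address are the post's own placeholders; host3 is invented).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+")
PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference:\s+(\S+)")
LEAST_RE = re.compile(r"^\|_?\s+least strength:\s+(\S+)")
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class CipherReport:
    host: str
    port: int
    # protocol -> [(cipher suite, key exchange as printed by Nmap, Nmap grade)]
    protocols: dict[str, list[tuple[str, str, str]]] = field(default_factory=dict)
    cipher_preference: str | None = None
    least_strength: str | None = None

    @property
    def script_ran(self) -> bool:
        """True when the script printed at least one protocol block."""
        return bool(self.protocols)


def parse_ssl_enum_ciphers(output: str) -> list[CipherReport]:
    """One CipherReport per open TCP port found in the scan output."""
    reports: list[CipherReport] = []
    host = "?"
    current: CipherReport | None = None
    proto: str | None = None
    for line in output.splitlines():
        if m := HOST_RE.match(line):
            host = m.group(1)
        elif m := PORT_RE.match(line):
            current = CipherReport(host=host, port=int(m.group(1)))
            reports.append(current)
            proto = None
        elif current is None:
            continue
        elif m := PROTO_RE.match(line):
            proto = m.group(1)
            current.protocols.setdefault(proto, [])
        elif (m := CIPHER_RE.match(line)) and proto is not None:
            current.protocols[proto].append((m.group(1), m.group(2), m.group(3)))
        elif m := PREF_RE.match(line):
            current.cipher_preference = m.group(1)
        elif m := LEAST_RE.match(line):
            current.least_strength = m.group(1)
    return reports


def forward_secret(suite: str) -> bool:
    """TLS 1.3 suites (TLS_AKE_*) always use (EC)DHE; TLS 1.2 names say so."""
    return suite.startswith("TLS_AKE_") or "_DHE_" in suite or "_ECDHE_" in suite


def findings(report: CipherReport) -> list[str]:
    """Defender-side review of one port. An open port without a script block
    is reported as such, not as "no ciphers": the script did not run or did
    not complete a handshake, which is a scanner-side question first."""
    if not report.script_ran:
        return [f"{report.host}:{report.port}: no ssl-enum-ciphers block (script did not run or returned nothing)"]
    out: list[str] = []
    for proto, ciphers in report.protocols.items():
        if proto in LEGACY:
            out.append(f"{report.host}:{report.port}: legacy protocol enabled: {proto}")
        for suite, kex, grade in ciphers:
            if grade != "A":
                out.append(f"{proto} {suite}: grade {grade}")
            if not forward_secret(suite):
                out.append(f"{proto} {suite}: key exchange '{kex}' gives no forward secrecy")
    return out


# Constructed samples (shape taken from the post).
SAMPLE_TLS13 = """\
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.0070s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.3: 
|     ciphers: 
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
"""
SAMPLE_NO_BLOCK = """\
Nmap scan report for host1.example.org (129.132.65.51)
Host is up (0.013s latency).

PORT    STATE SERVICE
443/tcp open  https
"""
SAMPLE_LEGACY = """\
Nmap scan report for host3.example.org (192.0.2.10)
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: C
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TLS13, SAMPLE_NO_BLOCK, SAMPLE_LEGACY):
        for rep in parse_ssl_enum_ciphers(sample):
            print(rep.host, rep.port, findings(rep) or "ok")
```

Feed it the raw stdout of `nmap --script ssl-enum-ciphers` from each scanning host; a report whose `script_ran` is false on one scanner and true on another points at the scanner, not the target.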
0 votes
1 answers
2628 views
Forwarding syslog-ng logs over TLS
This is the scenario: I have a server that's listening on port 6514 on TCP for logs. I created the .key and .crt files on the server as described here: https://www.logzilla.net/2014/10/17/configuring-tls-tunnels-in-syslog-ng.html :

[root@server1 ~]$ openssl genrsa -des3 -out logserver.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for logserver.key:
Verifying - Enter pass phrase for logserver.key:
[root@server1 ~]$ openssl req -new -key logserver.key -out logserver.csr
Enter pass phrase for logserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server1 ~]$ cp logserver.key logserver.key.org
[root@server1 ~]$ openssl rsa -in logserver.key.org -out logserver.key
Enter pass phrase for logserver.key.org:
writing RSA key
[root@server1 ~]$ openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key

and placed the settings in a created file named tls.conf in /etc/syslog-ng/conf.d. I followed the next instructions. Connect to the Client and mkdir -p /etc/syslog-ng/ssl.

Download/Upload the /etc/syslog-ng/ssl/logserver.crt (which was created earlier on the Server) to the Client system and put the file in /etc/syslog-ng/ssl on the Client. Find the hash for your key by running

openssl x509 -noout -hash -in /etc/syslog-ng/ssl/logserver.crt

Next, create a symbolic link to the certificate that uses the hash returned by the previous command, with an added .0 suffix.

ln -s /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/84d92a45.0

As soon as I add the client-to-server.conf under /etc/syslog-ng/conf.d/client-to-server.conf that has the following

@version:3.14
@define allow-config-dups 1
@include "scl.conf"
destination d_tls {
      tcp("192.168.1.7" port(6514)
          tls( ca_dir("/etc/syslog-ng/ssl/"))
      );
};
log { source(s_sys); destination(d_tls); };

the syslog-ng service won't start on the client.

systemctl restart syslog-ng.service
Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
[root@localhost conf.d]# systemctl status syslog-ng.service -l
● syslog-ng.service - System Logger Daemon
   Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
   Active: failed (Result: start-limit) since Thu 2018-06-07 22:50:30 EEST; 7min ago
     Docs: man:syslog-ng(8)
  Process: 18196 ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid (code=exited, status=2)
 Main PID: 18196 (code=exited, status=2)
   Status: "Starting up... (Thu Jun  7 22:50:30 2018"

Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd: start request repeated too quickly for syslog-ng.service
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.
[root@localhost conf.d]# journalctl -xe
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.022361] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.022410] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has failed.
-- 
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd: Starting System Logger Daemon...
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.281966] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.282017] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has failed.
-- 
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd: Starting System Logger Daemon...
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.522580] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng: [2018-06-07T22:50:30.522870] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has failed.
-- 
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd: start request repeated too quickly for syslog-ng.service
Jun 07 22:50:30 localhost.localdomain systemd: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit syslog-ng.service has failed.
-- 
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd: syslog-ng.service failed.

What am I doing wrong?
Aiurea Adica tot YO (141 rep)
Jun 7, 2018, 08:12 AM • Last activity: Jul 14, 2025, 07:05 AM
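The client-side steps in the post (copy logserver.crt into /etc/syslog-ng/ssl, run `openssl x509 -noout -hash`, link the certificate under `<hash>.0`) exist because OpenSSL's CApath lookup, which syslog-ng's `ca_dir()` uses, only finds a CA certificate under a subject-hash file name. The following is an added check, not part of the question or of syslog-ng: it walks a ca_dir, confirms that hash-named entries exist, resolve to PEM certificates, and (when the openssl CLI is on the PATH) carry the hash openssl actually computes for them. `demo()` builds a constructed layout in a temporary directory; 84d92a45 is the hash value from the post, the other names are invented.

```python
"""Sanity-check a directory meant for syslog-ng's tls(ca_dir(...)) option.

Added example for the syslog-ng question above; not the poster's code and not
part of syslog-ng. The openssl CLI is only used when present.
"""
from __future__ import annotations

import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")   # CApath entries look like 84d92a45.0
PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def subject_hash(cert: Path) -> str | None:
    """Subject hash as printed by `openssl x509 -noout -hash`; None when the
    openssl binary is missing or cannot parse the file."""
    if shutil.which("openssl") is None:
        return None
    run = subprocess.run(
        ["openssl", "x509", "-noout", "-hash", "-in", str(cert)],
        capture_output=True, text=True,
    )
    return run.stdout.strip() if run.returncode == 0 else None


def check_ca_dir(ca_dir: Path) -> list[str]:
    """Return a list of problems; an empty list means the layout looks usable."""
    if not ca_dir.is_dir():
        return [f"{ca_dir}: not a directory"]
    problems: list[str] = []
    entries = sorted(p for p in ca_dir.iterdir() if HASH_NAME.match(p.name))
    if not entries:
        problems.append(f"{ca_dir}: no <hash>.<n> entries; a certificate kept only under its own name is never consulted")
    for entry in entries:
        target = entry.resolve()
        if not target.is_file():
            link = os.readlink(entry) if entry.is_symlink() else "?"
            problems.append(f"{entry.name}: dangling link -> {link}")
            continue
        if PEM_MARKER not in target.read_text(errors="replace"):
            problems.append(f"{entry.name}: {target.name} is not a PEM certificate")
            continue
        expected = subject_hash(target)
        if expected is not None and expected != entry.name.split(".")[0]:
            problems.append(f"{entry.name}: name does not match subject hash {expected}")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed layouts in a temp dir: missing dir, cert without a hash
    link, correct link, dangling link, link to a non-certificate."""
    base = Path(tempfile.mkdtemp(prefix="ca_dir_demo_"))
    results: dict[str, list[str]] = {}
    results["missing"] = check_ca_dir(base / "missing")
    cert = base / "logserver.crt"   # constructed placeholder, not a real certificate
    cert.write_text(f"{PEM_MARKER}\nMIIB(constructed placeholder body)\n-----END CERTIFICATE-----\n")
    results["unlinked"] = check_ca_dir(base)
    (base / "84d92a45.0").symlink_to(cert)
    results["linked"] = check_ca_dir(base)
    (base / "deadbeef.0").symlink_to(base / "gone.crt")
    results["dangling"] = check_ca_dir(base)
    (base / "notes.txt").write_text("not a certificate\n")
    (base / "0a1b2c3d.0").symlink_to(base / "notes.txt")
    results["not_pem"] = check_ca_dir(base)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

On the client from the post, `check_ca_dir(Path("/etc/syslog-ng/ssl"))` reports whether the 84d92a45.0 link resolves and carries the hash openssl computes for logserver.crt; a mismatch or a dangling link is worth ruling out before looking further at the TLS context error.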
0 votes
1 answers
3210 views
Why does curl -k -I https://host.example.com not return response headers if certificate is not valid?
Does anyone know why curl with the -k (--insecure) option and -I (show headers) still shows the HTML response and not the headers as expected?

Working as expected:

$ curl -I https://validsslcert.example.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
...
$ curl -k -I https://validsslcert.example.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
...
$ curl -k https://invalidcert.example.com
...

NOT working as expected:

$ curl -k -I https://invalidcert.example.com


Maintenance

It doesn't really matter here what I'm doing, but I'm testing what headers get set to identify different backend acl logic on haproxy. I would expect curl to allow me to make an insecure connection (invalid certificate) and still return the headers?
Peter Hubberstey (36 rep)
Jan 11, 2021, 12:20 PM • Last activity: Jul 9, 2025, 02:05 PM
0 votes
0 answers
34 views
openssl in out my box has difference results
I run dovecot, Postfix and Let's Encrypt.
When I ssh into my Postfix box and run openssl to check mail, such as:
openssl s_client -crlf -connect mail.pahlevanzadeh.org:995 CONNECTED(00000003) depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = E5 verify return:1 depth=0 CN = pahlevanzadeh.org verify return:1 --- Certificate chain 0 s:CN = pahlevanzadeh.org i:C = US, O = Let's Encrypt, CN = E5 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384 v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT 1 s:C = US, O = Let's Encrypt, CN = E5 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIDjzCCAxagAwIBAgISBfAG6EnNBxwMyTgidyRdr+nmMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NTAeFw0yNTA3MDMxMzE5NDhaFw0yNTEwMDExMzE5NDdaMBwxGjAYBgNVBAMTEXBh aGxldmFuemFkZWgub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErVtD0AA6 BaATfUTG7qWpleN88HHQZ+SmlWlcEMLgYwKa6DPAhHfrHEZAjrU6+mk+lrBdTSpr RuKgOCyOcDYIb6OCAiAwggIcMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggr BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUTaP3tk8u 8H1nH/BbBfySDX/nRY8wHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0w MgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5v cmcvMBwGA1UdEQQVMBOCEXBhaGxldmFuemFkZWgub3JnMBMGA1UdIAQMMAowCAYG Z4EMAQIBMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly9lNS5jLmxlbmNyLm9yZy8x MDMuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA7TxL1ugGwqSiAFfbyyTi OAHfUS/txIbFcA8g3bc+P+AAAAGX0KcM/wAABAMARzBFAiEAzluaHjtzA30ftQDU +Cb5dnH+bXxGkjMD2WehMwyGGjkCIEurvvw15crGFbUFgNsicXHh8bp50KzjwNUU gzzKDX+CAHYAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAAAAGX0Kcc swAABAMARzBFAiEA3fVi/nyjaImFY6+onDBAI+1+jOieXzyQJUJ0ZEVYWZUCIGSF eP99MnyuXu+5TVK0VKGV+PL6kOw49f5ej7zdZA1DMAoGCCqGSM49BAMDA2cAMGQC MD/W3lbNC5UvdxL2tKGBJtIgSJtapSqe+GUNmZ3zfIw79pKB5DFwy1+EgO3xDzhu 
pQIwFkI9ZX0vn9SGhEnQ+2C4bopBmzApij454cU8rGNi7WmUMiksVoj0DkxVWbyb LWQL -----END CERTIFICATE----- subject=CN = pahlevanzadeh.org issuer=C = US, O = Let's Encrypt, CN = E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2410 bytes and written 408 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 256 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 Session-ID: DD436BF44CDC6F2C7046EC7A42DE9A97EA379E51902323A34A009F4539FF1B5C Session-ID-ctx: Resumption PSK: C056509B8FCB34CAB041316D294F993D21093841461563833DF5DDC59682FDF8E50A040AF00089B164278E15075BD0BC PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 72 06 8e a4 63 84 11 12-1d 78 ff 11 5f 40 ef d0 r...c....x.._@.. 0010 - 38 3b 02 93 5c e9 ae 5f-bd 74 b4 42 6b 9b 01 cd 8;..\.._.t.Bk... 0020 - e2 05 85 33 55 1b 6f e7-a1 bb 5b f6 fb 95 25 af ...3U.o...[...%. 0030 - a9 1d f3 79 c8 5d b6 10-04 fa ee 5b bf ac c7 bb ...y.].....[.... 0040 - e7 39 5a 49 c3 e4 b1 2d-0d a9 fe cf 5f 18 01 76 .9ZI...-...._..v 0050 - f0 74 31 51 94 36 b8 0f-70 5e 35 8e b4 fc 4a 25 .t1Q.6..p^5...J% 0060 - 75 bc 6e b6 6d 02 2e a1-63 13 a8 ae aa 21 5e 14 u.n.m...c....!^. 0070 - 9e a7 94 95 6f ac 4d df-bb 9b 0d 3a ba a6 37 3a ....o.M....:..7: 0080 - 09 59 26 a9 62 89 e0 f5-4a da 76 8d 41 f9 70 02 .Y&.b...J.v.A.p. 0090 - b6 0c bf 56 76 1a a7 99-a0 86 1c e0 e3 55 7f 2b ...Vv........U.+ 00a0 - 2b 70 b7 ae d3 dd c2 67-fb 2d 61 c3 f7 2f 6f bb +p.....g.-a../o. 00b0 - c0 76 7c a6 16 de 05 3c-16 e3 2a 26 75 30 17 54 .v|..........5.. 
0060 - ba 5b 12 2b ff 44 0e e7-52 7a c7 42 5a f1 71 27 .[.+.D..Rz.BZ.q' 0070 - b4 bb d0 44 fe da 63 cf-e4 4e 4d d7 50 1f 09 55 ...D..c..NM.P..U 0080 - ac 92 b1 11 02 63 0d 12-e4 51 13 2c db a9 e8 7e .....c...Q.,...~ 0090 - 54 72 7c eb 35 b9 36 d3-05 7a e6 df 44 b6 7c 78 Tr|.5.6..z..D.|x 00a0 - c3 74 d6 ac 04 a4 9a 6d-6c 46 df 34 80 e0 8f ce .t.....mlF.4.... 00b0 - 52 39 2f 37 ec 43 8c 65-f2 29 d3 7d c0 4d c3 02 R9/7.C.e.).}.M.. 00c0 - a8 fc a5 4d c4 55 77 31-34 20 e5 4a d8 10 95 c6 ...M.Uw14 .J.... 00d0 - a5 25 c3 57 d6 92 df 7a-b7 e3 90 ce 8b 99 e7 8c .%.W...z........ Start Time: 1751891526 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK +OK MDA server ready. It means everything is okey and ready to get USER , PASS and another verbs of POP3 protocol.
In machine B : mohsen@m:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995 40772B28757F0000:error:8000006E:system library:BIO_connect:Connection timed out:../crypto/bio/bio_sock2.c:114:calling connect() 40772B28757F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:116: connect:errno=110 And in machine C: mohsen@debian:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995 Connecting to 54.37.192.44 CONNECTED(00000003) depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 verify return:1 depth=1 C=US, O=Let's Encrypt, CN=E5 verify return:1 depth=0 CN=pahlevanzadeh.org verify return:1 --- Certificate chain 0 s:CN=pahlevanzadeh.org i:C=US, O=Let's Encrypt, CN=E5 a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384 v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT 1 s:C=US, O=Let's Encrypt, CN=E5 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1 a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT --- Server certificate -----BEGIN CERTIFICATE----- MIIDjzCCAxagAwIBAgISBfAG6EnNBxwMyTgidyRdr+nmMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF NTAeFw0yNTA3MDMxMzE5NDhaFw0yNTEwMDExMzE5NDdaMBwxGjAYBgNVBAMTEXBh aGxldmFuemFkZWgub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErVtD0AA6 BaATfUTG7qWpleN88HHQZ+SmlWlcEMLgYwKa6DPAhHfrHEZAjrU6+mk+lrBdTSpr RuKgOCyOcDYIb6OCAiAwggIcMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggr BgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUTaP3tk8u 8H1nH/BbBfySDX/nRY8wHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0w MgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5v cmcvMBwGA1UdEQQVMBOCEXBhaGxldmFuemFkZWgub3JnMBMGA1UdIAQMMAowCAYG Z4EMAQIBMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly9lNS5jLmxlbmNyLm9yZy8x MDMuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYA7TxL1ugGwqSiAFfbyyTi OAHfUS/txIbFcA8g3bc+P+AAAAGX0KcM/wAABAMARzBFAiEAzluaHjtzA30ftQDU 
+Cb5dnH+bXxGkjMD2WehMwyGGjkCIEurvvw15crGFbUFgNsicXHh8bp50KzjwNUU gzzKDX+CAHYAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAAAAGX0Kcc swAABAMARzBFAiEA3fVi/nyjaImFY6+onDBAI+1+jOieXzyQJUJ0ZEVYWZUCIGSF eP99MnyuXu+5TVK0VKGV+PL6kOw49f5ej7zdZA1DMAoGCCqGSM49BAMDA2cAMGQC MD/W3lbNC5UvdxL2tKGBJtIgSJtapSqe+GUNmZ3zfIw79pKB5DFwy1+EgO3xDzhu pQIwFkI9ZX0vn9SGhEnQ+2C4bopBmzApij454cU8rGNi7WmUMiksVoj0DkxVWbyb LWQL -----END CERTIFICATE----- subject=CN=pahlevanzadeh.org issuer=C=US, O=Let's Encrypt, CN=E5 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: ecdsa_secp256r1_sha256 Peer Temp Key: X25519, 253 bits --- SSL handshake has read 2409 bytes and written 1644 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Protocol: TLSv1.3 Server public key is 256 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- I have 2 serious question:
1. Why do I get two different results on the two machines B and C?
2. Why can't I connect to mail.pahlevanzadeh.org from machine C completely?
PersianGulf (11308 rep)
Jul 8, 2025, 10:33 AM
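The two transcripts in the question fail or succeed at different layers: one never gets past connect(), the other completes a TLS 1.3 handshake with a verified chain and goes on to receive the POP3 greeting. The following is an added example, not the poster's code and not part of OpenSSL: it reduces `openssl s_client` output to a summary (TCP outcome, negotiated protocol and cipher, verify verdict, leaf expiry, application banner) and turns that into triage findings, distinguishing a reachability failure from a certificate or protocol one. SAMPLE_TIMEOUT and SAMPLE_OK are constructed after the shapes shown in the post (same host name, validity dates and verdicts; the certificate body is omitted); POST_TIME is the question's date and LATER is an invented later date.

```python
"""Triage `openssl s_client` output.

Added example for the question above; not the poster's code and not part of
OpenSSL. The samples are constructed after the transcripts in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

POST_TIME = datetime(2025, 7, 8, 10, 33, tzinfo=timezone.utc)   # date of the question
LATER = POST_TIME + timedelta(days=100)                          # invented, after the leaf expires
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_TIMEOUT = """\
40772B28757F0000:error:8000006E:system library:BIO_connect:Connection timed out:../crypto/bio/bio_sock2.c:114:calling connect()
40772B28757F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:116:
connect:errno=110
"""

SAMPLE_OK = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = pahlevanzadeh.org
verify return:1
---
Certificate chain
 0 s:CN = pahlevanzadeh.org
   i:C = US, O = Let's Encrypt, CN = E5
   v:NotBefore: Jul  3 13:19:48 2025 GMT; NotAfter: Oct  1 13:19:47 2025 GMT
 1 s:C = US, O = Let's Encrypt, CN = E5
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
subject=CN = pahlevanzadeh.org
issuer=C = US, O = Let's Encrypt, CN = E5
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
+OK MDA server ready.
"""


@dataclass
class SClientSummary:
    connected: bool = False
    connect_error: str | None = None
    protocol: str | None = None
    cipher: str | None = None
    verify_code: int | None = None
    verify_text: str | None = None
    leaf_subject: str | None = None
    leaf_not_after: datetime | None = None
    banner: str | None = None


def parse_s_client(output: str) -> SClientSummary:
    """Pick the lines that matter out of s_client's chatter."""
    s = SClientSummary()
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("CONNECTED("):
            s.connected = True
        elif (m := re.search(r"BIO_connect:([^:]+):", line)) and s.connect_error is None:
            s.connect_error = m.group(1)                   # first connect error wins
        elif m := re.match(r"New, (\S+), Cipher is (\S+)", line):
            s.protocol, s.cipher = m.group(1), m.group(2)
        elif m := re.match(r"Verify return code: (\d+) \((.*)\)", line):
            s.verify_code, s.verify_text = int(m.group(1)), m.group(2)
        elif line.startswith("subject="):
            s.leaf_subject = line[len("subject="):]
        elif (m := re.search(r"NotAfter: (\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) GMT", line)) and s.leaf_not_after is None:
            # chain entry 0 (the leaf) is printed first, so the first NotAfter is the leaf's
            stamp = " ".join(m.group(1).split())
            s.leaf_not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif line.startswith("+OK"):
            s.banner = line
    return s


def triage(s: SClientSummary, now: datetime) -> list[str]:
    """Findings in the order an operator should look at them."""
    if not s.connected:
        why = s.connect_error or "unknown error"
        return [f"no TCP connection ({why}): a reachability question (routing, firewall, DNS) that is settled before TLS starts"]
    out: list[str] = []
    if s.verify_code is None:
        out.append("handshake did not reach a verify verdict")
    elif s.verify_code != 0:
        out.append(f"chain verification failed: {s.verify_code} ({s.verify_text})")
    if s.protocol in LEGACY:
        out.append(f"legacy protocol negotiated: {s.protocol}")
    if s.leaf_not_after is not None:
        days = (s.leaf_not_after - now).days
        if days < 0:
            out.append(f"leaf certificate expired {-days} days ago")
        elif days < 14:
            out.append(f"leaf certificate expires in {days} days")
    if s.banner:
        out.append(f"application greeting received after the handshake: {s.banner}")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_TIMEOUT, SAMPLE_OK):
        print(triage(parse_s_client(sample), POST_TIME))
```

Run it on the saved output of each machine; a "no TCP connection" finding on one machine and a clean handshake on another means the difference is in the network path between those machines and the server, not in the certificate.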
1 votes
1 answers
3784 views
Unable to establish FTPS connection with curl: "wrong version number" error across all TLS versions
I've looked at the related issues, but none of them have solved my issue. I'm trying to transfer files via FTP using curl to a server in my DMZ from an FTPS server on an EC2 server running vsftpd.

$ curl ftps://ec2-myserver.compute.amazonaws.com --verbose --tlsv1.1
* Rebuilt URL to: ftps://ec2-myserver.us-east-2.compute.amazonaws.com/
*   Trying ip_addr...
* TCP_NODELAY set
* Connected to ec2-myserver.us-east-2.compute.amazonaws.com (ip_addr) port ---- (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0

I can get the FTPS connection from Filezilla on a Windows server. I am getting the same error with every TLS version. I've tried enabling ssl3 on the vsftpd server, but it didn't solve it.
kroov (79 rep)
Jan 30, 2020, 01:17 PM • Last activity: Jul 3, 2025, 10:02 PM
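The error string in this post, and in the curl 7.58 proxy post earlier on this page, is raised by OpenSSL's record layer: after sending the ClientHello it read five bytes that were supposed to be a TLS record header (content type, two version bytes, length) and they were not, which is what happens when the peer on that port answers in something other than TLS (a plaintext greeting, an HTTP reply from a proxy). The following is an added example, not the poster's code and not from curl or OpenSSL: it reads whatever a server sends first and classifies it as a TLS record, a plaintext greeting or reply, silence, or other binary. For an FTP server the distinction matters because a greeting sent in clear means the port expects TLS to be started inside the protocol (what curl does for `ftp://` with `--ssl-reqd`), while `ftps://` expects TLS from the first byte. The byte strings in `demo()` are constructed; `peek_server_greeting` sends nothing and is for running against your own hosts.

```python
"""Classify the first bytes a server sends: TLS record or not.

Added example for the "wrong version number" posts on this page; not the
poster's code and not part of curl or OpenSSL. Samples in demo() are
constructed.
"""
from __future__ import annotations

import socket
import string

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD = 2**14 + 2048                      # largest TLSCiphertext length the record layer accepts
PRINTABLE = set(string.printable.encode("ascii"))


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received from a peer (or the first bytes of a capture)."""
    if not data:
        return "silence: the server waits for the client to speak first (TLS servers do, as does plaintext HTTP)"
    if len(data) >= 5:
        ctype, major, minor = data[0], data[1], data[2]
        length = int.from_bytes(data[3:5], "big")
        # A record header is content type, version 3.x, and a plausible length.
        if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and length <= MAX_RECORD:
            return f"tls {TLS_CONTENT_TYPES[ctype]} record (version bytes 3.{minor}, length {length})"
    if all(b in PRINTABLE for b in data):
        first = data.split(b"\r\n", 1)[0].decode("ascii").strip()
        if first[:3].isdigit() and first[3:4] in ("", " ", "-"):
            # "220 ..." style greeting (FTP, SMTP): the application protocol speaks first,
            # so TLS on this port has to be negotiated inside it (AUTH TLS / STARTTLS).
            return f"plaintext greeting {first!r}: this port expects explicit TLS, negotiated inside the protocol"
        if first.startswith("HTTP/"):
            return f"plaintext HTTP response {first!r}: an HTTP proxy or web server answered in clear"
        return f"plaintext {first!r}"
    return f"non-TLS binary data (starts with {data[:5].hex()})"


def peek_server_greeting(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, send nothing, and return what arrives first (b'' if the server
    stays silent until the timeout). Nothing is transmitted to the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(64)
        except socket.timeout:
            return b""


def demo() -> dict[str, str]:
    """Constructed samples: a ServerHello record, a TLS alert, an FTP greeting,
    an HTTP proxy reply, silence, and unrelated binary."""
    samples = {
        "server_hello": bytes.fromhex("160303004d") + b"\x02" * 77,
        "alert": bytes.fromhex("15030100020228"),
        "ftp_greeting": b"220 (vsFTPd 3.0.3)\r\n",
        "http_reply": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
        "silence": b"",
        "binary": bytes.fromhex("ff00010203"),
    }
    return {name: classify_first_bytes(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

Against a real host, `classify_first_bytes(peek_server_greeting(host, port))` tells you whether the port greets in clear before you try a TLS client against it.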
1 votes
1 answers
3604 views
How to disable TLS certificate validation in lynx?
I need to access some webpage for which the TLS certificate is invalid, but `lynx` refuses to connect. Is there an option similar to `curl -k` for `lynx`?

Here's the config file, as requested; the complete file (with comments) can be found [here](https://clbin.com/hxB4N).
ychaouche (1033 rep)
Jan 24, 2023, 11:21 AM • Last activity: Jun 30, 2025, 11:05 AM
3 votes
1 answers
3561 views
How can I install Fiddler ca-certificate on Ubuntu to decrypt HTTPS?
I am trying to get my Ubuntu machine to properly recognize and use the certificate from Fiddler as a trusted source so I can decrypt HTTPS traffic (specifically to google-analytics). I had this working once before, but have since had to reinstall Ubuntu and now have to set up Fiddler again. I can't remember what I did in the first place and I've spent the better part of today trying to figure it out.

I think I am inching closer to getting this certificate recognized. By that I mean that when I went to Google a few hours ago, while using Fiddler, I would see the 'Connection Not Secure' message, which I think means Google is just actively refusing to recognize Fiddler's certificate. Now I am getting a 'This Site Can't Be Reached' page (ERR_SOCKET_NOT_CONNECTED).

I have tried a number of different things today to try to get this to work, but this is what I did with my last attempt. I used THIS SITE as a jumping-off point to get Fiddler installed.

- Installed mono 4.8.0
- Did not run the `/usr/lib/mono//mozroots --import --sync` command from the Linux setup page, since when I tried I got a message in Terminal saying that mozroots is deprecated and to use client_sync instead. (client_sync seems to just update the mono cert store with whatever CRT file you pass to it.)
- Installed Fiddler (left it as default as I could, using 8888 as the listening port)
- Ticked the 'Decrypt HTTPS' box in Fiddler
- Exported the Fiddler certificate to the desktop
- Converted the CER cert file to PEM format (CRT specifically) with openssl (update-ca-certificates on Ubuntu needs a PEM-formatted cert file, and the CER file Fiddler exports is in a binary format.)
- Copied the CRT file to /usr/share/ca-certificates/
- From terminal ran `sudo dpkg-reconfigure ca-certificates` (clicked 'Ask' then 'OK'). This reconfigures ca-certificates, runs update-ca-certificates, and updates the mono cert store (by running client_sync from mono and passing it the updated ca-certificates.crt file that this process creates).

This places a PEM version of the Fiddler CRT file into /etc/ssl/ca-certificates/ and packages it into the bigger ca-certificates.conf file. This is pretty much where I am at right now. Turning Fiddler off, I can get to Google just fine; turning it on gives me the page I mentioned at the top of this post. I can see all other HTTP requests as expected.

When I got this to work last time, I was reading a lot of suggestions on the web for how to get a CA certificate installed on Ubuntu and tried to pick that trail up again, but everything I read has since blended together. I do vaguely remember importing the Fiddler cert file into Firefox as a Person, exporting that cert, then importing the file I just exported back into FF as a CA trusted root, then deleting the person cert that I installed in the first place. I think I then used the cert exported from FF to import into the system with `update-ca-certificates`. I have no idea if this was a critical step or not. I was also playing around with mitmproxy at the same time, which also needed a proxy; again, no idea if that helped the process at all. I am basically throwing things at a wall right now and seeing what sticks.
Ryan (31 rep)
Mar 25, 2017, 01:46 AM • Last activity: Jun 14, 2025, 08:08 AM
5 votes
1 answers
4259 views
SMTP Auth - SASL on Dovecot, Postfix and CentOS 6.2 (and Open-Xchange)
I am trying to get open SASL to work on CentOS 6.2. I followed this tutorial: http://wiki.centos.org/HowTos/postfix_sasl I suspect it works perfectly for CentOS 5.x, so all I really need is an update for use on CentOS 6.2. I was feeling confident right up until I discovered halfway through that dovecot.conf goes mad with these settings. This link recommends that people running CentOS 6 use a different method: http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL Neither of the methods outlined in these links works. Also, I don't know how to get Open-Xchange to use SMTP authentication. It seems to be very poorly documented, and their CE forum is not letting me post, nor is it showing much activity at all.
conners (203 rep)
May 9, 2012, 01:04 PM • Last activity: Jun 12, 2025, 12:05 AM
1 votes
1 answers
1982 views
How do I resolve a TLS Error associated with smtpd?
I found the following in the logs:

```
sssd_kcm: Starting up
postfix/submission/smtpd: initializing the server-side TLS engine
postfix/submission/smtpd: connect from unknown[::1]
postfix/submission/smtpd: warning: connect to Milter service unix:/run/spamass-milter/spamass-milter.sock: No such file or directory
postfix/submission/smtpd: setting up TLS connection from unknown[::1]
postfix/submission/smtpd: unknown[::1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/submission/smtpd: SSL_accept:before SSL initialization
postfix/submission/smtpd: SSL_accept:before SSL initialization
postfix/submission/smtpd: SSL_accept:SSLv3/TLS read client hello
postfix/submission/smtpd: SSL_accept:SSLv3/TLS write server hello
postfix/submission/smtpd: SSL_accept:SSLv3/TLS write change cipher spec
postfix/submission/smtpd: SSL_accept:TLSv1.3 write encrypted extensions
postfix/submission/smtpd: SSL_accept:SSLv3/TLS write certificate
postfix/submission/smtpd: SSL_accept:TLSv1.3 write server certificate verify
postfix/submission/smtpd: SSL_accept:SSLv3/TLS write finished
postfix/submission/smtpd: SSL_accept:TLSv1.3 early data
postfix/submission/smtpd: SSL3 alert read:fatal:bad certificate
postfix/submission/smtpd: SSL_accept:error in error
postfix/submission/smtpd: SSL_accept error from unknown[::1]: -1
postfix/submission/smtpd: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1586:SSL alert number 42:
postfix/submission/smtpd: lost connection after STARTTLS from unknown[::1]
postfix/submission/smtpd: disconnect from unknown[::1] ehlo=1 starttls=0/1 commands=1/2
```

Those two lines show up any time a user presses a "Password reset" button on a user authentication form. This is happening on all Django projects hosted on a VPS at the moment. Consequently, the server does not send the email that initiates the reset. Instead, users see "Server Error (500)" in the browser. This phenomenon is new.

The pages were working months before. The log entries seem to suggest that the certificates are bad. I have renewed all certs on that server in an attempt to resolve the issue, but it persists. Note that mail submission via remote and local clients is working perfectly. I would appreciate guidance on how to remedy the situation.

**# postconf | grep cert | grep smtp**

```
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_fingerprint_cert_match =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_verify_cert_match = hostname
smtpd_tls_ask_ccert = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/letsencrypt/live/site.com/fullchain.pem
smtpd_tls_dcert_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_req_ccert = no
tlsproxy_client_cert_file = $smtp_tls_cert_file
tlsproxy_client_dcert_file = $smtp_tls_dcert_file
tlsproxy_client_eccert_file = $smtp_tls_eccert_file
tlsproxy_client_scert_verifydepth = $smtp_tls_scert_verifydepth
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
```
twohot (11 rep)
Oct 3, 2023, 11:50 AM • Last activity: May 28, 2025, 02:04 AM
0 votes
1 answers
210 views
Is TLS-level compression with Apache possible?
Apache2 can transfer compressed data by using the deflate filter. However, it does HTTP-level compression: it sends back a compressed response and signals this in the response headers so that clients deal with it accordingly. However, this is not what I want. Besides the https-level compression, TLS also has a compression feature (for example, here it is visible in the mbedtls API). Can I somehow set up Apache to compress the SSL transfers with that, and not at the HTTP level?
peterh (10448 rep)
Nov 20, 2019, 10:03 AM • Last activity: May 22, 2025, 03:30 AM
1 votes
2 answers
2405 views
IMAP Dovecot cannot connect
I am trying to set up my own mail server (for 'fun'). I followed this tutorial to the bone. But I get this error message:

```
imap-login: Disconnected (auth failed, 2 attempts in 9 secs): user=, method=PLAIN, rip=203.210.7.43, lip=1.2.3.4, TLS: Disconnected, session=
```

I am using the SSL certificate and key I have for my nginx web server, on the same machine. I disabled plaintext authentication by adding these two lines (as per the tutorial) to /etc/dovecot/conf.d/10-auth.conf:

```
disable_plaintext_auth = yes
auth_mechanisms = plain login
```

But the method in the log entry still says PLAIN, and TLS is Disconnected. Could that be an issue? There are too many configurations to post them all here. If you think you need more information, please tell me which parts and I will update my question.
dayuloli (537 rep)
Jan 28, 2015, 08:19 AM • Last activity: May 21, 2025, 03:01 PM
5 votes
1 answers
4888 views
All TLS requests giving Peer's certificate issuer has been marked as not trusted by the user
When I try an https request to google.com, I just recently started seeing

```shell
[root@ip-172-31-47-76 ~]# curl -I -v https://google.com
* Rebuilt URL to: https://google.com/
*   Trying 216.58.193.78...
* TCP_NODELAY set
* Connected to google.com (216.58.193.78) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
*       start date: Feb 20 14:17:23 2018 GMT
*       expire date: May 15 14:08:00 2018 GMT
*       common name: *.google.com
*       issuer: CN=Google Internet Authority G2,O=Google Inc,C=US
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* stopped the pause stream!
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: https://curl.haxx.se/docs/sslcerts.html
```

This is affecting my ability to update the system as yum update requests fail as well. I've tried reimporting my certificates using the instructions on this page: https://access.redhat.com/solutions/1549003 . I've also tried manually adding the Google cert using the instructions here: https://curl.haxx.se/docs/sslcerts.html . Neither worked.

I'm not sure if it's related, but I tried troubleshooting further with the certutil utility, but that can't be run:

```shell
[root@ip-172-31-47-76 ~]# certutil
certutil: /usr/local/firefox/libnss3.so: version `NSS_3.30' not found (required by certutil)
```

Not quite sure what happened here, but I would appreciate any help. This is using an Amazon Linux image.
Travis (51 rep)
Mar 8, 2018, 06:57 PM • Last activity: May 20, 2025, 02:01 AM
14 votes
2 answers
21706 views
Is it possible to use TLSv1.3 in Apache 2.4
Is it possible to use **TLSv1.3** in Apache2.4? As of October 2015, TLS 1.3 is a working draft, i.e. [TLSv1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#Description).
Vim (229 rep)
Jan 3, 2016, 01:54 AM • Last activity: May 12, 2025, 08:59 AM
0 votes
1 answers
2447 views
Session id using curl_7_35
I want to use `curl` to get the session ID. Is there any way to get the session ID using `curl`? I was using OpenSSL to capture the session ID before. Now I don't want to use it. I tried to send this command:

```shell
curl_7_35_0 -v -k -tls1.2 --sessionid 'not_sure_what_to_use_here' https://30.1.1.101/ssl_ecdhe.txt
```
Am I missing something here? If yes, please do let me know. Output with OpenSSL is:
```shellsession
Cli31(runs)# /usr/local/ssl/bin/openssl s_client -connect 30.1.1.101:443 -tls1_2 -servername 20.1.1.1 -reconnect -crlf

CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Jose, O = A10Networks Inc., OU = QA, CN = www.automationserver.com, emailAddress = info@a10networks.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Jose, O = A10Networks Inc., OU = QA, CN = www.automationserver.com, emailAddress = info@a10networks.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Jose/O=A10Networks Inc./OU=QA/CN=www.automationserver.com/emailAddress=info@a10networks.com
   i:/C=US/ST=California/L=San Jose/O=A10Networks Inc./OU=QA/CN=www.automationserver.com/emailAddress=info@a10networks.com
---
Server certificate
subject=/C=US/ST=California/L=San Jose/O=A10Networks Inc./OU=QA/CN=www.automationserver.com/emailAddress=info@a10networks.com
issuer=/C=US/ST=California/L=San Jose/O=A10Networks Inc./OU=QA/CN=www.automationserver.com/emailAddress=info@a10networks.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1010 bytes and written 475 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
drop connection and then reconnect
CONNECTED(00000003)
---
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: 0AABABCBB2C24ABD3D5BD4B84A1914EC563E3D518108A89487A6B056BB879CC4
    Session-ID-ctx: 
    Master-Key: BCD8B034C67DB603132FB69295FEB996628502A08BE9E58BAF03D365A8FFCC03E117A4D836BB782AAA2D65424686BB2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503310272
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
GET /ssl_ecdhe.txt HTTP/1.0

read:errno=104
```
metadata (111 rep)
Aug 21, 2017, 10:19 AM • Last activity: May 3, 2025, 11:02 AM
1 votes
1 answers
2381 views
How to enable TLSv1.3 in Centos with Apache2
I am using CentOS 5 with Apache2. Into an additional config file, /etc/apache2/conf/extra/ssl.conf, I have put these lines:

```
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
```

I still can't enable TLSv1.3. The error when restarting the service says:

> Starting httpd: Syntax error on line 113 of /etc/apache2/conf/extra/ssl.conf:
> SSLProtocol: Illegal protocol 'TLSv1.3'

---

System: CentOS 5.11 (Final). OpenSSL: 1.1.1a 20 Nov 2018.
jonathan (11 rep)
Jan 22, 2019, 10:41 AM • Last activity: May 2, 2025, 05:07 PM