Logging TLS handshake? (OpenSSL/Mysql) Fatal Protocol Version (70)

I am getting an error instead of a Server Hello in the server handshake: an alert, protocol version, with error 70. The SSL layer description shows description 70 (https://tools.ietf.org/html/rfc5246), which describes a version mismatch.

I cloned the server, uninstalled MySQL 8 and installed 5.7, and it works fine.
It looks like the exact same Client Hello is offered to both servers, but the MySQL 8 server rejects the version.

Here is a screenshot of the 2 pcaps: https://imgur.com/JwgOHqN

I am unsure how to log the processes (OpenSSL or MySQL) to see what version the client (Google Apps JDBC) is offering, or how to dissect the pcap beyond Wireshark screenshot comparisons.

There are open bug tickets about this on the Google Apps site, but none detailing the TLS handshake causing the failure.

Any ideas on how to troubleshoot this? Enable logging? Dissect the pcap more?
I already enabled all the mysql logs I can find. No info in them.

I want to post about it with a detailed “Google, you are offering this JDBC version but MySQL 8 requires this version” instead of just “it don’t work”.
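As an added example (not from the question), a small Python decoder for the two TLS records the question is about: the alert record (level and description, where 70 is protocol_version per RFC 5246) and the versions a ClientHello actually offers, which for a TLS 1.3 capable client live in the supported_versions extension (type 43, RFC 8446) rather than in the record or legacy_version fields. The sample records are constructed here and are not from the poster's pcap; on a real capture you would feed it the bytes of each TLS record.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}
SUPPORTED_VERSIONS_EXT = 43          # extension type from RFC 8446

def parse_record(data):
    """Split one TLS record into (content_type, record_version, body)."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return ctype, version, data[5:5 + length]

def parse_alert(data):
    """Return (level, description) names for an alert record (content type 21)."""
    ctype, _, body = parse_record(data)
    if ctype != 21 or len(body) != 2:
        raise ValueError("not a TLS alert record")
    level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
    return level, ALERT_NAMES.get(body[1], str(body[1]))

def offered_versions(data):
    """Versions a ClientHello offers: supported_versions if present, else legacy_version."""
    ctype, _, body = parse_record(data)
    if ctype != 22 or body[0] != 1:              # handshake record, ClientHello type
        raise ValueError("not a ClientHello record")
    hs = body[4:]                                # skip handshake type + 3-byte length
    versions = [struct.unpack("!H", hs[:2])[0]]  # legacy_version
    pos = 35 + hs[34]                            # skip legacy_version, random, session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                           # compression_methods
    if pos < len(hs):                            # optional extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                n = hs[pos]                      # byte length of the version list
                versions = [struct.unpack("!H", hs[pos + 1 + i:pos + 3 + i])[0] for i in range(0, n, 2)]
            pos += elen
    return [VERSION_NAMES.get(v, hex(v)) for v in versions]

# Constructed sample records (not the poster's capture). Randoms are all-zero for brevity.
ALERT_70 = bytes.fromhex("15 0303 0002 02 46")       # alert, fatal (2), protocol_version (70)
OLD_CLIENT = bytes.fromhex(                          # TLS 1.0-only ClientHello, no extensions
    "16 0301 002d" "01 000029" "0301" + "00" * 32 + "00" "0002 c02f" "01 00")
NEW_CLIENT = bytes.fromhex(                          # legacy_version 1.2, supported_versions 1.3, 1.2
    "16 0301 0038" "01 000034" "0303" + "00" * 32 + "00" "0002 c02f" "01 00"
    "0009" "002b 0005" "04 0304 0303")
```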

tls – SSL handshake – what is the purpose of the finishedClient message?

I am having some difficulties in understanding why the finishedClient message is needed.

In case an attacker attempts an attack like a replay attack, it will immediately show that the attacker wasn’t able to derive the correct set of keys.

However, this would be evident even without this message as the attacker wouldn’t be able to encrypt and decrypt messages.

Is that the reason for this message, or is there another reason? What can we learn from this message that we wouldn’t have learned without it?
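As an added example, not part of the question: the TLS 1.2 Finished computation from RFC 5246 (section 7.4.9), run on constructed stand-in values rather than real handshake bytes. It shows what the message adds beyond "the peer can encrypt": verify_data is keyed by the master secret and covers a hash of every handshake message, so a peer also learns that both sides saw the same handshake.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF for SHA-256 cipher suites: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)

def finished_verify_data(master_secret, handshake_messages, from_client=True):
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0..11]."""
    label = b"client finished" if from_client else b"server finished"
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return prf(master_secret, label, transcript_hash, 12)

def server_accepts_client_finished(master_secret, received, server_view):
    """The server recomputes verify_data over the handshake messages *it* saw and compares
    in constant time. A mismatch means the peer lacks the master secret, or the two sides
    saw different handshake messages (something was altered in flight)."""
    expected = finished_verify_data(master_secret, server_view, from_client=True)
    return hmac.compare_digest(received, expected)

# Constructed stand-ins (not real handshake bytes): a 48-byte master secret and a transcript.
MASTER_SECRET = hashlib.sha384(b"constructed master secret").digest()   # 48 bytes, as in TLS
CLIENT_VIEW = [
    b"ClientHello: version=TLS1.2 suites=[ECDHE-RSA-AES128-GCM-SHA256, RSA-AES128-CBC-SHA]",
    b"ServerHello: version=TLS1.2 suite=ECDHE-RSA-AES128-GCM-SHA256",
    b"Certificate: ...", b"ServerKeyExchange: ...", b"ServerHelloDone",
    b"ClientKeyExchange: ...",
]
# What the server would have seen had the ClientHello been altered on the way in (the
# stronger suite removed): key derivation does not depend on that list, so both ends
# hold the same keys, yet the client's Finished no longer verifies against this view.
TAMPERED_VIEW = [CLIENT_VIEW[0].replace(b"ECDHE-RSA-AES128-GCM-SHA256, ", b"")] + CLIENT_VIEW[1:]
```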

How does the server get the correct MSS value in the TCP three-way handshake

When the client establishes a TCP connection with the server, it will report its MSS value during the third handshake. According to my understanding, the MSS value should be obtained by subtracting 40 from the MTU value of its interface. If the MTU value of the client interface is 1500, its MSS value to the server is 1460, which is OK at the client.

What I find confusing is that the MSS given by the server to the client seems to dynamically sense the minimum MTU between the server and the client and then subtract 40. For example, if I change the MTU of the router interface between the client and the server to 1400, the MSS given by the server to the client would be 1360.

I know that it is possible to detect changes through PMTUD after establishing a TCP connection, but this is happening during the TCP three-way handshake, and the server gets the correct MSS value. How is this happening?

ipsec – ikev2 handshake : 4 or 8 packets?

(Unlike IKEv1) the IKEv2 exchange is variable. At best, it can exchange as few as four packets. At worst, this can increase to as many as 30 packets (if not more), depending on the complexity of authentication, the number of Extensible Authentication Protocol (EAP) attributes used, as well as the number of SAs formed.

So, eight packets is within acceptable range for an IKEv2 negotiation.

usb connection mode – Heimdall gives ERROR: Failed to receive handshake response. Result: -7 on Samsung J5 (2016)

I am trying to connect to a Samsung J5 (2016) SM-J510FN, using Linux Ubuntu 20.04 (libusb-1.0.0), to flash a TWRP image using Heimdall v1.4.2 (built from master a2cfdaa).

I have set up udev based on the git repository android-udev-rules.

The phone has USB debugging on and OEM unlock, and I am using Samsung cables for the connection.

The phone is visible in lsusb both in normal OS boot and in download mode.

Normal Boot:
Bus 001 Device 096: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode)

Download mode / Odin mode:
Bus 001 Device 097: ID 04e8:685d Samsung Electronics Co., Ltd GT-I9100 Phone (Galaxy S II)(Download mode)

Running heimdall print-pit works without problems. But then:

heimdall flash --RECOVERY twrp-3.4.0-0-j5nlte.img  --stdout-errors --verbose --no-reboot

Initialising protocol...
ERROR: Failed to receive handshake response. Result: -7
ERROR: Failed to receive handshake response. Result: -7
ERROR: Protocol initialisation failed!

ERROR: Protocol initialisation failed!

Releasing device interface...

My computer only has USB 3.0, but I also tried with a port hub for USB 2.0; this looks like issue #209.

Any ideas or tips on how to solve this problem?!

14.04 – gnutls_handshake() failed: Handshake failed when doing a git fetch from Bitbucket

Our server version is Ubuntu 14.04.

When doing a

sudo git fetch

I get the following error:

fatal: unable to access 'https://bitbucket.org/my-account/my-repo.git/': gnutls_handshake() failed: Handshake failed

I’ve tried the solutions at fatal: unable to access “…”: gnutls_handshake() failed: Handshake failed but none of them worked:

  1. Use SSH instead of HTTPS
  2. Update CURL

I didn’t try recompiling Git, because it used to work and I’m trying to keep the maintenance of the server as simple as possible.

GIT_CURL_VERBOSE=1 git ls-remote https://bitbucket.org/
* Couldn't find host bitbucket.org in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 104.192.141.1...
* Connected to bitbucket.org (104.192.141.1) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* gnutls_handshake() failed: Handshake failed
* Closing connection 0
fatal: unable to access 'https://bitbucket.org/': gnutls_handshake() failed: Handshake failed

What has changed to break Git, and how can I fix this simply?

ubuntu – OpenVPN – TLS Error: TLS handshake failed

I have set up an OpenVPN server, but when I try to connect I get this error: TLS Error: TLS handshake failed.

I will try to make a very detailed description of the configuration I made.

I am on a Windows 10 Pro machine and I run VirtualBox, on which I installed an Ubuntu Server 20.
I set up a bridged network connection for this virtual machine and a static IP for this VM; here is the netplan config file:

network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s3:
      dhcp4: no
      addresses:
        - 192.168.1.30/24
      gateway4: 192.168.1.1
      nameservers:
        addresses: [192.168.1.1, 1.1.1.1]

I used this script to install and configure the OpenVPN server on my Ubuntu virtual machine: https://github.com/angristan/openvpn-install

Here are the detailed answers I gave when launching the install script:

IP address: 192.168.1.30
Public IPv4 address or hostname: XXX.XXX.XXX.XXX (my public IP address)
Do you want to enable IPv6 support (NAT)? (y/n): n

What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random (49152-65535)
Port choice (1-3): 1

UDP is faster. Unless it is not available, you shouldn't use TCP.
 1) UDP
 2) TCP
 Protocol (1-2): 1

What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
(1-12): 1

Enable compression? (y/n): n

Customize encryption settings? (y/n): n

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: client

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option (1-2): 1

Here is the server conf file generated:

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_BsZeqkP3kaxXmzMY.crt
key server_BsZeqkP3kaxXmzMY.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
log /var/log/openvpn/access.log
verb 3

Here is the client conf file generated:

client
proto udp
explicit-exit-notify
remote XXX.XXX.XXX.XXX (my public IP address) 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_BsZeqkP3kaxXmzMY name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

Then I export my client.ovpn file to my Windows machine and import the file in this OpenVPN client: https://openvpn.net/client-connect-vpn-for-windows/

When I try to connect it fails, and I get these logs on the server:

Fri Nov  6 21:25:02 2020 XXX.XXX.XXX.XXX:59885 TLS: Initial packet from (AF_INET)XXX.XXX.XXX.XXX:59885, sid=5c6aeba5 5aa38cbe
Fri Nov  6 21:25:36 2020 XXX.XXX.XXX.XXX:59884 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov  6 21:25:36 2020 XXX.XXX.XXX.XXX:59884 TLS Error: TLS handshake failed
Fri Nov  6 21:25:36 2020 XXX.XXX.XXX.XXX:59884 SIGUSR1(soft,tls-error) received, client-instance restarting
Fri Nov  6 21:25:44 2020 XXX.XXX.XXX.XXX:55880 TLS: Initial packet from (AF_INET)XXX.XXX.XXX.XXX:55880, sid=9bf3110e b1f25a43
Fri Nov  6 21:26:02 2020 XXX.XXX.XXX.XXX:59885 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Nov  6 21:26:02 2020 XXX.XXX.XXX.XXX:59885 TLS Error: TLS handshake failed
Fri Nov  6 21:26:02 2020 XXX.XXX.XXX.XXX:59885 SIGUSR1(soft,tls-error) received, client-instance restarting

Here is my client log file:

06/11/2020 à 21:28:41 OpenVPN core 3.git::662eae9a win x86_64 64-bit built on Oct 27 2020 12:49:07
06/11/2020 à 21:28:41 Frame=512/2048/512 mssfix-ctrl=1250
06/11/2020 à 21:28:41 UNUSED OPTIONS
2 (explicit-exit-notify) 
5 (resolv-retry) (infinite) 
6 (nobind) 
7 (persist-key) 
8 (persist-tun) 
10 (verify-x509-name) (server_BsZeqkP3kaxXmzMY) (name) 
12 (auth-nocache) 
14 (tls-client) 
16 (tls-cipher) (TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256) 
17 (ignore-unknown-option) (block-outside-dns) 
18 (block-outside-dns) 
19 (verb) (3) 
06/11/2020 à 21:28:41 EVENT: RESOLVE
06/11/2020 à 21:28:41 EVENT: WAIT
06/11/2020 à 21:28:41 Contacting XXX.XXX.XXX.XXX:1194 via UDP
06/11/2020 à 21:28:41 WinCommandAgent: transmitting bypass route to XXX.XXX.XXX.XXX
{
    "host" : "XXX.XXX.XXX.XXX",
    "ipv6" : false
}

06/11/2020 à 21:28:41 Connecting to (XXX.XXX.XXX.XXX):1194 (XXX.XXX.XXX.XXX) via UDPv4
06/11/2020 à 21:28:41 EVENT: CONNECTING
06/11/2020 à 21:28:41 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth (null-digest),keysize 128,key-method 2,tls-client
06/11/2020 à 21:28:41 Creds: UsernameEmpty/PasswordEmpty
06/11/2020 à 21:28:41 Peer Info:
IV_VER=3.git::662eae9a
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.2.2-1455
IV_SSO=openurl

06/11/2020 à 21:29:21 Session invalidated: KEEPALIVE_TIMEOUT
06/11/2020 à 21:29:21 Client terminated, restarting in 2000 ms...
06/11/2020 à 21:29:23 EVENT: RECONNECTING
06/11/2020 à 21:29:23 EVENT: RESOLVE
06/11/2020 à 21:29:23 Contacting XXX.XXX.XXX.XXX:1194 via UDP
06/11/2020 à 21:29:23 WinCommandAgent: transmitting bypass route to XXX.XXX.XXX.XXX
{
    "host" : "XXX.XXX.XXX.XXX",
    "ipv6" : false
}

06/11/2020 à 21:29:23 EVENT: WAIT
06/11/2020 à 21:29:23 Connecting to (XXX.XXX.XXX.XXX):1194 (XXX.XXX.XXX.XXX) via UDPv4
06/11/2020 à 21:29:23 EVENT: CONNECTING
06/11/2020 à 21:29:23 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-128-GCM,auth (null-digest),keysize 128,key-method 2,tls-client
06/11/2020 à 21:29:23 Creds: UsernameEmpty/PasswordEmpty
06/11/2020 à 21:29:23 Peer Info:
IV_VER=3.git::662eae9a
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_IPv6=0
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.2.2-1455
IV_SSO=openurl

06/11/2020 à 21:29:41 EVENT: CONNECTION_TIMEOUT
06/11/2020 à 21:29:41 EVENT: DISCONNECTED

I tried changing the IP address in my client config file to the IP of my VirtualBox machine where the OpenVPN server is (192.168.1.30), and when I try to connect with this change it works. So it seems that if I connect from a computer that is on the same local network as my server it works, but if I try to connect via the WAN it doesn’t work.

Any idea what could be the problem? Thank you in advance.