
How can I debug a curl error further when the Apache error.log is not showing anything?

(35) gnutls_handshake() failed: An unexpected TLS packet was received.

curl -v https://example.com
* Rebuilt URL to: https://example.com/
*   Trying 127.0.0.1...
* Connected to example.com(127.0.0.1) port 443 (#0)
* found 151 certificates in /etc/ssl/certs/ca-certificates.crt
* found 612 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0

Ubuntu 16.04, apache2 working with SSL.

UPDATE:

echo | openssl s_client -connect example.com:443

CONNECTED(00000003)
139626124003072:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531383152
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

UPDATE2 - SOLVED

Had a blank line in my chain file and RootCA was not properly installed on the server I run the openssl command from.

Markus
  • Try with `openssl s_client`. What does it say? TLS errors come before the HTTP stuff, so they do not necessarily show in Apache logfiles, and TLS errors are notoriously cryptic to debug. Alternatively, launch a network sniffer like Wireshark. Anything special for your website? Static pages? Some application? What are your Apache TLS configuration directives? Did you try changing them? – Patrick Mevzek Jul 11 '18 at 16:12
  • Are you sure that port 443 is an SSL-encrypted port? Not a non-encrypted one? – Dom Jul 11 '18 at 17:24
  • Thanks. I'm running Drupal 7 which works fine with **https** so I thought all was good but I ran `echo | openssl s_client -connect example.com:443` (see Update above) which now I think looks like certificates are not being sent properly? Checking my configuration now. – Markus Jul 12 '18 at 08:26
  • Should have added that it mentioned **depth=1** which I understand is the 2nd cert being the intermediate one causing troubles from my chain file, which is strange as it's the same as in my other server config where it's working just fine. Bit stuck here. – Markus Jul 12 '18 at 11:47
  • Figured it out, RootCA was not properly installed, working now. – Markus Jul 12 '18 at 13:59
  • If you've solved this yourself, please write an answer and mark it as accepted. Without it, people will still think you need help. – Michael Hampton Jul 12 '18 at 15:39
  • Sorry I had updated my question but will post the answer shortly as well, thanks – Markus Jul 12 '18 at 15:43

1 Answer

I had a blank line in my chain file and RootCA was not properly installed on the server that I run the openssl command from. Once fixed, curl was working fine.

Markus
  • For future reference, when you see *New, (NONE), Cipher is (NONE)* in `openssl` output it means, despite it saying TLSv1.2 a few lines below, that the TLS handshake was **not** successful, whatever the problem on the client side, server side or both. – Patrick Mevzek Jul 12 '18 at 19:14
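Both the accepted answer (a blank line inside the chain file) and Patrick Mevzek's comment (`Cipher is (NONE)` means the handshake failed, whatever the `Protocol` line says) describe checks that can be automated. The script below is an added example, not code from the question, the answer or Apache; `lint_pem_chain`, `handshake_verdict`, the dummy certificate payloads and the sample chain files are constructed here for illustration (the "certificates" are minimal DER blobs, not real certificates), and the `s_client` sample is assembled from the lines quoted in the question above.

```python
"""Added diagnostic helpers for this thread (constructed example, not the asker's code).

lint_pem_chain()    - structural check of a PEM chain file: blank lines inside a
                      certificate block, base64 that does not decode, payloads that
                      do not start with a DER SEQUENCE.
handshake_verdict() - scan `openssl s_client` / `curl -v` output for the markers
                      that mean the TLS handshake never completed, e.g.
                      "New, (NONE), Cipher is (NONE)", regardless of the Protocol line.
"""
import base64
import binascii
import re
from typing import Dict, List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Strings whose presence shows the handshake did not complete.
FAILURE_MARKERS = (
    "Cipher is (NONE)",           # s_client: no cipher suite was agreed
    "no peer certificate available",
    "wrong version number",       # OpenSSL: the record header read did not carry a TLS version
    "gnutls_handshake() failed",  # curl linked against GnuTLS
)


def lint_pem_chain(text: str) -> Dict[str, object]:
    """Return {"certificates": n, "problems": [...]} for a PEM bundle."""
    problems: List[str] = []
    certs = 0
    in_block = False
    body: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line == BEGIN:
            if in_block:
                problems.append(f"line {lineno}: BEGIN inside an unclosed block")
            in_block, body = True, []
        elif line == END:
            if not in_block:
                problems.append(f"line {lineno}: END without a matching BEGIN")
                continue
            certs += 1
            in_block = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"block ending at line {lineno}: invalid base64")
                continue
            # A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append(f"block ending at line {lineno}: payload is not DER")
        elif in_block:
            if not line:
                problems.append(f"line {lineno}: blank line inside a certificate block")
            else:
                body.append(line)
    if in_block:
        problems.append("file ends inside an unclosed certificate block")
    return {"certificates": certs, "problems": problems}


def handshake_verdict(output: str) -> Dict[str, object]:
    """Classify client diagnostic output; a Protocol line alone is not proof of success."""
    markers = [m for m in FAILURE_MARKERS if m in output]
    proto = re.search(r"Protocol\s*:\s*(\S+)", output)
    return {
        "handshake_completed": not markers,
        "markers": markers,
        "protocol_line": proto.group(1) if proto else None,
    }


# --- constructed samples (dummy payloads, not real certificates) ---
def _fake_pem(payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    return f"{BEGIN}\n{b64}\n{END}\n"

# Minimal DER SEQUENCE so the structural check passes; a real cert is far longer.
GOOD_CHAIN = _fake_pem(b"\x30\x03\x02\x01\x01") * 2
# The asker's defect: a blank line in the middle of a certificate block.
BAD_CHAIN = f"{BEGIN}\nMAMC\n\nAQE=\n{END}\n" + _fake_pem(b"\x30\x03\x02\x01\x01")

# Lines taken from the s_client output quoted in the question above.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
139626124003072:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    print(lint_pem_chain(GOOD_CHAIN))
    print(lint_pem_chain(BAD_CHAIN))
    print(handshake_verdict(S_CLIENT_OUTPUT))
```

To use it on a real deployment, read the file named in `SSLCertificateChainFile` (or the combined `SSLCertificateFile`) into `lint_pem_chain`, and pipe `echo | openssl s_client -connect host:443` into `handshake_verdict`; the structural lint deliberately stops short of validating the chain itself, which is a job for `openssl verify` with the proper root store.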