How to debug curl? gnutls_handshake failed - unexpected TLS packet (OpenSSL)
I had a blank line in my chain file and RootCA was not properly installed on the server that I run the openssl command from. Once fixed, curl works fine.
Author: Markus
Updated on September 18, 2022
Comments
-
Markus over 1 year
How can I debug curl error further when Apache error.log is not showing any?
(35) gnutls_handshake() failed: An unexpected TLS packet was received.
curl -v https://example.com
* Rebuilt URL to: https://example.com/
* Trying 127.0.0.1...
* Connected to example.com(127.0.0.1) port 443 (#0)
* found 151 certificates in /etc/ssl/certs/ca-certificates.crt
* found 612 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
Ubuntu 16.04, apache2 working with SSL.
UPDATE:
echo | openssl s_client -connect example.com:443
CONNECTED(00000003)
139626124003072:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1531383152
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
UPDATE2 - SOLVED
Had a blank line in my chain file and RootCA was not properly installed on the server I run the openssl command from.
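The fix reported above was a stray blank line in the chain file. A structural check for that, as an added example that is not part of the original post: `lint_pem_chain`, `_fake_block` and the sample chains are hypothetical names, and the sample blocks are constructed stand-ins, not real certificates. It checks PEM framing only, not signatures or trust.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def lint_pem_chain(text):
    """Return (certificate_count, problems) for the text of a PEM chain file."""
    problems, count = [], 0
    label, body, start = None, [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            where = "inside a PEM block" if label else "between PEM blocks"
            problems.append(f"line {no}: blank line {where}")
        elif m := BEGIN.match(line):
            if label:
                problems.append(f"line {no}: BEGIN before END of block at line {start}")
            label, body, start = m.group(1), [], no
        elif m := END.match(line):
            if label != m.group(1):
                problems.append(f"line {no}: END {m.group(1)} without matching BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    if der[:1] != b"\x30":  # DER certificates open with a SEQUENCE tag
                        problems.append(f"line {start}: body is not a DER SEQUENCE")
                    elif label == "CERTIFICATE":
                        count += 1
                except ValueError:  # binascii.Error is a ValueError subclass
                    problems.append(f"line {start}: body is not valid base64")
            label = None
        elif label:
            body.append(line)
        else:
            problems.append(f"line {no}: text outside any PEM block")
    if label:
        problems.append(f"line {start}: block opened here is never closed")
    return count, problems

def _fake_block(fill):
    """Constructed stand-in for a certificate: valid PEM framing, dummy body."""
    body = base64.b64encode(b"\x30\x82" + fill * 40).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

GOOD_CHAIN = _fake_block(b"A") + _fake_block(b"B")         # constructed sample
BAD_CHAIN = _fake_block(b"A") + "\n" + _fake_block(b"B")   # stray blank line
```

To check a real file, pass its contents: `lint_pem_chain(open(path).read())`, where `path` is your chain file.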
-
Patrick Mevzek almost 6 years
Try with openssl s_client. What does it say? TLS errors come before HTTP stuff so it can not necessarily show in Apache logfiles, and TLS errors are notoriously cryptic to debug. Alternatively, launch a network sniffer like Wireshark. Anything special for your website? Static pages? Some application? What are your Apache TLS configuration directives? Did you try changing them?
-
Dom almost 6 years
Are you sure that port 443 is an SSL encrypted port? Not a non-encrypted one?
-
Markus almost 6 years
Thanks. I'm running Drupal 7 which works fine with https so I thought all was good but I ran echo | openssl s_client -connect example.com:443 (see Update above) which now I think looks like certificates are not being sent properly? Checking my configuration now.
-
Markus almost 6 years
Should have added that it mentioned depth=1 which I understand is the 2nd cert being the intermediate one causing troubles from my chain file, which is strange as it's the same as in my other server config where it's working just fine. Bit stuck here.
-
Markus almost 6 years
Figured it out, RootCA was not properly installed, working now.
-
Michael Hampton almost 6 years
If you've solved this yourself, please write an answer and mark it as accepted. Without it, people will still think you need help.
-
Markus almost 6 years
Sorry, I had updated my question but will post the answer shortly as well, thanks.