TLS Handshake error in Keybase from within corporate intranet

[ids-nick]

Hi, I'm trying to proof-of-concept Keybase as a useful tool at work but cannot get it working within our network. It works fine on my non-work machines, and works fine on my work machine when using an outside network.

I've already asked the network infrastructure to whitelist api.keybase.io. Now that that is done, I can install and open keybase and sign in, but most functionality fails.

Most/all ui features show this error:

Error: API network error: doRetry failed, attempts: 6, timeout 11.390625s, last err: Get https://api.keybase.io/_/api/1.0/sesscheck.json: remote error: tls: handshake failure at l.t (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:1:249154) at l (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:1:249758) at s (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:1:249449) at t.convertToError (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:1:249636) at _rpcClient.invoke.e (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:1:236528) at file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:11:249324 at e.t.Deferrals.e._call (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:6:233825) at file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:6:233976 at s (file:///C:/Users/Dev/AppData/Local/Keybase/Gui/resources/app/desktop/dist/index.bundle.js:6:233605) at e.t.Deferrals.e._fulfill...

From keybase commandline I get a similar TLS error with a possibly useful error code of 1601:

C:\Users\Dev\AppData\Local\Keybase>keybase id chris

• WARNING (CONN keybase service bc29b304) Connection: error dialing transport: remote error: tls: handshake failure
• ERROR API network error: doRetry failed, attempts: 3, timeout 13.5s, last err: Get https://api.keybase.io/_/api/1.0/user/lookup.json?fields=basics%2Cpublic_keys%2Cpictures&load_deleted=1&multi=1&username=chris: remote error: tls: handshake failure (code 1601)

I will do a keybase log send and add the id. This may well be an issue on our side, but I need some guidance as to what to ask the network team to change, my network is otherwise usable and functional.

Keybase GUI Version: 1.0.33-20171003151350+ea019b3

[ids-nick]

Unsurprisingly, log send failed :(

C:\Users\Dev\AppData\Local\Keybase>keybase log send This command will send recent keybase log entries to keybase.io for debugging purposes only.

These logs don’t include your private keys or encrypted data, but they will include filenames and other metadata keybase normally can’t read, for debugging purposes.

Continue sending logs to keybase.io? (type 'YES' to confirm): yes Enter feedback (or ENTER to send): This goes to the github issue 9207 Enter feedback (or ENTER to send):

• INFO ignoring error getting keybase status: API network error: doRetry failed, attempts: 6, timeout 11.390625s, last err: Get https://api.keybase.io/_/api/1.0/sesscheck.json: remote error: tls: handshake failure (error 1601)
• ERROR API network error: Post https://api.keybase.io/_/api/1.0/logdump/send.json: remote error: tls: handshake failure

Let me know what if any logs you need.

[ids-nick]

By the by, I notice that (when coming from outside the corporate network) I get a self-signed cert error when trying to hit api.keybase.io from a browser. It could be our network gurus have some kind of rule to block traffic to https sites with self-signed certs?

From within our network I get SSL_ERROR_NO_CYPHER_OVERLAP, which seems to be the error Firefox throws when a site only supports RC4, which seems unlikely to be the case...

[pipiche38]

I'm amazed that a problem from 2017 is still not addressed !

I have the same problem and cannot use Keybase due to that !

[Vladx71]

it is still exists.... it seems keybase does not use OS certificate trust store, so cannot be used behind TLS inspection. Any chance to fix it?

[maxtaco]

This should work now if you enable proxy settings.

[Vladx71]

This is a transparent proxy solution works for almost everything else

Pál, László vlad@vlad.hu

On 2020. Jan 10., at 16:19, Maxwell Krohn notifications@github.com wrote:

This should work now if you enable proxy settings.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/keybase/client/issues/9207?email_source=notifications&email_token=AB3RO2SBNA2SFQ43FGHZPUTQ5CGWZA5CNFSM4EATQTZKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIUHJ2A#issuecomment-573076712, or unsubscribe https://github.com/notifications/unsubscribe-auth/AB3RO2T4XHNSATQCGA3EQHDQ5CGWZANCNFSM4EATQTZA.