Closed JJussi closed 3 years ago
Identical problem after upgrading from 18.04 to 20.04
Tested owncloud-client 2.6.3 on ubuntu-20.04 against owncloud.jjussi.com and demo.owncloud.org: With demo, ssl handshake works fine, I can log in. With jjussi, ssl handshake fails, I get prompted to try http, client-certs, or other url.
Mostly the client just gives the http prompt, but once it reported that the server cert of owncloud.jjussi.com is actually valid for a different domain, iot.jjussi.com. There is something weird going on at that server. Are there different certs being served?
The debug log has
06-24 01:02:34:625 [ debug sync.networkjob ] [ OCC::AbstractNetworkJob::slotFinished ]: Network job OCC::RequestEtagJob finished for "/"
06-24 01:02:36:349 [ debug gui.wizard ] [ OCC::OwncloudSetupWizard::slotCheckServer ]: Trying to look up system proxy
06-24 01:02:36:367 [ info gui.wizard ]: No system proxy set by OS
06-24 01:02:36:367 [ info sync.accessmanager ]: 2 "" "https://owncloud.jjussi.com/status.php" has X-Request-ID "6584372e-d6bc-430f-9bdd-4e434d1d7c0f"
06-24 01:02:36:367 [ debug sync.cookiejar ] [ OCC::CookieJar::cookiesForUrl ]: QUrl("https://owncloud.jjussi.com/status.php") requests: ()
06-24 01:02:36:367 [ info sync.networkjob ]: OCC::CheckServerJob created for "https://owncloud.jjussi.com" + "status.php" "OCC::OwncloudSetupWizard"
06-24 01:02:36:519 [ warning sync.networkjob ]: SslHandshakeFailedError: "SSL handshake failed" : can be caused by a webserver wanting SSL client certificates
06-24 01:02:36:519 [ warning sync.networkjob ]: QNetworkReply::SslHandshakeFailedError "SSL handshake failed" QVariant(Invalid)
06-24 01:02:36:519 [ warning sync.networkjob.checkserver ]: error: status.php replied 0 ""
06-24 01:02:36:519 [ info sync.accessmanager ]: 2 "" "https://owncloud.jjussi.com" has X-Request-ID "dfd93bf0-15f0-4659-ba09-bb04fd30df76"
06-24 01:02:36:519 [ debug sync.cookiejar ] [ OCC::CookieJar::cookiesForUrl ]: QUrl("https://owncloud.jjussi.com") requests: ()
06-24 01:02:36:520 [ info sync.networkjob ]: OCC::SimpleNetworkJob created for "https://owncloud.jjussi.com" + "" ""
06-24 01:02:36:520 [ debug sync.networkjob ] [ OCC::AbstractNetworkJob::slotFinished ]: Network job OCC::CheckServerJob finished for "status.php"
06-24 01:02:36:640 [ warning sync.networkjob ]: SslHandshakeFailedError: "SSL handshake failed" : can be caused by a webserver wanting SSL client certificates
06-24 01:02:36:640 [ warning sync.networkjob ]: QNetworkReply::SslHandshakeFailedError "SSL handshake failed" QVariant(Invalid)
06-24 01:02:36:640 [ info sync.accessmanager ]: 2 "" "https://owncloud.jjussi.com/status.php" has X-Request-ID "34f0953c-3f12-4c59-bdba-de722ac006bc"
06-24 01:02:36:640 [ debug sync.cookiejar ] [ OCC::CookieJar::cookiesForUrl ]: QUrl("https://owncloud.jjussi.com/status.php") requests: ()
06-24 01:02:36:641 [ info sync.networkjob ]: OCC::CheckServerJob created for "https://owncloud.jjussi.com" + "status.php" "OCC::OwncloudSetupWizard"
06-24 01:02:36:641 [ debug sync.networkjob ] [ OCC::AbstractNetworkJob::slotFinished ]: Network job OCC::SimpleNetworkJob finished for ""
06-24 01:02:36:777 [ warning sync.networkjob ]: SslHandshakeFailedError: "SSL handshake failed" : can be caused by a webserver wanting SSL client certificates
06-24 01:02:36:778 [ warning sync.networkjob ]: QNetworkReply::SslHandshakeFailedError "SSL handshake failed" QVariant(Invalid)
06-24 01:02:36:778 [ warning sync.networkjob.checkserver ]: error: status.php replied 0 ""
If I go to https://owncloud.jjussi.com, its certificate points to that address.
If I go to https://iot.jjussi.com, it has its own certificate....
And.. If I try to use the IP address (or host name jjussi.com), then I get information that it's not secure, because the certificate points to iot.jjussi.com
So, does owncloud-client try to connect to jjussi.com or owncloud.jjussi.com?
On the client side we have

| Platform | Test | Result |
|---|---|---|
| ubuntu:20.04 | 01_cmd_vers.sh | owncloud version 2.6.3 (build 2795) |
| ubuntu:18.04 | 01_cmd_vers.sh | owncloud version 2.6.3 (build 2795) |
| ubuntu:20.04 | 12_openssl_vers.sh | Using 'OpenSSL 1.1.1f 31 Mar 2020' |
| ubuntu:18.04 | 12_openssl_vers.sh | Using 'OpenSSL 1.1.1 11 Sep 2018' |

Maybe this very new openssl does not want to talk to your server with the ssl/tls protocol versions that our code supports?
Regarding the iot.jjussi.com cert: maybe I mistyped the url on that one attempt that gave me the iot.jjussi.com cert. I cannot reproduce that anymore.
And at the Manjaro (5.6.15) where owncloud-client works fine it's
ownCloud version 2.6.1
Git revision 6793f774adcd4beff46923ff7186ff1a9b6ec47c
Using Qt 5.14.2, built against Qt 5.14.1
Using 'OpenSSL 1.1.1g 21 Apr 2020'
So, maybe it's that 1.1.1f?!?
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ has something scary:
There are new ciphersuites that only work in TLSv1.3. The old ciphersuites cannot be used for TLSv1.3 connections.
So if the new 1.1.1f insists on using TLSv1.3, and your server cannot do this, then the connection must fail. :-( To test that hypothesis: We'd need to find the supported tls versions on both ends and see if or if not we have some protocol version in common.
You'll get detailed lists of ciphers with https://www.ssllabs.com/ssltest/
https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.jjussi.com Lists the supported protocols like this:
So it is TLS-1.2 only on the server side. Now we need to find out, if our clients are locked to TLS-1.3 when running on Ubuntu-20.04
@JJussi Please also note: https://www.ssllabs.com/ssltest/analyze.html?d=owncloud.jjussi.com lists the iot.jjussi.com cert as a second certificate under owncloud.jjussi.com -- Is that the expected reading?
@jnweiger That host has multiple sub-sites and, as you saw, if you ask for the certificate with the IP address (or just jjussi.com), it will return the iot.jjussi.com certificate. Anyway, iot.jjussi.com and owncloud.jjussi.com are on the same host and share the same IP address.
228.166.81.185.in-addr.arpa name = owncloud.jjussi.com.
OK.. There is "error"... I need to change that certificate to there... Earlier the machine's IP address was tied to iot.jjussi.com, but I changed it a few weeks ago... That didn't change this problem earlier.
Server is Ubuntu 15.04, so you cannot have Apache 2.4.37, which supports TLS 1.3. It's a VPS server, so upgrading the OS is not possible without destroying everything :-(
@TheOneRing The open question now is, if the desktop client should be able to connect via TLS-1.2 when running on Ubuntu-20.04 with their openssl-1.1.1f -- or if we can make that happen.
(Maybe related to https://blog.cloudflare.com/encrypted-sni/ ? Just a super wild guess...)
Could you try https://github.com/owncloud/client/actions/runs/257441975 ? The build provides an app image for testing, and it comes with our own openssl build.
I tested that version and it worked very well against my owncloud-server.
So we can assume it's due to an old openssl, thx.
Hi, I am also facing TLS related issues with Simon Fraser University's ownCloud instance. The above app image worked without issue.
When you say "due to an old openssl", do you mean old openssl on the server? On the Ubuntu client openssl 1.1.1f is still newish, only 1 release behind.
$ curl -V
curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
Release-Date: 2020-01-08
$ curl -v https://vault.sfu.ca
* Trying 142.58.104.89:443...
* TCP_NODELAY set
* Connected to vault.sfu.ca (142.58.104.89) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
* Closing connection 0
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
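The curl output in the post above already separates the two hypotheses raised in this thread (protocol version mismatch versus weak key-exchange parameters). The following is an added example, not part of the original thread or of the ownCloud client: it parses such a `curl -v` trace and reports where the handshake stopped and which OpenSSL reason string was given. The `diagnose` function, the category names and the reading of the version labels are assumptions of this example.

```python
import re

# curl -v lines copied from the post above (vault.sfu.ca, OpenSSL 1.1.1f client).
CURL_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
"""

MSG = re.compile(r"^\*\s+(TLSv1\.\d)\s+\((IN|OUT)\),\s+TLS (handshake|alert),"
                 r"\s+(.+?)\s+\(\d+\):", re.M)
ERR = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:([^:]*):(.+)$", re.M)

# OpenSSL reason strings mapped to the hypotheses raised in this thread.
# The category names are this example's own labels.
CATEGORY = {
    "dh key too small": "weak-dh-params",
    "ee key too small": "weak-server-key",
    "unsupported protocol": "protocol-version",
    "tlsv1 alert protocol version": "protocol-version",
    "certificate verify failed": "certificate",
}

def diagnose(trace):
    """Summarise where a curl -v TLS handshake stopped and why."""
    result = {"offered": None, "negotiated": None, "failed_at": None,
              "alert_sent_by": None, "reason": None, "category": "unknown"}
    for version, direction, kind, name in MSG.findall(trace):
        if kind == "alert":
            result["alert_sent_by"] = "client" if direction == "OUT" else "server"
        elif direction == "OUT" and name == "Client hello":
            result["offered"] = version
        elif direction == "IN":
            # Assumption: the label on the last received handshake message
            # is the version both sides settled on.
            result["negotiated"] = version
            result["failed_at"] = name
    err = ERR.search(trace)
    if err:
        result["reason"] = err.group(2).strip()
        result["category"] = CATEGORY.get(result["reason"], "unknown")
    return result

if __name__ == "__main__":
    for key, value in diagnose(CURL_TRACE).items():
        print(f"{key}: {value}")
```

For the quoted trace this reports a handshake that got as far as the TLSv1.2 Server key exchange before the client itself sent the alert, with the reason `dh key too small`: the client rejected the server's DHE parameters rather than failing to agree on a protocol version.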
@dpsi did you find a resolution? Are you staff or student? I am also having this problem, just having upgraded to ubuntu 20.4 from 18.4. I put in a ticket with the FS IT staff, but I'm not holding my breath. (I work at Facilities Services) jhaynes
Hey there, the packaged version of ownCloud (2.6.3 (build 2668)) still does not work with SFU Vault. For now I have been manually running the AppImage mentioned above.
I will shoot you an email so we can discuss further.
Could you try a recent non working 2.7 build and paste the output of --version here? It should look similar to
testpilotcloud 2.7.0daily20201019 (build 2310) Oct 19 2020 02:11:56
https://github.com/owncloud/client/commit/b32bdc69a5c546c2170ac7a71e54e16150045d0e
Libraries Qt 5.12.9, OpenSSL 1.1.1g 21 Apr 2020
Using virtual files plugin: suffix
If the openssl version would be missing we could be certain that something is seriously broken
Does the issue still exist?
No problem anymore.
I have the same problem since the upgrade to Ubuntu 22.04. The output of --version is:
gui.platform: adding plugin directory "/opt/ownCloud/ownCloud/bin/../lib/x86_64-linux-gnu/plugins"
ownCloud ownCloud 3.0.0.9215-
https://github.com/owncloud/client/commit/457b08ed362e4c9ae430797508791ff25171c36c
Libraries Qt 5.15.2, OpenSSL 3.0.2 15 Mar 2022
Using virtual files plugin: suffix
ubuntu-5.15.0-56-generic
@kuateric thanks for the feedback. Too many things changed between 2.7 and 3.0. Please open a new issue with all required information.
okay
Ubuntu 20.04. Original problem (this same one) with 2.5.1.10973+dfsg-1ubuntu4, so I tried version 2.6.3daily20200530 (build 2600), but still, when adding a new account, I get the error: Failed to connect to ownCloud at https://owncloud.jjussi.com: SSL handshake failed
Program owncloud-client works at Ubuntu 18.04 (version 2.4.1+dfsg-1) without errors. Installing that same version to Ubuntu 20.04 doesn’t work…
Whole ticket can be found:
https://central.owncloud.org/t/ubuntu-20-04-ssl-handshake-failed/26366