tomboy-notes / tomboy

This is the legacy development for Tomboy.
http://projects.gnome.org/tomboy
GNU Lesser General Public License v2.1

Cannot connect. TLS issue? #48

Closed risros closed 7 years ago

risros commented 7 years ago

I cannot sync with my Owncloud/Tomboy server. Says "server not responding". Is possible that SSL library lacks TLS1.2 support? (that's the only protocol I have enabled on server side)

```
[DEBUG 10:42:02.590] EnableDisable Called: enabling... True
[DEBUG 10:42:02.590] Binding key '<Alt>F12' for '/apps/tomboy/global_keybindings/show_note_menu'
[DEBUG 10:42:02.606] Binding key '<Alt>F11' for '/apps/tomboy/global_keybindings/open_start_here'
[WARN 10:42:02.606] Preference key '/apps/tomboy/global_keybindings/open_search' does not exist, using default.
[DEBUG 10:42:02.684] Unable to load icon 'tomboy-panel'.
[INFO 10:42:03.075] Initializing Mono.Addins
[DEBUG 10:42:03.184] AddinManager.OnAddinLoaded: Tomboy.Tomboy
[DEBUG 10:42:03.184] Name: Tomboy.Tomboy,0.10
[DEBUG 10:42:03.184] Description:
[DEBUG 10:42:03.184] Namespace: Tomboy
[DEBUG 10:42:03.184] Enabled: True
[DEBUG 10:42:03.184] File: C:\Program Files (x86)\Tomboy\Tomboy.exe
[DEBUG 10:42:04.434] AddinManager.OnAddinLoaded: Tomboy.ExportToHtmlAddin
[DEBUG 10:42:04.434] Name: Export to HTML
[DEBUG 10:42:04.434] Description: Exports individual notes to HTML.
[DEBUG 10:42:04.434] Namespace: Tomboy
[DEBUG 10:42:04.434] Enabled: True
[DEBUG 10:42:04.434] File: C:\Program Files (x86)\Tomboy\ExportToHtml.dll
[DEBUG 10:42:04.450] AddinManager.OnAddinLoaded: Tomboy.FileSystemSyncServiceAddin
[DEBUG 10:42:04.450] Name: Local Directory Sync Service Add-in
[DEBUG 10:42:04.450] Description: Synchronize Tomboy Notes to a local file system path
[DEBUG 10:42:04.465] Namespace: Tomboy
[DEBUG 10:42:04.465] Enabled: True
[DEBUG 10:42:04.465] File: C:\Program Files (x86)\Tomboy\FileSystemSyncService.dll
[DEBUG 10:42:04.465] AddinManager.OnAddinLoaded: Tomboy.WebSyncServiceAddin
[DEBUG 10:42:04.465] Name: Web Sync Service Add-in
[DEBUG 10:42:04.465] Description: Synchronize Tomboy Notes with Tomboy Online and other compatible web services
[DEBUG 10:42:04.481] Namespace: Tomboy
[DEBUG 10:42:04.481] Enabled: True
[DEBUG 10:42:04.481] File: C:\Program Files (x86)\Tomboy\WebSyncServiceAddin.dll
[DEBUG 10:42:04.497] Loading notes
[DEBUG 10:42:04.590] AddinManager.OnAddinLoaded: Tomboy.PrintNotesAddin
[DEBUG 10:42:04.590] Name: Printing Support
[DEBUG 10:42:04.590] Description: Allows you to print a note.
[DEBUG 10:42:04.590] Namespace: Tomboy
[DEBUG 10:42:04.590] Enabled: True
[DEBUG 10:42:04.590] File: C:\Program Files (x86)\Tomboy\PrintNotes.dll
[DEBUG 10:42:04.606] AddinManager.OnAddinLoaded: Tomboy.FixedWidthAddin
[DEBUG 10:42:04.606] Name: Fixed Width
[DEBUG 10:42:04.606] Description: Adds fixed-width font style.
[DEBUG 10:42:04.606] Namespace: Tomboy
[DEBUG 10:42:04.606] Enabled: True
[DEBUG 10:42:04.606] File: C:\Program Files (x86)\Tomboy\FixedWidth.dll
[DEBUG 10:42:04.622] AddinManager.OnAddinLoaded: Tomboy.BacklinksAddin
[DEBUG 10:42:04.622] Name: Backlinks
[DEBUG 10:42:04.622] Description: See which notes link to the one you're currently viewing.
[DEBUG 10:42:04.622] Namespace: Tomboy
[DEBUG 10:42:04.622] Enabled: True
[DEBUG 10:42:04.637] File: C:\Program Files (x86)\Tomboy\Backlinks.dll
[DEBUG 10:42:04.653] Autosync pref changed...restarting sync timer
[DEBUG 10:42:04.684] Tomboy remote control active.
[DEBUG 10:42:04.684] Windows Taskbar: Begin jump list
[DEBUG 10:42:04.731] Windows Taskbar: Commit jump list
[WARN 10:42:15.954] libproxy not installed
[ERROR 10:42:16.142] Caught exception. Message: The underlying connection was closed: An unexpected error occurred on a send.
[ERROR 10:42:16.157] Stack trace for previous exception:
   at System.Net.HttpWebRequest.GetResponse()
   at Tomboy.WebSync.Api.AnonymousConnection.WebRequest(String method, String uri) in C:\MyDocs\dev\tomboy\tomboy-github\Tomboy\Addins\WebSyncService\Api\AnonymousConnection.cs:line 78
[ERROR 10:42:16.173] Failed to get Root resource https://myserver.net/c/index.php/apps/grauphel/api/1.0. Exception was: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   --- End of inner exception stack trace ---
   at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Tomboy.WebSync.Api.AnonymousConnection.WebRequest(String method, String uri) in C:\MyDocs\dev\tomboy\tomboy-github\Tomboy\Addins\WebSyncService\Api\AnonymousConnection.cs:line 84
   at Tomboy.WebSync.Api.AnonymousConnection.Get(String uri, IDictionary2 parameters) in C:\MyDocs\dev\tomboy\tomboy-github\Tomboy\Addins\WebSyncService\Api\AnonymousConnection.cs:line 45
   at Tomboy.WebSync.Api.RootInfo.GetRoot(String rootUri, IWebConnection connection) in C:\MyDocs\dev\tomboy\tomboy-github\Tomboy\Addins\WebSyncService\Api\RootInfo.cs:line 37
   at Tomboy.WebSync.WebSyncPreferencesWidget.OnAuthButtonClicked(Object sender, EventArgs args) in C:\MyDocs\dev\tomboy\tomboy-github\Tomboy\Addins\WebSyncService\WebSyncPreferencesWidget.cs:line 116
```

risros commented 7 years ago

I figured it out. TLSv1.2 is not supported. TLSv1 is a must. Is it possible to raise the level of TLS?

alex-ter commented 7 years ago

I haven't yet had a chance to check this out in detail, as I was travelling until yesterday. I think though we are using system libraries for this level of comms, so as you're using Windows, I'd suggest you start with checking out how .NET deals with that, whether your version supports that, and how to switch the supported proto list.

risros commented 7 years ago

Well to me it seems that the library comes from mono. (I'm not a pro programmer)

alex-ter commented 7 years ago

Ok, let's then step back and understand your environment better - you don't really need to install Mono when running on Windows, standard dotnet install is enough. How did you install Tomboy, which version is this and which dotnet version do you have?

risros commented 7 years ago

Tomboy 1.15.7, .NET version 4.6.01586. Installation was done through the MSI installer. GTK from the link suggested. I see some mono libraries in the Tomboy directory... You can reproduce it, I'm sure, if you disable all protocols but TLS1.2 on the server side.

alex-ter commented 7 years ago

Ok, those mono libraries are not related to this functionality, so it comes from your system's dotnet. I don't have such a setup handy to test this, but I'll look into this.

risros commented 7 years ago

Can I try something else? I installed it on two Win 10 computers, but same result. TLS1.2 is not working.

alex-ter commented 7 years ago

Unless you want to get your hands dirty and investigate how dotnet creates the list of supported protocols it sends during https handshake, nope. It would need to wait until I or someone else has time to look into this, unfortunately.

alex-ter commented 7 years ago

As an investigation note, apparently, .NET 4.5's default is SSL3 and TLS 1.0. Not sure about 4.6 (and haven't tested it in the code, just read some interwebs + documentation). Looks like the only way to set protocols is to assign proper set to ServicePointManager.SecurityProtocol (or equivalent in our code). I'll hopefully be able to do some experimenting and a test drop for you @risros tomorrow.

alex-ter commented 7 years ago

I've just confirmed one more time it's SSLv3+TLS1.0 by default on Windows. On Linux it's TLS1.0+1.1+1.2.

So I plan to set all possible options, leaving the previously used ones for compatibility + explicitly adding TLS1.1 and 1.2 into the set. That way client (Tomboy) and server should be able to negotiate the maximum supported one between themselves.

Attached here is an engineering drop with that added (built from gh48-enable-tls11-12 branch, you can see the exact change there). Please give it a try and let me know if that works for you.

Please run Tomboy with --debug switch and attach (or send directly to me) the full log file, that will help me to understand the situation better.
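A worked illustration of the change described in the comment above, added here as an example (it is not the Tomboy project's code and not the gh48 branch itself): the Windows .NET 4.x default protocol set beside the widened set, plus a numeric-value form for frameworks whose `SecurityProtocolType` enum lacks the `Tls11`/`Tls12` members. The helper and class names are hypothetical.

```csharp
using System;
using System.Net;

// Added example, not Tomboy's own code. Demonstrates why a TLS1.2-only
// server drops the handshake on Windows .NET 4.x and how widening the
// ServicePointManager.SecurityProtocol set fixes it.
static class TlsProtocolSetup
{
    // Returns the process-wide set the HttpWebRequest handshake offers.
    // On Windows .NET 4.5/4.6 the default observed in this issue is
    // Ssl3 | Tls, so a server that only enables TLS1.2 closes the socket.
    public static SecurityProtocolType Current()
    {
        return ServicePointManager.SecurityProtocol;
    }

    // The fix as described: keep the previously used protocols for
    // compatibility and explicitly add TLS1.1 and TLS1.2. Client and
    // server then negotiate the highest version both support.
    public static void EnableTls11And12()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls |
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    }

    // Same intent using the enum's numeric values (Tls11 = 0x300,
    // Tls12 = 0xC00). This compiles on frameworks whose enum predates
    // those members; the runtime must still implement them or the
    // setter throws NotSupportedException. SSL3 is left out here: a
    // hardened client has no reason to offer it.
    public static void EnableTls11And12ByValue()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls |
            (SecurityProtocolType)0x300 |   // Tls11
            (SecurityProtocolType)0xC00;    // Tls12
    }

    static void Main()
    {
        Console.WriteLine("Default : " + Current());
        EnableTls11And12();
        Console.WriteLine("Widened : " + Current());
        EnableTls11And12ByValue();
        Console.WriteLine("By value: " + Current());
    }
}
```

The numeric-value form is the workaround for the later note in this thread that the patch does not compile on Mono 4.2.4, where the enum members are missing; it does not change which versions the runtime can actually speak.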

risros commented 7 years ago

Confirmed working with the build you provided! Thank you for a quick resolution.

alex-ter commented 7 years ago

Good to know, thanks for the confirmation! Let me reopen this one for a while - I'll make a full release with this fix and close it after that.

alex-ter commented 7 years ago

Fixed with e6327fa22468d657b67d58affe07f563ea2d160c

thmo commented 7 years ago

Note: The patch does not compile with Mono 4.2.4.

Not sure though what the minimal required version is, it compiles with 4.4.2.

alex-ter commented 7 years ago

Yeah, there was a discussion about that on the mailing list. Looks like e.g. Ubuntu has quite an old Mono version (4.2.something) and that doesn't compile there. By contrast, Fedora 25 is fine. I've added a note to the building instructions on the wiki, but if you have any additional ideas, I'm all ears (or would gladly review a readme patch, for example).