Git gnutls hand shake failed… Error between keyboard and floor?

Tiny Tiny RSS Support
1

I tried to pull the latest from git and got this:

(master|…8); git pull origin master                                            
fatal: unable to access 'https://git.tt-rss.org/git/tt-rss/': gnutls_handshake() failed: Handshake failed

Which is really odd since I have not messed with git config in ages… There was an update to it today, bringin it to 2.19.2. So I did this:

(master|…8); openssl s_client -connect  git.tt-rss.org:443
CONNECTED(00000003)                                       
139798144841536:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Resumption PSK: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1542901598
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---

Then I did this:

(master|…8); gnutls-cli -d 5 git.tt-rss.org -p 443            
Resolving 'git.tt-rss.org'...
Connecting to '2606:4700:30::6818:6522:443'...
|<4>| REC[0xb9cfb0]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0xb9cfb0]: Allocating epoch #1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0xb9cfb0]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0xb9cfb0]: Sending extension SERVER NAME (19 bytes)
|<2>| EXT[0xb9cfb0]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0xb9cfb0]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0xb9cfb0]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0xb9cfb0]: CLIENT HELLO was sent [139 bytes]
|<4>| REC[0xb9cfb0]: Sending Packet[0] Handshake(22) with length: 139
|<4>| REC[0xb9cfb0]: Sent Packet[1] Handshake(22) with length: 144
|<4>| REC[0xb9cfb0]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0xb9cfb0]: Received Packet[0] Alert(21) with length: 2
|<4>| REC[0xb9cfb0]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0xb9cfb0]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2773
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0xb9cfb0]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0xb9cfb0]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
|<4>| REC[0xb9cfb0]: Epoch #0 freed
|<4>| REC[0xb9cfb0]: Epoch #1 freed

Have I fucked up somewhere? Probably… Anyone care to point me to the right direction?

2

WOMM…

git pull origin 
$ git pull origin master
remote: Enumerating objects: 107, done.
remote: Counting objects: 100% (107/107), done.
remote: Compressing objects: 100% (79/79), done.
remote: Total 79 (delta 60), reused 0 (delta 0)
Unpacking objects: 100% (79/79), done.
From https://tt-rss.org/git/tt-rss
 * branch              master     -> FETCH_HEAD
   5f66f872..e08990f7  master     -> origin/master
Updating 5f66f872..e08990f7
Fast-forward
 .gitignore                                      |    3 +
 classes/article.php                             |    8 +-
 classes/ccache.php                              |    4 +-
 classes/db/prefs.php                            |   10 +-
 classes/digest.php                              |   16 +-
 classes/feeds.php                               |    6 +-
 classes/handler/public.php                      |   33 +-
 classes/labels.php                              |    4 +-
 classes/mailer.php                              |   52 ++
 classes/opml.php                                |   18 +-
 classes/pluginhost.php                          |    3 +-
 classes/pref/feeds.php                          |   10 +-
 classes/pref/users.php                          |   29 +-
 classes/rssutils.php                            |   25 +-
 classes/ttrssmailer.php                         |   63 --
 config.php-dist                                 |   46 +-
 lib/phpmailer/class.phpmailer.php               | 4039 ----------------------------------------------------------------------------------
 lib/phpmailer/class.smtp.php                    | 1249 --------------------------
 lib/phpmailer/language/phpmailer.lang-am.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ar.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-az.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-be.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-bg.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-br.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ca.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ch.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-cs.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-cz.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-da.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-de.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-dk.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-el.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-eo.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-es.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-et.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-fa.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-fi.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-fo.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-fr.php    |   29 -
 lib/phpmailer/language/phpmailer.lang-gl.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-he.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-hr.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-hu.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-id.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-it.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-ja.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-ka.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ko.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-lt.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-lv.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ms.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-nb.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-nl.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-no.php    |   25 -
 lib/phpmailer/language/phpmailer.lang-pl.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-pt.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-pt_br.php |   28 -
 lib/phpmailer/language/phpmailer.lang-ro.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-ru.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-se.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-sk.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-sl.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-sr.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-sv.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-tr.php    |   29 -
 lib/phpmailer/language/phpmailer.lang-uk.php    |   27 -
 lib/phpmailer/language/phpmailer.lang-vi.php    |   26 -
 lib/phpmailer/language/phpmailer.lang-zh.php    |   28 -
 lib/phpmailer/language/phpmailer.lang-zh_cn.php |   27 -
 plugins/mail/init.php                           |   26 +-
 plugins/search_sphinx/sphinxapi.php             |   40 +-
 plugins/vf_shared/init.php                      |    4 +-
 register.php                                    |   23 +-
 73 files changed, 218 insertions(+), 6831 deletions(-)
 create mode 100644 classes/mailer.php
 delete mode 100644 classes/ttrssmailer.php
 delete mode 100755 lib/phpmailer/class.phpmailer.php
 delete mode 100644 lib/phpmailer/class.smtp.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-am.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ar.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-az.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-be.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-bg.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-br.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ca.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ch.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-cs.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-cz.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-da.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-de.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-dk.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-el.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-eo.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-es.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-et.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-fa.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-fi.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-fo.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-fr.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-gl.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-he.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-hr.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-hu.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-id.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-it.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ja.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ka.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ko.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-lt.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-lv.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ms.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-nb.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-nl.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-no.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-pl.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-pt.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-pt_br.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ro.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-ru.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-se.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-sk.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-sl.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-sr.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-sv.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-tr.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-uk.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-vi.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-zh.php
 delete mode 100644 lib/phpmailer/language/phpmailer.lang-zh_cn.php
openssl s_client -connect git.tt-rss.org:443 
$ openssl s_client -connect  git.tt-rss.org:443
CONNECTED(00000003)
140349786542528:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1542904744
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
gnutls-cli -d 5 git.tt-rss.org -p 443 
$ gnutls-cli -d 5 git.tt-rss.org -p 443
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
<snip lots of more asserts>
|<3>| ASSERT: mpi.c[_gnutls_x509_read_uint]:246
|<3>| ASSERT: mpi.c[_gnutls_x509_read_uint]:246
Processed 133 CA certificate(s).
Resolving 'git.tt-rss.org:443'...
Connecting to '2606:4700:30::6818:6422:443'...
|<5>| REC[0x560f51fe4930]: Allocating epoch #0
|<3>| ASSERT: constate.c[_gnutls_epoch_get]:600
|<5>| REC[0x560f51fe4930]: Allocating epoch #1
|<4>| HSK[0x560f51fe4930]: Adv. version: 3.3
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305 (CC.A9)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CCM (C0.AD)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CCM (C0.AC)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CHACHA20_POLY1305 (CC.A8)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CCM (C0.9D)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CCM (C0.9C)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CHACHA20_POLY1305 (CC.AA)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CCM (C0.9F)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CCM (C0.9E)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x560f51fe4930]: Keeping ciphersuite: GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| EXT[0x560f51fe4930]: Sending extension Extended Master Secret (0 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension Encrypt-then-MAC (0 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension OCSP Status Request (5 bytes)
|<2>| HSK[0x560f51fe4930]: sent server name: 'git.tt-rss.org'
|<4>| EXT[0x560f51fe4930]: Sending extension Server Name Indication (19 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension Safe Renegotiation (1 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension Session Ticket (0 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension Supported curves (12 bytes)
|<4>| EXT[0x560f51fe4930]: Sending extension Supported ECC Point Formats (2 bytes)
|<4>| EXT[0x560f51fe4930]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x560f51fe4930]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x560f51fe4930]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x560f51fe4930]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x560f51fe4930]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x560f51fe4930]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x560f51fe4930]: sent signature algo (3.1) RSA-SHA224
|<4>| EXT[0x560f51fe4930]: sent signature algo (3.3) ECDSA-SHA224
|<4>| EXT[0x560f51fe4930]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x560f51fe4930]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x560f51fe4930]: Sending extension Signature Algorithms (22 bytes)
|<4>| HSK[0x560f51fe4930]: CLIENT HELLO was queued [256 bytes]
|<5>| REC[0x560f51fe4930]: Preparing Packet Handshake(22) with length: 256 and min pad: 0
|<5>| REC[0x560f51fe4930]: Sent Packet[1] Handshake(22) in epoch 0 and length: 261
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 67
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 67
|<5>| REC[0x560f51fe4930]: Decrypted Packet[0] Handshake(22) with length: 67
|<4>| HSK[0x560f51fe4930]: SERVER HELLO (2) was received. Length 63[63], frag offset 0, frag length: 63, sequence: 0
|<4>| HSK[0x560f51fe4930]: Server's version: 3.3
|<4>| HSK[0x560f51fe4930]: SessionID length: 0
|<4>| HSK[0x560f51fe4930]: SessionID: cc
|<4>| HSK[0x560f51fe4930]: Selected cipher suite: ECDHE_ECDSA_CHACHA20_POLY1305
|<4>| HSK[0x560f51fe4930]: Selected compression method: NULL (0)
|<4>| EXT[0x560f51fe4930]: Parsing extension 'Extended Master Secret/23' (0 bytes)
|<4>| EXT[0x560f51fe4930]: Parsing extension 'Safe Renegotiation/65281' (1 bytes)
|<4>| EXT[0x560f51fe4930]: Parsing extension 'Supported ECC Point Formats/11' (2 bytes)
|<4>| EXT[0x560f51fe4930]: Parsing extension 'Session Ticket/35' (0 bytes)
|<4>| EXT[0x560f51fe4930]: Parsing extension 'OCSP Status Request/5' (0 bytes)
|<4>| HSK[0x560f51fe4930]: Safe renegotiation succeeded
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 2203
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 2203
|<5>| REC[0x560f51fe4930]: Decrypted Packet[1] Handshake(22) with length: 2203
|<4>| HSK[0x560f51fe4930]: CERTIFICATE (11) was received. Length 2199[2199], frag offset 0, frag length: 2199, sequence: 0
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 288
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 288
|<5>| REC[0x560f51fe4930]: Decrypted Packet[2] Handshake(22) with length: 288
|<4>| HSK[0x560f51fe4930]: CERTIFICATE STATUS (22) was received. Length 284[284], frag offset 0, frag length: 284, sequence: 0
- Certificate type: X.509
- Got a certificate list of 2 certificates.
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- Certificate[0] info:
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
 - subject `CN=sni.cloudflaressl.com,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US', issuer `CN=CloudFlare Inc ECC CA-2,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US', serial 0x04a928d7aa8ca7679703fc67e662cbe9, EC/ECDSA key 256 bits, signed using ECDSA-SHA256, activated `2018-11-16 00:00:00 UTC', expires `2019-11-16 12:00:00 UTC', pin-sha256="BF8E47eUGrjH2qWRdiN9ps3wP/SyGnSD5EtzJ5Mon1M="
        Public Key ID:
                sha1:41847711af25f9e0313d05926222d4022c840b62
                sha256:045f04e3b7941ab8c7daa59176237da6cdf03ff4b21a7483e44b732793289f53
        Public Key PIN:
                pin-sha256:BF8E47eUGrjH2qWRdiN9ps3wP/SyGnSD5EtzJ5Mon1M=
        Public key's random art:
                +--[SECP256R1]----+
                |oo.o.. oo ++...  |
                |=E. o +.+ o= .   |
                |+o   o +.o* =    |
                |.        o O .   |
                |        S o .    |
                |                 |
                |                 |
                |                 |
                |                 |
                +-----------------+

|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
- Certificate[1] info:
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
 - subject `CN=CloudFlare Inc ECC CA-2,O=CloudFlare\, Inc.,L=San Francisco,ST=CA,C=US', issuer `CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE', serial 0x0ff3e61639aa3d1a1265f41f8b34e5b6, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2015-10-14 12:00:00 UTC', expires `2020-10-09 12:00:00 UTC', pin-sha256="3kcNJzkUJ1RqMXJzFX4Zxux5WfETK+uL6Viq9lJNn4o="
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1522
|<3>| ASSERT: ocsp.c[find_signercert]:1909
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:865
|<3>| ASSERT: ocsp.c[find_signercert]:1996
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1522
|<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_verify]:2254
|<3>| ASSERT: common.c[_gnutls_x509_get_raw_field2]:1522
|<3>| ASSERT: ocsp.c[find_signercert]:1909
|<3>| ASSERT: common.c[_gnutls_x509_der_encode]:865
|<3>| ASSERT: ocsp.c[find_signercert]:1996
|<3>| ASSERT: ocsp.c[gnutls_ocsp_resp_get_single]:1562
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
|<3>| ASSERT: dn.c[_gnutls_x509_compare_raw_dn]:1003
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<3>| ASSERT: common.c[x509_read_value]:698
- Status: The certificate is trusted. 
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 149
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 149
|<5>| REC[0x560f51fe4930]: Decrypted Packet[3] Handshake(22) with length: 149
|<4>| HSK[0x560f51fe4930]: SERVER KEY EXCHANGE (12) was received. Length 145[145], frag offset 0, frag length: 145, sequence: 0
|<2>| received curve SECP256R1
|<4>| HSK[0x560f51fe4930]: Selected ECC curve SECP256R1 (2)
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: common.c[x509_read_value]:698
|<3>| ASSERT: extensions.c[_gnutls_get_extension]:65
|<4>| HSK[0x560f51fe4930]: verify handshake data: using ECDSA-SHA256
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 4
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 4
|<5>| REC[0x560f51fe4930]: Decrypted Packet[4] Handshake(22) with length: 4
|<4>| HSK[0x560f51fe4930]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: buffers.c[get_last_packet]:1151
|<3>| ASSERT: buffers.c[_gnutls_handshake_io_recv_int]:1380
|<4>| HSK[0x560f51fe4930]: CLIENT KEY EXCHANGE was queued [70 bytes]
|<4>| REC[0x560f51fe4930]: Sent ChangeCipherSpec
|<5>| REC[0x560f51fe4930]: Initializing epoch #1
|<5>| REC[0x560f51fe4930]: Epoch #1 ready
|<4>| HSK[0x560f51fe4930]: Cipher Suite: ECDHE_ECDSA_CHACHA20_POLY1305
|<4>| HSK[0x560f51fe4930]: Initializing internal [write] cipher sessions
|<4>| HSK[0x560f51fe4930]: recording tls-unique CB (send)
|<4>| HSK[0x560f51fe4930]: FINISHED was queued [16 bytes]
|<5>| REC[0x560f51fe4930]: Preparing Packet Handshake(22) with length: 70 and min pad: 0
|<5>| REC[0x560f51fe4930]: Sent Packet[2] Handshake(22) in epoch 0 and length: 75
|<5>| REC[0x560f51fe4930]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
|<5>| REC[0x560f51fe4930]: Sent Packet[3] ChangeCipherSpec(20) in epoch 0 and length: 6
|<5>| REC[0x560f51fe4930]: Preparing Packet Handshake(22) with length: 16 and min pad: 0
|<5>| REC[0x560f51fe4930]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 202
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 202
|<5>| REC[0x560f51fe4930]: Decrypted Packet[5] Handshake(22) with length: 202
|<4>| HSK[0x560f51fe4930]: NEW SESSION TICKET (4) was received. Length 198[198], frag offset 0, frag length: 198, sequence: 0
|<5>| REC[0x560f51fe4930]: SSL 3.3 ChangeCipherSpec packet received. Epoch 0, length: 1
|<5>| REC[0x560f51fe4930]: Expected Packet ChangeCipherSpec(20)
|<5>| REC[0x560f51fe4930]: Received Packet ChangeCipherSpec(20) with length: 1
|<5>| REC[0x560f51fe4930]: Decrypted Packet[6] ChangeCipherSpec(20) with length: 1
|<4>| HSK[0x560f51fe4930]: Cipher Suite: ECDHE_ECDSA_CHACHA20_POLY1305
|<3>| ASSERT: buffers.c[get_last_packet]:1160
|<5>| REC[0x560f51fe4930]: SSL 3.3 Handshake packet received. Epoch 0, length: 32
|<5>| REC[0x560f51fe4930]: Expected Packet Handshake(22)
|<5>| REC[0x560f51fe4930]: Received Packet Handshake(22) with length: 32
|<5>| REC[0x560f51fe4930]: Decrypted Packet[0] Handshake(22) with length: 16
|<4>| HSK[0x560f51fe4930]: FINISHED (20) was received. Length 12[12], frag offset 0, frag length: 12, sequence: 0
|<5>| REC[0x560f51fe4930]: Start of epoch cleanup
|<5>| REC[0x560f51fe4930]: Epoch #0 freed
|<5>| REC[0x560f51fe4930]: End of epoch cleanup
- Description: (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
- Session ID: BE:CF:43:41:C6:92:1A:1D:65:62:F8:1D:49:47:C8:E3:F8:DF:FE:53:3A:D5:A6:EC:EB:50:BB:E8:D1:73:73:13
|<3>| ASSERT: server_name.c[gnutls_server_name_get]:301
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-ECDSA
- Server Signature: ECDSA-SHA256
- Cipher: CHACHA20-POLY1305
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation, OCSP status request,
|<3>| ASSERT: srtp.c[gnutls_srtp_get_selected_profile]:317
|<3>| ASSERT: alpn.c[gnutls_alpn_get_selected_protocol]:238
- Handshake was completed

- Simple Client Mode:

|<5>| REC[0x560f51fe4930]: SSL 3.3 Alert packet received. Epoch 0, length: 18
|<5>| REC[0x560f51fe4930]: Expected Packet Application Data(23)
|<5>| REC[0x560f51fe4930]: Received Packet Alert(21) with length: 18
|<5>| REC[0x560f51fe4930]: Decrypted Packet[1] Alert(21) with length: 2
|<5>| REC[0x560f51fe4930]: Alert[1|0] - Close notify - was received
|<3>| ASSERT: record.c[_gnutls_recv_in_buffers]:1328
- Peer has closed the GnuTLS connection
|<5>| REC[0x560f51fe4930]: Start of epoch cleanup
|<5>| REC[0x560f51fe4930]: End of epoch cleanup
|<5>| REC[0x560f51fe4930]: Epoch #1 freed
curl -LI https://git.tt-rss.org:443 
$ curl -LI https://git.tt-rss.org:443
HTTP/2 302 
date: Thu, 22 Nov 2018 16:44:23 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=dcf84ccc6d3cb903df6a145d8b87cfe831542905061; expires=Fri, 22-Nov-19 16:44:21 GMT; path=/; domain=.tt-rss.org; HttpOnly
location: /explore
set-cookie: lang=en-US; Path=/; Max-Age=2147483647
set-cookie: i_like_gogs=d87ed6db4f806c10; Path=/; HttpOnly
set-cookie: _csrf=0OplIrqeHuLdMp3nLfdKK55ydzI6MTU0MjkwNTA2MzMyNzU5NzYzMQ%3D%3D; Path=/; Expires=Fri, 23 Nov 2018 16:44:23 GMT; HttpOnly
x-varnish: 310423
age: 0
via: 1.1 varnish (Varnish/5.0)
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 47dcdc3aedbf93ae-SJC

HTTP/2 302 
date: Thu, 22 Nov 2018 16:44:24 GMT
content-type: text/html; charset=utf-8
set-cookie: __cfduid=d2d66bb191a545a8df3058d8c3177e0891542905063; expires=Fri, 22-Nov-19 16:44:23 GMT; path=/; domain=.tt-rss.org; HttpOnly
location: /explore/repos
set-cookie: lang=en-US; Path=/; Max-Age=2147483647
set-cookie: i_like_gogs=9293eebffcc3b01a; Path=/; HttpOnly
set-cookie: _csrf=kiUrYAyLh9xPWsEzOaiyw5gTDzY6MTU0MjkwNTA2NDEwODQ0MjczNQ%3D%3D; Path=/; Expires=Fri, 23 Nov 2018 16:44:24 GMT; HttpOnly
x-varnish: 768012
age: 0
via: 1.1 varnish (Varnish/5.0)
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 47dcdc467bf393ae-SJC

HTTP/2 200 
date: Thu, 22 Nov 2018 16:44:24 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=de26f9d6bc065a1d3f632da9aea06e1611542905064; expires=Fri, 22-Nov-19 16:44:24 GMT; path=/; domain=.tt-rss.org; HttpOnly
set-cookie: lang=en-US; Path=/; Max-Age=2147483647
set-cookie: i_like_gogs=51897f19e102da09; Path=/; HttpOnly
set-cookie: _csrf=YbO8VYEtwsCct6ELUolLLnYFs8U6MTU0MjkwNTA2NDMxNTEzNTE3Mg%3D%3D; Path=/; Expires=Fri, 23 Nov 2018 16:44:24 GMT; HttpOnly
x-varnish: 310426
age: 0
via: 1.1 varnish (Varnish/5.0)
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 47dcdc4b4e3f93ae-SJC
3

How old is your gnutls? I ask because even before the point at which yours fails (seems to be during CLIENT HELLO, some negotiation of ciphers?) the output is different from mine (gnutls-cli 3.5.8 & libgnutls 3.5.8 - both from Debian stable).

4 
$ gnutls-cli -v v
gnutls-cli 3.5.18
5

FWIW the openssl s_client is failing because you need to specify -servername as well. This works:

openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org

gnutls-cli appears to do SNI by default though.

6

Bear in mind that I’m not the one with the problem - that’s @Kierun; I was just showing the output on my apparently working system for them to compare to.

Anyway - my box:

openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org 
$ openssl s_client -connect git.tt-rss.org:443 -servername git.tt-rss.org
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = CloudFlare Inc ECC CA-2
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = sni.cloudflaressl.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
   i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
 1 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE4zCCBImgAwIBAgIQBKko16qMp2eXA/xn5mLL6TAKBggqhkjOPQQDAjBvMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
GTAXBgNVBAoTEENsb3VkRmxhcmUsIEluYy4xIDAeBgNVBAMTF0Nsb3VkRmxhcmUg
SW5jIEVDQyBDQS0yMB4XDTE4MTExNjAwMDAwMFoXDTE5MTExNjEyMDAwMFowbTEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2Nv
MRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMR4wHAYDVQQDExVzbmkuY2xvdWRm
bGFyZXNzbC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASkEO0AuifPZJn5
eReMmficjveNRBneTJbEKuVHm6ZuCdqOg4up12DH/iqytvgrheK/N/5j2C85U5SP
4hi6ux7/o4IDBzCCAwMwHwYDVR0jBBgwFoAUPnQtH89FdQR+P8Cihz5MQ4NRE8Yw
HQYDVR0OBBYEFIFwWnX3YNTJUuJF1BibWBX2+Cg1MDoGA1UdEQQzMDGCCnR0LXJz
cy5vcmeCDCoudHQtcnNzLm9yZ4IVc25pLmNsb3VkZmxhcmVzc2wuY29tMA4GA1Ud
DwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIweQYDVR0f
BHIwcDA2oDSgMoYwaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Nsb3VkRmxhcmVJ
bmNFQ0NDQTIuY3JsMDagNKAyhjBodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vQ2xv
dWRGbGFyZUluY0VDQ0NBMi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAo
BggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwB
AgIwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdp
Y2VydC5jb20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNv
bS9DbG91ZEZsYXJlSW5jRUNDQ0EtMi5jcnQwDAYDVR0TAQH/BAIwADCCAQUGCisG
AQQB1nkCBAIEgfYEgfMA8QB3AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6
qP3LAAABZx20x3UAAAQDAEgwRgIhAMlI9DOHtkPCL+M4TSqEXEymTsIa8h4gfEmA
d3fU2qhzAiEAspWYZFc7q98ekLTxzS1BwG56u7vfBQSVUmW7tjp3aTAAdgB0ftqD
Ma0zEJEhnM4lT0Jwwr/9XkIgCMY3NXnmEHvMVgAAAWcdtMdPAAAEAwBHMEUCIQCG
Pc8U3hY+cmqJWTpgzRacMnsZAgA1PzyzoXytUwdG0gIgdOXmVawnUgoLvQS7x+g7
Qo1tLAGIika5WPAZqjtNvccwCgYIKoZIzj0EAwIDSAAwRQIgKLr/HsIiux/YLPWh
DLF+bS6WzJhA198FAPyOAqtnpEcCIQCLeUV4thDF1E8Ls1M8tx4fVK7mv4wiAFtD
rxvmmiJUtg==
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=sni.cloudflaressl.com
issuer=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2654 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 6F4AF663756049C0BFB44D7F31A4A4F980CDAA24EFB12C13D203479DB3B900C6
    Session-ID-ctx: 
    Master-Key: 4671A9361163828485F10B6F4F650BFF06A4CCCA1A51F242DCC689996106DEEA184175D2FB7DAC4F2237AC21CF8DB6B3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - 06 b2 80 4e 7e 28 97 eb-f0 74 7b ed 1c 87 50 b7   ...N~(...t{...P.
    0010 - 9b 7e 8f 29 39 f2 e3 64-e8 06 01 61 6c 8a 59 e0   .~.)9..d...al.Y.
    0020 - dd 5f 9f 1d 94 28 9e 1f-68 5a 44 52 8c 3d f5 3c   ._...(..hZDR.=.<
    0030 - 42 f3 71 07 a8 b4 71 f1-5c 1f 38 12 a0 92 cf ef   B.q...q.\.8.....
    0040 - 6a d8 f0 4e b6 cc fc af-a3 ff 70 e4 f0 47 31 cc   j..N......p..G1.
    0050 - 71 1f 19 3d c8 7f cc 2e-c4 7e a2 29 ae 8b 94 70   q..=.....~.)...p
    0060 - 3d 5a 9f 97 bb c0 3f 35-7e f5 0c d7 7b be df f7   =Z....?5~...{...
    0070 - 1c af ae 2b 06 70 f3 f3-c3 3c c1 37 a9 c5 92 f0   ...+.p...<.7....
    0080 - 3d 85 d5 e6 f1 d3 72 5c-44 13 e3 7e 10 1e 99 49   =.....r\D..~...I
    0090 - 7d 5f cf df ec ea aa 75-4b 07 18 6a f2 b1 01 21   }_.....uK..j...!
    00a0 - 55 38 c5 d1 2a ba 11 0e-65 ea 74 a7 01 67 52 2e   U8..*...e.t..gR.
    00b0 - 0f b4 1f a2 6b 13 3b 91-43 97 47 03 ca a7 7d 25   ....k.;.C.G...}%

    Start Time: 1542907768
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
^C
7

@fox
Did you end up enabling cloudflare?

SSLLabs is showing an ECDSA certificate only. Some clients only support RSA certificates.

8

yes. i’m sorry guys but you’ll have to use git over https for the time being.
it should work both ways (for pushes) but you’ll have to enter your gogs password.

https://git.tt-rss.org/git/tt-rss/

this particular url should work, it does work for me
maybe cloudflare doesn’t like your IP :frowning:

e: known contributors who want to use git over ssh, PM me for the super-secret™ exposed server IP.

9

I don’t have a Cloudflare account so I can’t check. But is there an option to enable RSA certificates? That may fix OP’s issue.

10

I don’t think you can enable older ciphers, for free anyway

11

I’ve got the same error…

[~/public_html/rss]# git pull origin master
error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure while accessing https://tt-rss.org/git/tt-rss.git/info/refs?service=git-upload-pack
fatal: HTTP request failed

I have NO idea what to do…could someone explain what to do or the files to change

Thanks,
Stacey

12

the tldr version is that software on your server is likely too old (what distro are you running?) and doesn’t support necessary ciphers

my ssl setup for tt-rss.org has been somewhat conservative with disabling older stuff, cloudflare has a different approach

e: in all fairness both my debian jessie (released 2015) and centos 6 (released god knows when, updated to 6.10) can check out from cloudflare just fine. if you’re using something even older and unmaintained, maybe it’s time to finally upgrade, if only for all the vulnerabilities this setup is going to have.

13

Hi Fox,

Thanks for the quick response.

I’m trying to get my config from my hosting company, for now, is there a work around?

Stacey

14

Here goes:

; gnutls-cli -v v
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.8)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Nikos Mavrogiannopoulos.

Hum… Too old?

15

And I got giggled at for running php 5.ancient:speak_no_evil:

I’ll shut up now…

16

oh yikes!

/20charRRrrrrRrRr

17

The joys of running Ubuntu⸮… Such up to date systems.

18

ii libgnutls30:amd64 3.5.18-1ubuntu1

the trick with ubuntu is not running 12.04, forever

19

So, fun times. Trusty has the same version for git.

ii  git                      1:1.9.1-1ubuntu0. amd64             fast, scalable, distributed revision control system

depends on

 ii  libcurl3-gnutls:amd64    7.35.0-1ubuntu2.1 amd64             easy-to-use client-side URL transfer library (GnuTLS

depends on

ii  libgnutls26:amd64        2.12.23-12ubuntu2 amd64             GNU TLS library - runtime library
20

Since I was running Trusty (14.something), that’s not a shock. :smiling_face: