
Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 1:52 am
by sander
Interesting, useful analysis!
fatgeek wrote:
So, I'm starting to think that the issue lies with unRAID, but have no idea how.
Technically I can think of one thing, which I find very unlikely: unRAID blocking SSL-traffic to news.altopia.com. That's easy to check from within the linuxserver/sabnzbd docker container:

Code:

openssl s_client  -connect news.altopia.com:563
You should get

Code:

200 Check out http://www.altopia.com/ for info about NNTP access (posting ok).
and then you can type HELP, and then QUIT

EDIT:
As Altopia also offers older SSL on port 666, you can try too:

Code:

openssl s_client  -connect news.altopia.com:666
And try port 666 too from SABnzbd.

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 2:01 am
by fatgeek
I was screwing with s_client earlier. When I try to connect from the unRAID server itself, I get:

Code:

root@tower:~# openssl s_client -connect news.altopia.com:563
CONNECTED(00000003)
And nothing else. HELP doesn't work, and neither does QUIT. I have to Ctrl+C out of it.

When I do it from within the docker container:

Code:

root@tower:~# docker exec -it sabnzbd /bin/bash
root@1fd8893aef7f:/# openssl s_client -connect news.altopia.com:563
CONNECTED(00000003)
Same behavior. No idea what is going on here.


EDIT:

666 does the same thing:

Code:

root@1fd8893aef7f:/# openssl s_client -connect news.altopia.com:666
CONNECTED(00000003)
Doesn't work in Sab either.

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 2:11 am
by sander
So the problem is not in SABnzbd nor python.
It's in the host OS, or in the network.

Below is the normal sequence:

Code:

sander@Streamer13:~$ openssl s_client  -connect news.altopia.com:563
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.altopia.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.altopia.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.altopia.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6573 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 51EC74BA4965201307B48767575325BB6ACF49A43D3DDE1E90DEF16D46906E14
    Session-ID-ctx: 
    Master-Key: A3DB31025299BED280B17C93FBE65150C073010904796847D98B0A4B34F6EA17BB68E50F2ABE28779414BC1579259C1B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1489043262
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
200 Check out http://www.altopia.com/ for info about NNTP access (posting ok).
HELP
100 Legal commands
  authinfo user Name|pass Password
  starttls
  article [MessageID|Number]
  body [MessageID|Number]
  date
  group newsgroup
  head [MessageID|Number]
  help
  ihave MessageID
  last
  list [active|active.times|extensions|newsgroups|distributions|distrib.pats|overview.fmt|subscriptions|motd]
  listgroup newsgroup
  mode reader
  newgroups [YY]yymmdd hhmmss ["GMT"]
  newnews newsgroups [YY]yymmdd hhmmss ["GMT"]
  next
  post
  slave
  stat [MessageID|Number]
  xgtitle [group_pattern]
  xhdr header [range|MessageID]
  xover [range]
  xpat header range|MessageID pat [morepat...]
  xpath MessageID
Report problems to <support@altopia.com>
Altopia Usenet access info at: http://www.altopia.com/
.
QUIT
DONE
sander@Streamer13:~$

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 2:38 am
by fatgeek
Correct, it does not appear to be SABnzbd or Python related. I do appreciate your efforts though.

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 3:11 am
by sander
Another long shot: could it be Altopia is blocking your SSL requests?

Easy check: you said nzbget on Windows worked to altopia-ssl ... so, is that on the same home network, through the same NAT, so from the same public IP address?
... Or is your unRAID on another network?

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 3:44 am
by fatgeek
A resolution for the curious (and because I hate stumbling across threads for weird issues like this with no resolution)

The issue ended up being that my unRAID box had jumbo frames enabled. How, I do not know.

I worked with Altopia's support and they ran a tcpdump while I connected and spotted the issue. I reset my MTU and it connected right away.

Again, thanks for the help.
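
The check behind the fix above, as an added example that is not part of the original posts: it lists interfaces whose MTU is above standard Ethernet and probes the path MTU with don't-fragment pings. The 1500-byte baseline, the candidate sizes and the sample `ip -o link show` output are assumptions constructed for illustration; `ping -M do` is the Linux iputils option.

```shell
#!/bin/sh
# Added example: audit interface MTUs and probe the path MTU to a host.

STANDARD_MTU=1500   # assumption: ordinary Ethernet path to the internet

# Read `ip -o link show` output on stdin; print "iface mtu" for every
# non-loopback interface whose MTU exceeds the standard Ethernet size.
jumbo_ifaces() {
    awk -v max="$STANDARD_MTU" '
        {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            if (name == "lo") next
            for (i = 3; i < NF; i++)
                if ($i == "mtu" && $(i + 1) + 0 > max) print name, $(i + 1)
        }'
}

# ICMP payload that fills one IPv4 packet of the given MTU exactly
# (20-byte IP header + 8-byte ICMP header).
df_payload() {
    echo $(( $1 - 28 ))
}

# Send one don't-fragment ping per candidate MTU, largest first, and print
# the first size that gets a reply (Linux iputils ping: -M do sets DF).
probe_path_mtu() {
    host=$1
    for mtu in 9000 4000 1500 1492 1400 1280; do
        if ping -c 1 -W 2 -M do -s "$(df_payload "$mtu")" "$host" >/dev/null 2>&1; then
            echo "$mtu"
            return 0
        fi
    done
    return 1
}

# Constructed sample of `ip -o link show` output (not from the thread).
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT group default qlen 1000
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
4: veth1a2b@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default'

# On a live host: ip -o link show | jumbo_ifaces ; probe_path_mtu news.altopia.com
printf '%s\n' "$SAMPLE_LINKS" | jumbo_ifaces
```

An interface reported by `jumbo_ifaces` together with a `probe_path_mtu` result below that interface's MTU points at the kind of mismatch described in the post above.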

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 3:53 am
by safihre
Thanks for letting us know!

Re: Unable to connect to server (SSL Error)

Posted: March 9th, 2017, 3:55 am
by sander
Jumboframes and MTU ... coooll! I didn't know those problems still occurred.

And kudos to Altopia for running tcpdump!