Unable to connect to server (SSL Error)

Get help with all aspects of SABnzbd
Forum rules
Help us help you:
  • Are you using the latest stable version of SABnzbd? Downloads page.
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
User avatar
sander
Release Testers
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Unable to connect to server (SSL Error)

Post by sander »

Interesting, useful analysis!
fatgeek wrote:
So, I'm starting to think that the issue lies with unRAID, but have no idea how.
Technicaly I can think of one thing, which I find very unlikely: unRAID blocking SSL-traffic to news.altopia.com. That's easy to check from within the linuxserver/sabnzbd docker container:

Code: Select all

openssl s_client  -connect news.altopia.com:563
You should get

Code: Select all

200 Check out http://www.altopia.com/ for info about NNTP access (posting ok).
and then you can type HELP, and then QUIT

EDIT:
As Altopia also offers older SSL on port 666, you can try too:

Code: Select all

openssl s_client  -connect news.altopia.com:666
And try port 666 too from SABnzbd.
fatgeek
Newbie
Newbie
Posts: 23
Joined: December 9th, 2015, 6:15 pm

Re: Unable to connect to server (SSL Error)

Post by fatgeek »

I was screwing with s_client earlier. When I try to connect from the unRAID server itself, I get:

Code: Select all

root@tower:~# openssl s_client -connect news.altopia.com:563
CONNECTED(00000003)
And nothing else. HELP doesn't work, and either does QUIT. I have to Ctrl+C out of it.

When I do it from within the docker container:

Code: Select all

root@tower:~# docker exec -it sabnzbd /bin/bash
root@1fd8893aef7f:/# openssl s_client -connect news.altopia.com:563
CONNECTED(00000003)
Same behavior. No idea what is going on here.


EDIT:

666 does the same thing:

Code: Select all

root@1fd8893aef7f:/# openssl s_client -connect news.altopia.com:666
CONNECTED(00000003)
Doesn't work in Sab either.
User avatar
sander
Release Testers
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Unable to connect to server (SSL Error)

Post by sander »

So the problem is not in SABnzbd nor python.
It's in the host OS, or in the network

Below is the normal sequence

Code: Select all

sander@Streamer13:~$ openssl s_client  -connect news.altopia.com:563
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.altopia.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.altopia.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTzCCBTegAwIBAgIRAMngzmmClSeUI+u6AdKa4q0wDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTYwNzI3MDAwMDAwWhcNMTkwNzI3MjM1OTU5WjBaMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHTAbBgNVBAsTFFBvc2l0aXZlU1NMIFdp
bGRjYXJkMRYwFAYDVQQDDA0qLmFsdG9waWEuY29tMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAv5nurlonAgISy7KO8hD7cpYanviNFpTbBXwUa087HEGY
zF7Aptcck+tgGOt22KOgTMPAV3FZNgCnJsYEC2v70SL5VB+ZglB0dOJRIJZ0Hm46
6tSFLZ1kGEYUGRI7T7ZnR9PEzpzOJqFYD6dxOVTTgvvjHD7IpP6F9QWFEI89s5js
17Iy4xo34JEba3QTe3WwGuai/l4gEay0aV0T63Vq3wYkAWIMlozRj+ZvjgSpDf57
YvEwT4v2SRI6c/7cAuyq/65pTXETHrJCDOHJS1idErx6TtFbz43onkOHT706KnTJ
Dt1qtNUPD6wDTL2DWNcE+oxG7D4Q5//g1v02l24EhUpf3MkFxvkLpDuadI3rLbBC
8Ey54SKqTNclr0SQ4e5IQlqWfmhAuAFWurmVRuxr1oN9PCSMRwoD/IlOHXMV/ppw
mU3H2L/clmhU2TAOk7v8JLk5v5Tp8HVvKyHpo8ivWExHKNOKT9KzBAp2Rd6zLF5v
xgydqRCcr+l8dSWCk3tvyh4gWvkhn5drLTuHpm9MKt2PM0GTwDB5IRQjSSdciB0R
7QuPVHI+m5jy/znd5WKhwCT5L2KmfC/COIAPkDavXQwKuyjtgP5fwhkEiSEMbH5j
BNssWwLZC0CYuavItQ2Nho35rnHlh2raBVfoX7sLKCCz39djigMbMO06azpCLcsC
AwEAAaOCAdcwggHTMB8GA1UdIwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0G
A1UdDgQWBBTBkxalasYXlKsM6biWtOe04GWfzjAOBgNVHQ8BAf8EBAMCBaAwDAYD
VR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0g
BEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3Vy
ZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0
cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNl
Y3VyZVNlcnZlckNBLmNybDCBhQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNo
dHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9u
U2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wJQYDVR0RBB4wHIINKi5hbHRvcGlhLmNvbYILYWx0b3BpYS5jb20w
DQYJKoZIhvcNAQELBQADggEBABkIQC2+eW/0A+ThEHNsK6f7AXclCYyspC9FKgD/
EDFjRiSECi1j7qb6tD2EyV1qNN2zkAk+Uc+qfOUfbOWY2fHw4eCllfItksJz+Ye0
K50jGJ/I71r6iBisntPtq3d54etAc+9VIPjcfWdwJG3r3lSYTFQPdPMkVn17HsiO
hNLOt1Ns505YYX89a/P+DOXM25P6V5JtnJu2yhS4BHHAJDPCCIMbGrK3tph9NSNO
BzqiPv1tOyicvUvwalm6fO6OUwhsU1BSJ4Q08kwg02XxH357kRb/jN63OblDeibo
tmE0GsEF134PCF7hJ2eMrW5e6ugvwLXM60RSD03x8Rb9WgU=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.altopia.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6573 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 51EC74BA4965201307B48767575325BB6ACF49A43D3DDE1E90DEF16D46906E14
    Session-ID-ctx: 
    Master-Key: A3DB31025299BED280B17C93FBE65150C073010904796847D98B0A4B34F6EA17BB68E50F2ABE28779414BC1579259C1B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2a a6 6c 0e 9f 1b e9 84-97 27 80 3f df 06 fc b6   *.l......'.?....
    0010 - 4a a5 74 9a 76 1e 05 59-f3 25 2b 58 49 3d 12 59   J.t.v..Y.%+XI=.Y
    0020 - 5f a7 e5 d8 39 99 6f 4c-44 12 2c d4 ad 3b b7 e1   _...9.oLD.,..;..
    0030 - 98 c4 70 0d bb 62 d3 d1-d4 f1 b3 d0 28 66 85 0d   ..p..b......(f..
    0040 - 61 c9 47 6c 0b a2 9d e9-85 01 3e 44 35 b6 ba 14   a.Gl......>D5...
    0050 - b4 93 ae 85 f1 3f 48 7d-44 f3 a9 db 9a 3b 32 a9   .....?H}D....;2.
    0060 - 7f 25 8a 35 e5 23 81 45-34 f4 f0 41 a4 c1 24 12   .%.5.#.E4..A..$.
    0070 - ad 3c 32 0a 80 8d 90 df-13 4c 3f f0 af c9 8c e3   .<2......L?.....
    0080 - 48 ba 25 8d e0 23 7a ca-6a e3 e4 39 a4 4d ea 3f   H.%..#z.j..9.M.?
    0090 - cb 7e 14 e1 00 53 99 43-4f 72 14 cd fa 5c a9 23   .~...S.COr...\.#

    Start Time: 1489043262
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
200 Check out http://www.altopia.com/ for info about NNTP access (posting ok).
HELP
100 Legal commands
  authinfo user Name|pass Password
  starttls
  article [MessageID|Number]
  body [MessageID|Number]
  date
  group newsgroup
  head [MessageID|Number]
  help
  ihave MessageID
  last
  list [active|active.times|extensions|newsgroups|distributions|distrib.pats|overview.fmt|subscriptions|motd]
  listgroup newsgroup
  mode reader
  newgroups [YY]yymmdd hhmmss ["GMT"]
  newnews newsgroups [YY]yymmdd hhmmss ["GMT"]
  next
  post
  slave
  stat [MessageID|Number]
  xgtitle [group_pattern]
  xhdr header [range|MessageID]
  xover [range]
  xpat header range|MessageID pat [morepat...]
  xpath MessageID
Report problems to <[email protected]>
Altopia Usenet access info at: http://www.altopia.com/
.
QUIT
DONE
sander@Streamer13:~$
fatgeek
Newbie
Newbie
Posts: 23
Joined: December 9th, 2015, 6:15 pm

Re: Unable to connect to server (SSL Error)

Post by fatgeek »

Correct, it does not appear to be SABnzbd or Python related. I do appreciate your efforts though.
User avatar
sander
Release Testers
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Unable to connect to server (SSL Error)

Post by sander »

Another long shot: could it be Altopia is blocking your SSL requests?

Easy check: you said nzbget on Windows worked to altopia-ssl ... so, is that on the same home network, through the same NAT, so from the same public IP address?
... Or is your unRAID on another network?
fatgeek
Newbie
Newbie
Posts: 23
Joined: December 9th, 2015, 6:15 pm

Re: Unable to connect to server (SSL Error)

Post by fatgeek »

A resolution for the curious (and because I hate stumbling across threads for weird issues like this with no resolution)

The issue ended up being that my unRAID box had jumbo frames enabled. How, I do not know.

I worked with Altopia's support and they ran a tcpdump while I connected and spotted the issue. I reset my MTU and it connected right away.

Again, thanks for the help.
User avatar
safihre
Administrator
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am
Contact:

Re: Unable to connect to server (SSL Error)

Post by safihre »

Thanks for letting us know!
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
User avatar
sander
Release Testers
Release Testers
Posts: 8811
Joined: January 22nd, 2008, 2:22 pm

Re: Unable to connect to server (SSL Error)

Post by sander »

Jumboframes and MTU ... coooll! I didn't know those problems still occured.

And kudo's to Altopia for running tcpdump!
Post Reply