Rocky 8.5 GnuTLS: An unexpected TLS packet was received

Hello. I recently migrated from CentOS 8 to Rocky 8 (8.5) using the Rocky Linux migration script. The migration went smoothly. However, a Perl app that allows file downloads using https (https is provided via stunnel launched via xinetd) has stopped working. The following error occurs:

$ wget https://fqdn/file.tar
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

There have been no changes to the server in terms of hostname, IP, SSL certs, or other configuration. Testing the SSL connection via openssl seems to indicate everything is well:

$ openssl s_client -debug -connect fqdn:443

SSL handshake has read 5 bytes and written 325 bytes
Verification: OK

Verify return code: 0 (ok)

stunnel logs also don’t indicate any errors. I reinstalled Perl SSL modules but it had no effect. So I'm not sure what may be going on. Any help/pointers would be appreciated.

Other relevant info:

$ cat /etc/redhat-release
Rocky Linux release 8.5 (Green Obsidian)

$ dnf list installed | grep -i tls
gnutls.x86_64 3.6.16-4.el8 @baseos
gnutls-dane.x86_64 3.6.16-4.el8 @appstream
gnutls-utils.x86_64 3.6.16-4.el8 @appstream
rsyslog-gnutls.x86_64 8.2102.0-5.el8 @appstream

$ dnf list installed | grep -i ssl
apr-util-openssl.x86_64 1.6.1-6.el8.1 @appstream
mod_ssl.x86_64 1:2.4.37-43.module+el8.5.0+714+5ec56ee8 @appstream
openssl.x86_64 1:1.1.1k-4.el8 @baseos
openssl-devel.x86_64 1:1.1.1k-4.el8 @baseos
openssl-libs.x86_64 1:1.1.1k-4.el8 @baseos
openssl-pkcs11.x86_64 0.4.10-2.el8 @baseos
perl-IO-Socket-SSL.noarch 2.066-4.module+el8.4.0+512+d4f0fc54 @appstream
perl-Net-SSLeay.x86_64 1.88-1.module+el8.4.0+512+d4f0fc54 @appstream
python3-pyOpenSSL.noarch 19.0.0-1.el8 @appstream
xmlsec1-openssl.x86_64 1.2.25-4.el8 @appstream

$ dnf list installed | grep -i stunnel
stunnel.x86_64 5.56-5.el8_3 @baseos

I’m getting this same error using RL v8.6.

Any guidance?

Here is what I’m seeing:

$ wget "https://tms.byron.zeetix.com:6060"
--2022-10-05 12:58:30--  https://tms.byron.zeetix.com:6060/
Resolving tms.byron.zeetix.com (tms.byron.zeetix.com)... 54.144.238.19
Connecting to tms.byron.zeetix.com (tms.byron.zeetix.com)|54.144.238.19|:6060... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.

The port (6060) is open (according to firewall-cmd) and has a listener. I see no indication from the listener (a nodejs service) that it’s receiving anything.

Have you checked the TLS protocol version they are running at ‘tms.byron.zeetix.com’?

My case turned out to be a “feature” of working in the AWS/EC2 ecosystem. I was attempting the “wget” on either the same machine or from my home machine connecting to an AWS/EC2 instance.

I’ve lost track of the intricacies (after I got it working). I’m under the (empirical) impression that AWS “elastic IP addresses” are not available for secure connections on the same Amazon “Virtual Private Cloud”. The IP address noted in the above example is a public address. One step towards getting that “wget” to work was editing /etc/hosts on the originating machine to bind the domain name to the internal AWS/EC2 address assigned by Amazon.

One change worth noting is that I got this error while using a listener (on 6060) provided from a dated “sample” provided by “auth0”. I replaced that listener with one I built myself from “node express” that I know works and that I know how to debug.

My bottom line is I treat this complaint (“An unexpected TLS packet was received”) as my system’s way of telling me that I screwed up the connection configuration (IP address, ports, etc).
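
Added example, not written by any poster in this thread: a TLS record header is 5 bytes (type, version, length), so decoding the first bytes a listener returns, for instance from the hex dump that `openssl s_client -debug` prints, shows whether the port answered with a TLS record, a TLS alert, plaintext, or nothing. The function names `classify_reply` and `from_hex_dump` and all sample bytes are constructed for illustration.

```python
import struct

# TLS record content types and a few alert descriptions (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          80: "internal_error", 112: "unrecognized_name"}
PLAINTEXT = {b"HTTP/": "http", b"<html": "http", b"<!DOC": "http",
             b"SSH-": "ssh", b"220 ": "smtp_or_ftp"}


def classify_reply(data: bytes) -> dict:
    """Classify the first bytes a listener sent in reply to a ClientHello."""
    if not data:
        return {"kind": "empty"}  # peer closed or never answered
    for prefix, proto in PLAINTEXT.items():
        if data.startswith(prefix):
            return {"kind": "plaintext", "protocol": proto}
    if len(data) < 5:
        return {"kind": "truncated", "have": len(data)}
    # Record header: 1-byte type, 2-byte version, 2-byte length (big endian).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
        return {"kind": "not_tls", "first_bytes": data[:5].hex()}
    info = {"kind": "tls", "record": CONTENT_TYPES[ctype],
            "version": f"{major}.{minor}", "length": length,
            "complete": len(data) >= 5 + length}
    if ctype == 21 and len(data) >= 7:  # unencrypted alert: level, description
        info["level"] = ALERT_LEVELS.get(data[5], "unknown")
        info["alert"] = ALERTS.get(data[6], f"code_{data[6]}")
    return info


def from_hex_dump(text: str) -> bytes:
    """Accept space- or colon-separated hex as copied from a capture."""
    return bytes.fromhex(text.replace(":", " "))


# Constructed samples, not captured from any host in this thread.
SAMPLES = {
    "server_hello_header": from_hex_dump("16 03 03 00 7a"),
    "fatal_alert": from_hex_dump("15:03:03:00:02:02:28"),
    "plain_http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "closed": b"",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_reply(raw))
```

A "plaintext" or "empty" result points at the listener or the path to it (wrong port, wrong address, a service not speaking TLS) rather than at certificates or the client's TLS library.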