apt-get update error for syncthing on Debian / Ubuntu

Alex_Helfet · October 23, 2019, 7:53am

I get the following error running an apt-get update on Ubuntu 14.04.6 LTS:

W: Failed to fetch https://apt.syncthing.net/dists/syncthing/stable/binary-amd64/Packages  gnutls_handshake() failed: Handshake failed

W: Failed to fetch https://apt.syncthing.net/dists/syncthing/stable/binary-i386/Packages  gnutls_handshake() failed: Handshake failed

Running gnutls-cli for more info I get:

% gnutls-cli apt.syncthing.net -p 443 -d 3
Resolving 'apt.syncthing.net'...
Connecting to '82.196.13.137:443'...
|<2>| ASSERT: gnutls_constate.c:695
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x1b8dc40]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x1b8dc40]: Sending extension SERVER NAME (22 bytes)
|<2>| EXT[0x1b8dc40]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x1b8dc40]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x1b8dc40]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x1b8dc40]: CLIENT HELLO was sent [142 bytes]
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2773
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

I can view https://apt.syncthing.net/ fine and download the package files in Chrome.

A workaround is to substitute http for https in /etc/apt/sources.list.d/syncthing.list.

calmh · October 23, 2019, 8:26am

Probably your TLS stack is too old. You’re probably fine with HTTP. It’s what Debian and Ubuntu themselves use for their package archives.

system · November 22, 2019, 8:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.