
Re: SSL/TLS debugging on MariaDB - tos minclock 4 minsane 1



Andrew,

I was not even aware of the move from NTP to NTPsec. Thanks for posting. I should [fully] read the release notes.

https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#changes-to-packages-that-set-the-system-clock
5.1.2. Changes to packages that set the system clock
The ntp package, which used to be the default way to set the system clock from a Network Time Protocol (NTP) server, has been replaced by ntpsec.

When I did a bit of research I found this comment which seems similar to your issue (well at least to me it does):

https://forums.debian.net/viewtopic.php?t=156136
/etc/ntpsec/ntp.conf

Re: NTPSec: no servers found error despite finding the server
#3 Post by michael_S » 2023-09-26 13:54
Solved the problem for me. The cause behind this behaviour is the following line in /etc/ntpsec/ntp.conf
tos minclock 4 minsane 3

The option minsane 3 implies (to my understanding) that the ntpd wants at least 3 "good" NTP servers, i.e. servers that somewhat agree. I changed this to
tos minclock 4 minsane 2

And now it works for me with 2 NTP servers available. If you only have a single NTP server, changing this to 1 should work - but naturally there won't be any redundancy in there.
Last edited by michael_S on 2023-09-26 13:55, edited 1 time in total.

https://docs.ntpsec.org/latest/miscopt.html
minsane minsane

    Specify the number of servers used by the selection algorithm as the minimum to set the system clock. The default is 1 for legacy purposes; however, for critical applications the value should be somewhat higher (e.g. 3) but less than minclock.


Please let me know if the above solves your problem?

George.

https://docs.ntpsec.org/latest/quick.html




On Tuesday, 24-09-2024 at 06:05 Andrew Wood wrote:
Hi

Is there a way to get MariaDB on Bookworm to log verbosely everything
to do with connection attempts in order to try and debug why a client
keeps getting error 2026 SSL connection error: protocol version mismatch?

There is currently nothing being logged on the server other than:

 [Warning] Aborted connection 332 to db: 'unconnected' user:
'unauthenticated' host: '192.168.253.231' (This connection closed
normally without authentication)

SHOW GLOBAL VARIABLES LIKE 'tls_version'; gives TLSv1.1,TLSv1.2,TLSv1.3
and the client is based on a relatively recent version of libmysqlclient
so I'm struggling to understand what is going wrong without some more
detailed logging. I can't find anything in the MariaDB manual.

Thanks

Andrew
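
The minsane check described in the forum post and NTPsec documentation quoted above, as an added example that is not part of the original messages or of NTPsec itself. The function names and the sample hostnames are constructed; only `server` and `pool` lines are counted as time sources, and a `pool` line is treated as an unknown number of servers.

```python
# Constructed sample resembling the /etc/ntpsec/ntp.conf discussed above.
SAMPLE_CONF = """\
# constructed sample, not a real host's configuration
driftfile /var/lib/ntpsec/ntp.drift
tos minclock 4 minsane 3
server ntp1.example.net iburst
server ntp2.example.net iburst   # second source
"""

def parse_ntp_conf(text):
    """Return (tos options dict, count of server lines, count of pool lines)."""
    tos, servers, pools = {}, 0, 0
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword == "tos":
            # tos takes "name value" pairs, e.g. "minclock 4 minsane 3"
            for name, value in zip(args[0::2], args[1::2]):
                tos[name.lower()] = value
        elif keyword == "server":
            servers += 1
        elif keyword == "pool":
            pools += 1
    return tos, servers, pools

def check_minsane(text):
    """Return a list of warnings about tos minsane versus configured sources."""
    tos, servers, pools = parse_ntp_conf(text)
    minsane = int(tos.get("minsane", 1))   # documented default is 1
    warnings = []
    if servers < minsane and pools == 0:
        warnings.append(f"minsane {minsane} but only {servers} server line(s): "
                        "fewer sources than the minimum needed to set the clock")
    elif servers < minsane:
        warnings.append(f"minsane {minsane} relies on the pool supplying at "
                        f"least {minsane - servers} usable server(s)")
    # The documentation quoted above says minsane should be less than minclock.
    if "minclock" in tos and minsane >= int(tos["minclock"]):
        warnings.append(f"minsane {minsane} is not less than "
                        f"minclock {tos['minclock']}")
    return warnings

if __name__ == "__main__":
    for line in check_minsane(SAMPLE_CONF) or ["no minsane problems found"]:
        print(line)
```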
