Discussion: SSL/TLS debugging on MariaDB
Andrew Wood
2024-09-23 20:10:01 UTC
Hi

Is there a way to get MariaDB on Bookworm to log verbosely everything
to do with connection attempts in order to try and debug why a client
keeps getting error 2026 SSL connection error: protocol version mismatch?

There is currently nothing being logged on the server other than:

 [Warning] Aborted connection 332 to db: 'unconnected' user:
'unauthenticated' host: '192.168.253.231' (This connection closed
normally without authentication)

SHOW GLOBAL VARIABLES LIKE 'tls_version'; gives TLSv1.1,TLSv1.2,TLSv1.3
and the client is based on a relatively recent version of libmysqlclient
so I'm struggling to understand what is going wrong without some more
detailed logging. I can't find anything in the MariaDB manual.

Thanks

Andrew
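An added example, not from this thread and not MariaDB's own code: MariaDB sends its greeting in cleartext before any TLS happens, and the client only switches to TLS after it sends an SSLRequest. So a "protocol version mismatch" can mean either that the server never advertised the CLIENT_SSL capability, or that the two sides share no TLS version once it was advertised. The script below reads that greeting, reports whether TLS is on offer, and, if it is, performs the switch with a TLS version you choose, so you can see which versions the server accepts without any server-side logging. The sample packets it decodes offline are constructed by hand (the version string and error text are made up), and the host, port and timeout defaults are assumptions.

```python
"""Decode the MariaDB/MySQL greeting and probe the TLS switch-over.

Added example; the sample packets are constructed, not captured from a server.
"""
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # peer is willing to switch the connection to TLS
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return bytes(buf)


def read_packet(sock):
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    hdr = recv_exact(sock, 4)
    return hdr[3], recv_exact(sock, int.from_bytes(hdr[:3], "little"))


def parse_handshake(payload):
    """Decode a HandshakeV10 greeting, or the ERR packet a server may send instead."""
    if payload[0] == 0xFF:                      # ERR packet, e.g. host not allowed
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":                     # optional '#' + 5-byte SQLSTATE
            msg = msg[6:]
        return {"error": code, "message": msg.decode(errors="replace")}
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode()
    pos = end + 1 + 4 + 8 + 1                   # skip thread id, auth-data part 1, filler
    cap_low, = struct.unpack_from("<H", payload, pos)
    pos += 2 + 1 + 2                            # lower caps, charset, status flags
    cap_high, = struct.unpack_from("<H", payload, pos)
    caps = cap_low | (cap_high << 16)
    return {"server_version": version, "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}


def build_ssl_request(seq):
    """SSLRequest: the first 32 bytes of a login packet with CLIENT_SSL set, no username."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = struct.pack("<IIB", flags, 16 * 1024 * 1024, 45) + b"\x00" * 23  # 45 = utf8mb4
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def probe(host, port=3306, tls_version=None, timeout=5.0):
    """Read the greeting; if TLS is offered, switch to it, optionally pinned to one version.
    Certificate checks are off on purpose: this diagnoses the handshake, it is not a client."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        seq, payload = read_packet(sock)
        info = parse_handshake(payload)
        if "error" in info or not info["ssl"]:
            return info                          # nothing to negotiate: TLS never offered
        sock.sendall(build_ssl_request(seq + 1))
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if tls_version is not None:              # e.g. ssl.TLSVersion.TLSv1_2
            ctx.minimum_version = ctx.maximum_version = tls_version
        tls = ctx.wrap_socket(sock, server_hostname=host)
        info.update(negotiated=tls.version(), cipher=tls.cipher()[0])
        return info


def make_sample_handshake(caps, version="10.11.0-MariaDB"):
    """Constructed HandshakeV10 greeting for offline use; the version string is made up."""
    return (bytes([10]) + version.encode() + b"\x00" + struct.pack("<I", 332)
            + b"12345678" + b"\x00" + struct.pack("<H", caps & 0xFFFF) + bytes([45])
            + struct.pack("<H", 2) + struct.pack("<H", caps >> 16) + bytes([21])
            + b"\x00" * 10 + b"123456789012\x00" + b"mysql_native_password\x00")


FULL_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
SAMPLE_WITH_SSL = make_sample_handshake(FULL_CAPS)
SAMPLE_NO_SSL = make_sample_handshake(FULL_CAPS & ~CLIENT_SSL)
SAMPLE_ERR = (b"\xff" + struct.pack("<H", 1130)
              + b"#HY000Host '192.168.253.231' is not allowed to connect to this MariaDB server")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # live probe, one run per TLS version
        for ver in (None, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
            try:
                print(ver, probe(sys.argv[1], tls_version=ver))
            except (OSError, ssl.SSLError) as exc:
                print(ver, "failed:", exc)
    else:                                        # offline: decode the constructed samples
        for sample in (SAMPLE_WITH_SSL, SAMPLE_NO_SSL, SAMPLE_ERR):
            print(parse_handshake(sample))
```

Run it as `python3 probe.py db.example.com` against the real server; with no argument it only decodes the built-in samples. If the greeting comes back with `ssl: False`, the server's `ssl-cert`/`ssl-key` settings are the problem, not the version list; if it is True but the pinned TLSv1.2 and TLSv1.3 runs both fail, compare the failure text with what `openssl s_client -starttls mysql` reports. The ERR branch matters too: a host that is not allowed gets an error packet instead of a greeting, and a client that treats that as a TLS record reports it as a protocol error.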
George at Clug
2024-09-23 22:30:01 UTC
Andrew,

I was not even aware of the move from NTP to NTPsec. Thanks for
posting. I should [fully] read the release notes.

https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#changes-to-packages-that-set-the-system-clock
5.1.2. Changes to packages that set the system clock
The ntp package, which used to be the default way to set the system
clock from a Network Time Protocol (NTP) server, has been replaced by
ntpsec.

When I did a bit of research I found this comment which seems similar
to your issue (well at least to me it does):

https://forums.debian.net/viewtopic.php?t=156136
/etc/ntpsec/ntp.conf

Re: NTPSec: no servers found error despite finding the server
#3 Post by michael_S » 2023-09-26 13:54
Solved the problem for me. The cause behind this behaviour is the
following line in /etc/ntpsec/ntp.conf

    tos minclock 4 minsane 3

The option minsane 3 implies (to my understanding) that the ntpd wants
at least 3 "good" NTP servers, i.e. servers that somewhat agree. I
changed this to

    tos minclock 4 minsane 2

And now it works for me with 2 NTP servers available. If you only have
a single NTP server, changing this to 1 should work, but naturally
there won't be any redundancy in there.

https://docs.ntpsec.org/latest/miscopt.html
minsane _minsane_

    Specify the number of servers used by the selection algorithm
as the minimum to set the system clock. The default is 1 for legacy
purposes; however, for critical applications the value should be
somewhat higher (e.g. 3) but less than minclock.

Please let me know if the above solves your problem.

George.

https://docs.ntpsec.org/latest/quick.html

On Tuesday, 24-09-2024 at 06:05 Andrew Wood wrote:
Andy Smith
2024-09-23 22:50:01 UTC
Hi,

You seem to have hit reply on the wrong message so this appears in a
different thread. I've attempted to stitch it back to the other thread
with a References: header, but I might have got that wrong. The other
thread started at
Post by George at Clug
https://docs.ntpsec.org/latest/miscopt.html
minsane _minsane_
    Specify the number of servers used by the selection algorithm
as the minimum to set the system clock. The default is 1 for legacy
purposes; however, for critical applications the value should be
somewhat higher (e.g. 3) but less than minclock.
Please let me know if the above solves your problem?
Rather than lower minsane to 1, it would be better if OP added at least
two other servers (or used a pool, for providing the same). Although it
says that this is for "critical applications", it's basically free to do
so in most circumstances¹ and unless you do this you can't tell if the
ntp server is correct or not (with two you can't tell *which* is
correct).

Thanks,
Andy

¹ I can see why some places may have policies about not using third
party services, but if it is that important then hopefully such places
can justify having three local NTP clocks.

The other thing people sometimes say to justify having only one is
that they don't care if it's correct only that it's consistent with
all their other stuff. However I've found in real life that I often
want to correlate with events from outside my systems in which case
knowing that at least my stuff was synced to a global understanding of
time is valuable to me.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
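George's quoted fix lowers minsane, and Andy's reply is about why that loses something: the selection step can only say a server is right when independent servers agree with it. An added example (mine, not NTPsec code) that runs a simplified version of the interval intersection ntpd's selection is built on, over constructed (offset, error bound) samples for one, two and three servers, and reports what minsane can conclude from each. The offsets and bounds are made up.

```python
"""Clock selection with 1, 2 and 3 servers: a minimal Marzullo-style intersection.

Added example. Each server yields an offset and an error bound, i.e. an interval
that should contain the true time. The selection step keeps the largest set of
mutually overlapping intervals (the "truechimers") and minsane is judged on those.
The samples at the bottom are constructed, not measured.
"""


def select(samples, minsane):
    """samples: list of (name, offset_seconds, maxerror_seconds)."""
    edges = []
    for name, off, err in samples:
        edges.append((off - err, 0, name))   # 0 sorts before 1: a start at x still
        edges.append((off + err, 1, name))   # overlaps an end at the same x
    edges.sort()
    best = count = 0
    point = None
    for x, kind, _ in edges:                 # sweep; the peak is the densest point
        count += 1 if kind == 0 else -1
        if count > best:
            best, point = count, x
    survivors = [n for n, off, err in samples if off - err <= point <= off + err]
    lo = max(off - err for n, off, err in samples if n in survivors)
    hi = min(off + err for n, off, err in samples if n in survivors)
    return {
        "survivors": survivors,
        "falsetickers": [n for n, _, _ in samples if n not in survivors],
        "interval": (lo, hi),                 # where the survivors agree the time is
        "cross_checked": len(survivors) >= 2, # at least one independent server agrees
        "can_set_clock": len(survivors) >= minsane,
    }


# Constructed samples: "c" (and "b" in the two-server case) is five seconds out.
ONE = [("a", 0.002, 0.005)]
TWO_DISAGREE = [("a", 0.002, 0.005), ("b", 5.000, 0.005)]
THREE = [("a", 0.002, 0.005), ("b", 0.001, 0.005), ("c", 5.000, 0.005)]

if __name__ == "__main__":
    for label, s in (("one", ONE), ("two", TWO_DISAGREE), ("three", THREE)):
        print(label, select(s, minsane=1), select(s, minsane=2), sep="\n  ")
```

With one server it is always a "survivor", so minsane 1 sets the clock from it and cross_checked is never true. With two that disagree the sweep picks one of them arbitrarily and minsane 2 refuses to set the clock; nothing in the data says which one is wrong. With three, two overlap, the third is a falseticker, and minsane 2 sets the clock from the agreed interval, which is the case Andy is describing.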
George at Clug
2024-09-23 23:50:01 UTC
Thanks Andy.

I certainly did reply to the wrong email, apologies to all.

George.

On Tuesday, 24-09-2024 at 08:43 Andy Smith wrote:
Jeffrey Walton
2024-09-24 00:50:01 UTC
Is there a way to get MariaDB on Bookworm to log verbosely everything
to do with connection attempts in order to try and debug why a client
keeps getting error 2026 SSL connection error: protocol version mismatch?
I typically use OpenSSL's s_client to connect to the server. It is an
excellent debugging tool for times like this. Something like:

openssl s_client -connect db.example.com:3306 -starttls mysql -servername db.example.com

You can also use -tls1_2 and -tls1_3 if you want to nail down a
particular version of the protocol. See
<https://docs.openssl.org/3.0/man1/openssl-s_client/> for more
options.

I suspect (and it is just a guess) that the mismatch is due to a plain
text error page being returned to the TLS client rather than a TLS
protocol message with a well formed version. That usually means a TLS
server is _not_ listening on the port you are connecting to. Rather,
just a regular server is listening (without TLS).
Jeff