Knot Resolver issues
https://gitlab.nic.cz/knot/knot-resolver/-/issues
2022-06-05T13:51:02+02:00
https://gitlab.nic.cz/knot/knot-resolver/-/issues/734
Make sure manager can work within Docker
2022-06-05T13:51:02+02:00
Vaclav Sraier
In general, how should we approach it? Is supervisord really the solution? Are there any other ways? In the end, we should create a Docker image with full manager and resolver that works.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/717
manager: ci: add missing integration tests to the CI
2022-06-05T13:49:36+02:00
Vaclav Sraier
After integration of repositories and after fixing the CI in !1249, manager's integration tests started by `poe integration` are not running within the CI.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/728
Infinite loop in doh2
2022-05-20T10:52:43+02:00
Héctor Molinero Fernández
Making a request with cURL to the `/dns-query` endpoint without any parameters produces an infinite loop.
This is the simplest configuration I have found that reproduces the issue in Knot Resolver 5.4.4 in Debian 11.
```lua
log_level('debug')
net.listen('127.0.0.1', 443, { kind = 'doh2' })
```
<details>
<summary>
`kresd --config /etc/knot-resolver/kresd.conf`
</summary>
```
[system] loading config '/usr/lib/knot-resolver/postconfig.lua' (workdir '/')
[system] running as root, no capabilities dropped
Interactive mode:
> [plan ][00000.00] plan '.' type 'NS' uid [65536.00]
[iterat][65536.00] '.' type 'NS' new uid was assigned .01, parent uid .00
[cache ][65536.01] => satisfied by exact RRset: rank 060, new TTL 517436
[iterat][65536.01] <= rcode: NOERROR
[valdtr][65536.01] <= answer valid, OK
[resolv][65536.01] AD: request classified as SECURE
[resolv][65536.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'a.root-servers.net.' type 'A' uid [65537.00]
[iterat][65537.00] 'a.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65537.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65537.01] <= rcode: NOERROR
[resolv][65537.01] AD: request NOT classified as SECURE
[resolv][65537.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'a.root-servers.net.' type 'AAAA' uid [65538.00]
[iterat][65538.00] 'a.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65538.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65538.01] <= rcode: NOERROR
[resolv][65538.01] AD: request NOT classified as SECURE
[resolv][65538.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'b.root-servers.net.' type 'A' uid [65539.00]
[iterat][65539.00] 'b.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65539.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65539.01] <= rcode: NOERROR
[resolv][65539.01] AD: request NOT classified as SECURE
[resolv][65539.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'b.root-servers.net.' type 'AAAA' uid [65540.00]
[iterat][65540.00] 'b.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65540.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65540.01] <= rcode: NOERROR
[resolv][65540.01] AD: request NOT classified as SECURE
[resolv][65540.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'c.root-servers.net.' type 'A' uid [65541.00]
[iterat][65541.00] 'c.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65541.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65541.01] <= rcode: NOERROR
[resolv][65541.01] AD: request NOT classified as SECURE
[resolv][65541.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'c.root-servers.net.' type 'AAAA' uid [65542.00]
[iterat][65542.00] 'c.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65542.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65542.01] <= rcode: NOERROR
[resolv][65542.01] AD: request NOT classified as SECURE
[resolv][65542.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'd.root-servers.net.' type 'A' uid [65543.00]
[iterat][65543.00] 'd.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65543.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65543.01] <= rcode: NOERROR
[resolv][65543.01] AD: request NOT classified as SECURE
[resolv][65543.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'd.root-servers.net.' type 'AAAA' uid [65544.00]
[iterat][65544.00] 'd.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65544.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65544.01] <= rcode: NOERROR
[resolv][65544.01] AD: request NOT classified as SECURE
[resolv][65544.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'e.root-servers.net.' type 'A' uid [65545.00]
[iterat][65545.00] 'e.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65545.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65545.01] <= rcode: NOERROR
[resolv][65545.01] AD: request NOT classified as SECURE
[resolv][65545.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'e.root-servers.net.' type 'AAAA' uid [65546.00]
[iterat][65546.00] 'e.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65546.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65546.01] <= rcode: NOERROR
[resolv][65546.01] AD: request NOT classified as SECURE
[resolv][65546.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'f.root-servers.net.' type 'A' uid [65547.00]
[iterat][65547.00] 'f.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65547.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65547.01] <= rcode: NOERROR
[resolv][65547.01] AD: request NOT classified as SECURE
[resolv][65547.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'f.root-servers.net.' type 'AAAA' uid [65548.00]
[iterat][65548.00] 'f.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65548.01] => satisfied by exact RRset: rank 030, new TTL 517493
[iterat][65548.01] <= rcode: NOERROR
[resolv][65548.01] AD: request NOT classified as SECURE
[resolv][65548.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'g.root-servers.net.' type 'A' uid [65549.00]
[iterat][65549.00] 'g.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65549.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65549.01] <= rcode: NOERROR
[resolv][65549.01] AD: request NOT classified as SECURE
[resolv][65549.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'g.root-servers.net.' type 'AAAA' uid [65550.00]
[iterat][65550.00] 'g.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65550.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65550.01] <= rcode: NOERROR
[resolv][65550.01] AD: request NOT classified as SECURE
[resolv][65550.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'h.root-servers.net.' type 'A' uid [65551.00]
[iterat][65551.00] 'h.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65551.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65551.01] <= rcode: NOERROR
[resolv][65551.01] AD: request NOT classified as SECURE
[resolv][65551.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'h.root-servers.net.' type 'AAAA' uid [65552.00]
[iterat][65552.00] 'h.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65552.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65552.01] <= rcode: NOERROR
[resolv][65552.01] AD: request NOT classified as SECURE
[resolv][65552.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'i.root-servers.net.' type 'A' uid [65553.00]
[iterat][65553.00] 'i.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65553.01] => satisfied by exact RRset: rank 030, new TTL 517493
[iterat][65553.01] <= rcode: NOERROR
[resolv][65553.01] AD: request NOT classified as SECURE
[resolv][65553.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'i.root-servers.net.' type 'AAAA' uid [65554.00]
[iterat][65554.00] 'i.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65554.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65554.01] <= rcode: NOERROR
[resolv][65554.01] AD: request NOT classified as SECURE
[resolv][65554.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'j.root-servers.net.' type 'A' uid [65555.00]
[iterat][65555.00] 'j.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65555.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65555.01] <= rcode: NOERROR
[resolv][65555.01] AD: request NOT classified as SECURE
[resolv][65555.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'j.root-servers.net.' type 'AAAA' uid [65556.00]
[iterat][65556.00] 'j.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65556.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65556.01] <= rcode: NOERROR
[resolv][65556.01] AD: request NOT classified as SECURE
[resolv][65556.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'k.root-servers.net.' type 'A' uid [65557.00]
[iterat][65557.00] 'k.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65557.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65557.01] <= rcode: NOERROR
[resolv][65557.01] AD: request NOT classified as SECURE
[resolv][65557.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'k.root-servers.net.' type 'AAAA' uid [65558.00]
[iterat][65558.00] 'k.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65558.01] => satisfied by exact RRset: rank 030, new TTL 517493
[iterat][65558.01] <= rcode: NOERROR
[resolv][65558.01] AD: request NOT classified as SECURE
[resolv][65558.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'l.root-servers.net.' type 'A' uid [65559.00]
[iterat][65559.00] 'l.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65559.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65559.01] <= rcode: NOERROR
[resolv][65559.01] AD: request NOT classified as SECURE
[resolv][65559.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'l.root-servers.net.' type 'AAAA' uid [65560.00]
[iterat][65560.00] 'l.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65560.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65560.01] <= rcode: NOERROR
[resolv][65560.01] AD: request NOT classified as SECURE
[resolv][65560.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'm.root-servers.net.' type 'A' uid [65561.00]
[iterat][65561.00] 'm.root-servers.net.' type 'A' new uid was assigned .01, parent uid .00
[cache ][65561.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65561.01] <= rcode: NOERROR
[resolv][65561.01] AD: request NOT classified as SECURE
[resolv][65561.01] finished in state: 4, queries: 1, mempool: 81952 B
[plan ][00000.00] plan 'm.root-servers.net.' type 'AAAA' uid [65562.00]
[iterat][65562.00] 'm.root-servers.net.' type 'AAAA' new uid was assigned .01, parent uid .00
[cache ][65562.01] => satisfied by exact RRset: rank 030, new TTL 517436
[iterat][65562.01] <= rcode: NOERROR
[resolv][65562.01] AD: request NOT classified as SECURE
[resolv][65562.01] finished in state: 4, queries: 1, mempool: 81952 B
[primin] triggered priming query, next in 517436 seconds
[plan ][00000.00] plan '.' type 'NS' uid [65563.00]
[iterat][65563.00] '.' type 'NS' new uid was assigned .01, parent uid .00
[zoncut][65563.01] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[select][65563.01] => id: '53759' choosing: 'f.root-servers.net.'@'192.5.5.241#00053' with timeout 34 ms zone cut: '.'
[resolv][65563.01] => id: '53759' querying: 'f.root-servers.net.'@'192.5.5.241#00053' zone cut: '.' qname: '.' qtype: 'NS' proto: 'udp'
[taupd ] refreshing TA for .
[plan ][00000.00] plan '.' type 'DNSKEY' uid [65564.00]
[iterat][65564.00] '.' type 'DNSKEY' new uid was assigned .01, parent uid .00
[zoncut][65564.01] found cut: . (rank 060 return codes: DS -2, DNSKEY 0)
[resolv][65564.01] >< TA: '.'
[select][65564.01] => id: '14006' choosing: 'e.root-servers.net.'@'2001:500:a8::e#00053' with timeout 68 ms zone cut: '.'
[resolv][65564.01] => id: '14006' querying: 'e.root-servers.net.'@'2001:500:a8::e#00053' zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
[select][65563.01] => id: '53759' updating: 'f.root-servers.net.'@'192.5.5.241#00053' zone cut: '.' with rtt 12 to srtt: 14 and variance: 4
[iterat][65563.01] <= rcode: NOERROR
[cache ][65563.01] => not overwriting NS .
[resolv][65563.01] AD: request NOT classified as SECURE
[resolv][65563.01] finished in state: 4, queries: 1, mempool: 98352 B
[timesk] Local system time "Sat Mar 12 18:00:24 2022" is within RRSIG validity interval <"Sat Mar 12 16:00:00 2022","Fri Mar 25 17:00:00 2022">.
[select][65564.01] NO6: timed out, appended, timeouts 1/6
[select][65564.01] => id: '14006' noting selection error: 'e.root-servers.net.'@'2001:500:a8::e#00053' zone cut: '.' error: 1 QUERY_TIMEOUT
[iterat][65564.01] '.' type 'DNSKEY' new uid was assigned .02, parent uid .00
[select][65564.02] => id: '10194' choosing: 'f.root-servers.net.'@'192.5.5.241#00053' with timeout 34 ms zone cut: '.'
[resolv][65564.02] => id: '10194' querying: 'f.root-servers.net.'@'192.5.5.241#00053' zone cut: '.' qname: '.' qtype: 'DNSKEY' proto: 'udp'
[select][65564.02] => id: '10194' updating: 'f.root-servers.net.'@'192.5.5.241#00053' zone cut: '.' with rtt 11 to srtt: 14 and variance: 4
[iterat][65564.02] <= rcode: NOERROR
[valdtr][65564.02] <= answer valid, OK
[cache ][65564.02] => stashed . DNSKEY, rank 060, 824 B total, incl. 1 RRSIGs
[tasign] signalling query triggered: _ta-4f66.
[resolv][65564.02] AD: request classified as SECURE
[resolv][65564.02] finished in state: 4, queries: 1, mempool: 98352 B
[taupd ] next refresh for . in 12 hours
[plan ][00000.00] plan '_ta-4f66.' type 'NULL' uid [65565.00]
[iterat][65565.00] '_ta-4f66.' type 'NULL' new uid was assigned .01, parent uid .00
[cache ][65565.01] => trying zone: ., NSEC, hash 0
[cache ][65565.01] => NSEC sname: covered by: . -> aaa., new TTL 85436
[cache ][65565.01] => NSEC wildcard: covered by: . -> aaa., new TTL 85436
[iterat][65565.01] <= rcode: NXDOMAIN
[iterat][00000.00] deleted duplicate RR
[iterat][00000.00] deleted duplicate RR
[valdtr][65565.01] <= answer valid, OK
[resolv][65565.01] AD: request classified as SECURE
[resolv][65565.01] finished in state: 4, queries: 1, mempool: 98352 B
[gnutls] (2) signing structure using ECDSA-SHA256
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: ../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
[gnutls] (3) ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-SHA256
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA256
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-SHA384
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA384
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-SHA512
[gnutls] (4) cannot use privkey of EC/ECDSA with RSA-PSS-RSAE-SHA512
[gnutls] (4) cannot use privkey of EC/ECDSA with EdDSA-Ed25519
[gnutls] (4) cannot use privkey of EC/ECDSA with EdDSA-Ed448
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[tls ] Using ephemeral TLS credentials
[tls ] RFC 7858 OOB key-pin (0): pin-sha256=""
[gnutls] (3) ASSERT: ../../lib/cert-cred-x509.c[gnutls_certificate_get_x509_crt]:901
[gnutls] (5) REC[0x211e170]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55200
[gnutls] (5) REC[0x211e170]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e170]: SSL 3.1 Handshake packet received. Epoch 0, length: 512
[gnutls] (5) REC[0x211e170]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e170]: Received Packet Handshake(22) with length: 512
[gnutls] (5) REC[0x211e170]: Decrypted Packet[0] Handshake(22) with length: 512
[gnutls] (4) HSK[0x211e170]: CLIENT HELLO (1) was received. Length 508[508], frag offset 0, frag length: 508, sequence: 0
[gnutls] (4) HSK[0x211e170]: Client's version: 3.3
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e170]: Found version: 3.4
[gnutls] (4) EXT[0x211e170]: Found version: 3.3
[gnutls] (4) EXT[0x211e170]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e170]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e170]: Ignoring extension 'ClientHello Padding/21'
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e170]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e170]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e170]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e170]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e170]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e170]: Selected group X25519
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e170]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e170]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e170]: PSK KE mode 01 received
[gnutls] (4) HSK[0x211e170]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (3) ASSERT: ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
[gnutls] (4) HSK[0x211e170]: Requested server name: ''
[gnutls] (4) HSK[0x211e170]: checking compat of GNUTLS_AES_256_GCM_SHA384 with certificate[0] (EC/ECDSA/X.509)
[gnutls] (4) checking cert compat with ECDSA-SECP256R1-SHA256
[gnutls] (4) Selected signature algorithm: ECDSA-SECP256R1-SHA256
[gnutls] (2) Selected (EC/ECDSA) cert based on ciphersuite 13.2: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e170]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e170]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e170]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e170]: Received key share for X25519
[gnutls] (4) HSK[0x211e170]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e170]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e170]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e170]: SessionID: 0ed0901089315c6dffb1e8c78fe66d7ff0318d3874a74f009691b35a019bbcc8
[gnutls] (4) EXT[0x211e170]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: sending key share for X25519
[gnutls] (4) EXT[0x211e170]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e170]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e170]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) HSK[0x211e170]: SERVER HELLO was queued [122 bytes]
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 122 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[1] Handshake(22) in epoch 0 and length: 127
[gnutls] (5) REC[0x211e170]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e170]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e170]: Initializing epoch #1
[gnutls] (5) REC[0x211e170]: Epoch #1 ready
[gnutls] (4) HSK[0x211e170]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e170]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e170]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e170]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e170]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e170]: CERTIFICATE was queued [407 bytes]
[gnutls] (4) checking cert compat with ECDSA-SECP256R1-SHA256
[gnutls] (4) HSK[0x211e170]: signing TLS 1.3 handshake data: using ECDSA-SECP256R1-SHA256 and PRF: SHA384
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (3) ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
[gnutls] (4) HSK[0x211e170]: CERTIFICATE VERIFY was queued [79 bytes]
[gnutls] (4) HSK[0x211e170]: sending finished
[gnutls] (4) HSK[0x211e170]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 407 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[2] Handshake(22) in epoch 1 and length: 429
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 79 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[3] Handshake(22) in epoch 1 and length: 101
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[4] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e170]: Allocating epoch #2
[gnutls] (4) HSK[0x211e170]: unauthenticated session eligible for early start
[gnutls] (5) REC[0x211e170]: Initializing epoch #2
[gnutls] (5) REC[0x211e170]: Epoch #2 ready
[gnutls] (4) HSK[0x211e170]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e170]: switching early to application traffic keys
[gnutls] (4) HSK[0x211e170]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e170]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e170]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e170]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e170]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e170]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e170]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e170]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e170]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e170]: parsing finished
[gnutls] (4) HSK[0x211e170]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (5) REC[0x211e170]: Start of epoch cleanup
[gnutls] (5) REC[0x211e170]: Epoch #0 freed
[gnutls] (5) REC[0x211e170]: Epoch #1 freed
[gnutls] (5) REC[0x211e170]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55200 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e170]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e170]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e170]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e170]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e170]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e170]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e170]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e170]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e170]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e170]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e170]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e170]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e170]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e170]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55200' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e170]: Start of epoch cleanup
[gnutls] (5) REC[0x211e170]: End of epoch cleanup
[gnutls] (5) REC[0x211e170]: Epoch #2 freed
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55202
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.1 Handshake packet received. Epoch 0, length: 593
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Handshake(22) with length: 593
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 593
[gnutls] (4) HSK[0x211e0e0]: CLIENT HELLO (1) was received. Length 589[589], frag offset 0, frag length: 589, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: Client's version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e0e0]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e0e0]: Selected group X25519
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: PSK KE mode 01 received
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Pre Shared Key/41' (289 bytes)
[gnutls] (4) EXT[0x211e0e0]: selected DHE-PSK mode
[gnutls] (4) EXT[0x211e0e0]: selected resumption PSK identity (0)
[gnutls] (4) HSK[0x211e0e0]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (4) HSK[0x211e0e0]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received key share for X25519
[gnutls] (4) HSK[0x211e0e0]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e0e0]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e0e0]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e0e0]: SessionID: 81d219ba924093e708406e0b027ebc4d0bf7be0ba922e155a1a774179cad5de5
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: sending key share for X25519
[gnutls] (4) EXT[0x211e0e0]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Pre Shared Key/41 (2 bytes)
[gnutls] (4) HSK[0x211e0e0]: SERVER HELLO was queued [128 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 128 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 133
[gnutls] (5) REC[0x211e0e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e0e0]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #1
[gnutls] (5) REC[0x211e0e0]: Epoch #1 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e0e0]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e0e0]: sending finished
[gnutls] (4) HSK[0x211e0e0]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #2
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #2
[gnutls] (5) REC[0x211e0e0]: Epoch #2 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: switching early to application traffic keys
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e0e0]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: parsing finished
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #0 freed
[gnutls] (5) REC[0x211e0e0]: Epoch #1 freed
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55202 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e0e0]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55202' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #2 freed
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55204
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.1 Handshake packet received. Epoch 0, length: 593
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Handshake(22) with length: 593
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 593
[gnutls] (4) HSK[0x211e0e0]: CLIENT HELLO (1) was received. Length 589[589], frag offset 0, frag length: 589, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: Client's version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e0e0]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e0e0]: Selected group X25519
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: PSK KE mode 01 received
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Pre Shared Key/41' (289 bytes)
[gnutls] (4) EXT[0x211e0e0]: selected DHE-PSK mode
[gnutls] (4) EXT[0x211e0e0]: selected resumption PSK identity (0)
[gnutls] (4) HSK[0x211e0e0]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (4) HSK[0x211e0e0]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received key share for X25519
[gnutls] (4) HSK[0x211e0e0]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e0e0]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e0e0]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e0e0]: SessionID: 5ebe5c5449e6975c7b5df57b8eafe41c4c155382cc7ca1576b340fbeef1280ca
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: sending key share for X25519
[gnutls] (4) EXT[0x211e0e0]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Pre Shared Key/41 (2 bytes)
[gnutls] (4) HSK[0x211e0e0]: SERVER HELLO was queued [128 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 128 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 133
[gnutls] (5) REC[0x211e0e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e0e0]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #1
[gnutls] (5) REC[0x211e0e0]: Epoch #1 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e0e0]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e0e0]: sending finished
[gnutls] (4) HSK[0x211e0e0]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #2
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #2
[gnutls] (5) REC[0x211e0e0]: Epoch #2 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: switching early to application traffic keys
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e0e0]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: parsing finished
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #0 freed
[gnutls] (5) REC[0x211e0e0]: Epoch #1 freed
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55204 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e0e0]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55204' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #2 freed
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55206
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.1 Handshake packet received. Epoch 0, length: 593
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Handshake(22) with length: 593
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 593
[gnutls] (4) HSK[0x211e0e0]: CLIENT HELLO (1) was received. Length 589[589], frag offset 0, frag length: 589, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: Client's version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e0e0]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e0e0]: Selected group X25519
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: PSK KE mode 01 received
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Pre Shared Key/41' (289 bytes)
[gnutls] (4) EXT[0x211e0e0]: selected DHE-PSK mode
[gnutls] (4) EXT[0x211e0e0]: selected resumption PSK identity (0)
[gnutls] (4) HSK[0x211e0e0]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (4) HSK[0x211e0e0]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received key share for X25519
[gnutls] (4) HSK[0x211e0e0]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e0e0]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e0e0]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e0e0]: SessionID: 3c698c13d66f681ba04710d2656623517471ec4673ba070bdf70a2c90f3b2c36
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: sending key share for X25519
[gnutls] (4) EXT[0x211e0e0]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Pre Shared Key/41 (2 bytes)
[gnutls] (4) HSK[0x211e0e0]: SERVER HELLO was queued [128 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 128 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 133
[gnutls] (5) REC[0x211e0e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e0e0]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #1
[gnutls] (5) REC[0x211e0e0]: Epoch #1 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e0e0]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e0e0]: sending finished
[gnutls] (4) HSK[0x211e0e0]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #2
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #2
[gnutls] (5) REC[0x211e0e0]: Epoch #2 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: switching early to application traffic keys
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e0e0]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: parsing finished
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #0 freed
[gnutls] (5) REC[0x211e0e0]: Epoch #1 freed
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55206 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e0e0]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55206' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #2 freed
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55208
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.1 Handshake packet received. Epoch 0, length: 593
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Handshake(22) with length: 593
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 593
[gnutls] (4) HSK[0x211e0e0]: CLIENT HELLO (1) was received. Length 589[589], frag offset 0, frag length: 589, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: Client's version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e0e0]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e0e0]: Selected group X25519
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: PSK KE mode 01 received
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Pre Shared Key/41' (289 bytes)
[gnutls] (4) EXT[0x211e0e0]: selected DHE-PSK mode
[gnutls] (4) EXT[0x211e0e0]: selected resumption PSK identity (0)
[gnutls] (4) HSK[0x211e0e0]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (4) HSK[0x211e0e0]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received key share for X25519
[gnutls] (4) HSK[0x211e0e0]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e0e0]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e0e0]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e0e0]: SessionID: ee078dd4ccdf28113228a239675d9f6a179689abc17c1229a6be4c47fef694e4
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: sending key share for X25519
[gnutls] (4) EXT[0x211e0e0]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Pre Shared Key/41 (2 bytes)
[gnutls] (4) HSK[0x211e0e0]: SERVER HELLO was queued [128 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 128 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 133
[gnutls] (5) REC[0x211e0e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e0e0]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #1
[gnutls] (5) REC[0x211e0e0]: Epoch #1 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e0e0]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e0e0]: sending finished
[gnutls] (4) HSK[0x211e0e0]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #2
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #2
[gnutls] (5) REC[0x211e0e0]: Epoch #2 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: switching early to application traffic keys
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e0e0]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: parsing finished
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #0 freed
[gnutls] (5) REC[0x211e0e0]: Epoch #1 freed
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55208 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e0e0]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55208' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #2 freed
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #0
[gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
[doh ] [0x21373f0] h2 session created for 127.0.0.1#55210
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #1
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.1 Handshake packet received. Epoch 0, length: 593
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Handshake(22) with length: 593
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 593
[gnutls] (4) HSK[0x211e0e0]: CLIENT HELLO (1) was received. Length 589[589], frag offset 0, frag length: 589, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: Client's version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Versions/43' (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Found version: 3.3
[gnutls] (4) EXT[0x211e0e0]: Negotiated version: 3.4
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'ALPN/16' (14 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Extended Master Secret/23' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported EC Point Formats/11' (4 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Supported Groups/10' (12 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received group X25519 (0x1d)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP256R1 (0x17)
[gnutls] (4) EXT[0x211e0e0]: Received group X448 (0x1e)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP521R1 (0x19)
[gnutls] (4) EXT[0x211e0e0]: Received group SECP384R1 (0x18)
[gnutls] (4) EXT[0x211e0e0]: Selected group X25519
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Post Handshake Auth/49' (0 bytes)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Signature Algorithms/13' (42 bytes)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.3) ECDSA-SECP256R1-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.3) ECDSA-SECP384R1-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.3) ECDSA-SECP521R1-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.7) EdDSA-Ed25519
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.8) EdDSA-Ed448
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.9) RSA-PSS-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.10) RSA-PSS-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.11) RSA-PSS-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.4) RSA-PSS-RSAE-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.5) RSA-PSS-RSAE-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (8.6) RSA-PSS-RSAE-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.1) RSA-SHA256
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.1) RSA-SHA384
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.1) RSA-SHA512
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.3) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.1) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (3.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (4.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (5.2) (null)
[gnutls] (4) EXT[0x211e0e0]: rcvd signature algo (6.2) (null)
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'PSK Key Exchange Modes/45' (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: PSK KE mode 01 received
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Pre Shared Key/41' (289 bytes)
[gnutls] (4) EXT[0x211e0e0]: selected DHE-PSK mode
[gnutls] (4) EXT[0x211e0e0]: selected resumption PSK identity (0)
[gnutls] (4) HSK[0x211e0e0]: Received safe renegotiation CS
[gnutls] (2) checking 13.02 (GNUTLS_AES_256_GCM_SHA384) for compatibility
[gnutls] (4) HSK[0x211e0e0]: Selected cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: Selected version TLS1.3
[gnutls] (4) EXT[0x211e0e0]: Parsing extension 'Key Share/51' (38 bytes)
[gnutls] (4) EXT[0x211e0e0]: Received key share for X25519
[gnutls] (4) HSK[0x211e0e0]: Selected group X25519 (6)
[gnutls] (2) EXT[0x211e0e0]: server generated X25519 shared key
[gnutls] (4) HSK[0x211e0e0]: Safe renegotiation succeeded
[gnutls] (4) HSK[0x211e0e0]: SessionID: 7ff8144c36adcd7b45acdfe51b213d89c8c2694797c6ca4172d443b4f326d87c
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Client Certificate Type/19) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Certificate Type/20) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Groups/10) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRTP/14) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Heartbeat/15) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ALPN/16) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Key Share/51) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: sending key share for X25519
[gnutls] (4) EXT[0x211e0e0]: Sending extension Key Share/51 (36 bytes)
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Versions/43) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Supported Versions/43 (2 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Server Name Indication/0) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Early Data/42) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (PSK Key Exchange Modes/45) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Record Size Limit/28) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Maximum Record Size/1) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Pre Shared Key/41) for 'TLS 1.3 server hello'
[gnutls] (4) EXT[0x211e0e0]: Sending extension Pre Shared Key/41 (2 bytes)
[gnutls] (4) HSK[0x211e0e0]: SERVER HELLO was queued [128 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 128 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 133
[gnutls] (5) REC[0x211e0e0]: Preparing Packet ChangeCipherSpec(20) with length: 1 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] ChangeCipherSpec(20) in epoch 0 and length: 6
[gnutls] (4) REC[0x211e0e0]: Sent ChangeCipherSpec
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #1
[gnutls] (5) REC[0x211e0e0]: Epoch #1 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 re-key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (OCSP Status Request/5) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Client Certificate Type/19) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Certificate Type/20) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Supported Groups/10) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported EC Point Formats/11) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (SRP/12) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Signature Algorithms/13) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (SRTP/14) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Heartbeat/15) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (ALPN/16) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Sending extension ALPN/16 (5 bytes)
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Encrypt-then-MAC/22) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Extended Master Secret/23) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Session Ticket/35) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Key Share/51) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Supported Versions/43) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Post Handshake Auth/49) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Safe Renegotiation/65281) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Server Name Indication/0) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Cookie/44) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Early Data/42) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (PSK Key Exchange Modes/45) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Record Size Limit/28) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Preparing extension (Maximum Record Size/1) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (ClientHello Padding/21) for 'encrypted extensions'
[gnutls] (4) EXT[0x211e0e0]: Not sending extension (Pre Shared Key/41) for 'encrypted extensions'
[gnutls] (4) HSK[0x211e0e0]: ENCRYPTED EXTENSIONS was queued [15 bytes]
[gnutls] (4) HSK[0x211e0e0]: sending finished
[gnutls] (4) HSK[0x211e0e0]: FINISHED was queued [52 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 1 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 52 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 1 and length: 74
[gnutls] (3) ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:955
[gnutls] (5) REC[0x211e0e0]: Allocating epoch #2
[gnutls] (5) REC[0x211e0e0]: Initializing epoch #2
[gnutls] (5) REC[0x211e0e0]: Epoch #2 ready
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set write key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: switching early to application traffic keys
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/tls13/finished.c[_gnutls13_recv_finished]:101
[gnutls] (3) ASSERT: ../../lib/buffers.c[get_last_packet]:1185
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 ChangeCipherSpec packet received. Epoch 1, length: 1
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet ChangeCipherSpec(20) with length: 1
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 1, length: 69
[gnutls] (5) REC[0x211e0e0]: Expected Packet Handshake(22)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 69
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Handshake(22) with length: 52
[gnutls] (4) HSK[0x211e0e0]: FINISHED (20) was received. Length 48[48], frag offset 0, frag length: 48, sequence: 0
[gnutls] (4) HSK[0x211e0e0]: parsing finished
[gnutls] (4) HSK[0x211e0e0]: TLS 1.3 set read key with cipher suite: GNUTLS_AES_256_GCM_SHA384
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (4) HSK[0x211e0e0]: NEW SESSION TICKET was queued [251 bytes]
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[1] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Handshake(22) with length: 251 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[2] Handshake(22) in epoch 2 and length: 273
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #0 freed
[gnutls] (5) REC[0x211e0e0]: Epoch #1 freed
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[tls ] TLS handshake with 127.0.0.1#55210 has completed
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 41
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 41
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[0] Application Data(23) with length: 24
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 44
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 44
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[1] Application Data(23) with length: 27
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 30
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 30
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[2] Application Data(23) with length: 13
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 15 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[3] Application Data(23) in epoch 2 and length: 37
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 9 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[4] Application Data(23) in epoch 2 and length: 31
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 62
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 62
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[3] Application Data(23) with length: 45
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: Preparing Packet Application Data(23) with length: 13 and min pad: 0
[gnutls] (5) REC[0x211e0e0]: Sent Packet[5] Application Data(23) in epoch 2 and length: 35
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 26
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 26
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[4] Application Data(23) with length: 9
[gnutls] (3) ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_int]:1776
[gnutls] (5) REC[0x211e0e0]: SSL 3.3 Application Data packet received. Epoch 2, length: 19
[gnutls] (5) REC[0x211e0e0]: Expected Packet Application Data(23)
[gnutls] (5) REC[0x211e0e0]: Received Packet Application Data(23) with length: 19
[gnutls] (5) REC[0x211e0e0]: Decrypted Packet[5] Alert(21) with length: 2
[gnutls] (5) REC[0x211e0e0]: Alert[1|0] - Close notify - was received
[gnutls] (3) ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1578
[io ] => connection to '127.0.0.1#55210' closed by peer (end of file)
[doh ] [0x21373f0] h2 session freed
[gnutls] (5) REC[0x211e0e0]: Start of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: End of epoch cleanup
[gnutls] (5) REC[0x211e0e0]: Epoch #2 freed
```
</details>
<details>
<summary>
`curl -vk 'https://127.0.0.1/dns-query'`
</summary>
```
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, retrying a fresh connect(retry count: 1)
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Issue another request to this URL: 'https://127.0.0.1/dns-query'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, retrying a fresh connect(retry count: 2)
* Closing connection 1
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Issue another request to this URL: 'https://127.0.0.1/dns-query'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#2)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, retrying a fresh connect(retry count: 3)
* Closing connection 2
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Issue another request to this URL: 'https://127.0.0.1/dns-query'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#3)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, retrying a fresh connect(retry count: 4)
* Closing connection 3
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Issue another request to this URL: 'https://127.0.0.1/dns-query'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#4)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, retrying a fresh connect(retry count: 5)
* Closing connection 4
* TLSv1.3 (OUT), TLS alert, close notify (256):
* Issue another request to this URL: 'https://127.0.0.1/dns-query'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:443...
* Connected to 127.0.0.1 (127.0.0.1) port 443 (#5)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* SSL re-using session ID
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=d86326eacf7b
* start date: Mar 12 17:45:29 2022 GMT
* expire date: Jun 10 18:00:29 2022 GMT
* issuer: CN=d86326eacf7b
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5578b4bcc560)
> GET /dns-query HTTP/2
> Host: 127.0.0.1
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 65535)!
* REFUSED_STREAM, retrying a fresh connect
* Connection died, tried 5 times before giving up
* stopped the pause stream!
* Closing connection 5
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (56) Connection died, tried 5 times before giving up
```
</details>
https://gitlab.nic.cz/knot/knot-resolver/-/issues/742
TLS: use GNUTLS_NO_TICKETS_TLS12
2022-05-20T09:39:49+02:00
Vladimír Čunát
vladimir.cunat@nic.cz
It's a new [feature](https://gitlab.com/gnutls/gnutls/-/merge_requests/1475) that will be part of gnutls > 3.7.4. With TLS 1.2, session resumption weakens privacy guarantees too much ([explanation](https://gitlab.com/gnutls/gnutls/-/merge_requests/1475)), so it's better avoided – at least by default.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/708
datamodel: renaming 'server' section
2022-05-18T16:26:17+02:00
Aleš Mrázek
This section is basically a summary of things that do not fit elsewhere, so the name of this section may be confusing.
Examples of the new name: `general`, `management`, ...
Or maybe try to split the section.
Current `server` section:
```yaml
server:
  id:
  hostname:
  nsid:
  workers:
  use-cache-gc:
  backend:
  watchdog:
  rundir:
  management:
  webmgmt:
```
Aleš Mrázek
https://gitlab.nic.cz/knot/knot-resolver/-/issues/738
fails to resolve planet.gnome.org when forwarding and DNSSEC validation is on
2022-05-18T16:25:25+02:00
Fre
When I have Knot Resolver 5.5.0 on Debian Bullseye set to forward requests, Knot Resolver fails to resolve planet.gnome.org with SERVFAIL.
The problem occurs when forwarding to either Quad9 or Cloudflare, with different systems on different networks (even in different countries). The problem does not happen when I disable forwarding. It also does not happen when I add +cd.
```
frederik@torino:~$ kdig planet.gnome.org
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 51346
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; planet.gnome.org. IN A
;; Received 34 B
;; Time 2022-04-13 17:59:50 CEST
;; From ::1@53(UDP) in 294.8 ms
frederik@torino:~$ kdig +cd planet.gnome.org
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3633
;; Flags: qr rd ra cd; QUERY: 1; ANSWER: 4; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; planet.gnome.org. IN A
;; ANSWER SECTION:
planet.gnome.org. 894 IN CNAME router-default.apps.openshift4.gnome.org.
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.5
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.3
router-default.apps.openshift4.gnome.org. 900 IN A 8.43.85.4
;; Received 127 B
;; Time 2022-04-13 17:59:56 CEST
;; From ::1@53(UDP) in 136.4 ms
```
Log:
```
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] request packet:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7606
;; Flags: rd QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] following rrsets were marked as interesting:
;; selected from ANSWER sections:
; ranked rrset to_wire true, rank 060 (secure auth), cached false, qry_uid 1, revalidations 0
planet.gnome.org. 614 CNAME router-default.apps.openshift4.gnome.org.
; ranked rrset to_wire true, rank 021 (omit auth), cached false, qry_uid 1, revalidations 0
planet.gnome.org. 614 RRSIG CNAME 5 3 900 1651937377 1649345377 40692 gnome.org. LwqhAFM+ukN4HHE6QBHSehacwNgodYZrwGykePnayxgD4WCELd887iW7xnQm+CgebWligBJhFLQB5a0VV13j0UD95ji2q+1QBQbJ/lcxdHoh++i2Bhb0nWHQ148FsoE613oMX5wwWm4fpN0fmRPUugKXD2f5fAGFBD83e82QBZk=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 5, revalidations 0
. 27913 DNSKEY 256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8=
. 27913 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 5, revalidations 0
. 27913 RRSIG DNSKEY 8 0 172800 1651449600 1649635200 20326 . e/e+lsjJGKLiH638XbnFQrI1EUG8CTYh52loAQkKdzX2YzXpTePNDuvPAF7EreJoBNS9EabkwvLwo2O16kXu5kK7TIznS2IO4krC/7ILGVZAbq9EhdsIBKInkBavnokBC+qRrvE78wvbMcl/pt92j5AuoPMmv5lOdowxW/U1m8/MgLh1wU07tkZ2HRGRP6pGMefWDqzb3AvHnEp5rzMnpcOlrVQLPDutztZ6kpRMhTHnL+QN3BqYYIFFg/IQn+YvVSyHR/6/8UTawV9kLSYkab3Cbhgb6jYbxlOG8LcXvtTGwq/PfOcZjttBSsar3X7RjyGYM2hAfrGkMf7gk4X4KA==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 8, revalidations 0
org. 35188 DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D16E1DE32
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 8, revalidations 0
org. 35188 RRSIG DS 8 1 86400 1650906000 1649779200 47671 . gt0yxpNr3DEe3vdglp5pAUwx7Mudxs+wrfsn/UY0a8Qu0hbwygtyxBDGkAbpxlXH0tLGTdcHfselrNekixdXHAnoSHZKiyZNX5OEp3wShJoqln/+0Qs6VLgHrACcoUFQEZnXGTer2flE3imPYux6LPaY+vv2KVGcgJCxkMWgjY/2uMsc03h2XcDplQr6ESdeA7gnxA9pxvjIvY793GTgnybGVbAtgSQSCxvxTClpZxsltuxF+ZBGTxeveNtgLEinTQpQUNy6aekL+H/PEsk6R7S/y8Cx8j6OIdg1MEpTr0Sz6wVJPsD7RhQpAjTbMx2V+2j4is/5815kC4HVKHtg4g==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 11, revalidations 0
org. 107 DNSKEY 256 3 8 AwEAAa5uc5s6co7l6C0rgiH0om3XgV6pe2aWmtiNL5/gN82xImSB5ovvjRg1TPfcqNq1CCjtafdWTdtrX2f9hzDMJ1vZxzgcyRDYroiC22kaGQHtlLpw73pVHHrTzqjuJ0lPeko0/SDI0iBIqimY2mT3KJTts3gbXywksWjIHcw5FTAV
org. 107 DNSKEY 256 3 8 AwEAAbdHIC3iJRkEm4k0aIcj1Q5JPlyCkazmt0j2wFIXze88D5yTStbMFEjVGhTCNVtKGomSxz89GnnCA+MdkDzlJJofSNigEUoTZp5U6tEgtt61NNrKxz0GnJkW/1yeS5dP27hYCSBp9264feY/7z/wjoZyKfbsoymBrC5EZA6iHxFd
org. 107 DNSKEY 257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIyS+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQuQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYteoIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9nXniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5CbXg44OqwhIW8=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 11, revalidations 0
org. 107 RRSIG DNSKEY 8 1 900 1651332155 1649514155 26974 org. dSvEYdnhQOlzIu9rs3M/kjais/ifG51gF4IKE6GEwikhx/tYFrJuUuGzXpqoQcOkdoZXySoUYoMVF3wwUR7aD8EH+D5NQ4CmGLs1lQil6GGE+CKjglZPZrrklIsVhBmD+AZLAC+HIMkOX7vPLrqPz93IqUs+NtIRY15VEvi15JMSydNUIvmxc1HTPaar6r50TxKwfIR92pYDXWqKTe5HQPJ1uj55oyUAwtEISjKM/BdoV5RRjyC+1+i/by9wkGIJLMCkzX/4UnGqBM2jFm66due25GULAMZRYvnhqQvMMc/yyIe3NoeeMh7wqIXqRaHhXNZfjPXNaCOxkPHVeJuYAg==
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 14, revalidations 0
gnome.org. 6809 DS 51496 5 2 F676D322A3E9EE31F1078F38256315214078E46A47064CBDEE76E933739CC8C7
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 14, revalidations 0
gnome.org. 6809 RRSIG DS 8 2 86400 1651332155 1649514155 10449 org. Fj9K58DnO3WxVDtJKEk1csWU9WgXfrtJ9ZYXIOiPG5KdI5o9WIbrW51DqidP6QVVWGpzvVs8knf0h8AjneROMEBjLehQa+9uZ6bQ/x/DEElp2mW53q43b33I6Rt2rjlbazhjFSt+f9BuWPf3wke4IbRK6/pf57TuGgKYBuVwQwo=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 17, revalidations 0
gnome.org. 264 DNSKEY 256 3 5 AwEAAaMI/dz7JwEtjvpr1uCvjs1AvVxiT4dwQGOXzp6r+pQXazhDn6+TlJDh0aEnwFc76ujViKcMruPsS49dtoCAmhBPuI2g+CGyr/PgAfxM4czfak8kKvIdxh1UMQrcIJ/rKJ5eue7fI2BG3plq9oMIPmDEOoPU4ePjIY4M/qrbjcev
gnome.org. 264 DNSKEY 257 3 5 AwEAAbRD7AymDFuKc2iXta7HXZMleMkUMwjOZTsn4f75ZUp0of8TJdlUDtFtqifEBnFcGJU5r+ZVvkBKQ0qDTTjayL54Nz56XGGoIBj6XxbG8Es+VbZCg0RsetDk5EsxLst0egrvOXga27jbsJ+7Me3D5Xp1bkBnQMrXEXQ9C43QfO2KUWJVljo1Bii3fTfnHSLRUsbRn8Puz+orK71qxs3G9mgGR6rmn91brkpfmHKr3S9Rbxq8iDRWDPiCaWkI7qfASdFk4TLV0gSVlA3OxyW9TCkPZStZ5r/WRW2jhUY/kjHERQd4qX5dHAuYrjJSV99P6FfCFXoJ3ty5s3fl1RZaTo8=
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 17, revalidations 0
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 40692 gnome.org. FhZSI3iYe2SLfWAJR7DH4bOTTD4AlkPf9OsFZH6nhBJQEk9H8cRkHUzLUczY41daJwDKxlUnnEkEOa1jS8E8EXm3KSSxkraZv6BLsdhxB6UjbYT6ZrhzbneO1sygYc/6IU70DpryKNa6R9jPLEUEphez9MR6Bf/VREtkYNUnVXU=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 51496 gnome.org. jgJHprIvEOZL5K6sZhGKrjQEsU368ZzMJ/PJhQpeXz47HwfF0AhTycWSwWG8enqpFhl/QY2n2IEnnTtBC3IytvZBd+SfL82lkuGU1eDaSR4pkMiJCTLEitFEMlRj950A2S1RYxVafJAlJR0MrLEcgUYap+V9OVrGjoSnXTIs9XOY0aj0iTNRT5nm1RC533QKCu5PDwQlXbwUWC0LoYM3oHMG5sbliD0Sy2nObYs9cf7BfkLb97iZiJcQKNm5fpDnG4qaLlw0GRrybbHi1QeIJisC4Isg1gdZ2cPDntPVS8T0m6I5Dcsx1IvDubhucJ8U2SMIkSKIZ1Aidl+MslSTLw==
;; selected from AUTHORITY sections:
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
gnome.org. 16 SOA ns-master.gnome.org. hostmaster.gnome.org. 1649348977 600 900 86400 3600
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
gnome.org. 16 RRSIG SOA 5 2 900 1651937377 1649345377 40692 gnome.org. D4nUm9bExjX/lUoG+TgMdYuccR7InE2wSzBLR2a4ocU3IqpNvA7seBmll9x706ImEZ1oxtvXTZbozEG7W1c7KIlo+vvSl4yoQgQl37VncHhfW5U6Q69v9o1XRuledjb7l16OtynblHXQkDmZDrT9vwX0BV6eoZ78QG84lBqpaFk=
; ranked rrset to_wire false, rank 060 (secure auth), cached false, qry_uid 20, revalidations 0
*.openshift.gnome.org. 2716 NSEC *.openshift4.gnome.org. A AAAA RRSIG NSEC
; ranked rrset to_wire false, rank 021 (omit auth), cached false, qry_uid 20, revalidations 0
*.openshift.gnome.org. 2716 RRSIG NSEC 5 3 3600 1651937377 1649345377 40692 gnome.org. j3xWiApwlF6XY64qJnXepFklLWWOHYpQFl1ZBtEhT0THnbMMgwOUmhzvpCbeWJaNRZiqMNGBLo1g+4gaOA3RpzULFjH8GyW0fuzpZ7qwZAgxUsa9/Ii5tj5rtYTv8zZFkqv9xoQVLfwx09r12Sjrpg/aoXnHs0LEbSkCJWC3lAQ=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][policy][07606.00] answer packet:
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 7606
;; Flags: qr rd ra QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.00] 'planet.gnome.org.' type 'A' new uid was assigned .01, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.01] => satisfied by exact CNAME: rank 060, new TTL 614
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 26361
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
planet.gnome.org. A
;; ANSWER SECTION
planet.gnome.org. 614 CNAME router-default.apps.openshift4.gnome.org.
planet.gnome.org. 614 RRSIG CNAME 5 3 900 1651937377 1649345377 40692 gnome.org. LwqhAFM+ukN4HHE6QBHSehacwNgodYZrwGykePnayxgD4WCELd887iW7xnQm+CgebWligBJhFLQB5a0VV13j0UD95ji2q+1QBQbJ/lcxdHoh++i2Bhb0nWHQ148FsoE613oMX5wwWm4fpN0fmRPUugKXD2f5fAGFBD83e82QBZk=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.01] <= cname chain, following
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.02] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .03, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => trying zone: gnome.org., NSEC, hash 0
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => NSEC sname: range search miss (!covers)
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.03] => skipping zone: gnome.org., NSEC, hash 0;new TTL -123456789, ret -2
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.03] plan '.' type 'DNSKEY' uid [07606.04]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.04] '.' type 'DNSKEY' new uid was assigned .05, parent uid .03
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.05] => satisfied by exact RRset: rank 060, new TTL 27913
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.05] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 42892
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
. DNSKEY
;; ANSWER SECTION
. 27913 DNSKEY 256 3 8 AwEAAak/ZU9wDNQD7XTAGTDkn32UR8I6auRDekbGky+yyWKdUHmwAJv90YHCUTib8aVBgNgbxkeeZGRx3W4+XhMZbfUr5fMwmD3u9P2yzJpbRtjGNM/XZvzGs9HHNymz3Bp851anHZfNy6pJud265/XMKzFlAY8sMJjum0hvx/DuCDELLyhsvdfOD9rHM93UXO0bcAjvI8tjZsGI+Pfp9KdxF9vS/sAzpFXKsldix+e6xv8rRS6WPg2LAooxF+eO5DgFSilYmnyCK4VPJ7ntjD/8m0bs128ZT1eY3oXCbojDv59lLAgrdGSbcVxQF2KHoUHDmkOC5BzG/1xRtW4v/3y4/H8=
. 27913 DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
. 27913 RRSIG DNSKEY 8 0 172800 1651449600 1649635200 20326 . e/e+lsjJGKLiH638XbnFQrI1EUG8CTYh52loAQkKdzX2YzXpTePNDuvPAF7EreJoBNS9EabkwvLwo2O16kXu5kK7TIznS2IO4krC/7ILGVZAbq9EhdsIBKInkBavnokBC+qRrvE78wvbMcl/pt92j5AuoPMmv5lOdowxW/U1m8/MgLh1wU07tkZ2HRGRP6pGMefWDqzb3AvHnEp5rzMnpcOlrVQLPDutztZ6kpRMhTHnL+QN3BqYYIFFg/IQn+YvVSyHR/6/8UTawV9kLSYkab3Cbhgb6jYbxlOG8LcXvtTGwq/PfOcZjttBSsar3X7RjyGYM2hAfrGkMf7gk4X4KA==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.05] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.05] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.05] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.03] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .06, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.06] plan 'org.' type 'DS' uid [07606.07]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.07] 'org.' type 'DS' new uid was assigned .08, parent uid .06
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.08] => satisfied by exact RRset: rank 060, new TTL 35188
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.08] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 22326
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
org. DS
;; ANSWER SECTION
org. 35188 DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D16E1DE32
org. 35188 RRSIG DS 8 1 86400 1650906000 1649779200 47671 . gt0yxpNr3DEe3vdglp5pAUwx7Mudxs+wrfsn/UY0a8Qu0hbwygtyxBDGkAbpxlXH0tLGTdcHfselrNekixdXHAnoSHZKiyZNX5OEp3wShJoqln/+0Qs6VLgHrACcoUFQEZnXGTer2flE3imPYux6LPaY+vv2KVGcgJCxkMWgjY/2uMsc03h2XcDplQr6ESdeA7gnxA9pxvjIvY793GTgnybGVbAtgSQSCxvxTClpZxsltuxF+ZBGTxeveNtgLEinTQpQUNy6aekL+H/PEsk6R7S/y8Cx8j6OIdg1MEpTr0Sz6wVJPsD7RhQpAjTbMx2V+2j4is/5815kC4HVKHtg4g==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.08] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= DS: OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= parent: updating DS
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.08] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.06] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .09, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.09] plan 'org.' type 'DNSKEY' uid [07606.10]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.10] 'org.' type 'DNSKEY' new uid was assigned .11, parent uid .09
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.11] => satisfied by exact RRset: rank 060, new TTL 107
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.11] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52529
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
org. DNSKEY
;; ANSWER SECTION
org. 107 DNSKEY 256 3 8 AwEAAa5uc5s6co7l6C0rgiH0om3XgV6pe2aWmtiNL5/gN82xImSB5ovvjRg1TPfcqNq1CCjtafdWTdtrX2f9hzDMJ1vZxzgcyRDYroiC22kaGQHtlLpw73pVHHrTzqjuJ0lPeko0/SDI0iBIqimY2mT3KJTts3gbXywksWjIHcw5FTAV
org. 107 DNSKEY 256 3 8 AwEAAbdHIC3iJRkEm4k0aIcj1Q5JPlyCkazmt0j2wFIXze88D5yTStbMFEjVGhTCNVtKGomSxz89GnnCA+MdkDzlJJofSNigEUoTZp5U6tEgtt61NNrKxz0GnJkW/1yeS5dP27hYCSBp9264feY/7z/wjoZyKfbsoymBrC5EZA6iHxFd
org. 107 DNSKEY 257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIyS+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQuQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYteoIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9nXniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5CbXg44OqwhIW8=
org. 107 RRSIG DNSKEY 8 1 900 1651332155 1649514155 26974 org. dSvEYdnhQOlzIu9rs3M/kjais/ifG51gF4IKE6GEwikhx/tYFrJuUuGzXpqoQcOkdoZXySoUYoMVF3wwUR7aD8EH+D5NQ4CmGLs1lQil6GGE+CKjglZPZrrklIsVhBmD+AZLAC+HIMkOX7vPLrqPz93IqUs+NtIRY15VEvi15JMSydNUIvmxc1HTPaar6r50TxKwfIR92pYDXWqKTe5HQPJ1uj55oyUAwtEISjKM/BdoV5RRjyC+1+i/by9wkGIJLMCkzX/4UnGqBM2jFm66due25GULAMZRYvnhqQvMMc/yyIe3NoeeMh7wqIXqRaHhXNZfjPXNaCOxkPHVeJuYAg==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.11] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.11] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.11] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.09] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .12, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.12] plan 'gnome.org.' type 'DS' uid [07606.13]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.13] 'gnome.org.' type 'DS' new uid was assigned .14, parent uid .12
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.14] => satisfied by exact RRset: rank 060, new TTL 6809
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.14] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 8461
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
gnome.org. DS
;; ANSWER SECTION
gnome.org. 6809 DS 51496 5 2 F676D322A3E9EE31F1078F38256315214078E46A47064CBDEE76E933739CC8C7
gnome.org. 6809 RRSIG DS 8 2 86400 1651332155 1649514155 10449 org. Fj9K58DnO3WxVDtJKEk1csWU9WgXfrtJ9ZYXIOiPG5KdI5o9WIbrW51DqidP6QVVWGpzvVs8knf0h8AjneROMEBjLehQa+9uZ6bQ/x/DEElp2mW53q43b33I6Rt2rjlbazhjFSt+f9BuWPf3wke4IbRK6/pf57TuGgKYBuVwQwo=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.14] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= DS: OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= parent: updating DS
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.14] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.12] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .15, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.15] plan 'gnome.org.' type 'DNSKEY' uid [07606.16]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.16] 'gnome.org.' type 'DNSKEY' new uid was assigned .17, parent uid .15
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.17] => satisfied by exact RRset: rank 060, new TTL 264
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.17] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7489
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
gnome.org. DNSKEY
;; ANSWER SECTION
gnome.org. 264 DNSKEY 256 3 5 AwEAAaMI/dz7JwEtjvpr1uCvjs1AvVxiT4dwQGOXzp6r+pQXazhDn6+TlJDh0aEnwFc76ujViKcMruPsS49dtoCAmhBPuI2g+CGyr/PgAfxM4czfak8kKvIdxh1UMQrcIJ/rKJ5eue7fI2BG3plq9oMIPmDEOoPU4ePjIY4M/qrbjcev
gnome.org. 264 DNSKEY 257 3 5 AwEAAbRD7AymDFuKc2iXta7HXZMleMkUMwjOZTsn4f75ZUp0of8TJdlUDtFtqifEBnFcGJU5r+ZVvkBKQ0qDTTjayL54Nz56XGGoIBj6XxbG8Es+VbZCg0RsetDk5EsxLst0egrvOXga27jbsJ+7Me3D5Xp1bkBnQMrXEXQ9C43QfO2KUWJVljo1Bii3fTfnHSLRUsbRn8Puz+orK71qxs3G9mgGR6rmn91brkpfmHKr3S9Rbxq8iDRWDPiCaWkI7qfASdFk4TLV0gSVlA3OxyW9TCkPZStZ5r/WRW2jhUY/kjHERQd4qX5dHAuYrjJSV99P6FfCFXoJ3ty5s3fl1RZaTo8=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 40692 gnome.org. FhZSI3iYe2SLfWAJR7DH4bOTTD4AlkPf9OsFZH6nhBJQEk9H8cRkHUzLUczY41daJwDKxlUnnEkEOa1jS8E8EXm3KSSxkraZv6BLsdhxB6UjbYT6ZrhzbneO1sygYc/6IU70DpryKNa6R9jPLEUEphez9MR6Bf/VREtkYNUnVXU=
gnome.org. 264 RRSIG DNSKEY 5 2 900 1651937377 1649345377 51496 gnome.org. jgJHprIvEOZL5K6sZhGKrjQEsU368ZzMJ/PJhQpeXz47HwfF0AhTycWSwWG8enqpFhl/QY2n2IEnnTtBC3IytvZBd+SfL82lkuGU1eDaSR4pkMiJCTLEitFEMlRj950A2S1RYxVafJAlJR0MrLEcgUYap+V9OVrGjoSnXTIs9XOY0aj0iTNRT5nm1RC533QKCu5PDwQlXbwUWC0LoYM3oHMG5sbliD0Sy2nObYs9cf7BfkLb97iZiJcQKNm5fpDnG4qaLlw0GRrybbHi1QeIJisC4Isg1gdZ2cPDntPVS8T0m6I5Dcsx1IvDubhucJ8U2SMIkSKIZ1Aidl+MslSTLw==
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.17] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.17] <= parent: updating DNSKEY
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.17] <= answer valid, OK
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.15] 'router-default.apps.openshift4.gnome.org.' type 'A' new uid was assigned .18, parent uid .00
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][plan ][07606.18] plan 'openshift4.gnome.org.' type 'DS' uid [07606.19]
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.19] 'openshift4.gnome.org.' type 'DS' new uid was assigned .20, parent uid .18
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => skipping exact packet: rank 025 (min. 030), new TTL 16
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => trying zone: gnome.org., NSEC, hash 0
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => NSEC sname: covered by: *.openshift.gnome.org. -> *.openshift4.gnome.org., new TTL 2716
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][cache ][07606.20] => NSEC sname: empty non-terminal by the same RR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.20] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27790
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
openshift4.gnome.org. DS
;; AUTHORITY SECTION
gnome.org. 16 SOA ns-master.gnome.org. hostmaster.gnome.org. 1649348977 600 900 86400 3600
gnome.org. 16 RRSIG SOA 5 2 900 1651937377 1649345377 40692 gnome.org. D4nUm9bExjX/lUoG+TgMdYuccR7InE2wSzBLR2a4ocU3IqpNvA7seBmll9x706ImEZ1oxtvXTZbozEG7W1c7KIlo+vvSl4yoQgQl37VncHhfW5U6Q69v9o1XRuledjb7l16OtynblHXQkDmZDrT9vwX0BV6eoZ78QG84lBqpaFk=
*.openshift.gnome.org. 2716 NSEC *.openshift4.gnome.org. A AAAA RRSIG NSEC
*.openshift.gnome.org. 2716 RRSIG NSEC 5 3 3600 1651937377 1649345377 40692 gnome.org. j3xWiApwlF6XY64qJnXepFklLWWOHYpQFl1ZBtEhT0THnbMMgwOUmhzvpCbeWJaNRZiqMNGBLo1g+4gaOA3RpzULFjH8GyW0fuzpZ7qwZAgxUsa9/Ii5tj5rtYTv8zZFkqv9xoQVLfwx09r12Sjrpg/aoXnHs0LEbSkCJWC3lAQ=
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][iterat][07606.20] <= rcode: NOERROR
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][valdtr][07606.20] <= bogus proof of DS non-existence
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][resolv][07606.00] request failed, answering with empty SERVFAIL
Apr 13 07:30:14 torino kresd[1679506]: [reqdbg][resolv][07606.20] finished in state: 8, queries: 6, mempool: 49200 B
```
It seems that when it resolves successfully while forwarding is disabled, it caches the result and continues resolving correctly even when you re-enable forwarding. However, as soon as I remove the cache, forwarding then fails again.
kresd.conf:
```
user('knot-resolver','knot-resolver')
net.listen('127.0.0.1', 53, { kind = 'dns', freebind = true })
net.listen('127.0.0.1', 853, { kind = 'tls', freebind = true })
net.listen('::1', 53, { kind = 'dns', freebind = true })
net.listen('::1', 853, { kind = 'tls', freebind = true })
cache.size = 256*MB
modules = {
    'policy',
    'view',
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'serve_stale < cache',
    'workarounds < iterate',
    'stats',
    'predict'
}
view:addr('127.0.0.1/8', function (req, qry) return policy.PASS end)
view:addr('::1/128', function (req, qry) return policy.PASS end)
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end)
policy.add(policy.suffix(policy.DENY, {todname('use-application-dns.net.')}))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/urlhaus.abuse.ch.rpz',true))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/threatfox.abuse.ch.rpz',true))
policy.add(policy.rpz(policy.DENY, '/var/lib/rpz-downloader/cert.pl.rpz',true))
policy.add(policy.pattern(policy.PASS, todname('uribl.com.')))
policy.add(policy.pattern(policy.PASS, todname('zen.spamhaus.org.')))
policy.add(policy.pattern(policy.PASS, todname('dbl.spamhaus.org.')))
policy.add(policy.all(policy.TLS_FORWARD({
    {'2620:fe::fe', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'2620:fe::fe:9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'9.9.9.9', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
    {'149.112.112.112', hostname='dns.quad9.net', ca_file='/etc/ssl/certs/ca-certificates.crt' },
})))
predict.config({ window = 20, period = 72 })
```
5.5.1
Vladimír Čunát
vladimir.cunat@nic.cz
https://gitlab.nic.cz/knot/knot-resolver/-/issues/443
DNSSEC validation failing for NSEC signed zone with deeper wildcard
2022-05-18T16:25:24+02:00
Štěpán Balážik
When testing on the zones linked below (in local `knotd`), and when asked for `dig @127.0.0.1 -p 53 A shit.wildc.nsec.test.knot-resolver.cz +dnssec` Resolver ends up servfailing because it can't validate proof of non-existence of `wildc.nsec.test.knot-resolver.cz. DS` record:
```
[44720.12][resl] => id: '36540' querying: '127.0.0.1#05353' score: 21 zone cut: 'nsec.test.knot-resolver.cz.' qname: 'wilDC.nSEc.teSt.KnOT-REsolVER.cz.' qtype: 'DS' proto: 'udp'
[44720.12][iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36540
;; Flags: qr aa rd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
wildc.nsec.test.knot-resolver.cz. DS
;; AUTHORITY SECTION
nsec.test.knot-resolver.cz. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111238 21600 3600 604800 86400
*.wild.nsec.test.knot-resolver.cz. 86400 NSEC *.wildc.nsec.test.knot-resolver.cz. A RRSIG NSEC
*.wildc.nsec.test.knot-resolver.cz. 86400 NSEC nsec.test.knot-resolver.cz. CNAME RRSIG NSEC
nsec.test.knot-resolver.cz. 3600 RRSIG SOA 13 4 3600 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. YlGILkcuX6EpClR9YBmNZP/2G6UaCWLFB2LxLMfU40h+qARSMwsaaRrBPt9mO7kMS1e6r/vG9muP/tkgIPmEJA==
*.wild.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. HnNsj0OoA82ltnf+iFEdyvUqpw/3DSkeZCGGKKCbvvP0ENgT6jeRP8euL19WBVvloPTb8LUMQWb9FhgauuRtmg==
*.wildc.nsec.test.knot-resolver.cz. 86400 RRSIG NSEC 13 5 86400 20370101153211 20190118140211 25023 nsec.test.knot-resolver.cz. rbFDZXGXSY1J4wWzeIN+EqnKCjr6ZsA/9lZV/yy5ILzi9K2z4IxIp09uKS2qasK/nVuWAdqonFgLteCLuUew6g==
[44720.12][iter] <= rcode: NOERROR
[44720.12][vldr] <= bad NODATA proof
[44720.12][cach] => stashed nsec.test.knot-resolver.cz. SOA, rank 020, 190 B total, incl. 1 RRSIGs
[44720.12][cach] => stashed packet: rank 025, TTL 1, DS wildc.nsec.test.knot-resolver.cz. (615 B)
[44720.12][resl] finished: 8, queries: 3, mempool: 32800 B
```
When asked for the respective record in the NSEC3 signed zone Resolver validates with no problem.
Below I link all three zonefiles as well as the configurations of both `kresd` and `knotd` I used.
[kresd.log](/uploads/5360e41e89323adf2636cc868e0caab2/kresd.log)
[kresd.conf](/uploads/3465c6d90d6681e94e87091af39f6c00/kresd.conf)
[knotd.conf](/uploads/519da89b51c4ff77f97bd9c847274230/knotd.conf)
[test.knot-resolver.cz.zone](/uploads/8d6a2b3497134f9895bd4e4592b027b7/test.knot-resolver.cz.zone)
[nsec.test.knot-resolver.cz.zone](/uploads/afe51a85acb768e0b4552b3fad4d1dbb/nsec.test.knot-resolver.cz.zone)
[nsec3.test.knot-resolver.cz.zone](/uploads/ca69754b0afd55d2362c3da28cf6491d/nsec3.test.knot-resolver.cz.zone)
5.5.1
Vladimír Čunát
vladimir.cunat@nic.cz
https://gitlab.nic.cz/knot/knot-resolver/-/issues/341
migrate from map_t to trie_t
2022-05-13T15:13:58+02:00
Petr Špaček
Maps are not 8-bit clean and this leads to subtle and hard-to-debug bugs.
MR !550 is the first migration and we should migrate the rest of the code as well.
Oto Šťáva
https://gitlab.nic.cz/knot/knot-resolver/-/issues/741
assertion "session_flags(session)->outgoing && !session_flags(session)->closi...
2022-05-09T19:06:02+02:00
megous
assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed
I use kresd on my home router, and last night it stopped processing queries (seemingly without crashing outright). The log was full of (thousands of repetitions):
```
....
Apr 30 06:39:36 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
Apr 30 06:39:36 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
Apr 30 06:39:36 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
Apr 30 06:39:36 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
Apr 30 06:39:37 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
Apr 30 06:39:37 router kresd[367]: [system] assertion "session_flags(session)->outgoing && !session_flags(session)->closing" failed in tcp_task_waiting_connection@../daemon/worker.c:1447
....
```
During kresd restart, it crashed on shutdown:
```
Apr 30 06:39:40 router systemd-coredump[3711]: [LNK] Process 367 (kresd) of user 972 dumped core.
Stack trace of thread 367:
#0 0x0000ffff9185ac38 n/a (libkres.so.9 + 0x1ac38)
#1 0x0000ffff9185ac40 n/a (libkres.so.9 + 0x1ac40)
#2 0x0000ffff9185b1bc map_clear (libkres.so.9 + 0x1b1bc)
#3 0x0000aaaac39ab2dc n/a (kresd + 0x2b2dc)
#4 0x0000aaaac398aa14 n/a (kresd + 0xaa14)
#5 0x0000ffff9108b8fc __libc_start_call_main (libc.so.6 + 0x2b8fc)
#6 0x0000ffff9108b9d4 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x2b9d4)
#7 0x0000aaaac398c4f0 _start (kresd + 0xc4f0)
ELF object binary architecture: AARCH64
```
(I don't have debug symbols, sorry)
```
# kresd -V status=1
Knot Resolver, version 5.5.0
[2022-03-29T19:29:11+0200] [ALPM] upgraded knot-resolver (5.4.4-1 -> 5.5.0-1)
```
This seems like an exceedingly rare event (one crash in a month since update)
My configuration:
```lua
net.listen({'127.0.0.1', '192.168.1.1', '10.11.7.1', '10.11.4.1'})
net.listen({'[...redactecd public ipv6 address...]'})
net.outgoing_v6('[...redactecd public ipv6 address...]')
modules = {
    'hints > iterate', -- Load /etc/hosts and allow custom root hints
    'stats', -- Track internal statistics
    'predict', -- Prefetch expiring/frequent records
}
cache.size = cache.fssize() - 10 * MB
log_level('warning')
--log_level('debug')
home_names = policy.todnames({'[... my public tld that I serve via a local secondary NS in case my internet crashes ...].'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), home_names))
policy.add(policy.suffix(policy.STUB('127.0.0.2'), home_names))
policy.add(policy.slice(
    policy.slice_randomize_psl(),
    policy.TLS_FORWARD({
        {'1.1.1.1', hostname='1dot1dot1dot1.cloudflare-dns.com'},
        {'1.0.0.1', hostname='1dot1dot1dot1.cloudflare-dns.com'},
        {'2606:4700:4700::1111', hostname='1dot1dot1dot1.cloudflare-dns.com'},
        {'2606:4700:4700::1001', hostname='1dot1dot1dot1.cloudflare-dns.com'},
    }),
    policy.TLS_FORWARD({
        {'8.8.8.8', hostname='dns.google'},
        {'8.8.4.4', hostname='dns.google'},
        {'2001:4860:4860::8888', hostname='dns.google'},
        {'2001:4860:4860::8844', hostname='dns.google'},
    }),
    policy.TLS_FORWARD({
        {'9.9.9.9', hostname='dns9.quad9.net'},
        {'149.112.112.112', hostname='dns9.quad9.net'},
        {'2620:fe::fe', hostname='dns9.quad9.net'},
        {'2620:fe::9', hostname='dns9.quad9.net'},
    })
))
```
About a week before the crash I added TLS_FORWARD policies. Before that I used recursive resolution in kresd. So it might be some issue with the forwarding of queries to those upstream resolvers.
Resolution was not failing completely. I noticed the crash because web pages using HSTS were returning TLS certificate errors due to addresses being resolved to the IP address of my home router (which is also running something on the HTTPS port). That was quite weird.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/406
validate: fails to accept some correct proofs in deeper NSEC zones
2022-05-09T11:46:29+02:00
Vladimír Čunát
vladimir.cunat@nic.cz
validate: fails to accept some correct proofs in deeper NSEC zones
Real-life example: `_domainkey.bronz.cz` - it's an empty non-terminal covered by
```
*.bronz.cz. 3589 IN NSEC arcz._domainkey.bronz.cz. CNAME RRSIG NSEC
```
Note: aggressive cache does generate the proof correctly, if the record is in cache; it's just the validator not accepting it. In real life this issue will probably rarely cause problems; moreover, NODATA isn't often distinguishable from SERVFAIL.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/254
RFC 4509: protection from DS digest downgrade
2022-05-08T12:12:41+02:00
Petr Špaček
RFC 4509: protection from DS digest downgrade
Right now we do not respect https://tools.ietf.org/html/rfc4509#section-6
https://gitlab.nic.cz/knot/knot-resolver/-/issues/319
validator: add TTL checks
2022-05-08T12:09:35+02:00
Vladimír Čunát
vladimir.cunat@nic.cz
validator: add TTL checks
Probably to be within `kr_rrset_validate_with_key()` or inside a sub-call.
- [x] check TTL going over RRSIG expiration;
- [x] check TTL going over the signed TTL.
Possible actions:
1. clamp the TTL
2. refuse such signature -> BOGUS
4.2.1
Vladimír Čunát
vladimir.cunat@nic.cz
https://gitlab.nic.cz/knot/knot-resolver/-/issues/317
seccomp support
2022-05-08T11:48:30+02:00
Jan Pavlinec
seccomp support
It would be nice if we could build knot-resolver with seccomp support, which should reduce the attack surface by filtering syscalls.
Note: a similar hardening approach was taken for dnsmasq by the Google zero team (but it's not merged into upstream yet)
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
https://github.com/google/security-research-pocs/blob/master/vulnerabilities/dnsmasq/sandbox/dnsmasq-sandbox.patch
https://gitlab.nic.cz/knot/knot-resolver/-/issues/730
Ignoring SYSTEMD_INSTANCE environment variable
2022-05-08T11:13:07+02:00
Lukasz Jarosz
Ignoring SYSTEMD_INSTANCE environment variable
I am using kres inside a Docker container, in which it is installed according to the official instructions. In order to avoid the issue of stale sockets, I decided to force the id with the SYSTEMD_INSTANCE environment variable, like this in my entrypoint:
`SYSTEMD_INSTANCE=1 kresd -n -c /etc/knot-resolver/kresd.conf /run/knot-resolver`
Without any success:
> $ docker exec -it kres-test ls /run/knot-resolver/control
>
> 10
The image is based on ubuntu:20.04, if that matters somehow.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/716
manager: datamodel: unit tests improvements
2022-04-20T14:18:38+02:00
Aleš Mrázek
manager: datamodel: unit tests improvements
Possibilities for improvement
- tests parametrization as mentioned in [!1250](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1250#note_242078)
- split tests of configuration schemas into two separate tests (for `valid` and `invalid` config) also mentioned in [!1250](https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1250#note_242079)
https://gitlab.nic.cz/knot/knot-resolver/-/issues/725
manager: SIGINT while shutting down should lead to immediate termination
2022-04-08T16:14:03+02:00
Vaclav Sraier
manager: SIGINT while shutting down should lead to immediate termination
In weird cases such as when you kill all kresd instances by hand while manager is slowly stopping them by itself, the manager can get stuck (in general it happens while waiting for systemd jobs which never finish).
Control+C in these cases does nothing. It triggers shutdown, but the shutdown waits for the stuck task. Usability would be improved quite a bit if we detected these cases and terminated forcefully.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/29
test: extend with raw packets (+fuzzed) tests
2022-04-08T16:14:03+02:00
Ghost User
test: extend with raw packets (+fuzzed) tests
Depends on #5
To do:
* [ ] Support for raw queries in the .rpl files (http://unbound.net/svn/trunk/testdata/test_packets.1 .. 9)
This could look something like:
```
SCENARIO_BEGIN raw_queries
STEP 0 QUERY
ENTRY_BEGIN
RAW
00000000700240004aa200000204059801010402
ENTRY_END
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
RAW
000080010000000000000000
ENTRY_END
```
If you just add the `RAW` parsing in the https://gitlab.labs.nic.cz/knot/resolver/blob/master/tests/test_integration.py#L44 and https://gitlab.labs.nic.cz/knot/resolver/blob/master/tests/pydnstest/scenario.py#L5 but that's just one way to do it.
2015 Q3
Grigorii Demidov
https://gitlab.nic.cz/knot/knot-resolver/-/issues/706
docs: annotate data model with docstrings
2022-04-08T16:14:03+02:00
Vaclav Sraier
docs: annotate data model with docstrings
Aleš Mrázek
https://gitlab.nic.cz/knot/knot-resolver/-/issues/35
daemon: fast retransmit
2022-04-08T16:14:02+02:00
Ghost User
daemon: fast retransmit
When scanning (NS score is unknown), it is likely that a server times out.
In this case, a query should go through the provided list and send queries in short intervals.
Once it gets an answer or TIMEOUT, it should stop.
https://gitlab.nic.cz/knot/knot-resolver/-/issues/45
lib/dnssec: validation is slow
2022-04-08T16:14:02+02:00
Ghost User
lib/dnssec: validation is slow
Resolver uses ±2.2x more CPU time with validation enabled on Alexa data set.
There are several reasons for it:
* libdnssec key setup and conversion from rdata->key is expensive and puts small allocations in the hot path; in the resolver this is unfortunately not a sunk cost
* the same for signing context setup
* signature verification itself is expensive, but that's expected
There are several high-level crypto operations we need:
* `keytag from dnskey rr` (this algo is described in dnssec rfc)
* `dnskey rr has SEP` (implemented)
* `dnskey rr is revoked` (implemented)
* `dnskey rr matches another` (compare algo + pubkey parts)
* `nsec3 hash of name` (not so critical, as most of the answers are positive)
* `hasher init/put/finalize` (for comparing DS/DNSKEY pairing, RRSIGs)
* `verify(digest,signature,pubkey)`
All of these should work on RR, as there is no metadata storage required.
Steps:
* [ ] Formalize described API and create a header
* [ ] Implement it using libdnssec current API
* [ ] Trim/cleanup current dnssec interface with only this API
* [ ] Implement it using mbed