Description
I am not able to connect to any SF cluster using sfctl on macOS 11.4. Googling around I see mentions of sfctl attempting to negotiate TLS 1.0 instead of 1.2; however, I can't find a parameter that would allow me to amend the protocol version for the handshake.
Cluster version: 8.0.514.9590 (managed SF cluster)
Cluster version: 8.0.521.9590 (unmanaged SF cluster)
^ These are two independent clusters, with independent pub/priv key pairs as client certs, the right FQDN in the subject and their SHA-1 thumbprint added via the Azure Portal to the cluster.
```text
$ sfctl cluster select --cert sfmanaged.norwayeast.cloudapp.azure.com.pem --key sfmanaged.norwayeast.cloudapp.azure.com-key.pem --endpoint https://sfmanaged.norwayeast.cloudapp.azure.com:19000 --no-verify --debug
Command arguments: ['cluster', 'select', '--cert', 'sfmanaged.norwayeast.cloudapp.azure.com.pem', '--key', 'sfmanaged.norwayeast.cloudapp.azure.com-key.pem', '--endpoint', 'https://sfmanaged.norwayeast.cloudapp.azure.com:19000', '--no-verify', '--debug']
Event: Cli.PreExecute []
Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x10d4a0550>, <function OutputProducer.on_global_arguments at 0x10d5b85e0>, <function CLIQuery.on_global_arguments at 0x10d602820>]
Event: CommandInvoker.OnPreCommandTableCreate []
Event: CommandLoader.OnLoadArguments []
Event: CommandInvoker.OnPostCommandTableCreate []
Event: CommandInvoker.OnCommandTableLoaded []
Event: CommandInvoker.OnPreParseArgs []
Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x10d5b8670>, <function CLIQuery.handle_query_parameter at 0x10d6028b0>]
msrest.universal_http.requests : Configuring retry: max_retries=3, backoff_factor=0.8, max_backoff=90
msrest.service_client : Accept header absent and forced to application/json
msrest.universal_http : Configuring redirects: allow=True, max=30
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
msrest.universal_http : Configuring proxies: ''
msrest.universal_http : Evaluate proxies against ENV settings: True
urllib3.connectionpool : Starting new HTTPS connection (1): sfmanaged.norwayeast.cloudapp.azure.com:19000
urllib3.util.retry : Incremented Retry for (url='/'): Retry(total=2, connect=3, read=3, redirect=None, status=None)
urllib3.connectionpool : Retrying (Retry(total=2, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')"))': /
```
```text
$ pip show sfctl
Name: sfctl
Version: 11.1.0
Summary: Azure Service Fabric command line
Location: /usr/local/lib/python3.8/site-packages
```
Using sslscan against the cluster endpoint shows 19000/TCP does not speak TLS at all.
So my question becomes: which port should I connect to?
I've also tried 19080 and that gives me:
```text
Starting new HTTPS connection (1): sfunmanaged.norwayeast.cloudapp.azure.com:19080
/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py:842: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn((
urllib3.connectionpool : https://sfunmanaged.norwayeast.cloudapp.azure.com:19080 "GET / HTTP/1.1" 403 0
403 Client Error: Client certificate required for url: https://sfunmanaged.norwayeast.cloudapp.azure.com:19080/
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/knack/cli.py", line 206, in invoke
    cmd_result = self.invocation.execute(args)
  File "/usr/local/lib/python3.8/site-packages/sfctl/entry.py", line 81, in execute
    return super(SFInvoker, self).execute(args)
  File "/usr/local/lib/python3.8/site-packages/knack/invocation.py", line 208, in execute
    cmd_result = parsed_args.func(params)
  File "/usr/local/lib/python3.8/site-packages/knack/commands.py", line 139, in __call__
    return self.handler(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/knack/commands.py", line 246, in _command_handler
    result = op(client, **command_args) if client else op(**command_args)
  File "/usr/local/lib/python3.8/site-packages/sfctl/custom_cluster.py", line 162, in select
    rest_client.send(rest_client.get('/')).raise_for_status()
  File "/usr/local/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Client certificate required for url: https://sfunmanaged.norwayeast.cloudapp.azure.com:19080/
```
This happens even if I pass --key and --cert to the CLI (or --pem with a pub+priv .pem bundle).
I'm confused: is that a bogus error, or is there something wrong with my key material?
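An added diagnostic example, not code from sfctl or from the issue author, that separates the three questions in this report: is the port speaking TLS at all, does the key actually match the certificate, and did the handshake succeed while the HTTP layer still saw no client certificate. It uses only the Python standard library. The host names and ports are those from the post, the sample log lines are a constructed copy of three lines from the `--debug` output above, and `probe_tls` is the only part that touches the network. Loading a mismatched key/cert pair with `ssl.SSLContext.load_cert_chain` fails locally before any connection is made, which is the quickest check on the key material itself.

```python
"""Triage a failing TLS client-certificate connection (sfctl-style symptoms)."""
import re
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample: three lines copied from the --debug output in the issue above.
SAMPLE_DEBUG_LOG = """\
msrest.universal_http : Configuring request: timeout=100, verify=True, cert=None
urllib3.connectionpool : Starting new HTTPS connection (1): sfmanaged.norwayeast.cloudapp.azure.com:19000
urllib3.connectionpool : Retrying (Retry(total=2, connect=3, read=3, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')"))': /
""".splitlines()

# Substrings that show up in pyOpenSSL / ssl / urllib3 errors, grouped by what they usually indicate.
_NOT_TLS = ("Unexpected EOF", "wrong version number", "EOF occurred in violation of protocol", "unknown protocol")
_REJECTED = ("alert handshake failure", "certificate required", "unknown ca", "certificate unknown", "bad certificate")


def classify_failure(message: str, http_status: Optional[int] = None) -> str:
    """Map an error string (plus an optional HTTP status) to a diagnosis bucket."""
    if http_status == 403 and "client certificate required" in message.lower():
        return "tls_ok_no_client_cert"   # handshake completed; the HTTP layer saw no client cert
    if any(s in message for s in _NOT_TLS):
        return "not_tls"                  # peer closed or sent non-TLS bytes: wrong port, or a hello it refuses
    if any(s.lower() in message.lower() for s in _REJECTED):
        return "tls_rejected"             # peer got far enough into TLS to reject our certificate
    return "unknown"


def parse_sfctl_debug(lines: List[str]) -> Dict[str, Optional[str]]:
    """Pull target, msrest verify/cert settings and the SSL error out of sfctl --debug output.

    The cert= value is what msrest logged for its request configuration; compare it with the
    flags you passed rather than treating it as proof either way.
    """
    info: Dict[str, Optional[str]] = {"target": None, "verify": None, "cert": None, "error": None, "diagnosis": None}
    for line in lines:
        m = re.search(r"Starting new HTTPS connection \(\d+\): (\S+)", line)
        if m:
            info["target"] = m.group(1)
        m = re.search(r"verify=(\w+), cert=(\S+)", line)
        if m:
            info["verify"], info["cert"] = m.group(1), m.group(2)
        m = re.search(r"connection broken by '(.*)':", line)
        if m:
            info["error"] = m.group(1)
            info["diagnosis"] = classify_failure(m.group(1))
    return info


def probe_tls(host: str, port: int, certfile: Optional[str] = None, keyfile: Optional[str] = None,
              verify: bool = True, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Open one TLS 1.2+ connection, presenting a client cert if given, and report the outcome.

    Network call; not exercised by the offline checks. Example:
    probe_tls("sfunmanaged.norwayeast.cloudapp.azure.com", 19080, "client.pem", "client-key.pem", verify=False)
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse to fall back to TLS 1.0/1.1
    if not verify:                                 # counterpart of sfctl --no-verify, for diagnosis only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if certfile:
        try:
            ctx.load_cert_chain(certfile, keyfile)  # OpenSSL rejects a key that does not match the cert
        except ssl.SSLError as exc:
            return {"protocol": None, "cipher": None, "diagnosis": f"bad_key_material: {exc}"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"protocol": tls.version(), "cipher": tls.cipher()[0], "diagnosis": "handshake_ok"}
    except ssl.SSLError as exc:
        return {"protocol": None, "cipher": None, "diagnosis": classify_failure(str(exc))}
    except OSError as exc:
        return {"protocol": None, "cipher": None, "diagnosis": f"connect_failed: {exc}"}
```

Run `parse_sfctl_debug` over a saved `--debug` log first; a `not_tls` result for one port and a `tls_ok_no_client_cert` result for another point at two different problems, and a `bad_key_material` result from `probe_tls` means the PEM files, not the cluster, need attention.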