We are trying to use the TPM to securely store our private key instead of keeping it on the file system.
Then, during data transfer, we use mutual TLS (mTLS) so both systems authenticate each other using certificates and private keys that are stored inside the TPM.
Both of our systems run stunnel for TLS and use rsync over that TLS channel to send data.
So it’s basically:
rsync (data) → stunnel (TLS + TPM key) → network → stunnel → rsync
While doing this, we are seeing repeated TPM failures:
2025.11.09 07:24:49 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
ERROR:tcti:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-tcti/tcti-device.c:198:tcti_device_receive() Failed to get response size fd 13, got errno 12: Cannot allocate memory
ERROR:esys:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-esys/api/Esys_ContextLoad.c:283:Esys_ContextLoad_Finish() Received a non-TPM Error
ERROR:esys:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-esys/api/Esys_ContextLoad.c:93:Esys_ContextLoad() Esys Finish ErrorCode (0x000a000a)
ERROR:esys:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-esys/esys_iutil.c:1250:iesys_check_sequence_async() Esys called in bad sequence.
ERROR:esys:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-esys/api/Esys_SequenceUpdate.c:74:Esys_SequenceUpdate() Error in async function ErrorCode (0x00070007)
2025.11.09 07:24:53 LOG7[0]: TLS alert (write): fatal: decrypt error
ERROR:esys:/usr/src/debug/tpm2-tss/4.1.3/src/tss2-esys/api/Esys_FlushContext.c:66:Esys_FlushContext() Error in async function ErrorCode (0x00070007)
2025.11.09 07:24:53 LOG3[0]: error queue: tls_process_cert_verify@/usr/src/debug/openssl/3.4.1/ssl/statem/statem_lib.c:582: error:0A00007B:lib(20)::reason(123)
2025.11.09 07:24:53 LOG3[0]: error queue: :-1: error:4000000E:lib(128)::reason(14): esapi:Function called in the wrong order
2025.11.09 07:24:53 LOG3[0]: error queue: :-1: error:40000013:lib(128)::reason(19): tcti:IO failure
2025.11.09 07:24:53 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2025.11.09 07:24:53 LOG7[0]: Service [sibling_system] finished (0 left)
rsync: [sender] safe_read failed to read 1 bytes: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(283) [sender=3.4.1]
After this, the TLS handshake fails.
We even tried running a background script that flushes all transient, loaded, and session contexts every 10 milliseconds:
while true; do
    tpm2_flushcontext -t   # transient objects
    tpm2_flushcontext -s   # saved sessions
    tpm2_flushcontext -l   # loaded sessions
    sleep 0.01
done
But even with this running, we still hit the same error.
Steps to Reproduce
- Store an ECC key in TPM and make it persistent.
- Configure stunnel to use that TPM key via OpenSSL tpm2 provider.
- Run a single rsync transfer through the stunnel mTLS setup.
- Observe TLS failure and the above TPM/TSS logs.
I’m not sure why this happens.
I would appreciate any guidance or a fix; I’m currently completely stuck here.
@williamcroberts
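The setup the steps to reproduce describe, written out as an added example (this is not code from the issue above, nor from the tpm2-tools, tpm2-openssl or stunnel projects). It provisions an ECC P-256 key that only exists inside the TPM, produces a CSR signed by the TPM, and emits the OpenSSL and stunnel configuration for an rsync-over-stunnel mTLS pair. It differs from the reporter's setup in one deliberate way: instead of a persistent handle for the leaf key it persists only the storage primary (SRK) and keeps the leaf key as a TPM-wrapped "TSS2 PRIVATE KEY" PEM, so that stunnel's ordinary `key =` option can load it once the tpm2 provider is activated in openssl.cnf. Everything else is an assumption for illustration: the SRK handle 0x81000001, the directory `/etc/stunnel/tpm`, the CN passed as an argument, port 8873, and that stunnel loads keys through OpenSSL's standard PEM decoder path. The script talks to the TPM through the kernel resource manager `/dev/tpmrm0` and runs no flush loop beside the provider.

```shell
#!/bin/sh
# Added example: not code from the issue or from the tpm2/stunnel projects.
# Provisions a TPM-resident ECC P-256 key and emits the OpenSSL and stunnel
# configuration for an rsync-over-stunnel mTLS pair.
# Assumptions (none come from the issue): SRK persisted at 0x81000001; files
# under $TPM_KEYDIR (default /etc/stunnel/tpm); tpm2-tools, the tpm2-openssl
# provider and stunnel installed; TPM reached via the kernel RM /dev/tpmrm0.
set -eu

SRK_HANDLE=0x81000001
TCTI="device:/dev/tpmrm0"        # kernel resource manager, not raw /dev/tpm0
export TPM2TOOLS_TCTI="$TCTI" TPM2OPENSSL_TCTI="$TCTI"
DIR="${TPM_KEYDIR:-/etc/stunnel/tpm}"

# Create the signing key inside the TPM and a CSR for it.  $1 is the host CN.
# key.pem ("TSS2 PRIVATE KEY") is the key wrapped by the SRK: it can sit on
# disk because only this TPM can unwrap and use it.
provision_key() {
    mkdir -p "$DIR" && cd "$DIR"
    # SRK once per machine; persistent so key.pem can name it by handle.
    if ! tpm2_readpublic -c "$SRK_HANDLE" >/dev/null 2>&1; then
        tpm2_createprimary -C o -G ecc256 -c srk.ctx
        tpm2_evictcontrol -C o -c srk.ctx "$SRK_HANDLE"
        tpm2_flushcontext -t
        rm -f srk.ctx
    fi
    tpm2_create -C "$SRK_HANDLE" -G ecc256 -u key.pub -r key.priv
    tpm2_encodeobject -C "$SRK_HANDLE" -u key.pub -r key.priv -o key.pem
    chmod 600 key.pem
    # The CSR is signed by the TPM; no private scalar is ever written out.
    openssl req -new -provider tpm2 -provider default \
        -key key.pem -subj "/CN=$1" -out "$1.csr"
}

# openssl.cnf fragment that activates the tpm2 provider process-wide, so that
# stunnel's plain "key =" option can decode the TSS2 PEM (assumed: stunnel
# loads the key through OpenSSL's standard decoder path).
openssl_cnf() {
    cat <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
tpm2 = tpm2_sect
[default_sect]
activate = 1
[tpm2_sect]
activate = 1
EOF
}

# stunnel.conf for one side.  $1 = server|client, $2 = peer host name.
# Both sides verify the peer chain against the private CA (that is the
# "mutual" in mTLS); the client additionally pins the expected host name.
stunnel_conf() {
    cat <<EOF
cert = $DIR/host.crt
key = $DIR/key.pem
CAfile = $DIR/ca.crt
verifyChain = yes
sslVersionMin = TLSv1.3
EOF
    if [ "$1" = server ]; then
        cat <<EOF
[rsync_in]
accept = 8873
connect = 127.0.0.1:873
EOF
    else
        cat <<EOF
[sibling_system]
client = yes
accept = 127.0.0.1:8873
connect = $2:8873
checkHost = $2
EOF
    fi
}

case "${1:-}" in
    provision)    provision_key "$2" ;;
    openssl-cnf)  openssl_cnf ;;
    stunnel-conf) stunnel_conf "$2" "$3" ;;
esac
```

Run `sh tpm-mtls.sh provision host-a` on each side, get `host-a.csr` signed by the private CA into `host.crt`, install the `openssl-cnf` output (or merge it into the system openssl.cnf), then start stunnel with the `stunnel-conf server` output on the receiver and `stunnel-conf client <receiver>` on the sender; rsync then targets `127.0.0.1:8873` on the sender. The private key material is never readable from the filesystem: `key.pem` is only a wrapped blob the SRK in this TPM can load.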