openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

curl8.8.0: (35) ssl_handshake returned #24365

Closed lengfwong closed 3 months ago

lengfwong commented 3 months ago

Maintainer: @krant
Environment: x86/64 OpenWrt SNAPSHOT r26581-33db914607 / LuCI Master 24.158.03388~a6f8361
curl: 8.8.0
libmbedtls21: 3.6.0
libustream-mbedtls20201210: 2024.04.19~524a76e5

Description:

curl --connect-timeout 5 -m 120 --ipv4 -vkfSLo "./apple-cn.txt" "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Ra2-IFV commented 3 months ago

Did you install ca-bundle or ca-certificates package on your system?

lengfwong commented 3 months ago

> Did you install ca-bundle or ca-certificates package on your system?

yes, have installed: ca-bundle 20240203-r1 ca-certificates 20240203-r1

Ra2-IFV commented 3 months ago

To be clear first: I'm not a developer, but I faced similar problem before
let start from here: install openssl first, then execute command below
openssl s_client -connect github.com:443
Paste the output here

*I forgot the port number, sorry

Ra2-IFV commented 3 months ago

I guess a proxy software handled your request and responded with self-signed certificate, or it's a MITM attack (not likely but possible)
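The three checks Ra2-IFV walks through (is a CA bundle actually installed, does the chain presented on the wire verify, and which TLS library is libcurl linked against) are worth scripting so they can be rerun after every package change. The script below is an added example for this thread, not code from the openwrt/packages repository or from any commenter. It is written for busybox ash, assumes ca-bundle installs to /etc/ssl/certs/ca-certificates.crt (override with CA_BUNDLE=...), and matches the error strings exactly as pasted in this issue. It deliberately never passes -k: it probes with verification on and an explicit --cacert, because a run that fails even with verification disabled (as the reporter's -k command does) would not normally be explained by a missing trust store alone.

```shell
#!/bin/sh
# tls_triage.sh: first-pass triage for
#   curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed
# on OpenWrt. Added example for this issue thread; not code from openwrt/packages.
# Written for busybox ash (POSIX sh). Only --live touches the network; every
# other function works on transcripts fed through stdin, so it can be unit-tested.

# Assumption: the ca-bundle package installs its bundle here (override with CA_BUNDLE=...).
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Constructed sample: the curl stderr from the report above, used for an offline self-check.
SAMPLE_CURL_ERR='* ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed'

# Sanity-check a CA bundle file: it must exist and contain at least one PEM cert.
# Prints the certificate count; exit 1 if the file is missing or holds no certs.
ca_bundle_check() {
    bundle="$1"
    [ -s "$bundle" ] || return 1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    [ "$n" -gt 0 ] || return 1
    printf '%s\n' "$n"
}

# Parse `curl -V` output from stdin and print the TLS backend libcurl links
# against (e.g. mbedTLS/3.6.0 or OpenSSL/3.0.14). Exit 1 if none is recognised.
curl_tls_backend() {
    backend=$(head -n 1 | tr ' ' '\n' \
        | grep -E -i '^(mbedtls|openssl|wolfssl|gnutls|boringssl|libressl)/' | head -n 1)
    [ -n "$backend" ] || return 1
    printf '%s\n' "$backend"
}

# Classify a curl stderr transcript from stdin into one of:
#   mbedtls-x509  the -0x2700 X509 verification failure from this thread
#   tls-other     some other TLS failure (curl exit 35 or 60)
#   ok            no TLS error line seen
classify_curl_transcript() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'mbedTLS: (-0x2700)'; then
        printf 'mbedtls-x509\n'
    elif printf '%s\n' "$transcript" | grep -q -E '^curl: \((35|60)\)'; then
        printf 'tls-other\n'
    else
        printf 'ok\n'
    fi
}

# Did an `openssl s_client` transcript on stdin end with a verified chain?
# Exit 0 when "Verify return code: 0 (ok)" is present, 1 otherwise.
sclient_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Live mode: run the real tools against one host and print a verdict.
# Verification stays enabled throughout; -servername sends SNI, -CAfile pins the bundle.
triage_live() {
    host="${1:-github.com}"
    if n=$(ca_bundle_check "$CA_BUNDLE"); then
        echo "CA bundle: $CA_BUNDLE ($n certificates)"
    else
        echo "CA bundle: $CA_BUNDLE missing or empty -> install ca-bundle"
    fi
    echo "libcurl TLS backend: $(curl -V 2>/dev/null | curl_tls_backend || echo unknown)"
    if command -v openssl >/dev/null 2>&1; then
        if openssl s_client -connect "$host:443" -servername "$host" \
               -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null | sclient_verified; then
            echo "openssl s_client: chain for $host verifies against the bundle"
        else
            echo "openssl s_client: chain for $host does NOT verify (proxy/MITM or bad bundle)"
        fi
    fi
    verdict=$(curl -sS --cacert "$CA_BUNDLE" -o /dev/null "https://$host/" 2>&1 | classify_curl_transcript)
    echo "curl with explicit --cacert: $verdict"
}

case "${1:-}" in
    --live) triage_live "${2:-github.com}" ;;
    *) printf 'offline self-check: %s\n' "$(printf '%s\n' "$SAMPLE_CURL_ERR" | classify_curl_transcript)" ;;
esac
```

Copy it to the router and run `sh tls_triage.sh --live github.com`; with no arguments it only classifies the embedded sample transcript. If s_client verifies the chain against the same bundle but curl still reports mbedtls-x509, the trust store and the network path are cleared and the libcurl/mbedTLS combination is what to look at.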

lengfwong commented 3 months ago

> openssl s_client -connect github.com:443

Thanks.

root@OpenWrt:~# curl -V
curl 8.8.0 (x86_64-openwrt-linux-gnu) libcurl/8.8.0 mbedTLS/3.6.0 nghttp2/1.62.1
Release-Date: 2024-05-22
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets

root@OpenWrt:~# openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
verify return:1
depth=0 CN = github.com
verify return:1
---
Certificate chain
 0 s:CN = github.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Mar  7 00:00:00 2024 GMT; NotAfter: Mar  7 23:59:59 2025 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=CN = github.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3484 bytes and written 380 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 5822C612DD45511C8215CFD80B5426B1B4A69D964AF1ED94291D912534CA095F
    Session-ID-ctx:
    Resumption PSK: 759B6A725461BFBA06C4D0942C0CC357E8183E3903EADC59B71D8FF678CD3DF3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 60 d2 2e 92 87 1a f2 a9-d1 04 42 3e 6a d0 79 b0   `.........B>j.y.
    0010 - 16 c5 7a 5d 09 2f ab 5f-10 3c a1 e9 6f 19 7e 2e   ..z]./._.<..o.~.

    Start Time: 1718038441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: D8725F7CF12224F11F1A873142C287A54554A0A4777BE05B9F9E7B0ED08A6C97
    Session-ID-ctx:
    Resumption PSK: CBACC026A47EFD01208390A87FD7549ACFFE66A7AAD47C8FE857B949A8E95A2A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - cc 0a 0f c0 b7 53 58 a9-de c8 19 d1 8e ac 99 27   .....SX........'
    0010 - 3a a9 fe 74 e7 b7 70 79-8d 71 84 73 01 e3 74 f0   :..t..py.q.s..t.

    Start Time: 1718038441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
gili-gili commented 3 months ago

yeah, I see a successful handshake.
Then how about curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"?

lengfwong commented 3 months ago

> yeah, I see a successful handshake. Then how about curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"?

Same:

root@OpenWrt:~# curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"
* ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

BTW, previous version curl 8.7.1 is good.

Ra2-IFV commented 3 months ago

Weird, I cannot help.

Ra2-IFV commented 3 months ago

Oh fuck I am having the same error, on other devices curl returns correctly, and on openwrt it just outputs "error" without additional information. Since we already tested the connection with openssl and it works fine, mbedtls is very sus

Ra2-IFV commented 3 months ago

You are using a custom build right? Build Libraries-libcurl with libopenssl and try again

Ra2-IFV commented 3 months ago

I re-built libcurl and curl and it's working now. The default configuration for libmbedtls must have dropped some important feature, so that it fails to read /etc/ssl. Pending investigation.

Ra2-IFV commented 3 months ago

If you are too lazy to build, here are the ipk files
build.zip

opkg remove --autoremove --force-depends libopenssl3 libcurl4 curl
opkg install /path/to/ipk

or you can use web interface to upload new packages. Good luck.

lengfwong commented 3 months ago

> If you are too lazy to build, here are the ipk files build.zip
>
> opkg remove --autoremove --force-depends libopenssl3 libcurl4 curl
> opkg install /path/to/ipk
>
> or you can use web interface to upload new packages. Good luck.

Thanks. My firmware already contains libopenssl3_3.0.14-r1, so it seems useless. Someone on the Internet said that Libraries-libustream-openssl could be used instead of libustream-mbedtls; I rebuilt, but it did not help. It now works well by dropping commit 49fc257 and reverting to curl 8.7.1.

Ra2-IFV commented 3 months ago

No, the problem is libcurl. It was linked with mbedtls. Just reinstall it.

krant commented 3 months ago

wget (/bin/uclient-fetch) is broken too:

# wget https://raw.githubusercontent.com
Downloading 'https://raw.githubusercontent.com'
Connecting to 185.199.111.133:443
Redirected to / on github.com
SSL error: SSL - Bad input parameters to function
Connection error: Connection failed

While this works:

# wget https://github.com
Downloading 'https://github.com'
Connecting to 140.82.121.3:443
Writing to 'index.html'

Download completed (237596 bytes)
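One detail in krant's transcripts is easy to miss: the "SSL error" is raised after a redirect, so the host that failed is the one named at the end of the "Redirected to ... on HOST" line, not the one typed on the command line, and a working fetch of github.com says nothing about the redirect target. The helper below, an added example for this thread and not code from openwrt/packages or uclient, extracts the last host a uclient-fetch run talked to and whether it ended in an SSL error, so the failing server can be re-probed directly. It assumes the transcript format shown above ("Downloading '...'", "Redirected to PATH on HOST", "SSL error: ..."); the embedded samples are constructed in that format, with the pre-signed query string abridged.

```shell
#!/bin/sh
# fetch_trace.sh: which host did a uclient-fetch (/bin/wget on OpenWrt) download
# actually die on? Added example for this issue thread, not code from
# openwrt/packages or uclient. Assumes the transcript lines look like the ones
# pasted in the thread. Written for busybox ash (POSIX sh); only --live uses the network.

# Constructed sample (abridged from the format in the thread): a redirect to a
# pre-signed object URL on another host, followed by the TLS failure.
sample_broken() {
cat <<'EOF'
Downloading 'https://github.com/user-attachments/files/15829951/build.zip'
Connecting to 140.82.114.3:443
Redirected to /github-production-repository-file-5c1aeb/20307838/15829951?X-Amz-Algorithm=AWS4-HMAC-SHA256&response-content-type=application%2Fx-zip-compressed on objects.githubusercontent.com
SSL error: SSL - Bad input parameters to function
Connection error: Connection failed
EOF
}

# Constructed sample: a fetch that completes without any redirect.
sample_ok() {
cat <<'EOF'
Downloading 'https://github.com'
Connecting to 140.82.121.3:443
Writing to 'index.html'

Download completed (237596 bytes)
EOF
}

# Print "<host> <status>" for a uclient-fetch transcript on stdin. host is the
# last server contacted (after any redirects); status is ssl-error, error or ok.
# Exit 1 if no host can be recovered from the transcript.
failing_host() {
    log=$(cat)
    # host from the initial "Downloading '<scheme>://host/...'" line
    first=$(printf '%s\n' "$log" | sed -n "s#^Downloading '[a-z]*://\([^/']*\).*#\1#p" | head -n 1)
    # host from the last "Redirected to <path> on <host>" line, if any
    last=$(printf '%s\n' "$log" | sed -n 's/^Redirected to .* on \([^ ]*\)$/\1/p' | tail -n 1)
    host="${last:-$first}"
    [ -n "$host" ] || return 1
    if printf '%s\n' "$log" | grep -q '^SSL error:'; then
        status=ssl-error
    elif printf '%s\n' "$log" | grep -q '^Connection error:'; then
        status=error
    else
        status=ok
    fi
    printf '%s %s\n' "$host" "$status"
}

# Live mode: fetch a URL with uclient-fetch, then hit the host it ended on with
# curl (verification left on) so the failure is reproduced against the right server.
retrace() {
    url="$1"
    result=$(uclient-fetch -O /dev/null "$url" 2>&1 | failing_host) \
        || { echo "could not parse uclient-fetch transcript"; return 1; }
    host=${result% *}
    echo "uclient-fetch ended on $host: ${result#* }"
    curl -sS -o /dev/null -w 'curl to %{url_effective}: HTTP %{http_code}\n' "https://$host/" || true
}

case "${1:-}" in
    --live) retrace "$2" ;;
    *) sample_broken | failing_host; sample_ok | failing_host ;;
esac
```

Run `sh fetch_trace.sh --live https://raw.githubusercontent.com` on the affected box; with no arguments it only walks the two embedded samples. Once the real failing host is known, the openssl s_client check earlier in the thread should be pointed at that host rather than at github.com.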
PalebloodSky commented 3 months ago

Same issue, running r26637-05aec66d53, which is 6/16/2024 snapshot. It seems to break Adblock and Adblock Fast too.

root@OpenWrt:~# curl --insecure https://cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list/hosts.txt
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

wget is broken because of SSL:

root@OpenWrt:/tmp# wget https://github.com/user-attachments/files/15829951/build.zip
Downloading 'https://github.com/user-attachments/files/15829951/build.zip'
Connecting to 140.82.114.3:443
Redirected to /github-production-repository-file-5c1aeb/20307838/15829951?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240618%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240618T020718Z&X-Amz-Expires=300&X-Amz-Signature=211f6e2ba01af4826c6f4128ff2e99b84f46dd339eb76c16b4144fde1b6f45d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=20307838&response-content-disposition=attachment%3Bfilename%3Dbuild.zip&response-content-type=application%2Fx-zip-compressed on objects.githubusercontent.com
SSL error: SSL - Bad input parameters to function
Connection error: Connection failed

Same curl version as OP but with aarch64:

root@OpenWrt:/tmp# curl -V
curl 8.8.0 (aarch64-openwrt-linux-gnu) libcurl/8.8.0 mbedTLS/3.6.0 nghttp2/1.62.1
Release-Date: 2024-05-22
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets
bassopt commented 3 months ago

DynamicDNS is also broken due to this issue. Same error: curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Ra2-IFV commented 3 months ago

In short: in Libraries > libcurl, select openssl. mbedtls is broken.

bassopt commented 3 months ago

Yes, that works, but it means compiling every time a new image is created using the image builder, which is annoying.

Ra2-IFV commented 3 months ago

just wait for the fix...
I tried selecting everything in the mbedtls menuconfig but it still returned an error, without additional information. It should be a compatibility issue.

Ra2-IFV commented 3 months ago

https://github.com/Mbed-TLS/mbedtls/issues/9210