Open ale5000-git opened 2 years ago
The same issue is present in upstream BusyBox. It probably isn't as pressing a problem there, though: by default upstream uses OpenSSL to handle TLS connections rather than the built-in ssl_client.
On the latest prerelease the error 80 is fixed while the error 40 is still present.
Indeed, upstream commit 9bab580cd (tls: include signature_algorithms extension in client hello message) has fixed the 'alert code 80' problem.
On the latest pre-release I still see error 80:
$ wget https://download.java.net/java/early_access/jdk21/32/GPL/openjdk-21-ea+32_windows-x64_bin.zip
Connecting to download.java.net (23.207.40.84:443)
ssl_client: TLS error from peer (alert code 80): internal error
wget: error getting response
BusyBox v1.37.0-PRE-5151-g72b97c86c (2023-07-17 14:52:38 BST)
The problem is in the upstream TLS code. This is less of an issue there as the default build uses OpenSSL. When upstream BusyBox is built to use the non-default internal TLS code it displays the same issues reported here. (See, for example, this bug report.)
busybox-w32 uses the internal TLS code via the ssl_client helper.
My understanding of the TLS code is insufficient to provide a fix.
My understanding of the TLS code remains insufficient, especially since I've now determined that the problem seems to be in some x86_64 assembly language code, in which I'm less than fluent.
Even if I don't understand it, I can disable it.
Please try the latest prerelease binary.
The error 80 was fixed only in 32-bit build but now it is also fixed in the 64-bit build. No change for error 40.
I can confirm error 40:
$ ./busybox wget https://files.catbox.moe/hkoctg.apk
Connecting to files.catbox.moe (108.181.20.35:443)
ssl_client: TLS error from peer (alert code 40): handshake failure
wget: error getting response
in 64 bit build both using clang and gcc.
Additionally, reverting 7fbfb2050f24a457a909ea6bcec85c49a21db83a doesn't fix it (clang or gcc).
I've figured out the problem with files.catbox.moe: its server certificate uses an elliptic curve (P384) which isn't supported by upstream BusyBox.
Upstream's TLS implementation only handles P256 and X25519.
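Added example (not part of the thread and not BusyBox code): one way to check offline which named curve an EC certificate key uses, given the certificate's DER bytes, and compare it with the curves the comment above says upstream handles. The function names, the minimal DER walker (single-byte tags only) and the sample key structures are constructed for illustration.

```python
# Added example: report the named curve of the EC public key found in DER data.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "P256",  # prime256v1
    bytes.fromhex("2b81040022"): "P384",        # secp384r1
}
# Per the thread: upstream's internal TLS code handles only P256 and X25519.
HANDLED = {"P256", "X25519"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def find_ec_curve(der):
    """Depth-first search for id-ecPublicKey; return the curve name or None."""
    pos, prev_oid = 0, None
    while pos < len(der):
        tag, value, pos = read_tlv(der, pos)
        if tag == 0x06:  # OBJECT IDENTIFIER
            if prev_oid == ID_EC_PUBLIC_KEY:
                return CURVES.get(value, "unknown:" + value.hex())
            prev_oid = value
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend into it
            found = find_ec_curve(value)
            if found:
                return found
    return None  # no EC key found, e.g. an RSA certificate

def handled_by_internal_tls(der):
    """Return (curve, handled); handled is None when no EC key is present."""
    curve = find_ec_curve(der)
    return curve, (curve in HANDLED if curve else None)

# Constructed sample input: a SubjectPublicKeyInfo with an all-zero dummy point.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def sample_spki(curve_oid, coord_len):
    alg = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + tlv(0x06, curve_oid))
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(2 * coord_len)))
```

For a real certificate, pass the DER bytes obtained by base64-decoding the body of its PEM file.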
Hmmm... that's unfortunate. Thanks for the analysis.
Upstream have fixed the assembly language code so I've reverted to using that. It seems to work (for the alert code 80 case).
Try the latest prerelease (PRE-5429 or above).
I confirm it works.
Hi, I get:
or
Examples:
busybox wget https://pool.apk.aptoide.com/mineboy/com-android-vending-80310011-7996560-34b405828b3fcc35c58123e29a47e56b.apk
busybox wget https://files.catbox.moe/hkoctg.apk