curl8.8.0: (35) ssl_handshake returned #24365

Closed
lengfwong opened this issue Jun 10, 2024 · 21 comments · Fixed by #24414
Comments

lengfwong commented Jun 10, 2024

Maintainer: @krant
Environment: x86/64 OpenWrt SNAPSHOT r26581-33db914607 / LuCI Master 24.158.03388a6f8361
curl: 8.8.0
libmbedtls21: 3.6.0
libustream-mbedtls20201210: 2024.04.19
524a76e5

Description:

curl --connect-timeout 5 -m 120 --ipv4 -vkfSLo "./apple-cn.txt" "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Ra2-IFV (Contributor) commented Jun 10, 2024

Did you install ca-bundle or ca-certificates package on your system?

lengfwong changed the title from "curl: (35) ssl_handshake returned" to "curl8.8.0: (35) ssl_handshake returned" on Jun 10, 2024

lengfwong (Author) commented, quoting Ra2-IFV:

Did you install ca-bundle or ca-certificates package on your system?

yes, have installed:
ca-bundle 20240203-r1
ca-certificates 20240203-r1

Ra2-IFV (Contributor) commented Jun 10, 2024

To be clear first: I'm not a developer, but I faced a similar problem before.
Let's start from here: install openssl first, then execute the command below:
openssl s_client -connect github.com:443
Paste the output here

*I forgot the port number, sorry

Ra2-IFV (Contributor) commented Jun 10, 2024

I guess a proxy software handled your request and responded with self-signed certificate, or it's a MITM attack (not likely but possible)

lengfwong (Author) commented Jun 10, 2024

openssl s_client -connect github.com:443

Thanks.

root@OpenWrt:~# curl -V
curl 8.8.0 (x86_64-openwrt-linux-gnu) libcurl/8.8.0 mbedTLS/3.6.0 nghttp2/1.62.1
Release-Date: 2024-05-22
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets


root@OpenWrt:~# openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
verify return:1
depth=0 CN = github.com
verify return:1
---
Certificate chain
 0 s:CN = github.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Mar  7 00:00:00 2024 GMT; NotAfter: Mar  7 23:59:59 2025 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = github.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3484 bytes and written 380 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 5822C612DD45511C8215CFD80B5426B1B4A69D964AF1ED94291D912534CA095F
    Session-ID-ctx:
    Resumption PSK: 759B6A725461BFBA06C4D0942C0CC357E8183E3903EADC59B71D8FF678CD3DF3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 60 d2 2e 92 87 1a f2 a9-d1 04 42 3e 6a d0 79 b0   `.........B>j.y.
    0010 - 16 c5 7a 5d 09 2f ab 5f-10 3c a1 e9 6f 19 7e 2e   ..z]./._.<..o.~.

    Start Time: 1718038441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: D8725F7CF12224F11F1A873142C287A54554A0A4777BE05B9F9E7B0ED08A6C97
    Session-ID-ctx:
    Resumption PSK: CBACC026A47EFD01208390A87FD7549ACFFE66A7AAD47C8FE857B949A8E95A2A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - cc 0a 0f c0 b7 53 58 a9-de c8 19 d1 8e ac 99 27   .....SX........'
    0010 - 3a a9 fe 74 e7 b7 70 79-8d 71 84 73 01 e3 74 f0   :..t..py.q.s..t.

    Start Time: 1718038441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
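
The s_client run above shows what github.com sends and that OpenSSL, with its own trust store, is happy with it; it does not by itself show what a trust store has to contain for this chain to validate, which is the question behind the "did you install ca-bundle" check. The following is an added example of mine, not code from the issue or from any OpenWrt package: it parses the `Certificate chain` section of `openssl s_client` output, checks that each certificate's issuer is the next certificate's subject, and prints the name a trust store must contain. The embedded sample is the chain from the output above with the certificate body and the other sections omitted; the function and variable names are my own. Note what it reports for this chain: the last certificate the server sends is the USERTrust ECC root cross-signed by AAA Certificate Services, so a client passes if its store holds AAA Certificate Services, or if it holds USERTrust ECC Certification Authority as a root and stops there.

```shell
#!/bin/sh
# Added example, not code from the issue or from OpenWrt. Parses the
# "Certificate chain" section of `openssl s_client` output and reports what a
# client's trust store must contain for the chain to validate.

# Sample input: the chain lengfwong posted for github.com:443, with the
# certificate body and the other s_client sections omitted.
SAMPLE_CHAIN='Certificate chain
 0 s:CN = github.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo ECC Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---'

# chain_links: stdin = s_client output, stdout = one tab-separated
# "depth subject issuer" line per certificate the server sent.
chain_links() {
  awk '
    /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    /^ *i:/ && subj != "" {
      sub(/^ *i:/, "")
      printf "%s\t%s\t%s\n", depth, subj, $0
      subj = ""
    }
  '
}

# chain_report: stdin = s_client output. Exits 1 if the chain is not linked
# (issuer at depth n differs from subject at depth n+1). Otherwise prints
# SELF_SIGNED_ROOT_SENT <subject> when the last certificate is its own issuer,
# or NEEDS_ROOT <issuer of last cert> OR_TRUSTED_AS_ROOT <last subject> when
# the server sent a cross-signed CA certificate, as github.com does here.
chain_report() {
  chain_links | awk -F '\t' '
    { n++; subj[n] = $2; iss[n] = $3 }
    END {
      if (n == 0) { print "NO_CHAIN"; exit 1 }
      for (d = 1; d < n; d++)
        if (iss[d] != subj[d + 1]) { print "BROKEN_AT_DEPTH\t" (d - 1); exit 1 }
      if (subj[n] == iss[n]) print "SELF_SIGNED_ROOT_SENT\t" subj[n]
      else print "NEEDS_ROOT\t" iss[n] "\tOR_TRUSTED_AS_ROOT\t" subj[n]
    }'
}

# Demo on the embedded sample. For a live host, replace the sample with:
#   openssl s_client -connect github.com:443 </dev/null 2>/dev/null | chain_report
printf '%s\n' "$SAMPLE_CHAIN" | chain_report
```

On the router itself the same question can be put to the installed bundle without involving libcurl: save the chain with `openssl s_client -showcerts -connect github.com:443 </dev/null` and run `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt` on it (that path is the one I assume the ca-bundle package installs). If that verifies while the mbedTLS-linked curl still reports -0x2700, the bundle is not the problem.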

gili-gili commented

yeah, I see a successful handshake.
Then how about curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"?

lengfwong (Author) commented Jun 10, 2024

yeah, I see a successful handshake. Then how about curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"?

Same:

root@OpenWrt:~# curl --ipv4 -vkSL "https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/apple-cn.txt"
* ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

BTW, previous version curl 8.7.1 is good.

Ra2-IFV (Contributor) commented Jun 11, 2024

Weird, I cannot help.

Ra2-IFV (Contributor) commented Jun 13, 2024

Oh fuck, I am having the same error. On other devices curl returns correctly, and on OpenWrt it just outputs "error" without additional information. Since we already tested the connection with openssl and it works fine, mbedtls is very sus.

Ra2-IFV (Contributor) commented Jun 13, 2024

You are using a custom build, right? Build Libraries-libcurl with libopenssl and try again.

Ra2-IFV (Contributor) commented Jun 13, 2024

I rebuilt libcurl and curl and it's working now. The default configuration for libmbedtls must have dropped some important feature, so that it failed to read /etc/ssl. Pending investigation.

Ra2-IFV (Contributor) commented Jun 14, 2024

If you are too lazy to build, here are the ipk files
build.zip

opkg remove --autoremove --force-depends libopenssl3 libcurl4 curl
opkg install /path/to/ipk

or you can use web interface to upload new packages. Good luck.

lengfwong (Author) commented Jun 14, 2024

If you are too lazy to build, here are the ipk files build.zip

opkg remove --autoremove --force-depends libopenssl3 libcurl4 curl
opkg install /path/to/ipk

or you can use web interface to upload new packages. Good luck.

Thanks.
My firmware already contains libopenssl3_3.0.14-r1, so it seems useless. Someone on the Internet said that Libraries-libustream-openssl could be used instead of libustream-mbedtls; I rebuilt, but it didn't help.
Now works well by dropping commit 49fc257 and converting to curl8.7.1.

Ra2-IFV (Contributor) commented Jun 14, 2024

No, the problem is libcurl. It was linked with mbedtls. Just reinstall it.

krant (Contributor) commented Jun 16, 2024

wget (/bin/uclient-fetch) is broken too:

# wget https://raw.githubusercontent.com
Downloading 'https://raw.githubusercontent.com'
Connecting to 185.199.111.133:443
Redirected to / on github.com
SSL error: SSL - Bad input parameters to function
Connection error: Connection failed

While this works:

# wget https://github.com
Downloading 'https://github.com'
Connecting to 140.82.121.3:443
Writing to 'index.html'

Download completed (237596 bytes)

PalebloodSky commented Jun 18, 2024

Same issue, running r26637-05aec66d53, which is the 6/16/2024 snapshot. It seems to break Adblock and Adblock Fast too.

root@OpenWrt:~# curl --insecure https://cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list/hosts.txt
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

wget is broken because of SSL:

root@OpenWrt:/tmp# wget https://github.com/user-attachments/files/15829951/build.zip
Downloading 'https://github.com/user-attachments/files/15829951/build.zip'
Connecting to 140.82.114.3:443
Redirected to /github-production-repository-file-5c1aeb/20307838/15829951?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240618%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240618T020718Z&X-Amz-Expires=300&X-Amz-Signature=211f6e2ba01af4826c6f4128ff2e99b84f46dd339eb76c16b4144fde1b6f45d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=20307838&response-content-disposition=attachment%3Bfilename%3Dbuild.zip&response-content-type=application%2Fx-zip-compressed on objects.githubusercontent.com
SSL error: SSL - Bad input parameters to function
Connection error: Connection failed

Same curl version as OP but with aarch64:

root@OpenWrt:/tmp# curl -V
curl 8.8.0 (aarch64-openwrt-linux-gnu) libcurl/8.8.0 mbedTLS/3.6.0 nghttp2/1.62.1
Release-Date: 2024-05-22
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets

bassopt commented Jun 18, 2024

DynamicDNS is also broken due to this issue.
Same error:
curl: (35) ssl_handshake returned - mbedTLS: (-0x2700) X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Ra2-IFV (Contributor) commented Jun 18, 2024

In short: in Libraries > libcurl, select openssl. mbedtls is broken.

bassopt commented Jun 18, 2024

Yes, that works, but it means compiling every time a new image is created using the image builder, which is annoying.

Ra2-IFV (Contributor) commented Jun 18, 2024

Just wait for the fix...
I tried selecting everything in the mbedtls menuconfig but it still returned an error, without additional information. It should be a compatibility issue.

Ra2-IFV (Contributor) commented Jun 18, 2024

Mbed-TLS/mbedtls#9210
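
The upstream references above put the cause in curl 8.8.0's mbedTLS backend on TLS 1.3 rather than in the trust store. The following is an added example of mine, not code from the issue or from any OpenWrt package, for the two things a practitioner wants to know before rebuilding: it reads `curl -V` to tell whether a box is on the curl 8.8.0 + mbedTLS 3.6.0 pairing, and `probe_tls13` runs the same fetch with `--tls-max 1.2` and with curl's default so that a TLS 1.3-only failure can be told apart from a missing CA bundle or an intercepting proxy. The embedded `curl -V` text is the one lengfwong posted; the function names are my own, and the interpretation in the `probe_tls13` comments assumes the TLS 1.3 diagnosis from the linked upstream issues is correct, which I have not reproduced on an OpenWrt build myself.

```shell
#!/bin/sh
# Added example, not code from the issue or from OpenWrt. Identifies the curl
# build and TLS backend from `curl -V`, flags the pairing this issue is about,
# and (probe_tls13) separates a TLS 1.3 backend failure from a trust-store
# failure by capping the negotiated TLS version.

# Sample: the `curl -V` output lengfwong posted in this issue.
SAMPLE_CURL_V='curl 8.8.0 (x86_64-openwrt-linux-gnu) libcurl/8.8.0 mbedTLS/3.6.0 nghttp2/1.62.1
Release-Date: 2024-05-22
Protocols: file ftp ftps http https ipfs ipns mqtt
Features: alt-svc HSTS HTTP2 HTTPS-proxy IPv6 Largefile SSL threadsafe UnixSockets'

# curl_version: stdin = curl -V output, stdout = curl's version (field 2 of line 1).
curl_version() { awk 'NR == 1 { print $2 }'; }

# tls_backend: stdin = curl -V output, stdout = the "name/version" token of the
# TLS library libcurl was linked against, or nothing for a build without TLS.
tls_backend() {
  awk 'NR == 1 {
    for (i = 1; i <= NF; i++)
      if ($i ~ /^(mbedTLS|OpenSSL|BoringSSL|LibreSSL|quictls|GnuTLS|wolfSSL|rustls|Schannel|SecureTransport)\//) { print $i; exit }
  }'
}

# is_affected "<curl -V output>": true for curl 8.8.0 linked against mbedTLS
# 3.6.0, the pairing whose TLS 1.3 handling is broken per curl/curl#13653 and
# Mbed-TLS/mbedtls#9210 as cited in this issue.
is_affected() {
  [ "$(printf '%s\n' "$1" | curl_version)" = "8.8.0" ] &&
  [ "$(printf '%s\n' "$1" | tls_backend)" = "mbedTLS/3.6.0" ]
}

# probe_tls13 URL: the same request twice, once with TLS capped at 1.2 and once
# with curl's default. Needs network, so the demo below does not call it.
# Capped run OK + default run failing with (35): the TLS 1.3 code path, not the
# CA bundle. Both failing: look at the trust store or an intercepting proxy first.
probe_tls13() {
  url=$1
  if curl -sS --tls-max 1.2 -o /dev/null "$url"; then echo "tls<=1.2: ok"; else echo "tls<=1.2: fail ($?)"; fi
  if curl -sS -o /dev/null "$url"; then echo "default: ok"; else echo "default: fail ($?)"; fi
}

# Demo on the embedded sample; on a router use: is_affected "$(curl -V)"
if is_affected "$SAMPLE_CURL_V"; then
  echo "affected: curl $(printf '%s\n' "$SAMPLE_CURL_V" | curl_version) with $(printf '%s\n' "$SAMPLE_CURL_V" | tls_backend)"
else
  echo "not the curl 8.8.0 + mbedTLS 3.6.0 pairing"
fi
```

`--tls-max` is an ordinary curl option, so `probe_tls13 https://github.com/` on an affected router confirms the diagnosis with the packages already installed, before switching the libcurl TLS backend or waiting for the patched package.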

Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 18, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upstream code, see
curl/curl@0c4b4c1
and curl/curl@5f9017d
This snapshot contains all the commits above.

Fixes openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <[email protected]>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 18, 2024 (same commit message as above)
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024
tlsv1.3 support is broken in curl 8.8.0 with mbedtls 3.6.0.
See curl/curl#13653 and Mbed-TLS/mbedtls#9210 for more details.
A workaround was implemented in upstream code, see curl/curl@0c4b4c1 and curl/curl@5f9017d
This commit includes patches generated from upstream commits.

fix openwrt#24365 openwrt#24386

Signed-off-by: Ryan Keane <[email protected]>
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 19, 2024 (same commit message as above)
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 20, 2024 (same commit message as above)
Ra2-IFV added a commit to Ra2-IFV/openwrt-packages that referenced this issue Jun 21, 2024 (same commit message as above)
liudf0716 pushed a commit to liudf0716/packages that referenced this issue Jul 10, 2024 (same commit message as above)
pschmitt pushed a commit to pschmitt/packages that referenced this issue Feb 20, 2025 (same commit message as above)
6 participants