Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Mikolaj Kucharski-3
Hi,

I see this problem with curl on two machines and firefox and chromium on
one as that's the only X11 environment which I have.

# curl -vs https://www.mail-archive.com/
*   Trying 72.52.77.8:443...
* Connected to www.mail-archive.com (72.52.77.8) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
* Closing connection 0


Chromium reports ERR_SSL_PROTOCOL_ERROR
Firefox reports SSL_ERROR_BAD_MAC_READ

With curl I see the problem on:

OpenBSD 6.8-beta (GENERIC.MP) #64: Sun Sep  6 18:19:41 MDT 2020
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

OpenBSD 6.7-current (GENERIC.MP) #50: Sun Aug 30 01:01:36 MDT 2020
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

With Firefox and Chromium I see the problem on the above 6.7-current.

$ pkg_info -qI firefox chromium
firefox-80.0.1
chromium-84.0.4147.135

Does anyone else see the same problem?

When running `openssl s_client -connect www.mail-archive.com:443` it
seems to work, also ftp(1) works.

--
Regards,
 Mikolaj

Re: Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Stuart Henderson
On 2020/09/09 20:31, Mikolaj Kucharski wrote:

> Hi,
>
> I see this problem with curl on two machines and firefox and chromium on
> one as that's the only X11 environment which I have.
>
> # curl -vs https://www.mail-archive.com/
> *   Trying 72.52.77.8:443...
> * Connected to www.mail-archive.com (72.52.77.8) port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> *   CAfile: /etc/ssl/cert.pem
>   CApath: none
> * (304) (OUT), TLS handshake, Client hello (1):
> * (304) (IN), TLS handshake, Server hello (2):
> * (304) (IN), TLS handshake, Unknown (8):
> * (304) (IN), TLS handshake, Certificate (11):
> * (304) (IN), TLS handshake, CERT verify (15):
> * error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
> * Closing connection 0
>
>
> Chromium reports ERR_SSL_PROTOCOL_ERROR
> Firefox reports SSL_ERROR_BAD_MAC_READ
>
> With curl I see problem on:
>
> OpenBSD 6.8-beta (GENERIC.MP) #64: Sun Sep  6 18:19:41 MDT 2020
>     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

No problem here, on the same snapshot, with curl, ftp, firefox (I didn't
try chrome).

Re: Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Mikolaj Kucharski-3
On Wed, Sep 09, 2020 at 09:35:34PM +0100, Stuart Henderson wrote:

> On 2020/09/09 20:31, Mikolaj Kucharski wrote:
> > Hi,
> >
> > I see this problem with curl on two machines and firefox and chromium on
> > one as that's the only X11 environment which I have.
> >
> > # curl -vs https://www.mail-archive.com/
> > *   Trying 72.52.77.8:443...
> > * Connected to www.mail-archive.com (72.52.77.8) port 443 (#0)
> > * ALPN, offering h2
> > * ALPN, offering http/1.1
> > * successfully set certificate verify locations:
> > *   CAfile: /etc/ssl/cert.pem
> >   CApath: none
> > * (304) (OUT), TLS handshake, Client hello (1):
> > * (304) (IN), TLS handshake, Server hello (2):
> > * (304) (IN), TLS handshake, Unknown (8):
> > * (304) (IN), TLS handshake, Certificate (11):
> > * (304) (IN), TLS handshake, CERT verify (15):
> > * error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
> > * Closing connection 0
> >
> >
> > Chromium reports ERR_SSL_PROTOCOL_ERROR
> > Firefox reports SSL_ERROR_BAD_MAC_READ
> >
> > With curl I see problem on:
> >
> > OpenBSD 6.8-beta (GENERIC.MP) #64: Sun Sep  6 18:19:41 MDT 2020
> >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> No problem here, on the same snapshot, with curl, ftp, firefox (I didn't
> try chrome).
>

I tested my other non-graphical OpenBSD machines, which are
running exactly the same 6.8-beta and curl works fine there.

I couldn't find anything obvious which is different between those
machines which have working curl and those which don't have working
curl. The only thing which is different between them is geographical
location, which in turn means different ISP.

When I reported the problem both machines were connected to the internet
via LTE.

Without a reboot and without any upgrade, I moved the affected machine to
a different part of the building, where there is another access point
connected to the internet through a different SIM card (also LTE internet),
and I had the same problem: curl failed.

Both SIM cards are from the same ISP, which is Play (P4 Sp. z o.o.,
AS39603). However both SIM cards are inserted into routers which are
from different vendors (PC Engines vs Huawei). Access points are also
different. So, in other words no common hardware type between those
two parts of the building.

I've enabled tethering on my mobile, which is using Orange, connected
OpenBSD to it and curl started to work O_o.

--
Regards,
 Mikolaj

Re: Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Bryan Steele-2
On Wed, Sep 09, 2020 at 09:32:42PM +0000, Mikolaj Kucharski wrote:

> On Wed, Sep 09, 2020 at 09:35:34PM +0100, Stuart Henderson wrote:
> > On 2020/09/09 20:31, Mikolaj Kucharski wrote:
> > > Hi,
> > >
> > > I see this problem with curl on two machines and firefox and chromium on
> > > one as that's the only X11 environment which I have.
> > >
> > > # curl -vs https://www.mail-archive.com/
> > > *   Trying 72.52.77.8:443...
> > > * Connected to www.mail-archive.com (72.52.77.8) port 443 (#0)
> > > * ALPN, offering h2
> > > * ALPN, offering http/1.1
> > > * successfully set certificate verify locations:
> > > *   CAfile: /etc/ssl/cert.pem
> > >   CApath: none
> > > * (304) (OUT), TLS handshake, Client hello (1):
> > > * (304) (IN), TLS handshake, Server hello (2):
> > > * (304) (IN), TLS handshake, Unknown (8):
> > > * (304) (IN), TLS handshake, Certificate (11):
> > > * (304) (IN), TLS handshake, CERT verify (15):
> > > * error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
> > > * Closing connection 0
> > >
> > >
> > > Chromium reports ERR_SSL_PROTOCOL_ERROR
> > > Firefox reports SSL_ERROR_BAD_MAC_READ
> > >
> > > With curl I see problem on:
> > >
> > > OpenBSD 6.8-beta (GENERIC.MP) #64: Sun Sep  6 18:19:41 MDT 2020
> > >     [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > No problem here, on the same snapshot, with curl, ftp, firefox (I didn't
> > try chrome).
> >
>
> I tested my other non-graphical OpenBSD machines, which are
> running exactly the same 6.8-beta and curl works fine there.
>
> I couldn't find anything obvious which is different between those
> machines which have working curl and those which don't have working
> curl. The only thing which is different between them is geographical
> location, which in turn means different ISP.
>
> When I reported the problem both machines were connected to the internet
> via LTE.
>
> Without reboot, without any upgrade I moved affected machine to
> different part of the building where there is another access point
> connected to internet through different SIM card (also LTE internet)
> and I had the same problem, curl failed.
>
> Both SIM cards are from the same ISP, which is Play (P4 Sp. z o.o.,
> AS39603). However both SIM cards are inserted into routers which are
> from different vendors (PC Engines vs Huawei). Access points are also
> different. So, in other words no common hardware type between those
> two parts of the building.
>
> I've enabled tethering on my mobile, which is using Orange, connected
> OpenBSD to it and curl started to work O_o.
>
> --
> Regards,
>  Mikolaj

Could the time perhaps be wrong?

Re: Unable to open https://www.mail-archive.com/, SSL issues with firefox, chromium, curl

Mikolaj Kucharski-3
On Wed, Sep 09, 2020 at 09:32:42PM +0000, Mikolaj Kucharski wrote:

> I tested my other non-graphical OpenBSD machines, which are
> running exactly the same 6.8-beta and curl works fine there.
>
> I couldn't find anything obvious which is different between those
> machines which have working curl and those which don't have working
> curl. The only thing which is different between them is geographical
> location, which in turn means different ISP.
>
> When I reported the problem both machines were connected to the internet
> via LTE.
>
> Without reboot, without any upgrade I moved affected machine to
> different part of the building where there is another access point
> connected to internet through different SIM card (also LTE internet)
> and I had the same problem, curl failed.
>
> Both SIM cards are from the same ISP, which is Play (P4 Sp. z o.o.,
> AS39603). However both SIM cards are inserted into routers which are
> from different vendors (PC Engines vs Huawei). Access points are also
> different. So, in other words no common hardware type between those
> two parts of the building.
>
> I've enabled tethering on my mobile, which is using Orange, connected
> OpenBSD to it and curl started to work O_o.

This affects Android and Linux. I've also asked a friend who lives in
a different part of the country and has P4 Sp. z o.o. on his mobile
phone. Same problem. Unable to open the https://www.mail-archive.com/
website. I don't have access to Windows to confirm the behaviour there,
but this looks like a problem on the ISP level.

Anyway, thanks Stuart for confirming.

--
Regards,
 Mikolaj
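
Added example (not part of the thread and not code from any poster): a shell function that decodes the handshake lines of the curl -v trace in the first message. It assumes the trace format shown there: 304 is record version 0x0304 (TLS 1.3), handshake type 8, which curl labels "Unknown", is EncryptedExtensions, and in TLS 1.3 everything after ServerHello is encrypted. The names tls_trace_summary and sample_trace are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage on a live connection (curl writes its trace to stderr):
#   curl -vs https://www.mail-archive.com/ 2>&1 >/dev/null | tls_trace_summary

tls_trace_summary() {
    awk '
    BEGIN {
        # TLS 1.3 handshake message types (RFC 8446)
        t = "1:ClientHello 2:ServerHello 4:NewSessionTicket 8:EncryptedExtensions"
        t = t " 11:Certificate 13:CertificateRequest 15:CertificateVerify 20:Finished"
        n = split(t, p, " ")
        for (i = 1; i <= n; i++) { split(p[i], kv, ":"); name[kv[1]] = kv[2] }
    }
    /\(IN\), TLS handshake,/ {
        # "(304)" is the LibreSSL-built curl form; other builds print "TLSv1.3"
        if (index($0, "(304)") || index($0, "TLSv1.3")) tls13 = 1
        t = $0; sub(/^.*\(/, "", t); sub(/\):.*$/, "", t)   # trailing "(N):"
        type = t + 0
        if (type == 2) seen_sh = 1
        last = ((type in name) ? name[type] : "type") "(" type ")"
    }
    # Library error line: keep only the final reason field
    /error:[0-9A-Fa-f]+:/ { k = split($0, f, ":"); err = f[k] }
    END {
        if (last == "") last = "none"
        # In TLS 1.3 every handshake record after ServerHello is encrypted.
        phase = (err == "") ? "-" : ((tls13 && seen_sh) ? "encrypted" : "unknown")
        if (err == "") err = "none"
        printf "tls13=%s last_in=%s phase=%s error=%s\n", (tls13 ? "yes" : "no"), last, phase, err
    }'
}

# Handshake lines as posted in the first message of this thread.
sample_trace() {
    cat <<'EOF'
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
* Closing connection 0
EOF
}

sample_trace | tls_trace_summary
```

Running it on the same host over a working and a failing network path and comparing the two summaries shows whether the failure follows the path rather than the machine.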