Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RPZ | url] ssl handshake failed crypto error:1416F086:SSL #193

Closed
ghost opened this issue Mar 14, 2020 · 3 comments
Closed

[RPZ | url] ssl handshake failed crypto error:1416F086:SSL #193

ghost opened this issue Mar 14, 2020 · 3 comments
Assignees
@gthess

Comments

@ghost
Copy link

ghost commented Mar 14, 2020
edited by ghost
Loading

Version 1.10.0

Configure line: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-dsa --disable-gost --enable-allsymbols --enable-subnet --with-libexpat=/home/beast/beast/workspace/turris-os-packages-dragons-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --with-ssl=/home/beast/beast/workspace/turris-os-packages-dragons-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --without-pthreads --enable-tfo-server --enable-tfo-client
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 subnetcache respip validator iterator
TCP Fastopen feature available

rpz:
   url: https://urlhaus.abuse.ch/downloads/rpz/

Seems that the address resolves to ip 199.232.18.49 | 151.101.114.49 (fastly CDN), however for each unbound log exhibits:

error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
notice: ssl handshake failed 199.232.18.49 port 443
notice: ssl handshake failed 151.101.122.49 port 443

Yet, with openssl s_client -connect urlhaus.abuse.ch:443 -status there is no such error ->
ssl.log, neither with gnutls-cli -V -p 443 urlhaus.abuse.ch-> gnu_ssl.log
@ghost
Copy link
Author

ghost commented Mar 16, 2020
edited by ghost
Loading 

curl -o /tmp/test https://urlhaus.abuse.ch/downloads/rpz/
wget -O /tmp/test https://urlhaus.abuse.ch/downloads/rpz/

no error either.

@gthess gthess self-assigned this Mar 18, 2020
@juched78
Copy link

I am also having this issue with the entware build. Any updates on how to work around?

@spirillen
Copy link

I can confirm this in my build ..... <1.10.0>

@gthess gthess closed this as completed in e430e95 Apr 17, 2020
jedisct1 added a commit to jedisct1/unbound that referenced this issue Apr 20, 2020
@jedisct1
Merge remote-tracking branch 'nlnet/master'
65af625 
* nlnet/master:
  - Fix for count of reply states in the mesh.
  Fix that it is --enable-rpath, for NLnetLabs#222.
  - Fix NLnetLabs#222: --with-rpath, fails to rpath python lib.
  - Document SNI support in unbound-anchor.8.in.
  - Update Changelog for PR NLnetLabs#221.
  - Enable SNI by default in unbound-anchor.
  Revert "- Remove SNI support from unbound-anchor; TLS is used only for"
  - Remove SNI support from unbound-anchor; TLS is used only for   encryption and not validation.
  - Add SNI support on more TLS connections (fixes NLnetLabs#193). - Add SNI support to unbound-anchor.
  - Add doxygen documentation for DSCP.
  - Fix for posix shell syntax for trap in run_msg.sh test script.
  - Fix for posix shell syntax for trap in nsd-control-setup.
  - Fix help return code in unbound-control-setup script.
  - Fix NLnetLabs#220: auth-zone section in config may lead to segfault.
@fhriley fhriley mentioned this issue Jun 1, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gthess gthess

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gthess @juched78 @spirillen