[RPZ | url] ssl handshake failed crypto error:1416F086:SSL #193

Closed
ghost opened this issue Mar 14, 2020 · 3 comments
ghost commented Mar 14, 2020

Version 1.10.0

Configure line: --target=arm-openwrt-linux --host=arm-openwrt-linux --build=x86_64-pc-linux-gnu --program-prefix= --program-suffix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-dsa --disable-gost --enable-allsymbols --enable-subnet --with-libexpat=/home/beast/beast/workspace/turris-os-packages-dragons-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --with-ssl=/home/beast/beast/workspace/turris-os-packages-dragons-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3_musl_eabi/usr --without-pthreads --enable-tfo-server --enable-tfo-client
Linked libs: pluggable-event internal (it uses select), OpenSSL 1.1.1d 10 Sep 2019
Linked modules: dns64 subnetcache respip validator iterator
TCP Fastopen feature available


rpz:
   url: https://urlhaus.abuse.ch/downloads/rpz/

It seems that the address resolves to IP 199.232.18.49 | 151.101.114.49 (Fastly CDN); however, for each the unbound log exhibits:

error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
notice: ssl handshake failed 199.232.18.49 port 443
notice: ssl handshake failed 151.101.122.49 port 443

Yet with openssl s_client -connect urlhaus.abuse.ch:443 -status there is no such error -> ssl.log, nor with gnutls-cli -V -p 443 urlhaus.abuse.ch -> gnu_ssl.log


ghost commented Mar 16, 2020

curl -o /tmp/test https://urlhaus.abuse.ch/downloads/rpz/
wget -O /tmp/test https://urlhaus.abuse.ch/downloads/rpz/

no error either.

@gthess gthess self-assigned this Mar 18, 2020
@juched78

I am also having this issue with the entware build. Any updates on how to work around?

@spirillen

I can confirm this in my build ..... <1.10.0>

@gthess gthess closed this as completed in e430e95 Apr 17, 2020
jedisct1 added a commit to jedisct1/unbound that referenced this issue Apr 20, 2020
* nlnet/master:
  - Fix for count of reply states in the mesh.
  Fix that it is --enable-rpath, for NLnetLabs#222.
  - Fix NLnetLabs#222: --with-rpath, fails to rpath python lib.
  - Document SNI support in unbound-anchor.8.in.
  - Update Changelog for PR NLnetLabs#221.
  - Enable SNI by default in unbound-anchor.
  Revert "- Remove SNI support from unbound-anchor; TLS is used only for"
  - Remove SNI support from unbound-anchor; TLS is used only for   encryption and not validation.
  - Add SNI support on more TLS connections (fixes NLnetLabs#193). - Add SNI support to unbound-anchor.
  - Add doxygen documentation for DSCP.
  - Fix for posix shell syntax for trap in run_msg.sh test script.
  - Fix for posix shell syntax for trap in nsd-control-setup.
  - Fix help return code in unbound-control-setup script.
  - Fix NLnetLabs#220: auth-zone section in config may lead to segfault.
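
The commit list above closes this issue with "Add SNI support on more TLS connections", which is consistent with the symptom in the thread: tools that send SNI verify the certificate, while a client that omits it can be handed a different certificate that fails verification. The script below is an added example, not code from the thread or from Unbound, that reproduces this class of failure locally with the openssl CLI. The host names, port and file names are made up, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Constructed local reproduction: a TLS server that picks its certificate by SNI,
# probed with and without the server_name extension. Assumes the openssl CLI
# (1.1.1 or later). Host names, port and file names are made up for this example.
SNI_NAME=rpz.example.test
PORT=${PORT:-14433}
WORK=$(mktemp -d)
SERVER_PID=
trap 'stop_server; rm -rf "$WORK"' EXIT

make_cert() {  # make_cert <basename> <dns-name>: self-signed certificate plus key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

start_server() {  # default cert without SNI, site cert when SNI matches $SNI_NAME
    openssl s_server -www -accept "$PORT" \
        -cert "$WORK/default.pem" -key "$WORK/default.key" \
        -servername "$SNI_NAME" \
        -cert2 "$WORK/site.pem" -key2 "$WORK/site.key" >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1
}

stop_server() {
    [ -n "$SERVER_PID" ] || return 0
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
    SERVER_PID=
}

probe() {  # probe <s_client SNI option...>: status 0 only if chain and name verify
    openssl s_client -connect "127.0.0.1:$PORT" -CAfile "$WORK/site.pem" \
        -verify_hostname "$SNI_NAME" -verify_return_error "$@" \
        </dev/null >/dev/null 2>&1
}

run_demo() {  # sets WITH_SNI and WITHOUT_SNI to "ok" or "fail"
    make_cert default default.example.test
    make_cert site "$SNI_NAME"
    start_server
    if probe -servername "$SNI_NAME"; then WITH_SNI=ok; else WITH_SNI=fail; fi
    if probe -noservername; then WITHOUT_SNI=ok; else WITHOUT_SNI=fail; fi
    stop_server
}

run_demo
echo "with SNI: $WITH_SNI, without SNI: $WITHOUT_SNI"
```

Against a real endpoint, the same comparison is `openssl s_client -connect host:443 -servername host` versus `-noservername`, checking which certificate subject each returns.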