Potential regression from 8.17.0 onwards regarding `CURLOPT_ERRORBUFFER`

[TibiIius]

I did this

We noticed the following behavior during our test cases using libcurl:

We use libcurl to make a request against a local HTTP server using a self-signed cert.
libcurl does not know about this certificate, so we expect a CURLE_PEER_FAILED_VERIFICATION upon running curl_easy_perform(). This works as intended. However, we also read the contents inside of curl's error buffer and display that as well. Since curl 8.17.0, the most recent error message stored within the buffer is failed to open socket: Address family not supported by protocol instead of SSL certificate problem: self-signed certificate.

We only noticed this behavior on our Linux machines (we also tested macOS and Windows), though I don't know if this is just a side-effect of OS-specifics or configuration.

I am unsure as to whether this is to be expected though, which is why I wrote "potential regression". Feel free to close the issue if this is expected behavior. If so, I'd guess we are meant to just always use curl_easy_strerror(CURL_error_code) instead, or is there something I'm missing here?

Reproducible example:

#include <memory>

extern "C" {
#include <curl/curl.h>
}

namespace playground {
class CurlHelper {
public:
  explicit CurlHelper();

  auto perform(const std::string &url) -> long;

private:
  std::array<char, CURL_ERROR_SIZE> errorBuffer;

  auto checkCurlError(CURLcode res, const std::string &url) -> void;
  auto checkPointer() -> void const;

  std::unique_ptr<CURL, decltype(&curl_easy_cleanup)> curl;
};
} // namespace playground

#include "openssl/crypto.h"
#include "openssl/ssl.h"
#include <iostream>
#include <memory>
#include <sstream>
#include <string>

namespace playground {
CurlHelper::CurlHelper() : curl(curl_easy_init(), curl_easy_cleanup), errorBuffer() {
  if (!curl) {
    throw std::runtime_error("Failed to initialize CURL");
  }

  curl_easy_setopt(this->curl.get(), CURLOPT_ERRORBUFFER, this->errorBuffer.data());
}

auto CurlHelper::checkCurlError(CURLcode res, const std::string &url) -> void {
  if (res != CURLE_OK) {
    std::stringstream ss;
    ss << "CURL error: ";

    if (this->errorBuffer.empty()) {
      ss << curl_easy_strerror(res);
    } else {
      ss << this->errorBuffer.data();
    }

    ss << " for URL: " << url << " (CURLcode: " << res << ")" << std::endl;
    throw std::runtime_error(ss.str());
  }
}

auto CurlHelper::checkPointer() -> void const {
  if (!this->curl) {
    throw std::runtime_error("CURL pointer is null");
  }
}

auto CurlHelper::perform(const std::string &url) -> long {
  this->checkPointer();

  curl_easy_setopt(this->curl.get(), CURLOPT_URL, url.c_str());
  curl_easy_setopt(this->curl.get(), CURLOPT_SSL_VERIFYHOST, true);
  curl_easy_setopt(this->curl.get(), CURLOPT_SSL_VERIFYPEER, true);

  std::cout << "Performing CURL request to URL: " << url << std::endl;

  auto res = curl_easy_perform(this->curl.get());

  this->checkCurlError(res, url);

  long statusCode;
  curl_easy_getinfo(this->curl.get(), CURLINFO_RESPONSE_CODE, &statusCode);
  return statusCode;
}
} // namespace playground

int main(int argc, char** argv) {
  auto helper = std::make_unique<playground::CurlHelper>();

  std::cout << helper->perform("https://localhost:" + std::string(argv[1])) << "\n";

  return 0;
}

Then just make sure to have a webserver running at the address specified.

I expected the following

I expected the most recent error to be related to a self-signed cert error.

curl/libcurl version

WARNING: this libcurl is Debug-enabled, do not use in production

curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.6.1 zlib/1.3.1.2-audit
Release-Date: 2026-01-07
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP TrackMemory UnixSockets

and

WARNING: this libcurl is Debug-enabled, do not use in production

curl 8.17.0 (x86_64-pc-linux-gnu) libcurl/8.17.0 OpenSSL/3.6.1 zlib/1.3.1.2-audit
Release-Date: 2025-11-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS Debug HSTS HTTPS-proxy IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP TrackMemory UnixSockets

operating system

Linux 9a71d92e8ff4 5.15.0-139-generic #149~20.04.1-Ubuntu SMP Wed Apr 16 08:29:56 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

and

macOS 17 (Apple toolchain, apple-clang 16 and 17)

and

Windows Server 2019 (MSVC 193)

[icing]

Thanks for your report. I do not doubt your finding, but I am - so far - unable to reproduce. It would be great if you could reproduce this using the standard curl command, like in:;

> curl -vvvv -w '%{json}\n' --out-null https://invalid-host 

Of course, you would need to resolve invalid-host somehow to the server you want to talk to. This command will produce a very detailed trace on stderr and write out the results to stdout as JSON. In that JSON, you will find the field errormsg with the content of the error buffer.

Thanks!

[TibiIius]

Thanks for your report. I do not doubt your finding, but I am - so far - unable to reproduce. It would be great if you could reproduce this using the standard curl command, like in:;

curl -vvvv -w '%{json}\n' --out-null https://invalid-host

Of course, you would need to resolve invalid-host somehow to the server you want to talk to. This command will produce a very detailed trace on stderr and write out the results to stdout as JSON. In that JSON, you will find the field errormsg with the content of the error buffer.

Thanks!

Thanks for the quick reply! I was able to reproduce my issue using curl itself as well. Snippet from the CLI output (I redacted the certs object to not spam too much, the cert used was an auto-generated traefik default cert):

curl: (60) failed to open socket: Address family not supported by protocol
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
{"certs":"--REDACTED--","conn_id":0,"content_type":null,"errormsg":"failed to open socket: Address family not supported by protocol","exitcode":60,"filename_effective":null,"ftp_entry_path":null,"http_code":0,"http_connect":0,"http_version":"0","local_ip":"","local_port":-1,"method":"GET","num_certs":1,"num_connects":1,"num_headers":0,"num_redirects":0,"num_retries":0,"proxy_ssl_verify_result":0,"proxy_used":0,"redirect_url":null,"referer":null,"remote_ip":"","remote_port":-1,"response_code":0,"scheme":"https","size_download":0,"size_header":0,"size_request":0,"size_upload":0,"speed_download":0,"speed_upload":0,"ssl_verify_result":1,"time_appconnect":0.000000,"time_connect":0.007141,"time_namelookup":0.000815,"time_posttransfer":0.000000,"time_pretransfer":0.000000,"time_queue":0.001041,"time_redirect":0.000000,"time_starttransfer":0.000000,"time_total":0.053475,"tls_earlydata":0,"url":"https://localhost:443/","url.fragment":null,"url.host":"localhost","url.options":null,"url.password":null,"url.path":"/","url.port":"443","url.query":null,"url.scheme":"https","url.user":null,"url.zoneid":null,"url_effective":"https://localhost:443/","urle.fragment":null,"urle.host":"localhost","urle.options":null,"urle.password":null,"urle.path":"/","urle.port":"443","urle.query":null,"urle.scheme":"https","urle.user":null,"urle.zoneid":null,"urlnum":0,"xfer_id":0,"curl_version":"libcurl/8.17.0 OpenSSL/3.6.1 zlib/1.3.1.2-audit"}

I also noticed the following near the beginning, when curl resolves the hostname:

11:03:37.200545 [0-0] * Host localhost:443 was resolved.
11:03:37.200661 [0-0] * IPv6: ::1
11:03:37.200722 [0-0] * IPv4: 127.0.0.1
11:03:37.200795 [0-0] * [HTTPS-CONNECT] adding wanted h2
11:03:37.200893 [0-0] * [HTTPS-CONNECT] added
11:03:37.200979 [0-0] * [MULTI] [CONNECT] -> [CONNECTING] (line 2347)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     011:03:37.201524 [0-0] * [HTTPS-CONNECT] connect, init
11:03:37.201627 [0-0] * [HAPPY-EYEBALLS] init ip ballers for transport 3
11:03:37.201763 [0-0] * [HAPPY-EYEBALLS] starting first attempt for ipv6 -> 0
11:03:37.204024 [0-0] * failed to open socket: Address family not supported by protocol
11:03:37.204189 [0-0] * [TCP] cf_socket_open() -> 7, fd=-1
11:03:37.204291 [0-0] * [HAPPY-EYEBALLS] checked connect attempts: 0 ongoing, 0 inconclusive
11:03:37.204452 [0-0] * [HAPPY-EYEBALLS] starting next attempt for ipv4 -> 0
11:03:37.204617 [0-0] *   Trying 127.0.0.1:443...
11:03:37.204724 [0-0] * [TCP] cf_socket_open() -> 0, fd=4
11:03:37.205027 [0-0] * [TCP] local address 127.0.0.1 port 49846...

My primary network interface has IPv6 disabled, so that would explain as to why curl is not able to open a socket using IPv6.

[icing]

Ok, now the question is what your trace shows afterwards for the ipv4 connection attempt. It must go along some path where the peer verification fails, but does not set the error buffer. That's what is interesting me. Thanks.

[TibiIius]

Ok, now the question is what your trace shows afterwards for the ipv4 connection attempt. It must go along some path where the peer verification fails, but does not set the error buffer. That's what is interesting me. Thanks.

Sure. I'll just attach the whole output of the command this time, in case you need something else from it:

$ /home/dev/.conan2/p/b/libcue23037fb3e436/p/bin/curl -vvvv -w '%{json}\n' --out-null https://localhost:443/

13:40:12.627405 [0-x] * !!! WARNING !!!
13:40:12.627553 [0-x] * This is a debug build of libcurl, do not use in production.
13:40:12.627737 [0-x] * [MULTI] [INIT] added to multi, mid=1, running=1, total=2
13:40:12.627925 [0-x] * [MULTI] [INIT] multi_wait(fds=1, timeout=0) tinternal=0
13:40:12.628119 [0-x] * [MULTI] [INIT] -> [SETUP] (line 2420)
13:40:12.628256 [0-x] * [MULTI] [SETUP] -> [CONNECT] (line 2436)
13:40:12.628397 [0-x] * [READ] client_reset, clear readers
13:40:12.628567 [0-0] * [MULTI] [CONNECT] [CPOOL] added connection 0. The cache now contains 1 members
13:40:12.628798 [0-0] * Host localhost:443 was resolved.
13:40:12.628937 [0-0] * IPv6: ::1
13:40:12.629010 [0-0] * IPv4: 127.0.0.1
13:40:12.629102 [0-0] * [HTTPS-CONNECT] adding wanted h2
13:40:12.629226 [0-0] * [HTTPS-CONNECT] added
13:40:12.629322 [0-0] * [MULTI] [CONNECT] -> [CONNECTING] (line 2347)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     013:40:12.629970 [0-0] * [HTTPS-CONNECT] connect, init
13:40:12.630091 [0-0] * [HAPPY-EYEBALLS] init ip ballers for transport 3
13:40:12.630260 [0-0] * [HAPPY-EYEBALLS] starting first attempt for ipv6 -> 0
13:40:12.632846 [0-0] * failed to open socket: Address family not supported by protocol
13:40:12.633047 [0-0] * [TCP] cf_socket_open() -> 7, fd=-1
13:40:12.633172 [0-0] * [HAPPY-EYEBALLS] checked connect attempts: 0 ongoing, 0 inconclusive
13:40:12.633372 [0-0] * [HAPPY-EYEBALLS] starting next attempt for ipv4 -> 0
13:40:12.633564 [0-0] *   Trying 127.0.0.1:443...
13:40:12.633702 [0-0] * [TCP] cf_socket_open() -> 0, fd=4
13:40:12.634030 [0-0] * [TCP] local address 127.0.0.1 port 38510...
13:40:12.634209 [0-0] * [HAPPY-EYEBALLS] checked connect attempts: 1 ongoing, 0 inconclusive
13:40:12.634417 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:40:12.634552 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
13:40:12.634736 [0-0] * [TCP] adjust_pollset, !connected, POLLOUT fd=4
13:40:12.634886 [0-0] * [HAPPY-EYEBALLS] adjust_pollset -> 0, 1 socks
13:40:12.635046 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:40:12.635204 [0-0] * [MULTI] [CONNECTING] multi_wait pollset[fd=4 OUT], timeouts=0
13:40:12.635403 [0-0] * [MULTI] [CONNECTING] multi_wait(fds=2, timeout=1000) tinternal=-1
13:40:12.635612 [0-0] * [TCP] connected on fd=4
13:40:12.635710 [0-0] * [HAPPY-EYEBALLS] connect attempt #1 successful
13:40:12.635855 [0-0] * [TCP] destroy
13:40:12.635962 [0-0] * [TIMER] [HAPPY_EYEBALLS] cleared
13:40:12.636095 [0-0] * [HAPPY-EYEBALLS] Connected to localhost (127.0.0.1) port 443
13:40:12.636242 [0-0] * [SSL] cf_connect()
13:40:12.636329 [0-0] * [SSL] ossl_connect, step1
13:40:12.639101 [0-0] * [SSLS] find peer slot for localhost:443:TLSVER-6-0:CA-/etc/ssl/certs/ca-certificates.crt:CApath-/etc/ssl/certs:IMPL-OpenSSL/3.6.1:G among 25 slots
13:40:12.639424 [0-0] * [SSLS] peer not found for localhost:443:TLSVER-6-0:CA-/etc/ssl/certs/ca-certificates.crt:CApath-/etc/ssl/certs:IMPL-OpenSSL/3.6.1:G
13:40:12.639707 [0-0] * [SSLS] no cached session for localhost:443:TLSVER-6-0:CA-/etc/ssl/certs/ca-certificates.crt:CApath-/etc/ssl/certs:IMPL-OpenSSL/3.6.1:G
13:40:12.639999 [0-0] * ALPN: curl offers http/1.1
13:40:12.640098 [0-0] * [SSL] ossl_connect, step2
13:40:12.640922 [0-0] => Send SSL data, 5 bytes (0x5)
0000: .....
13:40:12.641067 [0-0] * TLSv1.3 (OUT), TLS handshake, Client hello (1):
13:40:12.641201 [0-0] => Send SSL data, 1557 bytes (0x615)
0000: .......g[...W......$..K...\..A.... ..` .m..a.#...DhoA8...i...:.A
0040: .gK..o..<.......,.0.........+./...$.(.k.#.'.g.....9.....3.....=.
0080: <.5./..................localhost................................
00c0: ...http/1.1.........1.....6.4...................................
0100: ..................+........-.....3........}.$.P~....6.R,<'.B..ac
0140: ..!;O.b.{\-.G.]..B....#...G.....KH@u......d...{XI.,H...?X.T..v..
0180: ...vh..hC......T.8S..@..tV....X(..A.E......N.q.c....g......Y.L.<
01c0: ...#..:......|j..Y.._.$d.c .s..y.t........r|.;3;.6a...d.~....\..
0200: .a.{..GW..D.4R:G2t..U.-.....$d....Z.|X..>.....8.\9:.....IT.1.P..
0240: ...W...C{..Xt$......$v.g.N.)s.+..e...Z...&E.....U.<~.<F..f.<.Q..
0280: .\.....zm#j...*.UT..J...I.9]s...WjQ....9..Rk....wB....AlJk...e.t
02c0: .$`@#...hx..u5.%..`...<...?.%.T.6:...-.G.."#......e...T).0v.4.TV
0300: ..j$P.B7Te.Z.?wH..w.*...N..<I..o:_+..(.....&<pGB... .,v..4...t..
0340: ....L.....$`..Q.+.}p....D.#....FLl.#Ac?..%.)V.&..x..T3...Y.[]ws.
0380: &.b..6h...AD...Iw".f:YX.;....)K"..B..p&.M*........S.....k..n.d..
03c0: J'.`...D..nU.s.%g../.]..y..=H5+M.X..e.0c*(....Rh%ir.{Aj.X9..{r.o
0400: C...0......0.|.e8.....1.*c.G|...V@..T...i..l.j...8..lg...0h.w._.
0440: .....yT:..%N.................4.Z..k}kq....j..4.X..jC.8pr..,!.C..
0480: ......I..:+U.T....q1E.D.X.zvV.#/p|.\3....H:...U.W.......,.F.[...
04c0: ..?.V...cdq......:.D^g.#..F7.Y.Iq..r.....f..$d..6.~.jA.Z\......N
0500: .g..[a._1'......s.H...N....l..$....d.D..j.(v$....*.(....82...9..
0540: ...!..B......9D.I..e...6y...n.D....u5..SZ...J...%e.@h...y...W&J.
0580: >....H.H...G...j...S."h.}.k..HW.g.....|..7.j.^x{.65....(Y......*
05c0: .L..=.9.o.7..+..v7*4&.A.v.z.r..u-.\...&.D}... ...N..^..rZU.y....
0600: .d>P$}..?............
13:40:12.645255 [0-0] * [TCP] send(len=1562) -> 0, 1562
13:40:12.645398 [0-0] * [SSL] ossl_bio_cf_out_write(len=1562) -> 0, 1562
13:40:12.645611 [0-0] * [TCP] recv(len=5) -> 81, 0
13:40:12.645733 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 81, 0
13:40:12.645904 [0-0] * [SSL] configuring OpenSSL's x509 trust store
13:40:12.646078 [0-0] * SSL Trust Anchors:
13:40:12.661292 [0-0] *   CAfile: /etc/ssl/certs/ca-certificates.crt
13:40:12.661508 [0-0] *   CApath: /etc/ssl/certs
13:40:12.661621 [0-0] * [SSL] SSL_connect() -> err=-1, detail=2
13:40:12.661772 [0-0] * [SSL] SSL_connect() -> want recv
13:40:12.661906 [0-0] * [SSL] cf_connect() -> 0, done=0
13:40:12.662037 [0-0] * [HTTPS-CONNECT] connect -> 0, done=0
13:40:12.662180 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 0, done=0
13:40:12.662365 [0-0] * [SSL] adjust_pollset, POLLIN fd=4
13:40:12.662488 [0-0] * [TCP] adjust_pollset, !active, POLLIN fd=4
13:40:12.662652 [0-0] * [HTTPS-CONNECT] adjust_pollset -> 0, 1 socks
13:40:12.662815 [0-0] * [MULTI] [CONNECTING] multi_wait pollset[fd=4 IN], timeouts=0
13:40:12.662995 [0-0] * [MULTI] [CONNECTING] multi_wait(fds=2, timeout=1000) tinternal=-1
13:40:12.663204 [0-0] * [SSL] cf_connect()
13:40:12.663297 [0-0] * [SSL] ossl_connect, step2
13:40:12.663424 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.663546 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.663696 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
13:40:12.663847 [0-0] * [TCP] recv(len=1210) -> 0, 1210
13:40:12.663976 [0-0] * [SSL] ossl_bio_cf_in_read(len=1210) -> 0, 1210
13:40:12.664147 [0-0] * TLSv1.3 (IN), TLS handshake, Server hello (2):
13:40:12.664296 [0-0] <= Recv SSL data, 1210 bytes (0x4ba)
0000: ......zJ.......u.!.COS.v!...,rh....... .m..a.#...DhoA8...i...:.A
0040: .gK..o.....n.+.....3.d...`....E.#+..CT?o....._i...g...&.....2h..
0080: U.v....HE..rOtN.Q..~G...K..=.p..~...r............0....Z...>.\3n.
00c0: .JD/...o..(u|......N..A..,....K...zu......Y.-..B....S+...3.T~.g[
0100:  W...ts.V.J.../M.e....}...zG.='...E5.N...L.r..............|.U\`0
0140: W.~v;\.B....aUz......Q.K1_.\S...../t.w.g...%.....n.c.r....O[}...
0180: ...I.<..4.....q...lc?$.8.......'.k73.3.K-..[zG.!3.$.q...7.t..J-.
01c0: 4.R...%..PH....}Z^.n.....rT:..c.N.)..4..r.B.4.f..........Au....K
0200: 0.......k'...&...T.D.5..e...r2....9%..?.Q.}.3.(A`......F....H..F
0240: Q.f'........hL~.K..`f..?8l............&d........4iR...K.)...[V..
0280: ..s.|t.W......%V"baBE......G1. .r...4`....,.z.1.P.g...l'T.i|:.$.
02c0: a...G.B#..f.f.&.Dh.|B.J.XA. ......6Z.....S..U..EQzK.y.k.a.T...;.
0300: ....J.e..4..J8.).......R.I........{FS...lGS_y....u..HR.n.%&Hz.hZ
0340: .%IlP.A....e.i..>I.dX&~....tR..F..T.?ZR....A.R.....1g.oJ.\......
0380: ....aL.95..v......P ..TT.i....j$....,.E.....!`.....^Q...r.3..R..
03c0: f@...}..F.Y..>.BW.z.....[..M..j/..M#.:c,.......M.....T.`...A..m.
0400: ....c;..kX.q...$U6w....@....r........I.R.@.1"H..X.(4...O!.;.%...
0440: ..X&......$O....~X\#.......1...~........p6....)........].7./....
0480: c93...O...g...o.I..(q..h.tflM....."....R7.......?.*.N.vV.n
13:40:12.668249 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.668362 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.668504 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
13:40:12.668661 [0-0] * [TCP] recv(len=1) -> 0, 1
13:40:12.668751 [0-0] * [SSL] ossl_bio_cf_in_read(len=1) -> 0, 1
13:40:12.668867 [0-0] * TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
13:40:12.669016 [0-0] <= Recv SSL data, 1 bytes (0x1)
0000: .
13:40:12.669128 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.669222 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.669340 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: ....&
13:40:12.669463 [0-0] * [TCP] recv(len=38) -> 0, 38
13:40:12.669558 [0-0] * [SSL] ossl_bio_cf_in_read(len=38) -> 0, 38
13:40:12.669678 [0-0] <= Recv SSL data, 1 bytes (0x1)
0000: .
13:40:12.669794 [0-0] * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
13:40:12.669934 [0-0] <= Recv SSL data, 21 bytes (0x15)
0000: .............http/1.1
13:40:12.670097 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.670190 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.670309 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
13:40:12.670431 [0-0] * [TCP] recv(len=896) -> 0, 896
13:40:12.670529 [0-0] * [SSL] ossl_bio_cf_in_read(len=896) -> 0, 896
13:40:12.670664 [0-0] <= Recv SSL data, 1 bytes (0x1)
0000: .
13:40:12.670769 [0-0] * TLSv1.3 (IN), TLS handshake, Certificate (11):
13:40:12.670899 [0-0] <= Recv SSL data, 879 bytes (0x36f)
0000: ...k...g..b0..^0..F.........qC@!.....a.[D.F0...*.H........0.1.0.
0040: ..U....TRAEFIK DEFAULT CERT0...260216223326Z..270216223326Z0.1.0
0080: ...U....TRAEFIK DEFAULT CERT0.."0...*.H.............0...........
00c0: ...e.T.1~X.?...s..iQ..6%.F!3..{..1.x.....E'H...U..I..zEG<.*.....
0100: Q.y.R.Y...J.y.d....<.9...'......[."...&.^g......a...R.P^l\.).t..
0140: st[.....Y;...qEfH'H.<7..V...T/...R...... .W.xG..A... #....E.....
0180: .....s$q......Rj.Pw@.#d....@.I..Q.V......./p1._;.S..`4\...9.k...
01c0: .....0..0...U...........0...U.%..0...+.......0...U.......0.0\..U
0200: ...U0S.Q90a24f8360257f64f4a1a140e66984fb.03e6cb3551f3b51da0a80ba
0240: 64d5fd6cc.traefik.default0...*.H.............l|.S]Y^7/M.{..%og+L
0280: .xj...#..<O.PD.....5.....\....B...Y...,{...]JX.."...^....qJ.V.._
02c0: .J.?......A...X......1.=e..tm.....w...tF.n.....:....K.....k..).#
0300: zg...;.......)(.....T.#+.?.I,...1.X...!<..D.).....E.R.&..<..5y`.
0340: ..|....P....foS.%*..UXs....#.I-@.2-OCt.2yav....
13:40:12.673061 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.673159 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.673276 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: .....
13:40:12.673406 [0-0] * [TCP] recv(len=281) -> 0, 281
13:40:12.673507 [0-0] * [SSL] ossl_bio_cf_in_read(len=281) -> 0, 281
13:40:12.673632 [0-0] <= Recv SSL data, 1 bytes (0x1)
0000: .
13:40:12.673757 [0-0] * TLSv1.3 (IN), TLS handshake, CERT verify (15):
13:40:12.673882 [0-0] <= Recv SSL data, 264 bytes (0x108)
0000: .........J;..m.b.Zz....l.......5...nt..z}.J.L/..F.W...!$.u.V..j#
0040: ...1.T7..x.....Z.mh.....(JY<..5.I.!).#y..r..(.5.nV.P..9.O).....%
0080: ..m.{(YI.....e...}..1....<H.6.!.h...a.j.b.@..(.S.^f....B.k.% ...
00c0: S........|.7c.w=@.fp.......].y8B...,...6.H3DSy4.C.n.n..P.7HL..J.
0100: ......j.
13:40:12.674674 [0-0] * [TCP] recv(len=5) -> 0, 5
13:40:12.674771 [0-0] * [SSL] ossl_bio_cf_in_read(len=5) -> 0, 5
13:40:12.674893 [0-0] <= Recv SSL data, 5 bytes (0x5)
0000: ....5
13:40:12.675012 [0-0] * [TCP] recv(len=53) -> 0, 53
13:40:12.675105 [0-0] * [SSL] ossl_bio_cf_in_read(len=53) -> 0, 53
13:40:12.675237 [0-0] <= Recv SSL data, 1 bytes (0x1)
0000: .
13:40:12.675354 [0-0] * TLSv1.3 (IN), TLS handshake, Finished (20):
13:40:12.675471 [0-0] <= Recv SSL data, 36 bytes (0x24)
0000: ... ...(oy..m^[....F4.........i..c9H
13:40:12.675713 [0-0] => Send SSL data, 5 bytes (0x5)
0000: .....
13:40:12.675843 [0-0] * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
13:40:12.675990 [0-0] => Send SSL data, 1 bytes (0x1)
0000: .
13:40:12.676133 [0-0] => Send SSL data, 5 bytes (0x5)
0000: ....5
13:40:12.676262 [0-0] => Send SSL data, 1 bytes (0x1)
0000: .
13:40:12.676374 [0-0] * TLSv1.3 (OUT), TLS handshake, Finished (20):
13:40:12.676501 [0-0] => Send SSL data, 36 bytes (0x24)
0000: ... oe.....`.U.@5.x...e....O.M..J...
13:40:12.676731 [0-0] * [TCP] send(len=64) -> 0, 64
13:40:12.676847 [0-0] * [SSL] ossl_bio_cf_out_write(len=64) -> 0, 64
13:40:12.677045 [0-0] * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519MLKEM768 / RSASSA-PSS
13:40:12.677287 [0-0] * ALPN: server accepted http/1.1
13:40:12.677414 [0-0] * [SSL] ossl_connect, step3
13:40:12.677690 [0-0] * Server certificate:
13:40:12.677793 [0-0] *   subject: CN=TRAEFIK DEFAULT CERT
13:40:12.677931 [0-0] *   start date: Feb 16 22:33:26 2026 GMT
13:40:12.678072 [0-0] *   expire date: Feb 16 22:33:26 2027 GMT
13:40:12.678207 [0-0] *   issuer: CN=TRAEFIK DEFAULT CERT
13:40:12.678340 [0-0] *   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
13:40:12.678621 [0-0] *  subjectAltName does not match hostname localhost
13:40:12.678795 [0-0] * SSL: no alternative certificate subject name matches target hostname 'localhost'
13:40:12.679030 [0-0] * [SSLS] find peer slot for localhost:443:TLSVER-6-0:CA-/etc/ssl/certs/ca-certificates.crt:CApath-/etc/ssl/certs:IMPL-OpenSSL/3.6.1:G among 25 slots
13:40:12.679431 [0-0] * [SSLS] peer not found for localhost:443:TLSVER-6-0:CA-/etc/ssl/certs/ca-certificates.crt:CApath-/etc/ssl/certs:IMPL-OpenSSL/3.6.1:G
13:40:12.679778 [0-0] * [SSL] cf_connect() -> 60, done=0
13:40:12.679915 [0-0] * [HTTPS-CONNECT] connect, all attempts failed
13:40:12.680072 [0-0] * [HTTPS-CONNECT] connect -> 60, done=0
13:40:12.680216 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(block=0) -> 60, done=0
13:40:12.680393 [0-0] * [HTTPS-CONNECT] Curl_conn_connect(), filter returned 60
13:40:12.680586 [0-0] * [MULTI] [CONNECTING] multi_done: status: 60 prem: 1 done: 0
  0     0   0     0   0     0     0     0  --:--:-- --:--:-- --:--:--     0
13:40:12.680953 [0-0] * [WRITE] [OUT] done
13:40:12.681054 [0-x] * [MULTI] [CONNECTING] multi_done_locked, in use=0
13:40:12.681233 [0-0] * [MULTI] [CONNECTING] multi_done, terminating conn #0 to localhost:443, forbid=0, close=0, premature=1, conn_multiplex=0
13:40:12.681552 [0-0] * closing connection #0
13:40:12.682299 [0-0] * [MULTI] [CONNECTING] -> [COMPLETED] (line 2703)
13:40:12.682452 [0-0] * [MULTI] [COMPLETED] -> [MSGSENT] (line 2749)
13:40:12.682614 [0-0] * [MULTI] [COMPLETED] removed from multi, mid=1, running=0, total=1
curl: (60) failed to open socket: Address family not supported by protocol
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
{"certs":"Subject:CN = TRAEFIK DEFAULT CERT\nIssuer:CN = TRAEFIK DEFAULT CERT\nVersion:2\nSerial Number:dd71434021fff98bd5ff61e55b44b546\nSignature Algorithm:sha256WithRSAEncryption\nPublic Key Algorithm:rsaEncryption\nX509v3 Key Usage:Digital Signature, Key Encipherment, Data Encipherment, Key Agreement\nX509v3 Extended Key Usage:TLS Web Server Authentication\nX509v3 Basic Constraints:CA:FALSE\nX509v3 Subject Alternative Name:DNS:90a24f8360257f64f4a1a140e66984fb.03e6cb3551f3b51da0a80ba64d5fd6cc.traefik.default\nStart date:Feb 16 22:33:26 2026 GMT\nExpire date:Feb 16 22:33:26 2027 GMT\nRSA Public Key:2048\nrsa(n):C9A3B815FFE2659754CE317E58E33FDCD81773F1F26951850A3625E6462133DFBC7B9BF431C0789B9E0ED8034527480CAAB355E71A49D29B7A45473CC72AC9B1F59BE651E079E852DE59E789CC4AF679EA641AFEF2A73C8B39E12E1B27DDABB7BE12FC5BC6221EBAA626C15E67C9941F1DA2A661D01DD55201505E6C5CD3291274E2DC73745B8CF9A58907593BC1BD987145664827488F3C3796A9560EF617542FB4B31252C092EFA519A820F457E77847049641FC9208202313DB831145FAC8FC86C09113BD849C73247199E38B0DB59D526AE8507740CD2364ADB7ADD1408E49AB0E51CE56ABC69DFBF1DEF42F7031B85F3B95539AB760345C2ECAA939056B\nrsa(e):10001\nSignature:6c:7c:a0:53:5d:59:5e:37:2f:4d:a3:7b:0a:a2:25:6f:67:2b:4c:1f:78:6a:a8:91:c8:23:b9:af:3c:4f:c5:50:44:b7:7f:a5:1e:0b:35:90:95:0c:0c:a6:5c:2e:e9:ec:e5:42:8d:ce:09:59:a5:c6:a3:2c:7b:06:92:a4:5d:4a:58:db:ed:22:d3:05:a3:5e:81:b0:0f:b4:71:4a:ba:56:a0:b1:5f:bc:4a:94:3f:1a:d9:a5:1f:8c:bf:41:da:04:ae:58:ef:16:dc:ce:0d:dc:31:c7:3d:65:cb:f4:74:6d:7f:a7:86:07:98:77:b0:91:8c:74:46:d5:6e:8b:a1:05:ca:1d:3a:b2:a3:03:ee:4b:87:bc:ea:d6:90:6b:d8:97:29:99:23:7a:67:90:b2:ad:3b:e1:97:bf:ae:93:8c:04:29:28:d8:b5:cb:ba:f1:54:1b:23:2b:1c:3f:11:49:2c:d3:e6:f2:31:0e:58:e6:a6:f3:21:3c:aa:a4:44:90:29:dc:9a:11:b9:0f:45:84:52:be:26:b7:f7:3c:ff:e8:35:79:60:dc:b1:97:7c:e7:8b:d1:b1:50:a3:11:f0:df:66:6f:53:2e:25:2a:8b:05:55:58:73:07:fd:b2:b8:23:11:49:2d:40:e8:32:2d:4f:43:74:9f:32:79:61:76:da:b2:\n-----BEGIN CERTIFICATE-----\nMIIDXjCCAkagAwIBAgIRAN1xQ0Ah//mL1f9h5VtEtUYwDQYJKoZIhvcNAQELBQAw\nHzEdMBsGA1UEAxMUVFJBRUZJSyBERUZBVUxUIENFUlQwHhcNMjYwMjE2MjIzMzI2\nWhcNMjcwMjE2MjIzMzI2WjAfMR0wGwYDVQQDExRUUkFFRklLIERFRkFVTFQgQ0VS\nVDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmjuBX/4mWXVM4xfljj\nP9zYF3Px8mlRhQo2JeZGITPfvHub9DHAeJueDtgDRSdIDKqzVecaSdKbekVHPMcq\nybH1m+ZR4HnoUt5Z54nMSvZ56mQa/vKnPIs54S4bJ92rt74S/FvGIh66pibBXmfJ\nlB8doqZh0B3VUgFQXmxc0ykSdOLcc3RbjPmliQdZO8G9mHFFZkgnSI88N5apVg72\nF1QvtLMSUsCS76UZqCD0V+d4RwSWQfySCCAjE9uDEUX6yPyGwJETvYSccyRxmeOL\nDbWdUmroUHdAzSNkrbet0UCOSasOUc5Wq8ad+/He9C9wMbhfO5VTmrdgNFwuyqk5\nBWsCAwEAAaOBlDCBkTAOBgNVHQ8BAf8EBAMCA7gwEwYDVR0lBAwwCgYIKwYBBQUH\nAwEwDAYDVR0TAQH/BAIwADBcBgNVHREEVTBTglE5MGEyNGY4MzYwMjU3ZjY0ZjRh\nMWExNDBlNjY5ODRmYi4wM2U2Y2IzNTUxZjNiNTFkYTBhODBiYTY0ZDVmZDZjYy50\ncmFlZmlrLmRlZmF1bHQwDQYJKoZIhvcNAQELBQADggEBAGx8oFNdWV43L02jewqi\nJW9nK0wfeGqokcgjua88T8VQRLd/pR4LNZCVDAymXC7p7OVCjc4JWaXGoyx7BpKk\nXUpY2+0i0wWjXoGwD7RxSrpWoLFfvEqUPxrZpR+Mv0HaBK5Y7xbczg3cMcc9Zcv0\ndG1/p4YHmHewkYx0RtVui6EFyh06sqMD7kuHvOrWkGvYlymZI3pnkLKtO+GXv66T\njAQpKNi1y7rxVBsjKxw/EUks0+byMQ5Y5qbzITyqpESQKdyaEbkPRYRSvia39zz/\n6DV5YNyxl3zni9GxUKMR8N9mb1MuJSqLBVVYcwf9srgjEUktQOgyLU9DdJ8yeWF2\n2rI=\n-----END CERTIFICATE-----\n","conn_id":0,"content_type":null,"errormsg":"failed to open socket: Address family not supported by protocol","exitcode":60,"filename_effective":null,"ftp_entry_path":null,"http_code":0,"http_connect":0,"http_version":"0","local_ip":"","local_port":-1,"method":"GET","num_certs":1,"num_connects":1,"num_headers":0,"num_redirects":0,"num_retries":0,"proxy_ssl_verify_result":0,"proxy_used":0,"redirect_url":null,"referer":null,"remote_ip":"","remote_port":-1,"response_code":0,"scheme":"https","size_download":0,"size_header":0,"size_request":0,"size_upload":0,"speed_download":0,"speed_upload":0,"ssl_verify_result":1,"time_appconnect":0.000000,"time_connect":0.007355,"time_namelookup":0.000846,"time_posttransfer":0.000000,"time_pretransfer":0.000000,"time_queue":0.001066,"time_redirect":0.000000,"time_starttransfer":0.000000,"time_total":0.052653,"tls_earlydata":0,"url":"https://localhost:443/","url.fragment":null,"url.host":"localhost","url.options":null,"url.password":null,"url.path":"/","url.port":"443","url.query":null,"url.scheme":"https","url.user":null,"url.zoneid":null,"url_effective":"https://localhost:443/","urle.fragment":null,"urle.host":"localhost","urle.options":null,"urle.password":null,"urle.path":"/","urle.port":"443","urle.query":null,"urle.scheme":"https","urle.user":null,"urle.zoneid":null,"urlnum":0,"xfer_id":0,"curl_version":"libcurl/8.17.0 OpenSSL/3.6.1 zlib/1.3.1.2-audit"}

[icing]

With that information I was able to reproduce and make a test case and fix. See #20613.

What was happening is that an easy handle records the "primary" failure, e.g. the first to occur, and does not overwrite the errorbuf with subsequent information. This is fine to see the root cause. Except when doing happy eyeballing when one wants to see the last failure that happened in all attempts (or no failure at all when the connection was established).

[TibiIius]

With that information I was able to reproduce and make a test case and fix. See #20613.

What was happening is that an easy handle records the "primary" failure, e.g. the first to occur, and does not overwrite the errorbuf with subsequent information. This is fine to see the root cause. Except when doing happy eyeballing when one wants to see the last failure that happened in all attempts (or no failure at all when the connection was established).

Alright, that makes sense, thanks a lot for the quick help! :)