Network error - SSL handshake failed

[DataBeaver]

SailfishOS VERSION: 3.4

HARDWARE: Jolla Jolla (the original Jolla phone)

Storeman VERSION: 0.3.0

QUESTION

I installed Storeman on my Jolla phone, but it keeps showing a network error notification. Starting it over ssh I get this output:

[D] unknown:0 - Using Wayland-EGL
[W] unknown:0 - Could not find any zN.M subdirs!
[W] unknown:0 - Theme dir "/usr/share/themes/jolla-ambient/meegotouch/z1.0/" does not exist
[W] unknown:0 - Network request error QNetworkReply::NetworkError(SslHandshakeFailedError) - "SSL handshake failed"
[W] unknown:0 - Network request error QNetworkReply::NetworkError(SslHandshakeFailedError) - "SSL handshake failed"

It doesn't tell why the handshake failed though. Sailfish 3.4 is close to two years old, so I guess it's possible the SSL library is too old. However accessing openrepos.net over https with the browser works, so this might also be something else.

STEPS TO REPRODUCE

1. Install the Storeman installer
2. Use the installer to install Storeman
3. Launch Storeman
4. Observe network errors when trying to list or search for packages

[DataBeaver]

This turned out to be due to a change in Let's Encrypt's root CA last year combined with an old Sailfish version which isn't getting updates to its certificates. I got it fixed with these instructions: https://gitlab.com/Olf0/guide-fix-certificate-issues-on-sailfishos/-/tree/master (method A).

[Olf0]

Still many thanks for providing a proper bug report!

As a nice extra, your report confirms that the Storeman-Installer worked fine for you.

Note for others observing similar issues on SailfishOS < 4

Please mind, that in addition to applying my [Guide] Fix certificate issues on SailfishOS, you nowadays also need OpenSSL 1.1 for “the WWW to work” (as it provides TLS 1.2), hence on SailfishOS < 4.0.1 one shall install the last release of Jolla's OpenSSL combi-package (contains OpenSSL 1.0 and 1.1), which is available at OpenRepos.

[00kv]

Doesn't seem to work on 3.4.0.24 (Jolla1). I can connect to openrepos.net with openssl, curl and browser but the app will fail with error. I remember it working ~year ago not sure what changed.

[Olf0]

Checked, and "yes" it also fails on my Jolla1@SFOS2.2.1 with Storeman 0.1.8 emitting "Network error"; it was working well a few months ago, i.e. in early 2024. According to Bohdan it worked fine 20 days ago, i.e. 2024-04-26.

As my time for SailfishOS related things is very scarce, systemd logs (by journalctl), preferably with some filtering (see journalctl options), and current output of Storeman when started at the command line would be helpful to fully comprehend the issue in order to resolve it; some analysis on top of that even more so.
Please do not forget to denote device model, SailfishOS release and Storeman version used for testing.

P.S.: I observe basically the same ("TLS negotiation failed") with an older version of the XMPP-client app Conversations (the last one, which supports Android 4: 2.9.3-fcr) since the end of April 2024 (i.e. it does not connect to any XMPP-server). This may be coincidence but appears to have some aspects in common.

[00kv]

ok i found a solution

cd /etc/pki/tls/certs
rm *.0

some root ca expired and qt fails loading the whole store because of it ?

[00kv]

ps. for android apps the CAs need to be added to /opt/alien/system/etc/security/cacerts/