
wolfssl cannot correctly verify SSL certificates on some platforms #169

Closed
yuanwb1984 opened this issue Apr 30, 2024 · 10 comments

Comments

@yuanwb1984

I don't know where the problem is. With the same configuration, there is no error on the NanoPi running Debian 12 and queries work normally, but on the Newifi3 running OpenWrt it errors out;
trust-dns tls://aa.bb.cc@11.22.33.44#5566
The upstream is a DoT server run by smartdns on a VPS.
I tried updating the certificates and installing libwolfssl and ca-certificates, which didn't fix it, and I can't reproduce it on other devices, so I don't know where the problem is.
2024-04-30 08:30:01 W [Upstream.zig:586 TCP.on_error] connect(tls://aa.bb.cc@11.22.33.44#5566) failed: SSL_ERROR(-155)
2024-04-30 08:30:01 W [Upstream.zig:586 TCP.on_error] ssl error: ASN sig error, confirm failure

@zfl9
Owner

zfl9 commented Apr 30, 2024

Is it mips?

@zfl9
Owner

zfl9 commented Apr 30, 2024

Which chinadns-ng build did you download?

Shall I build you a version with SSL certificate verification disabled to try?

@yuanwb1984
Author

Just tried tls://one.one.one.one@1.1.1.1 and it works fine,
so it's not a problem with chinadns-ng+wolfssl@mipsel-linux-musl@mips32r2+soft_float@fast+lto;
but since DoT can be used directly, there seems to be no need to forward through smartdns anymore.

@yuanwb1984
Author

The certificate for my self-hosted smartdns DoT is from acme.sh; could the certificate be wrong?

@zfl9
Owner

zfl9 commented Apr 30, 2024

Hold on, I'll change the code to disable certificate verification. Try it in a bit.

@yuanwb1984
Author

1.1.1.1 also has errors, lots of -313
2024-04-30 08:47:27 W [Upstream.zig:586 TCP.on_error] recv(tls://one.one.one.one@1.1.1.1) failed: SSL_ERROR(-305)
2024-04-30 08:47:27 W [Upstream.zig:586 TCP.on_error] ssl error: verify mac problem
2024-04-30 08:47:27 W [Upstream.zig:586 TCP.on_error] ssl error: verify mac problem
2024-04-30 08:50:29 W [Upstream.zig:586 TCP.on_error] connect(tls://one.one.one.one@1.1.1.1) failed: SSL_ERROR(-313)
2024-04-30 08:50:29 W [Upstream.zig:586 TCP.on_error] ssl error: unknown error number
2024-04-30 08:50:29 W [Upstream.zig:586 TCP.on_error] ssl error: received alert fatal error

@zfl9
Owner

zfl9 commented Apr 30, 2024

https://github.com/zfl9/files

Download this and see?

@yuanwb1984
Author

This one no longer errors and queries work normally.

@zfl9
Owner

zfl9 commented Apr 30, 2024

I guess there's something wrong with wolfssl's certificate verification (oddly, x86(64) and aarch64 are fine). When I tested DoT on mips with qemu earlier I also hit this problem; I didn't expect real hardware to have it too. So I'll disable it by default.

zfl9 changed the title from "ssl error: ASN sig error, confirm failure in openwrt" to "wolfssl cannot correctly verify SSL certificates on some platforms" on Apr 30, 2024
zfl9 added a commit that referenced this issue Apr 30, 2024
@zfl9
Owner

zfl9 commented Apr 30, 2024

See the latest 2024.04.30 release; it should be fine now.

zfl9 closed this as completed Apr 30, 2024