
armhf: buster: TLS / HTTPS partly broken



Hi,

I am building Docker images for amd64, armhf, and arm64. I have a very
simple container based on debian:buster where curl works fine on amd64
and arm64 but fails on armhf [1]. This makes it very easy to reproduce
the problem.

# curl --version
curl 7.64.0 (arm-unknown-linux-gnueabihf) libcurl/7.64.0
OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2
(+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

# curl https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The error occurs on a real armhf target (Raspberry Pi 3) as well as
with QEMU (tested with 3.1.0-2 and v4.2.0-7).

The error cannot be reproduced with debian:stretch. [2]

The error cannot be reproduced with ubuntu:bionic or ubuntu:focal. [3]

With wget it works fine. Nonetheless, I doubt that curl itself is
the source of the problem. The Logitech Media Server package [4] (not
an official Debian package) shows the problem as well. LMS is written
using Perl (mainly) and does not use curl.

I also gave aria2 a try. It downloads but gives a warning on armhf.

# aria2c https://www.google.com
[..]
05/03 12:32:37 [WARN] aria2c had to connect to the other side using an
unknown TLS protocol. The integrity and confidentiality of the
connection might be compromised.
Peer: www.google.com (216.58.207.164:443)

Does that mean a TLS library does not feature all required protocols on armhf?

Does anybody have an idea what the problem might be? Who can / should
tackle the problem?

I did not report the problem using reportbug because I have no clue
which package is causing the problem.

Greetings,
Mark

[1] https://gitlab.com/toertel/docker-image-tls-https-broken
[2] https://gitlab.com/toertel/docker-image-tls-https-broken/pipelines/141798495
[3] https://gitlab.com/toertel/docker-image-tls-https-broken/pipelines/141820625
[4] http://downloads.slimdevices.com/LogitechMediaServer_v7.9.2/

