Re: armhf: buster: TLS / HTTPS partly broken

To: Reco <recoverym4n@enotuniq.net>, debian-user@lists.debian.org
Subject: Re: armhf: buster: TLS / HTTPS partly broken
From: Mark Jonas <toertel@gmail.com>
Date: Mon, 4 May 2020 20:41:43 +0200
Message-id: <[🔎] CAEE5dN2bJaCkkxJrcESCx6RMgQq4iGvB0FN9S=kDk+C-99UFYg@mail.gmail.com>
In-reply-to: <[🔎] E1jVa1K-0005W2-02@enotuniq.net>
References: <[🔎] E1jVIq6-0001iW-HI@enotuniq.net> <[🔎] CAEE5dN2UPJVPd=sponpjVPNE-0JVUryR3sp5kAJXEHn33c3RBw@mail.gmail.com> <[🔎] E1jVVxh-00059Q-Lw@enotuniq.net> <[🔎] CAEE5dN14fdrwhgjEVTdM=j-kUyAaMUa3WZYmmgKcoMvRgNwXiQ@mail.gmail.com> <[🔎] E1jVa1K-0005W2-02@enotuniq.net>

Hi Reco,

> > I used the identical image to run the container on an amhf host
> > (Raspberry Pi 3). So there is now no QEMU in the way.
>
> Curious. Just tested it with curl at Marvell Armada 385 (runs Debian 10,
> armhf), works as supposed to.
> I could also test it on Exynos 5422 (also runs Debian 10, armhf), but
> it'll be the same.

Do you want to try the Docker image on one of these? Maybe the problem
is not Debian itself but only the official Debian Docker image?

> > curl https://www.google.com still fails on the armhf host. So QEMU is
> > out of the game.
>
> Ok. Is it possible to run curl via strace from inside the docker?
> Something like this would be perfect (-o designates an output file):
>
> strace -o /tmp/curl -e trace=file curl https://www.google.com

Please have a look at the reply I send to Tomas. There is the complete
strace output.

> Specifically, it should try to open a symlink to
> /etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem.
> Here it's called /etc/ssl/certs/4a6481c9.0, may be machine-specific.

Yes, it tries to open something like that and fails. But on my PC,
where curl works, the trace shows similar failures.

Raspberry Pi Docker host, armhf Docker container snippet:

1613  openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 4
1613  stat64("/etc/ssl/certs/99bdd351.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
1613  stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No
such file or directory)
1613  +++ exited with 60 +++

PC strace snippet:

5524  openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 4
5524  openat(AT_FDCWD, "/dev/random", O_RDONLY) = 5
5524  openat(AT_FDCWD, "/dev/srandom", O_RDONLY) = -1 ENOENT (No such
file or directory)
5524  openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 6
5524  openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 6
5524  stat("/etc/ssl/certs/99bdd351.0", 0x7ffff60b7060) = -1 ENOENT
(No such file or directory)
5524  openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 6
5524  +++ exited with 0 +++

Greetings,
Mark

Reply to:

Follow-Ups:
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Reco <recoverym4n@enotuniq.net>

References:
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Reco <recoverym4n@enotuniq.net>
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Mark Jonas <toertel@gmail.com>
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Reco <recoverym4n@enotuniq.net>
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Mark Jonas <toertel@gmail.com>
- Re: armhf: buster: TLS / HTTPS partly broken
  - From: Reco <recoverym4n@enotuniq.net>

Prev by Date: Re: armhf: buster: TLS / HTTPS partly broken
Next by Date: Re: Custom application icon do not appear in Gnome and LXQT
Previous by thread: Re: armhf: buster: TLS / HTTPS partly broken
Next by thread: Re: armhf: buster: TLS / HTTPS partly broken
Index(es):
- Date
- Thread