CURL stopped working for https after latest wolfssl patch (21.02)

Hi there,

It seems curl has stopped working after installing the latest patches of wolfssl. To test I tried https://www.google.com/ and got the following response.

Protocol "https" not supported or disabled in libcurl

Other packages stopped working afterwards, like the following:
banIP
banIP-0.7.10[12611]: f_down ::: name: doh_4, url: https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt, rule: /^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print "add doh_4 "$1}, rc: 1, log: curl: (1) Protocol "https" not supported or disabled in libcurl

https-dns-proxy
https-dns-proxy-2021-11-22/src/https_client.c:317 E516: CURLOPT_SSLVERSION error 4: Error

I've already seen some people posting the same issue on reddit.

UPDATE
It has been tagged as a Known Issue and the devs have a fix, but it's not yet in the release packages for 21.02.
See comment below: CURL stopped working for https after latest wolfssl patch (21.02) - #34 by AcidSlide

Same issue if you flash a newer 22.03 image including the updated WolfSSL lib?

Are you saying same issue or are you asking if it has the same issue??

Honestly I'm not sure if it's working in 22.03.. currently using 21.02.3 on my setup

I was assuming latest stable, but the same question applies to 21.02. I compile myself and I stay away from the ABI meltdown that WolfSSL is wherever possible, so I cannot share any personal experiences - not anymore.

Extra complication is that opkg isn't really designed to be a full-fledged package manager.

Did you run an upgrade of packages in opkg/luci or did you install a new image with a new WolfSSL included?

Upgrade via opkg

Tell me more about the implications of removing WolfSSL from your system?
I am curious because I really just run openssh client/server & openssl things (like luci-ssl-nginx). I haven't jumped ship yet and removed anything WolfSSL because I am afraid I will break something. I think the fact that OpenWRT comes with wolfssl & dropbear just confused me and my keys to the point that I just went with openssl and openssh because it just worked and never looked back.
Just curious if you found any issues with removing wolfssl packages?

I can't remove it on mine and use openssl instead unless I change my whole setup (reformat all my routers and re-configure everything). My WiFi setup uses the wolfssl packages.

You'd need to switch to OpenSSL yes, but you need enough storage for that. AFAIK what you'd need is wpad-openssl instead of the wolfssl flavour, and yes LuCI with OpenSSL support, if you'd like. There's very little added value to use OpenSSH though.

The other viable alternative for space constrained systems is mbedTLS, but unfortunately LuCI hostapd does (not yet) support it. There's a PR in the works for it, I believe.

Excuse my french, but WolfSSL has been a crazy clusterfuck from day one. There were no doubt sound reasons to prefer it instead of mbedTLS, but I am not privy to them. I've seen the breakage though that comes from WolfSSL 'not doing' maintenance releases and basically just bumping you to a major release if you need fixes.

There is one reason and one reason alone, hostapd needs either openssl or wolfssl to support WPA3/SAE; mbedtls support for hostapd is only just being developed (somewhere between proof-of-concept and RFC stage of patches). Compared to openssl, wolfssl is at least a third smaller - but its track record is …below average…, to phrase it mildly.

Yes, my bad, mbedTLS support for hostapd is indeed in the works.

Well don’t do that. Unless you want to live on the edge of life. Install a new image instead.

There have been a lot of threads lately in the forum with the same question “I upgraded and now it doesn’t work”; read those if you want background info.

I think upgrade is the only way to get the newer, unaffected wolfssl packages, I tried a 22.03.0 image today and it still contained the affected, older packages.

There's still the 22.03 snapshot images while you wait for the 21.02 and 22.03 point releases.

the official recommendation in this case is different: https://openwrt.org/advisory/2022-10-04-1

in general you are better with image upgrade though, you are right.

FWIW I run a script in cron / manually that includes dependencies on curl. The script completes as desired yet I did not expect it to after reading the OP's post. Perhaps something else is afoot?

After performing the upgrade mentioned via our forum: This is my output (included curl for comparisons)

/$  opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
wpad-basic-wolfssl - 2022-01-16-cff80b4f-13.1
/$  opkg list-installed | grep curl
curl - 7.83.1-3
libcurl4 - 7.83.1-3

On 22.03.0
My script worked after upgrading the packages. @AcidSlide
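
Added example, not part of any post in this thread: a POSIX shell check for the symptom reported at the top. It parses `curl -V` output to tell whether libcurl has an `https` handler and which TLS library it was built with, and pulls the curl and wolfssl package lines out of `opkg list-installed`. The function names and all sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All sample texts below are constructed.

# Parse `curl -V` text on stdin -> "https=yes|no backend=<lib/version|none>".
curl_https_status() {
    awk '
        BEGIN { https = "no"; backend = "none" }
        NR == 1 {   # first line lists the libraries libcurl was built with
            for (i = 1; i <= NF; i++)
                if (tolower($i) ~ /^(wolfssl|openssl|mbedtls|gnutls)\//) backend = $i
        }
        /^Protocols:/ {   # protocol handlers compiled into libcurl
            for (i = 2; i <= NF; i++) if ($i == "https") https = "yes"
        }
        END { printf "https=%s backend=%s\n", https, backend }'
}

# Parse `opkg list-installed` text on stdin -> "name=version" for the curl
# and wolfssl packages, the ones compared in the thread.
tls_packages() {
    awk '$1 ~ /^(lib)?curl[0-9]*$/ || $1 ~ /wolfssl/ { print $1 "=" $3 }'
}

# Constructed: a libcurl with no TLS backend compiled in.
SAMPLE_NO_TLS='curl 7.83.1 (constructed-target) libcurl/7.83.1 nghttp2/1.44.0
Protocols: file ftp http mqtt
Features: HTTP2 IPv6 Largefile'

# Constructed: a libcurl built against wolfSSL.
SAMPLE_TLS='curl 7.83.1 (constructed-target) libcurl/7.83.1 wolfSSL/5.5.1 nghttp2/1.44.0
Protocols: file ftp ftps http https mqtt
Features: HTTP2 IPv6 Largefile SSL'

# Constructed opkg listing that reuses package lines quoted in the thread.
SAMPLE_OPKG='libwolfssl5.5.1.ee39414e - 5.5.1-stable-3
px5g-wolfssl - 5.1
curl - 7.83.1-3
libcurl4 - 7.83.1-3
dropbear - 0.0-constructed'

printf '%s\n' "$SAMPLE_NO_TLS" | curl_https_status
printf '%s\n' "$SAMPLE_TLS" | curl_https_status
printf '%s\n' "$SAMPLE_OPKG" | tls_packages
# On a router: curl -V | curl_https_status; opkg list-installed | tls_packages
```

A result of `https=no` matches the `Protocol "https" not supported or disabled in libcurl` error, which libcurl returns when no `https` handler is compiled in.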

The unaffected wolfssl packages are now in 22.03.0 stable.

I used attendedsysupgrade (auc) on my routers. That seems to have installed a complete set of compatible packages.

Just to clarify, your scripts stopped working after upgrading the wolfssl packages?

How about 21.02.03?