CURL stopped working for https after latest woflssl patch (21.02)

@ynezz
This thread and the narrowing down of curl should be noted as causing issues on 21.02 after upgrading.

Did this using new image (sysupgrade).. but same issue with CURL.. so it's the CURL package that stopped working for HTTPS after updating WoflSSL.. that's the only thing UPGRADED before it stopped working.

Here's where you can report this, or find/search for package related bugs.
Create a Git account and post your tech details.

Thanks will do that

@Bill
somebody has already raised already related issue.. and devs have acknowledge it's broken with the latest 21.02 builds due to changes to wolfssl

For those who came across this and having the same issue.. please see the following links:

2 Likes

Hello!

Yes for:

Model	Linksys MR8300 (Dallas)
Architecture	ARMv7 Processor rev 5 (v7l)
Target Platform	ipq40xx/generic
Firmware Version	OpenWrt 21.02.3 r16554-1d4dea6d4f / LuCI openwrt-21.02 branch git-22.245.77575-63bfee6
Kernel Version	5.4.188

The package has stopped working. Tried to downgrade wolf ssl without success. Here my version about packages.

libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 4.1
wpad-basic-wolfssl - 2020-06-08-5a8b3662-41
libcurl4 - 7.83.1-2.1

You're Absolutely right ...

----------------------------
WARNING: Running as root without dropping privileges is NOT recommended.
----------------------------
[W] 1665824889.155379 main.c:236 HTTP/3 is not supported by current libcurl
[W] 1665825129.454036 https_client.c:351 66B8: curl request failed with 0: No error
[W] 1665825129.454089 https_client.c:353 66B8: curl error message: Error reading ca cert file p=�� - mbedTLS: (-0x3E00) PK - Read/write of file failed
[W] 1665825129.454127 https_client.c:380 66B8: No response (probably connection has been closed or timed out)

What OpenWRT are you using? If it's 21.02.x then you might need to manually downgrade the version of curl and libcurl4 (see this link: https://github.com/openwrt/packages/issues/19547#issuecomment-1271809668).

Although the fix has been committed already for 21.02 branch, somehow it wasn't included on some of the latest (as of this writing) archi release (ex: mipsel_24kc but is updated packages for curl and libcurl4 was included for mips_24kc) for 21.02.x. See my post here and here.

Firmware Version	OpenWrt 22.03.1 r19777-2853b6d652 / LuCI openwrt-22.03 branch git-22.245.77528-487e58a

Hmmm.. you are already using 22.03 branch which should have working curl and libcurl but I'm not sure about the HTTP/3 support.

Can you check what package versions installed in your router for curl and libcurl?

$ pkg list-installed | grep curl
curl - 7.85.0-5.1
libcurl4 - 7.85.0-5.1
php8-mod-curl - 8.1.11-1

Have you tried updating/upgrading your curl and libcurl4? Checking some of the archi packages for 22.03.1 there should be a 7.85.0-6.1 version. I'm just not sure about your php8-mod-curl.

 opkg list-installed | grep curl
curl - 7.85.0-6.1
libcurl4 - 7.85.0-6.1
php8-mod-curl - 8.1.11-1

I done that but still https-dns-proxy is not working.

anymore commands to run to diagnose the issue?

Why is this marked as solution? I can't get curl working again after installing git in 21.02.

Downgrading won't work either....


$ wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/packages/curl_7.83.1-2.1_x86_64.ipk
wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/packages/libcurl4_7.83.1-2.1_x86_64.ipk
wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/base/libwolfssl5.2.0.99a5b54a_5.2.0-stable-2_x86_64.ipk
opkg install libwolfssl5.2.0.99a5b54a_5.2.0-stable-2_x86_64.ipk
opkg install libcurl4_7.83.1-2.1_x86_64.ipk
opkg install curl_7.83.1-2.1_x86_64.ipk
Installing libwolfssl5.2.0.99a5b54a (5.2.0-stable-2) to root...
Configuring libwolfssl5.2.0.99a5b54a.
Package libcurl4 (7.83.1-2.1) installed in root is up to date.
Package curl (7.83.1-2.1) installed in root is up to date.

$ opkg list-installed | grep curl
curl - 7.83.1-2.1
libcurl4 - 7.83.1-2.1

$ opkg list-installed | grep wolfssl
libustream-wolfssl20201210 - 2022-01-16-868fd881-2
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-2
libwolfssl5.5.1.99a5b54a - 5.5.1-stable-2
px5g-wolfssl - 4.1

$ opkg remove libwolfssl5.5.1.99a5b54a
No packages removed.
Collected errors:
 * print_dependents_warning: Package libwolfssl5.5.1.99a5b54a is depended upon by packages:
 * print_dependents_warning: 	libustream-wolfssl20201210
 * print_dependents_warning: 	px5g-wolfssl
 * print_dependents_warning: 	libcurl4
 * print_dependents_warning: These might cease to work if package libwolfssl5.5.1.99a5b54a is removed.

 * print_dependents_warning: Force removal of this package with --force-depends.
 * print_dependents_warning: Force removal of this package and its dependents
 * print_dependents_warning: with --force-removal-of-dependent-packages.

$ curl -sSL https://google.de
curl: (1) Protocol "https" not supported or disabled in libcurl

So is the only way to update to 22.03?

Sorry about that, but I think I accidentally clicked the button. Anyway...

You installed the 7.83.1-2.1 version which is the one broken because of the wolfssl security update. If you can't see a higher version in the releases for your archi, you need to downgrade to 7.83.1-1 versions for now.

curl - 7.83.1-1
libcurl4 - 7.83.1-1

To do this (excerpt from here: https://github.com/openwrt/packages/issues/19547#issuecomment-1271809668)

Until it's fixed you could use the archive repo:
https://archive.openwrt.org/releases/
https://archive.openwrt.org/releases/21.02.3/packages/x86_64/packages/ e.g.
and download these packages which aren't affected:

curl - 7.83.1-1 (packages)
libcurl4 - 7.83.1-1 (packages)
libwolfssl5.2.0.99a5b54a - 5.2.0-stable-2 (base)

e.g. for 21.02 x86_64 - step by step: (with typo corrections)

wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/packages/curl_7.83.1-1_x86_64.ipk
wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/packages/libcurl4_7.83.1-1_x86_64.ipk
wget -q https://archive.openwrt.org/releases/21.02.3/packages/x86_64/base/libwolfssl5.2.0.99a5b54a_5.2.0-stable-2_x86_64.ipk
opkg install libwolfssl5.2.0.99a5b54a_5.2.0-stable-2_x86_64.ipk
opkg install libcurl4_7.83.1-1_x86_64.ipk
opkg install curl_7.83.1-1_x86_64.ipk

^^^ NOTE: I corrected the above as the instructions in the comment in github is incorrect.
You might need to also do --force-reinstall if it won't downgrade the package.

2 Likes

You might need to raise an issue here: https://github.com/openwrt/packages/issues as i'm not sure about your problem. If you do custom build, this might help: https://github.com/openwrt/packages/issues/19547

Are you using a CA file? If not, it may be related to an issue upstream, I'm going to update the package within a few days.