Openwrt 21.02 - Curl and Wget fail on some https sites, openssl does not

root@OpenWrt:~# curl https://www.boe.es -v
* SSL_connect failed with error -313: received alert fatal error
curl: (35) SSL_connect failed with error -313: received alert fatal error

root@OpenWrt:/etc/ssl# curl --cacert /etc/ssl/certs/ca-certificates.crt https://www.boe.es -v
* SSL_connect failed with error -313: received alert fatal error
curl: (35) SSL_connect failed with error -313: received alert fatal error
root@OpenWrt:/etc/ssl# curl -k https://www.boe.es -v
* SSL_connect failed with error -313: received alert fatal error
curl: (35) SSL_connect failed with error -313: received alert fatal error


root@OpenWrt:~#  wget https://www.boe.es
Downloading 'https://www.boe.es'
Connecting to 81.89.32.200:443
Connection error: Connection failed

root@OpenWrt:~# openssl s_client -connect boe.es:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
verify return:1
depth=0 C = ES, ST = Madrid, L = Madrid, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
verify return:1
---
Certificate chain
 0 s:C = ES, ST = Madrid, L = Madrid, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es
   i:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
 1 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 2 s:C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHXTCCBUWgAwIBAgIQPEtQ2N70Uh2V7I2bY6yULzANBgkqhkiG9w0BAQwFADBE
MQswCQYDVQQGEwJOTDEZMBcGA1UEChMQR0VBTlQgVmVyZW5pZ2luZzEaMBgGA1UE
AxMRR0VBTlQgT1YgUlNBIENBIDQwHhcNMjEwNjA0MDAwMDAwWhcNMjIwNjA0MjM1
OTU5WjBqMQswCQYDVQQGEwJFUzEPMA0GA1UECBMGTWFkcmlkMQ8wDQYDVQQHEwZN
YWRyaWQxJDAiBgNVBAoMG0JvbGV0w61uIE9maWNpYWwgZGVsIEVzdGFkbzETMBEG
A1UEAxMKd3d3LmJvZS5lczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJx5XC3jV6x2EXpamd2DT0Ve2hgpIFY9EICg0bprRkKaQlY/wOcnDodhxtu9G1qp
F92n++oaA1CdHj0rwD1wvfo5YHbioqYzU+Xli47nR7MuMCboS1oyw4DkRJu41kF5
hNjSS3dtwFIJxM4M5rh23jPovSoluOMPPMdRDT/PfKwF3++zRey6bnwXspW1k1cw
ZFDihp/baQ2g4l9Bb0n9wvsJmoFWmGcXfeOhiRBApPVWc1a4sY4iBkxQwtkVygfR
9Byv0cJ38/oiwKPZfnwSaQ6m8TlIyeTFLpbukwzawK+/dEY0KI/KdhFOywiXkWWb
GpFDVPusHsbxLIeNcP4tOD8CAwEAAaOCAyMwggMfMB8GA1UdIwQYMBaAFG8dNUkQ
bDL6WaCevIroH5W+cXoMMB0GA1UdDgQWBBR/V48Za8M3y9Eh0QkviktFAlKwjzAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEEAbIxAQICTzAlMCMGCCsGAQUF
BwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgIwPwYDVR0fBDgw
NjA0oDKgMIYuaHR0cDovL0dFQU5ULmNybC5zZWN0aWdvLmNvbS9HRUFOVE9WUlNB
Q0E0LmNybDB1BggrBgEFBQcBAQRpMGcwOgYIKwYBBQUHMAKGLmh0dHA6Ly9HRUFO
VC5jcnQuc2VjdGlnby5jb20vR0VBTlRPVlJTQUNBNC5jcnQwKQYIKwYBBQUHMAGG
HWh0dHA6Ly9HRUFOVC5vY3NwLnNlY3RpZ28uY29tMB0GA1UdEQQWMBSCCnd3dy5i
b2UuZXOCBmJvZS5lczCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHUARqVV63X6
kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF51hzz8wAABAMARjBEAiAuGYex
YfuLpmSt95WqwHhD+WPKCeXhq9O24XHA8WrykAIgGzzkGki9XRlDaCZESct0RH4d
x/ghWpLqE8ZH2yQcgJgAdQBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG
9gAAAXnWHPO1AAAEAwBGMEQCIEmjQQkakdyxNCTxzlTNwA57mdVTcRYlMFxG+8Cl
lqPJAiBAe7UMti3gUd3NRN6HBZQF6/g8uE8NZaF0WQlOgDWHRAB2ACl5vvCeOTkh
8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABedYc844AAAQDAEcwRQIhALlQTiRV
6KufONaUWeZ2+Cwi7yb9RdToKNlYGU0mVcFSAiA9Jop0ATSxzYqL5ezvw5ruRHiQ
3Wzml0vFsc+JUvp1czANBgkqhkiG9w0BAQwFAAOCAgEAVEYq8vvXL0agO0Q1D57f
GakslpI73x3at3qKJauf6eUmH9TULb9PPB/DzjsvRI7NfsJ92sRsPX94w8HIZarf
+4md0fssu3vgbWDHeBVc/qcCLFpps2ciHlDwYCBW6eTUOhFiCGreyom/8PKg6HaE
YNWTtDIRiQCxE/HvL65CiZYLvLRFhoxRPuVt+8zpXVr3krIrzadVMquTnh7eyB2X
AJq+v3i7ROkfeijd+JVp2PtZn5bXaDQCj9sdArBqvBJ7ZAYjHqzxrrRHxwt7oRBE
M3eF9J0wVyTv4UBbBtW2wgR5Va+es5uDLOSyFSB672FGzLO2Lamnz2ycTFP/nq2h
HvVSSRRXxJow7AcOTIL7jFDa5f/EMw0flirDM2Dpm1OcHNeZqmztK+2V6zUAX7tl
ywi8gERkczrRrbR3l05Aq5Eq5TJlCH06ouBiYvQervVkvZjW9rh5fJzE3XFNNNw6
2UD0jNcCIZOPmYau450uxYv9mRpm8lvkW31KOY3yso8YR9W9K7++aFIQXBa+5xvz
z0wwCoqFyJKOZIGAdk0K41V31LXWuhRKnMonuAdV4tb84zn2lHIUpOkkX0wNnj/t
89seCsbYP8CtnraTYaJ3DZxZbaN2sb4LiDe6K63u4RE/u/72sAgVQmxS/G/DPztv
EYU8wwbvyR7FfVlMRjC7UnY=
-----END CERTIFICATE-----
subject=C = ES, ST = Madrid, L = Madrid, O = Bolet\C3\ADn Oficial del Estado, CN = www.boe.es

issuer=C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4

---
No client certificate CA names sent
---
SSL handshake has read 5409 bytes and written 626 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 5598071FDD1206F5861C0B2152985E7D5CE66FC56DFEC22F46E91A557C446B28
    Session-ID-ctx: 
    Master-Key: 1B4C5BDF8BD9DF9B95D12C18ED73DFC4CA10C2076E8188DCD5A98EA70B16FE67D78B87EE5F7AE172E41F00D113761490
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 73 1f 53 cc 0a 98 17 9a-d7 a6 37 a5 06 85 48 45   s.S.......7...HE
    0010 - 25 20 4b 6b 8d 7d 97 ae-b2 5a ce 4d 65 99 6f 45   % Kk.}...Z.Me.oE
    0020 - c2 fb 31 fe 24 b9 2b b6-00 57 14 d0 19 cf 9e d7   ..1.$.+..W......
    0030 - bf 98 15 39 1b 59 c8 4f-53 96 e3 a1 57 cf c3 51   ...9.Y.OS...W..Q
    0040 - db 7c 05 7a 91 4e 29 98-4e aa 1c 07 b5 2b a5 84   .|.z.N).N....+..
    0050 - 56 b6 c5 c4 46 82 11 ee-81 29 9e b3 16 c9 a6 86   V...F....)......
    0060 - 80 e1 27 dd f9 42 a3 3f-af 80 1c 1c 5f 4a 54 46   ..'..B.?...._JTF
    0070 - 92 af dd 68 2c dc 18 11-31 4c 92 78 0e 1c 2f a6   ...h,...1L.x../.
    0080 - c2 b2 ed eb 62 95 02 a9-53 b0 76 05 62 b4 d5 05   ....b...S.v.b...
    0090 - dc 8a 63 d6 bb f0 df 35-9c 92 b6 e5 6f 04 40 53   ..c....5....o.@S
    00a0 - c2 e6 66 1d b4 da 33 20-4f de 82 3a 97 92 d8 5d   ..f...3 O..:...]

    Start Time: 1631890194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
GET / HTTP/1.0
Host:boe.es

HTTP/1.1 200 OK
Date: Fri, 17 Sep 2021 14:48:41 GMT
Server: Apache
x-frame-options: SAMEORIGIN
Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' 'self' ; connect-src 'self' ; img-src 'self' eur-lex.europa.eu data: ; style-src 'unsafe-inline' 'self' *.boe.es ; font-src 'self' ; child-src 'self'  www.youtube.com afirma: ; object-src 'self' ; media-src 'self'
Content-Type: text/html; charset=UTF-8
X-Varnish: 542296087 542868340
Age: 103
Via: 1.1 varnish-v4
Content-Length: 22112
Accept-Ranges: bytes
Connection: close

In OpenWrt 21.02, curl and wget are built with wolfSSL by default.
You can consider rebuilding them with another backend:
https://openwrt.org/docs/guide-developer/single.package

I have never managed to compile a package for Openwrt, anyway there is a bug isn't there?

1 Like

Is there a way to build a single package from source with the imagebuilder?

1 Like

Yep, it looks like a bug worth reporting:
https://openwrt.org/bugs