OpenWrt Numerous Unbound ssl handshake failed crypto errors

Is anyone else seeing these errors on Linksys E8450 with OpenWrt 23.05.2 and Unbound 1.18.0? Packages ca-bundle and ca-certificates already installed.

Seeing the same errors with DNS over TLS (DoT) providers Google and Cloudflare per article https://openwrt.org/docs/guide-user/services/dns/dot_unbound.

/etc/config/unbound (only one zone):

config zone
        option dns_assist 'none'
        option zone_type 'forward_zone'
        list zone_name '.'
        option tls_upstream '1'
        option tls_port '853'
        option fallback '1'
        option enabled '1'
        option tls_index 'family.cloudflare-dns.com'
        list server '1.1.1.3'
        list server '1.0.0.3'

...

Syslog errors:

Thu Dec  7 12:37:25 2023 daemon.info unbound: [5777:0] info: start of service (unbound 1.18.0).
Thu Dec  7 12:40:22 2023 daemon.err unbound: [5777:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:40:22 2023 daemon.notice unbound: [5777:0] notice: ssl handshake failed 192.5.5.241 port 53
Thu Dec  7 12:40:22 2023 daemon.err unbound: [5777:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:40:22 2023 daemon.notice unbound: [5777:0] notice: ssl handshake failed 192.5.5.241 port 53
Thu Dec  7 12:42:15 2023 daemon.err unbound: [5777:1] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:15 2023 daemon.notice unbound: [5777:1] notice: ssl handshake failed 199.9.14.201 port 53
Thu Dec  7 12:42:15 2023 daemon.err unbound: [5777:1] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:15 2023 daemon.notice unbound: [5777:1] notice: ssl handshake failed 199.9.14.201 port 53
Thu Dec  7 12:42:27 2023 daemon.err unbound: [5777:1] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:27 2023 daemon.notice unbound: [5777:1] notice: ssl handshake failed 192.5.5.241 port 53
Thu Dec  7 12:42:27 2023 daemon.err unbound: [5777:1] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:27 2023 daemon.notice unbound: [5777:1] notice: ssl handshake failed 192.5.5.241 port 53
Thu Dec  7 12:42:45 2023 daemon.err unbound: [5777:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:45 2023 daemon.notice unbound: [5777:0] notice: ssl handshake failed 199.9.14.201 port 53
Thu Dec  7 12:42:46 2023 daemon.err unbound: [5777:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:46 2023 daemon.notice unbound: [5777:0] notice: ssl handshake failed 199.9.14.201 port 53
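
The syslog lines above, triaged with an added Python script (not from this thread or from Unbound): it counts handshake failures per peer address and port and checks each peer against the forwarders and tls_port from the posted /etc/config/unbound. Assumptions: the forwarder set and TLS port are hard-coded from that config, and the sample log is a constructed subset of the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Thu Dec  7 12:37:25 2023 daemon.info unbound: [5777:0] info: start of service (unbound 1.18.0).
Thu Dec  7 12:40:22 2023 daemon.err unbound: [5777:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:40:22 2023 daemon.notice unbound: [5777:0] notice: ssl handshake failed 192.5.5.241 port 53
Thu Dec  7 12:42:15 2023 daemon.err unbound: [5777:1] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Thu Dec  7 12:42:15 2023 daemon.notice unbound: [5777:1] notice: ssl handshake failed 199.9.14.201 port 53
"""

# Taken from the posted zone: list server 1.1.1.3 / 1.0.0.3, option tls_port '853'.
CONFIGURED_FORWARDERS = {"1.1.1.3", "1.0.0.3"}
TLS_PORT = 853

# "notice:" lines carry the peer; "error:" lines carry the OpenSSL error string.
PEER_RE = re.compile(r"notice: ssl handshake failed (\S+) port (\d+)$")
CRYPTO_RE = re.compile(r"error: ssl handshake failed crypto (error:[0-9A-Fa-f]+:\S*)")


def triage(log_text, forwarders=CONFIGURED_FORWARDERS, tls_port=TLS_PORT):
    """Summarise handshake failures per peer and flag peers that are not
    the configured DoT forwarders or not on the configured TLS port."""
    per_peer = Counter()
    crypto = Counter()
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:
            per_peer[(m.group(1), int(m.group(2)))] += 1
            continue
        m = CRYPTO_RE.search(line)
        if m:
            crypto[m.group(1)] += 1

    peers = []
    for (ip, port), n in sorted(per_peer.items(), key=lambda kv: -kv[1]):
        if ip in forwarders and port == tls_port:
            kind = "configured DoT forwarder"
        elif port != tls_port:
            kind = "peer is not on tls_port; not a configured forwarder"
        else:
            kind = "unknown peer on tls_port"
        peers.append({"peer": ip, "port": port, "failures": n, "kind": kind})

    unexpected = [p for p in peers if p["peer"] not in forwarders]
    return {"peers": peers, "unexpected_peers": unexpected, "crypto_errors": dict(crypto)}


if __name__ == "__main__":
    for p in triage(SAMPLE_LOG)["peers"]:
        print(p)
```

In the posted log every failing peer is on port 53 and none of them is a configured forwarder, which is the first thing to check before blaming the DoT upstreams or the CA bundle. The string error:00000000:lib(0)::reason(0) is OpenSSL's rendering of an empty error queue, so the handshake failed without OpenSSL recording a library-level error.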

I have the same issue on Netgear R7800.

Sat Dec  9 17:59:30 2023 daemon.err unbound: [11697:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Sat Dec  9 17:59:30 2023 daemon.notice unbound: [11697:0] notice: ssl handshake failed 199.9.14.201 port 53
Sat Dec  9 17:59:30 2023 daemon.err unbound: [11697:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
Sat Dec  9 17:59:30 2023 daemon.notice unbound: [11697:0] notice: ssl handshake failed 199.9.14.201 port 53

server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: yes

    forward-addr: 8.8.8.8@853#dns.google.com
    forward-addr: 8.8.4.4@853#dns.google.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

OpenWrt 23.05.2
Unbound 1.18.0-1

Thanks for replicating, @SuperMaks. Within file /etc/unbound/unbound_srv.conf I added the line below, however, the errors persist.

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

To clarify, I have not actually experienced any DNS resolution issues. These errors just flood syslog and create noise. It's not clear if they're only cosmetic. I found another bug report related to this issue at https://bugs.kali.org/view.php?id=8470, but there was no resolution. Guess we'll have to wait until the next unbound release.

I suppose the only workaround is to use another DNS over TLS method such as stubby or DNS over HTTPS with luci-app-https-dns-proxy + dnsmasq. The downside is that the local recursion function is lost (option fallback).

I think that the issue is probably on the server side, a wrong certificate maybe. I found an e-mail address for feedback and I have sent this question to them.


@SuperMaks I have the same suspicion. Did you discover any solutions or workaround to this issue?

On my router there is no RTC, so the system has to get the current date and time from an NTP server, which can't be resolved without Unbound running. So the goal is to write the IP addresses of these NTP servers directly; this way OpenWRT can ask for the current date and time, set it, and Unbound can run with the right certificates.