SSL connection to downloads.openwrt.org not working - Connection was reset by peer

I suspect this is due to application firewall on the Nginx server.
Can resolve downloads.openwrt.org.
Can ping downloads.openwrt.org
Can connect to downloads.openwrt.org:80
Can't pull down Packages.gz over TLS

twiglets# curl -vvvv http://downloads.openwrt.org/releases/19.07.7/targets/ath79/generic/packages/Packages.gz

> GET /releases/19.07.7/targets/ath79/generic/packages/Packages.gz HTTP/1.1
> Host: downloads.openwrt.org
> User-Agent: curl/7.66.0
> Accept: */*
>

< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.2
< Date: Mon, 19 Jul 2021 09:58:28 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://downloads.openwrt.org/releases/19.07.7/targets/ath79/generic/packages/Packages.gz
<

301 Moved Permanently

301 Moved Permanently


nginx/1.14.2

twiglets# date ; time curl -vvvv https://downloads.openwrt.org/releases/19.07.7/targets/ath79/generic/packages/Packages.gz ; date
Mon Jul 19 19:39:57 AEST 2021

* ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer
curl: (35) ssl_handshake returned - mbedTLS: (-0x0050) NET - Connection was reset by peer
curl -vvvv  0.66s user 0.02s system 0% cpu 2:04.35 total
Mon Jul 19 19:42:01 AEST 2021
twiglets# host downloads.openwrt.org
downloads.openwrt.org is an alias for mirror-02.infra.openwrt.org.
mirror-02.infra.openwrt.org has address 168.119.138.211
mirror-02.infra.openwrt.org has IPv6 address 2a01:4f8:251:321::2
twiglets# ping 168.119.138.211
PING 168.119.138.211 (168.119.138.211): 56 data bytes
64 bytes from 168.119.138.211: seq=0 ttl=53 time=303.318 ms
64 bytes from 168.119.138.211: seq=1 ttl=53 time=304.514 ms
^C
--- 168.119.138.211 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 303.318/303.916/304.514 ms

Stop MWAN and put down the WAN6 interface if any, then try to reproduce the issue.

There's no IPv6 (other than the link-local address).
And the fact that HTTP over IPv4 works, but HTTPS over IPv4 doesn't, suggests an L7 firewall issue.

twiglets# curl -4 -vvvv http://downloads.openwrt.org/
> GET / HTTP/1.1
> Host: downloads.openwrt.org
> User-Agent: curl/7.66.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.2
< Date: Mon, 19 Jul 2021 11:20:38 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location: https://downloads.openwrt.org/
< 

301 Moved Permanently

301 Moved Permanently


nginx/1.14.2

twiglets# curl -4 -vvvv https://downloads.openwrt.org/
^C

I suspect it's because the VPN's IP address is being blocked by DigitalOcean (but only for TCP:443, not for TCP:80).
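The reasoning in the thread (DNS works, ICMP works, TCP to port 80 works, but the TLS handshake on port 443 is reset) is a staged test: each layer is checked in turn and the first one that fails localises the problem. The script below is an added example, not something posted in the thread, that automates that staging in pure Python 3 standard library (socket and ssl). The host and ports default to the ones discussed above; the `Probe` class, `probe()` and `diagnose()` names are my own. It does not replicate the ping step, since ICMP needs raw sockets, and `diagnose()` only classifies the plain-TCP versus TLS comparison the thread relies on.

```python
"""Stage a connectivity check: DNS -> TCP connect -> TLS handshake.

Added illustration for the troubleshooting thread above (not the thread's
own code). Standard library only; Python 3.8+ assumed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    port: int
    tls: bool
    stage: str            # first failing stage: "dns", "tcp", "tls", or "ok"
    error: Optional[str] = None


def probe(host: str, port: int, tls: bool, timeout: float = 10.0) -> Probe:
    """Resolve host (IPv4 only, mirroring `curl -4`), open a TCP connection,
    and optionally complete a TLS handshake. Records the first stage that
    fails together with the OS/SSL error text."""
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as e:
        return Probe(port, tls, "dns", str(e))

    family, socktype, proto, _, sockaddr = addrs[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as e:                  # refused, timed out, unreachable ...
        sock.close()
        return Probe(port, tls, "tcp", e.strerror or str(e))

    if not tls:
        sock.close()
        return Probe(port, tls, "ok")

    # wrap_socket() on an already-connected socket performs the handshake
    # immediately; a middlebox that resets TLS shows up here as
    # ConnectionResetError ("Connection reset by peer").
    ctx = ssl.create_default_context()
    try:
        tls_sock = ctx.wrap_socket(sock, server_hostname=host)
        tls_sock.close()
    except (ssl.SSLError, OSError) as e:
        return Probe(port, tls, "tls", getattr(e, "strerror", None) or str(e))
    return Probe(port, tls, "ok")


def diagnose(plain: Probe, secure: Probe) -> str:
    """Compare a plain-TCP probe (e.g. port 80) with a TLS probe (e.g. 443)
    and name the layer most likely responsible for a failure."""
    if plain.stage == "dns":
        return "name resolution fails: DNS problem, not a firewall"
    if plain.stage == "tcp" and secure.stage == "tcp":
        return "TCP connect fails on both ports: routing or L3/L4 filtering"
    if plain.stage == "ok" and secure.stage == "tcp":
        return "TCP to the TLS port is blocked while plain TCP works: port-based (L4) filtering"
    if plain.stage == "ok" and secure.stage == "tls":
        if secure.error and "reset" in secure.error.lower():
            return ("TCP connects but the TLS handshake is reset by peer: "
                    "something on the path inspects TLS (L7 filtering or a middlebox)")
        return "TCP connects but TLS fails: certificate, SNI or protocol mismatch"
    if plain.stage == "ok" and secure.stage == "ok":
        return "plain TCP and TLS both reach the server"
    return f"unclassified: plain={plain.stage}, tls={secure.stage}"


if __name__ == "__main__":
    HOST = "downloads.openwrt.org"     # host from the thread
    p80 = probe(HOST, 80, tls=False)
    p443 = probe(HOST, 443, tls=True)
    print(p80)
    print(p443)
    print(diagnose(p80, p443))
```

Run it from the affected router or VPN client and again from a host outside the VPN; if only the in-VPN run reports the "TLS handshake is reset by peer" verdict while port 80 succeeds, the fault is on the path (VPN provider or an inspecting device), not on the mirror.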

curl -L ...

https://man.cx/curl#:~:text=3XX


It's the VPN bearer. I'm talking with them now. OpenConnect is broken for TLS L7 traffic, OpenVPN over UDP is completely broken and the L2 link won't even establish. OpenVPN over TCP works.
