TLS handshake issues with WAN on VLAN with DSA

Dear community

I have an issue with some sites using TLS which I think may be caused by a configuration error on my end in combination with DSA and VLAN on wan.

My provider T-Mobile Thuis in The Netherlands has their WAN on VLAN 300. The following is the WAN configuration according to the provider.

Mode: Routing
Encapsulation: IPoE
IP mode: ipv4 only
VLAN: Enable 802.1p: 0 802.1q: 300
MTU: 1500
IP Address: DHCP

My router (Redmi Router AX6S - OpenWrt 23.05.0-rc2) uses DSA so I configured internet by the following lines in my network config.

config interface 'wan'
        option proto 'dhcp'
        option device 'wan.300'
        option delegate '0'

All is working well, but I do have some TLS issues. My first assumption was that this was caused by an incorrect MTU. This is not the case: the documentation from my provider says the WAN is 1500, I have MSS clamping enabled, and with the router provided by my provider I do not have this issue.

I tested the MTU with different sizes, and anything above 1472 fails (so I have a 1500 MTU, as expected).

ping 1.1.1.1 -D -s 1472 

Is there some kind of configuration I am missing with OpenWrt DSA? Is there something I need to configure to fix this? The issue exists on wireless and on ethernet.

Thank you so much for your help.

Please post a picture of the problem accessing a site with TLS if you can.

It is quite difficult to capture. I see that some apps are not able to connect on my Steam Deck. The best logging I can get is from the networkQuality tool on my MacBook. First it runs a couple of times okay, then it fails. But when I access the URI in the web browser it goes okay. Maybe it is something that gets overwhelmed sometimes; I cannot put my finger on the issue. It looks like it happens sooner when the connection is under load.

~ % networkQuality 
Downlink: capacity 0.000 Mbps, responsiveness 0 RPM - Uplink: capacity 0.000 Mbps, responsivDownlink: capacity 0.000 Mbps, responsiveness 1914 RPM - Uplink: capacity 0.000 Mbps, respon==== SUMMARY ====
Uplink capacity: 0.000 bps
Downlink capacity: 0.000 bps
Responsiveness: High (1914 RPM)
Idle Latency: 24.667 milliseconds
Error: Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x11f08a800) s: mensura-edge-relay.cdn-apple.com i: Apple Public Server ECC CA 12 - G1>",
    "<cert(0x11f0bbc00) s: Apple Public Server ECC CA 12 - G1 i: AAA Certificate Services>",
    "<cert(0x11f0bc400) s: AAA Certificate Services i: AAA Certificate Services>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://mensura.cdn-apple.com/api/v1/gm/large, NSErrorFailingURLStringKey=https://mensura.cdn-apple.com/api/v1/gm/large, NSUnderlyingError=0x6000001a2fa0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 "(null)" UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9846, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x11f08a800) s: mensura-edge-relay.cdn-apple.com i: Apple Public Server ECC CA 12 - G1>",
    "<cert(0x11f0bbc00) s: Apple Public Server ECC CA 12 - G1 i: AAA Certificate Services>",
    "<cert(0x11f0bc400) s: AAA Certificate Services i: AAA Certificate Services>"
), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600003ebc1e0>, _kCFStreamErrorDomainKey=3, NSErrorPeerAddressKey=<CFData 0x600002cb1cc0 [0x1e1b807f8]>{length = 16, capacity = 16, bytes = 0x100201bb11fd35030000000000000000}, _kCFStreamErrorCodeKey=-9846}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <5D9C83BA-C97F-4D13-BC29-39175ACC1633>.<1>"
), _kCFStreamErrorCodeKey=-9846, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <5D9C83BA-C97F-4D13-BC29-39175ACC1633>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x600003ebc1e0>, NSLocalizedDescription=An SSL error has occurred and a secure connection to the server cannot be made.}
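As an added example (not code from the thread), a small Python parser for the NSURLError dump above: it decodes the NSErrorPeerAddressKey sockaddr bytes and maps the SecureTransport code to its name, which tells you whether the failure is a trust problem or a corrupted TLS record. The code table is a subset copied from Apple's SecureTransport.h; the sample dump is a condructed, condensed copy of the one in the post.

```python
import re
import struct

# Subset of Apple SecureTransport result codes (SecureTransport.h); -9846 is the
# _kCFStreamErrorCodeKey value in the networkQuality dump above.
SECURE_TRANSPORT_CODES = {
    -9807: ("errSSLXCertChainInvalid", "invalid certificate chain"),
    -9814: ("errSSLCertExpired", "chain contains an expired certificate"),
    -9820: ("errSSLPeerBadRecordMac", "peer reported a bad record MAC"),
    -9843: ("errSSLHostNameMismatch", "peer host name mismatch"),
    -9845: ("errSSLDecryptionFail", "decryption failure"),
    -9846: ("errSSLBadRecordMac", "bad MAC on a received TLS record"),
}
# Integrity failures mean ciphertext arrived altered: suspect the path (checksum
# offload, driver, fragmentation), not the certificate chain.
INTEGRITY_CODES = {-9820, -9845, -9846}
TRUST_CODES = {-9807, -9814, -9843}

# Constructed sample: a condensed copy of the dump posted above.
SAMPLE_DUMP = (
    'Error Domain=NSURLErrorDomain Code=-1200 "An SSL error has occurred" UserInfo={'
    'NSErrorFailingURLKey=https://mensura.cdn-apple.com/api/v1/gm/large, '
    'NSUnderlyingError=0x6000001a2fa0 {Error Domain=kCFErrorDomainCFNetwork Code=-1200 '
    'UserInfo={_kCFNetworkCFStreamSSLErrorOriginalValue=-9846, NSErrorPeerAddressKey='
    '<CFData 0x600002cb1cc0>{length = 16, capacity = 16, '
    'bytes = 0x100201bb11fd35030000000000000000}, _kCFStreamErrorCodeKey=-9846}}}'
)

def decode_peer_address(hex_bytes: str) -> str:
    """Decode a BSD sockaddr_in (sin_len, sin_family, sin_port, sin_addr) to 'ip:port'."""
    raw = bytes.fromhex(hex_bytes[2:] if hex_bytes.startswith("0x") else hex_bytes)
    _sin_len, family, port = struct.unpack("!BBH", raw[:4])  # port in network byte order
    if family != 2:  # AF_INET; the provider's WAN is IPv4-only, so that is all we decode
        raise ValueError(f"unsupported address family {family}")
    return ".".join(str(b) for b in raw[4:8]) + f":{port}"

def analyse_dump(dump: str) -> dict:
    """Extract URL, SecureTransport code and peer from an NSURLError dump and classify it."""
    url = re.search(r"NSErrorFailingURLKey=(\S+?),", dump)
    code = re.search(r"_kCFNetworkCFStreamSSLErrorOriginalValue=(-?\d+)", dump)
    addr = re.search(r"bytes = (0x[0-9a-fA-F]+)", dump)
    if not (url and code and addr):
        raise ValueError("dump does not contain the expected NSURLError fields")
    value = int(code.group(1))
    name, meaning = SECURE_TRANSPORT_CODES.get(value, ("unknown", "code not in table"))
    category = ("record integrity" if value in INTEGRITY_CODES
                else "certificate/trust" if value in TRUST_CODES else "other")
    return {"url": url.group(1), "code": value, "name": name, "meaning": meaning,
            "peer": decode_peer_address(addr.group(1)), "category": category}
```

Run `analyse_dump(SAMPLE_DUMP)` to get the classification; a "record integrity" result points at something on the path mangling packets rather than at the certificate chain.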

I'm sorry, I'm not very helpful,

but I see in the code you sent this error:

Try the link below, maybe it works:

An SSL error has occurred and a secure connection to the server cannot be made

https://www.google.com/search?client=firefox-b-e&q=An+SSL+error+has+occurred+and+a+secure+connection+to+the+server+cannot+be+made

Thanks for your help and time, unfortunately it doesn't fix the issue. Will try tomorrow with another router just to rule things out.

A VLAN in general, and OpenWrt specifically, should not be the root cause of a TLS issue. Handshakes happen at the application layer, above the routing layer (L3), and the router itself shouldn't cause this type of issue unless maybe it is due to fragmenting or similar as a function of MTU.


Thanks for your replies. I have now switched to an EdgeRouter X running stock firmware and the issue is not there. Same MTU, thanks for your help guys. Maybe it is some driver bug, but now I have mitigated the issue by using the EdgeRouter as a gateway, and the Redmi Router AX6S for all other stuff.