WRT3200ACM unbound crypto error

Ansuel · July 15, 2019, 12:22am

Hello, i have openssl with unbount and i'm using cloudflare with DNS over TLS

I have a very annoying problem.... And i have this with or without hardware accelleration

This is something that i tought was fixed with a patch but... this still happens now.

error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

This happen randomly and after restart unbound doesn't change anything... With a reboot this gets solved or it does triggered again so to solve this i have to restart the router again and again.

@cotequeiroz since you helped some times ago can you help me with this?
I can do any test you want. This is getting pretty annoying as it's completely random and when happens my entire network goes down

cotequeiroz · July 15, 2019, 9:23pm

Needing to reboot machine would indicate a more probable hw failure. How did you turn off hw-acceleration?

fantom-x · July 15, 2019, 9:26pm

The clock drifted too much?

Ansuel · July 15, 2019, 10:10pm

i recompiled the image and removed any hw-accelleration feature like cryptodev

diizzy · July 15, 2019, 10:16pm

You're not doing anything funny like setting -O3 globally?
I don't think it's a hw issue to be honest. Having date and time drift or be off will most likely upset OpenSSL, consider installing (open)ntpd or such. You could try using nettle instead of OpenSSL to see if it's OpenSSL specific.

anomeome · July 15, 2019, 11:40pm

Would that really matter given the manner in which openssl behaves under the sheets, making the decision how to optimise itself based on the HW on which it is deployed.

Ansuel · July 15, 2019, 11:48pm

so we are 100% sure this is not a bug of openssl or unbound ?

anyway i checked config flag and i have -O2 so....

diizzy · July 16, 2019, 7:02am

-O2 should be fine, if possible try compiling with nettle support instead to rule out OpenSSL wonkyness.