Re: fetch file from https URL fails with ftp/wget/curl on sparc64

[Markus Lude]

On Sat, Nov 07, 2015 at 04:57:51PM +1100, Joel Sing wrote:
> On Friday 06 November 2015 00:22:10 Markus Lude wrote:
> > >Synopsis:  ssl handshake failure
> > >Category:  library sparc64
> > 
> > >Environment:
> >     System      : OpenBSD 5.8
> >     Details     : OpenBSD 5.8-current (GENERIC) #774: Tue Nov  3 00:43:51 
> > MST
> > 2015 dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
> > 
> >     Architecture: OpenBSD.sparc64
> >     Machine     : sparc64
> > 
> > >Description:
> >     initial problem:
> > for port www/youtube-dl "make fetch" failed on sparc64
> > 
> > see thread on ports@
> > "www/youtube-dl fetch fails due to ssl handshake failure"
> > 
> > fuseki:/usr/ports/www/youtube-dl> make fetch
> > ===>  Checking files for youtube-dl-2015.11.01
> > 
> > >> Fetch https://yt-dl.org/downloads/2015.11.01/youtube-dl-2015.11.01.tar.gz
> > 
> > ftp: SSL read error: read failed: error:140940E5:SSL
> > routines:SSL3_READ_BYTES:ssl handshake failure
> 
> I'm unable to reproduce this here:
> 
> $ sysctl kern.version
> kern.version=OpenBSD 5.8-current (GENERIC) #778: Thu Nov  5 11:39:56 MST 2015
>     dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
> 
> $ ftp https://yt-dl.org/downloads/2015.11.01/youtube-dl-2015.11.01.tar.gz     
>                      
> Trying 95.143.172.170...
> Requesting https://yt-dl.org/downloads/2015.11.01/youtube-dl-2015.11.01.tar.gz
> 100% |
> ***************************************************************************************************************************************************************************************************|
>   
> 1737 KB    00:11    
> 1779098 bytes received in 11.21 seconds (155.05 KB/s)
> 
> Does the same thing happen if you try:
> 
> $ openssl s_client -connect yt-dl.org:443 -servername yt-dl.org

after "verify return:0" it hangs for around 13s

fuseki:/tmp> openssl s_client -connect yt-dl.org:443 -servername yt-dl.org
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN 
= COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
1067787898372:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_lib.c:124:
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=yt-dl.org
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External 
CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGQDCCBSigAwIBAgIRANSxuIp7Z9vIUoqubfUDZhgwDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD
VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg
Q0EwHhcNMTUwMTMwMDAwMDAwWhcNMTgwMjEwMjM1OTU5WjBNMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxFDASBgNVBAsTC1Bvc2l0aXZlU1NMMRIw
EAYDVQQDEwl5dC1kbC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQC7FuS9PklPUJNSyiW1V+4dCCTHlNdMt6/kzuZfx7W28fyoRUoJKZUrbdZS+0Je
7E5vpYJOVOuGYoK7abckvy+3Kn3dn7YjfrFSpX+la1UfzHMxM3iRWKemuLzNPj5d
Ix7hUow55gO+NWvOEoBEv7hDRfLRmXL0O+BSw//qpGI8bkNxl/Mt35gVVIHtE9Tz
JRebfh1sHgFd1t+36tC3zbFqkCqr2jbQqdfhTcYSfhHQExyHbdAuB2jPo4AnQ3Cy
ClD4xiwhK+h2Lylmb4t3jzx1jU2h2npc45aoaUGJZ3CcLiGsbK0DYj4UrIkuRaMY
kGTow1cBQVbkdvGRO5872N6Pnpz+BmKH+OeH7ulIJ0xjQyAUbkW/VMo3yp7tWO4x
01HAEeC8rBe70Aj8OCtf5m+f7X3zPxiD09ew02J07YMCakb2XD5RQDnv1rcMc2h+
mhWBfd9GWio2SfLtpnbKrkqkTIlaRgDSmlRTgGp5hIDhFeR/JRJZnqDS84Iyt8Dk
qpEQn4XZO8P7n/6SWOCxz/psezU/TxUf5CldjPdXSJrzWKkn2SiNLNyQZUwAIBi4
NHmQ5Os95wIHi515rWGLWjc9ECAAlpiKrP4RZYYbqkqPrWLHHOBPY3VE27WdaMwW
eGTpN4lPjBqrIBNjTguuNCNKyZG3nmn7ucCK3N+upnBDkQIDAQABo4IB1TCCAdEw
HwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFJtMR6qY
844Comp3hT6l+1T/Jq2DMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQB
sjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20v
Q1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0Eu
Y3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29t
b2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJD
QS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAjBgNV
HREEHDAaggl5dC1kbC5vcmeCDXd3dy55dC1kbC5vcmcwDQYJKoZIhvcNAQELBQAD
ggEBADm/o4TYmcS8GuB3nfUdUgvUBWSg1xNdjsEVIYYnQyNeJ6pBmGUlxsWHmNPI
WJbnYPu+UvaToqZriPj9/IUG8oUPEd7ylKvDAogIXYtVhAPmwoB39hiZuRsW95fu
zAInwM/LYx+y+476Y2aHwx+IB/TDQ0RVrouz6EeM4Zt9q8g0ew/gJqBra6Z5PnHh
eDvnCrHiUuCw1t3JKsJYyR7LpklsPOi/i+Q8Y6ovEGqvIg+FlBbGMQ/wp7S1DuOR
eJ4SbXb2R3BfsD1fnF/VSYoxcDO+rrwMviTvChesZQmAHq89YozZzm/w063mq5LX
pXKtDsw1LUuhmxXqUS/psd0aBZk=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=yt-dl.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA 
Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6200 bytes and written 574 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
6664C7BD75E47228B27022B1E37B7D43D1A48F4D4276C6302A9ACD8A4295BE1B35F96BEBCF29E3B93566EEDFE9C754A0
    Start Time: 1446917661
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

> 
> > >How-To-Repeat:
> > more failures to get the file:
> > 
> > fuseki:/tmp> /usr/bin/ftp -V -m -k 0 -C -o youtube-dl-2015.11.01.part
> > https://yt-dl.org/downloads/2015.11.01/ ftp: SSL read error: read failed:
> > error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
> > 
> > fuseki:/tmp> /usr/bin/ftp -4 -m -C -o youtube-dl-2015.11.01.part
> > https://yt-dl.org/downloads/2015.11.01/ Trying 95.143.172.170...
> > Requesting https://yt-dl.org/downloads/2015.11.01/
> > ftp: SSL read error: handshake failed: Connection reset by peer
> > 
> > fuseki:/tmp> /usr/bin/ftp -4 -d -o youtube-dl-2015.11.01.part
> > https://yt-dl.org/downloads/2015.11.01/ host yt-dl.org, port (null), path
> > downloads/2015.11.01/, save as youtube-dl-2015.11.01.part, auth (null).
> > Trying 95.143.172.170...
> > Requesting https://yt-dl.org/downloads/2015.11.01/GET /downloads/2015.11.01/
> > HTTP/1.0 Host: yt-dl.org
> > User-Agent: OpenBSD ftp
> > 
> > 
> > ftp: SSL read error: read failed: error:140940E5:SSL
> > routines:SSL3_READ_BYTES:ssl handshake failure
> > 
> > fuseki:/tmp> wget https://yt-dl.org/downloads/2015.11.01/
> > --2015-11-04 23:59:03--  https://yt-dl.org/downloads/2015.11.01/
> > Resolving yt-dl.org (yt-dl.org)... 2001:1a50:11:0:5f:8f:acaa:177,
> > 95.143.172.170 Connecting to yt-dl.org
> > (yt-dl.org)|2001:1a50:11:0:5f:8f:acaa:177|:443... connected. Unable to
> > establish SSL connection.
> > 
> > fuseki:/tmp> curl https://yt-dl.org/downloads/2015.11.01/
> > curl: (35) Unknown SSL protocol error in connection to yt-dl.org:443
> > 
> > fuseki:/tmp> curl -vvv -4 -D bla https://yt-dl.org/downloads/2015.11.01/
> > *   Trying 95.143.172.170...
> > * Connected to yt-dl.org (95.143.172.170) port 443 (#0)
> > * ALPN, offering http/1.1
> > * Cipher selection:
> > ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully
> > set certificate verify locations:
> > *   CAfile: /etc/ssl/cert.pem
> >   CApath: none
> > * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> > * TLSv1.2 (IN), TLS handshake, Server hello (2):
> > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > * Unknown SSL protocol error in connection to yt-dl.org:443
> > * Closing connection 0
> > curl: (35) Unknown SSL protocol error in connection to yt-dl.org:443
> > 
> > >Fix:
> >     fetching file on i386 and amd64 works
> > 
> > SENDBUG: Run sendbug as root if this is an ACPI report!
> > SENDBUG: dmesg and usbdevs are attached.
> > SENDBUG: Feel free to delete or use the -D flag if they contain sensitive
> > information.
> > 
> > dmesg:
> > OpenBSD 5.8-current (GENERIC) #774: Tue Nov  3 00:43:51 MST 2015
> >     dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
> > real mem = 536870912 (512MB)
> > avail mem = 511459328 (487MB)
> > mpath0 at root
> > scsibus0 at mpath0: 256 targets
> > mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
> > cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
> > cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external
> > (64 b/l) psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
> > psycho0: bus range 0-1, PCI bus 0
> > psycho0: dvma map c0000000-dfffffff
> > pci0 at psycho0
> > ebus0 at pci0 dev 12 function 0 "Sun RIO EBus" rev 0x01
> > "flashprom" at ebus0 addr 0-fffff not configured
> > clock1 at ebus0 addr 0-1fff: mk48t59
> > ebus1 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
> > "dma" at ebus1 addr 0-ffff ivec 0x2a not configured
> > power0 at ebus1 addr 800-82f ivec 0x20
> > com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
> > com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
> > gem0 at pci0 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 0x7c6, address
> > 00:03:ba:18:3a:e9 ukphy0 at gem0 phy 1: Generic IEEE 802.3u media
> > interface, rev. 1: OUI 0x0010dd, model 0x0002 "Sun FireWire" rev 0x01 at
> > pci0 dev 12 function 2 not configured
> > ohci0 at pci0 dev 12 function 3 "Sun USB" rev 0x01: ivec 0x7e4, version 1.0,
> > legacy support alipm0 at pci0 dev 3 function 0 "Acer Labs M7101 Power" rev
> > 0x00: 223KHz clock iic0 at alipm0
> > "max1617" at alipm0 addr 0x18 skipped due to alipm0 bugs
> > "scm001" at alipm0 addr 0x20 skipped due to alipm0 bugs
> > spdmem0 at iic0 addr 0x50: 512MB SDRAM ECC PC133CL2
> > autri0 at pci0 dev 8 function 0 "Acer Labs M5451 Audio" rev 0x01: ivec 0x7e3
> > ac97: codec id 0x41445348 (Analog Devices AD1881A)
> > ac97: codec features headphone, Analog Devices Phat Stereo
> > audio0 at autri0
> > midi0 at autri0: <4DWAVE MIDI UART>
> > pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA,
> > channel 0 configured to native-PCI, channel 1 configured to native-PCI
> > pciide0: using ivec 0x7cc for native-PCI interrupt
> > wd0 at pciide0 channel 0 drive 0: <ST3120213A>
> > wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
> > atapiscsi0 at pciide0 channel 0 drive 1
> > scsibus1 at atapiscsi0: 2 targets
> > cd0 at scsibus1 targ 0 lun 0: <LITEON, CD-ROM LTN486S, Y3S2> ATAPI 5/cdrom
> > removable wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> > cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
> > wd1 at pciide0 channel 1 drive 0: <WDC WD1600AAJB-00J3A0>
> > wd1: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
> > wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> > ppb0 at pci0 dev 5 function 0 "Intel S21152BB" rev 0x00
> > pci1 at ppb0 bus 1
> > rl0 at pci1 dev 2 function 0 "D-Link DFE-530TX+" rev 0x10: ivec 0x7d5,
> > address 00:11:95:21:ec:70 rlphy0 at rl0 phy 0: RTL internal PHY
> > machfb0 at pci0 dev 19 function 0 "ATI Rage XL" rev 0x27
> > machfb0: ATY,RageXL, 800x600
> > wsdisplay0 at machfb0 mux 1: console (std, sun emulation)
> > usb0 at ohci0: USB revision 1.0
> > uhub0 at usb0 "Sun OHCI root hub" rev 1.00/1.00 addr 1
> > uhidev0 at uhub0 port 1 configuration 1 interface 0 "Fujitsu Component Type
> > 6 Keyboard" rev 1.00/1.02 addr 2 uhidev0: iclass 3/1
> > ukbd0 at uhidev0: 8 variable keys, 6 key codes, country code 33
> > wskbd0 at ukbd0: console keyboard, using wsdisplay0
> > uhidev1 at uhub0 port 2 configuration 1 interface 0 "Logitech USB-PS/2
> > Optical Mouse" rev 2.00/20.00 addr 3 uhidev1: iclass 3/1
> > ums0 at uhidev1: 3 buttons, Z dir
> > wsmouse0 at ums0 mux 0
> > vscsi0 at root
> > scsibus2 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus3 at softraid0: 256 targets
> > bootpath: /pci@1f,0/ide@d,0/disk@0,0
> > root on wd0a (a3fcc6617d442473.a) swap on wd0b dump on wd0b
> > 
> > usbdevs:
> > Controller /dev/usb0:
> > addr 1: full speed, self powered, config 1, OHCI root hub(0x0000),
> > Sun(0x108e), rev 1.00 port 1 addr 2: low speed, power 100 mA, config 1,
> > Type 6 Keyboard(0x0005), Fujitsu Component(0x0430), rev 1.02 port 2 addr 3:
> > low speed, power 98 mA, config 1, USB-PS/2 Optical Mouse(0xc03e),
> > Logitech(0x046d), rev 20.00 port 3 powered
> >  port 4 powered