Hi.

On Mon, May 04, 2020 at 01:49:34PM +0200, Mark Jonas wrote:
> Hi Reco,
> 
> > > > Ok. Can you run tcpdump while you're running curl?
> > > > Specifically,
> > > >
> > > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443
> > >
> > > I tried to dump from within the running container but failed.
> >
> > It's way too complicated. Docker is basically one big NAT, so please
> > run tcpdump on a host instead.
> 
> I used the identical image to run the container on an armhf host
> (Raspberry Pi 3). So there is now no QEMU in the way.

Curious. Just tested it with curl on a Marvell Armada 385 (runs Debian 10,
armhf), works as it's supposed to.
I could also test it on Exynos 5422 (also runs Debian 10, armhf), but
it'll be the same.


> > But this hiccup gave me an idea - maybe libssl on armhf is perfectly
> > fine, but it's qemu which fails to emulate a certain CPU instruction.
> 
> curl https://www.google.com still fails on the armhf host. So QEMU is
> out of the game.

Ok. Is it possible to run curl via strace from inside the docker?
Something like this would be perfect (-o designates an output file):

strace -o /tmp/curl -e trace=file curl https://www.google.com


Specifically, it should try to open a symlink to
/etc/ssl/certs/GlobalSign_Root_CA_-_R2.pem.
Here it's called /etc/ssl/certs/4a6481c9.0, may be machine-specific.


> Packet capturing now also worked. For capturing QEMU was the problem.
> I also captured aria2c (succeeds with warning) and wget (silently
> succeeds).

For the archives, curl's pcap looks like this:

SYN
SYN,ACK
TLS client hello
TLS server hello, change cipher spec (an upgrade from TLSv1.2 to TLS1.3)
Alert (Level: Fatal, Description: Unknown CA) <- curl sends this
RST
FIN,ACK

wget and aria show what they're supposed to (TLS handshake, Application
Data ping pong).

Reco
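
The check the strace request above is aiming at, as an added example that is not part of the original mail: it filters `strace -e trace=file` output for lookups under /etc/ssl/certs and reports which hashed names were not found. The function names and the sample trace lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): list CA-store lookups recorded
# by `strace -e trace=file` and show which of them failed.

# Constructed sample trace lines, NOT taken from the thread.
sample_trace() {
cat <<'EOF'
execve("/usr/bin/curl", ["curl", "https://www.google.com"], 0xbefff6c4 /* 9 vars */) = 0
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 3
stat64("/etc/ssl/certs/4a6481c9.0", 0xbe8f1a30) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ssl/certs/4a6481c9.0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
+++ exited with 60 +++
EOF
}

# ca_lookups [DIR] < trace
# Prints "OK <path>" or "FAIL(<errno>) <path>" for each syscall whose first
# path argument lies under DIR (default /etc/ssl/certs).
ca_lookups() {
    awk -v dir="${1:-/etc/ssl/certs}" '
    {
        q = index($0, "\"")                  # opening quote of the path
        if (q == 0) next
        rest = substr($0, q + 1)
        e = index(rest, "\"")                # closing quote
        if (e == 0) next
        path = substr(rest, 1, e - 1)
        if (index(path, dir "/") != 1) next  # outside the CA directory
        n = split($0, part, " = ")           # return value follows the last " = "
        if (n < 2) next
        if (part[n] ~ /^-1 /) {
            split(part[n], f, " ")           # f[2] is the errno name
            print "FAIL(" f[2] ") " path
        } else {
            print "OK " path
        }
    }'
}

# missing_hashes [DIR] < trace
# Unique hashed names (<hash>.<n>) that the process looked for but did not find.
missing_hashes() {
    ca_lookups "$@" |
        awk '$1 ~ /^FAIL/ && $2 ~ /\/[0-9a-f]+\.[0-9]+$/ { n = split($2, p, "/"); print p[n] }' |
        sort -u
}

sample_trace | ca_lookups
sample_trace | missing_hashes
```

Against the real trace, run `ca_lookups < /tmp/curl`. A hashed name that only ever shows up as FAIL is a candidate for the root that curl could not find in the container's certificate directory.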
