Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Greg, > > How do I get in contact with somebody who can fix the problem in > > Debian Buser and/ or the official Debian Buster arm32v7 Docker image? > > Looks a bit like > to me. Thanks a lot! Yes, this looks a lot like my problem.

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Greg Wooledge
On Tue, May 05, 2020 at 04:33:35PM +0200, Mark Jonas wrote: > # ls -l /etc/ssl/certs/4a6481c9.0 > ls: cannot access '/etc/ssl/certs/4a6481c9.0': No such file or directory > > What is the difference between the numbered links and the ones with > human readable names? > > I *think* that the

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > Yes, I have my own Dockerfile and I can add to it whatever I want. But > > "dpkg-reconfigure ca-certificates" asks a lot of questions. And that > > list from 1 to 128 might eventually change. So I am puzzled how to > > automate that without human intervention. > > dpkg-reconfigure

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Greg, > You... *think* it's there? Why not actually look? > > unicorn:~$ ls -l /etc/ssl/certs/4a6481c9.0 > lrwxrwxrwx 1 root root 27 Jul 14 2018 /etc/ssl/certs/4a6481c9.0 -> > GlobalSign_Root_CA_-_R2.pem > > It takes a few seconds, and then you can remove all doubt. Correct, the file is

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Michael, yes, I also tried "update-ca-certificates" and it doesn't work. # curl https://www.google.com curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Greg Wooledge
> > > 1613 stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No > > > such file or directory) > > > > Presumably ca-certificates postinst script haven't run, because these > > symlinks missing ain't normal. > > Ubuntu 18.04 on my PC gives more or less the same errors but succeeds. >

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Reco
On Tue, May 05, 2020 at 08:44:43AM +0200, Mark Jonas wrote: > Hi Reco, > > > > What now? How do I get this fixed in Debian and/ or the official > > > container image? > > > > I was under the impression that you're creating your own docker > > container anyway. > > Add it to docker build file or

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Andrei POPESCU
On Ma, 05 mai 20, 08:44:43, Mark Jonas wrote: > > I am also very much interested in getting the attention of the right > person to fix the official Debian Docker base image. Do you have an > idea whom I shall contact? You didn't mention where you got your images from, but maybe this is a start:

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Michael Howard
On 05/05/2020 07:44, Mark Jonas wrote: Hi Reco, What now? How do I get this fixed in Debian and/ or the official container image? I was under the impression that you're creating your own docker container anyway. Add it to docker build file or whatever it's called. Yes, I have my own

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > What now? How do I get this fixed in Debian and/ or the official > > container image? > > I was under the impression that you're creating your own docker > container anyway. > Add it to docker build file or whatever it's called. Yes, I have my own Dockerfile and I can add to it

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Reco
Hi. On Tue, May 05, 2020 at 08:05:04AM +0200, Mark Jonas wrote: > What now? How do I get this fixed in Debian and/ or the official > container image? I was under the impression that you're creating your own docker container anyway. Add it to docker build file or whatever it's called.

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-05 Thread Mark Jonas
Hi Reco, > > 1613 stat64("/etc/ssl/certs/4a6481c9.0", 0x7ec95160) = -1 ENOENT (No > > such file or directory) > > Presumably ca-certificates postinst script haven't run, because these > symlinks missing ain't normal. Ubuntu 18.04 on my PC gives more or less the same errors but succeeds. So I

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Reco
Hi. On Mon, May 04, 2020 at 08:41:43PM +0200, Mark Jonas wrote: > Hi Reco, > > > > I used the identical image to run the container on an amhf host > > > (Raspberry Pi 3). So there is now no QEMU in the way. > > > > Curious. Just tested it with curl at Marvell Armada 385 (runs Debian 10,

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, > > I used the identical image to run the container on an amhf host > > (Raspberry Pi 3). So there is now no QEMU in the way. > > Curious. Just tested it with curl at Marvell Armada 385 (runs Debian 10, > armhf), works as supposed to. > I could also test it on Exynos 5422 (also runs

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Tomas, > > Yes, "curl -k https:/www.google.com" succeeds. > > Then it's quite probable that the problem lies with certificate > resolution. Either it doesn't find a trusted root cert to validate > the server against, or the validation fails. > > You might try curl's -v option (with and without

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread tomas
On Mon, May 04, 2020 at 02:39:09PM +0200, Mark Jonas wrote: > Hi Thomas, > > > > curl https://www.google.com still fails on the armhf host. So QEMU is > > > out of the game. > > > > Someone hinted at ca_certificates. To verify that, you could try with > > the option "-k" for curl. Then the server

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Thomas, > > curl https://www.google.com still fails on the armhf host. So QEMU is > > out of the game. > > Someone hinted at ca_certificates. To verify that, you could try with > the option "-k" for curl. Then the server certificate isn't checked. Yes, "curl -k https:/www.google.com"

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Reco
Hi. On Mon, May 04, 2020 at 01:49:34PM +0200, Mark Jonas wrote: > Hi Reco, > > > > > Ok. Can you run tcpdump while you're running curl? > > > > Specifically, > > > > > > > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443 > > > > > > I tried to dump from within the running container

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread tomas
On Mon, May 04, 2020 at 01:49:34PM +0200, Mark Jonas wrote: > Hi Reco, > > > > > Ok. Can you run tcpdump while you're running curl? > > > > Specifically, > > > > > > > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443 > > > > > > I tried to dump from within the running container but failed.

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, > > > Ok. Can you run tcpdump while you're running curl? > > > Specifically, > > > > > > tcpdump -s0 -pnni any -w /tmp/curl.pcap tcp port 443 > > > > I tried to dump from within the running container but failed. > > It's way too complicated. Docker is basically a one big NAT, so please >

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Reco
Hi. On Mon, May 04, 2020 at 09:27:14AM +0200, Mark Jonas wrote: > >> >> curl: (60) SSL certificate problem: unable to get local issuer > >> >> certificate > >> >> > >> >> Does that mean a TLS library does not feature all required protocols on > >> >> armhf? > >> > > >> > TLS library

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-04 Thread Mark Jonas
Hi Reco, >> >> curl: (60) SSL certificate problem: unable to get local issuer certificate >> >> >> >> Does that mean a TLS library does not feature all required protocols on >> >> armhf? >> > >> > TLS library that curl uses (openssl) is perfectly fine, but it cannot >> > validate any certificate

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Reco
On Sun, May 03, 2020 at 07:20:13PM +0200, Mark Jonas wrote: > Hi Reco, > > >> curl: (60) SSL certificate problem: unable to get local issuer certificate > >> > >> Does that mean a TLS library does not feature all required protocols on > >> armhf? > > > > TLS library that curl uses (openssl) is

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Mark Jonas
Hi Reco, >> curl: (60) SSL certificate problem: unable to get local issuer certificate >> >> Does that mean a TLS library does not feature all required protocols on >> armhf? > > TLS library that curl uses (openssl) is perfectly fine, but it cannot > validate any certificate unless you provide

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Reco
Hi. On Sun, May 03, 2020 at 02:40:14PM +0200, Mark Jonas wrote: > curl: (60) SSL certificate problem: unable to get local issuer certificate > > Does that mean a TLS library does not feature all required protocols on armhf? TLS library that curl uses (openssl) is perfectly fine, but it

Re: armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Andrei POPESCU
On Du, 03 mai 20, 14:40:14, Mark Jonas wrote: > > Does anybody have an idea what the problem might be? Who can / should > tackle the problem? > > I did not report the problem using reportbug because I have no clue > which package is causing the problem. You could check what curl, aria2 and LMS

armhf: buster: TLS / HTTPS partly broken

2020-05-03 Thread Mark Jonas
Hi, I am building Docker images for amd64, armhf, and arm64. I have a very simple container based on debian:buster where curl works fine on amd64 and arm64 but fails on armhf [1]. This makes it very easy to reproduce the problem. # curl --version curl 7.64.0 (arm-unknown-linux-gnueabihf)