
#1 2019-04-25 10:15:37

ricardojpgomes
Member
Registered: 2019-04-08
Posts: 3

SSL_ERROR_SYSCALL in different situations

Hi, I'm having a persistent issue with SSL that I can't find an answer to.

It appears in several situations:

1 - browsing to some websites (GitLab, HumbleBundle) the browser (qtbrowser, firefox) doesn't load some resources, like images or CSS. When I look at the requests they all fail with the error: Failed to load resource: net::ERR_CONNECTION_RESET. In this case the strange thing is that sometimes a few refreshes solve the problem.
2 - Installing ruby gems I get a connection refused error, and to debug this I tried using curl on the mirror and I get the SSL_ERROR_SYSCALL error.
3 - Installing a python module using pip I get the ConnectionResetError

Just as an example:

curl -v https://rubygems.org
*   Trying 2a04:4e42::70...
* TCP_NODELAY set
* Connected to rubygems.org (2a04:4e42::70) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rubygems.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rubygems.org:443

I've searched the forums and found a couple of similar situations (https://bbs.archlinux.org/viewtopic.php?id=226721 and https://bbs.archlinux.org/viewtopic.php?id=226721) but they all are closed saying the issue was fixed in 2017.

Any ideas on what this might be?


#2 2019-04-27 21:46:42

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 486

Re: SSL_ERROR_SYSCALL in different situations

If your arch installation is fully updated, that leaves only some proxy setup on your network or some nasty stuff done by your ISP.
Could you try with tor-browser to reach those sites, do you have a problem?


#3 2019-04-27 23:08:31

ricardojpgomes
Member
Registered: 2019-04-08
Posts: 3

Re: SSL_ERROR_SYSCALL in different situations

Thanks

Indeed if I go through tor no issues. Didn't occur to me to try something like that.

I tested both the following one after the other, the first gave me the SSL_ERROR_SYSCALL the second didn't (default tor install).

curl -v https://rubygems.org
curl --socks5-hostname localhost:9050 -v https://rubygems.org

I have no proxy configured, so how do I test that my ISP is messing with SSL calls? Is there something like tracepath for SSL connections, to see where it gets broken?


#4 2019-04-27 23:21:18

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 486

Re: SSL_ERROR_SYSCALL in different situations

To completely be on the safe side here, could you please try an openvpn config as well?
There are plenty of free services to go around with, vpngate, vpnbook, etc, just to test things out and be 100% sure that it isn't the system itself causing the problem, although the tor test did tell us that.
If the ISP set up something it's definitely a transparent proxy, and since they can't decrypt the traffic without the user knowing it, they probably have in place some workaround (which squid uses as well), like for example checking the domain you are visiting and so on.
I would try as well from another OS / phone, windows, etc, since there is the option that the problem might be related to openssl, but since none of us has it, it leaves us with the ISP having set up something badly (of course you are sure here that the system is up to date? - check also your mirrors)

Summary:
1) check with OpenVPN
2) check with another device on the same network
3) I'd try Dnscrypt as well.

Last edited by r0b0t (2019-04-27 23:22:53)
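
On the "tracepath for SSL" question from post #3: curl's verbose trace already records how far the handshake got in each direction before the connection died. The following is an added example, not part of any post in this thread; `summarize` and `diagnose` are hypothetical helper names, and `DIRECT` reuses the TLS lines of the trace in post #1.

```python
import re
# curl -v prints one line per TLS record, e.g. "* TLSv1.2 (OUT), TLS handshake, Finished (20):"
RECORD = re.compile(r"^\* +(?:TLSv[\d.]+|SSLv\d) \((IN|OUT)\), TLS ([^,]+), (.+?) \(\d+\):")

def summarize(trace):
    """Record how far the handshake in a `curl -v` trace got, per direction."""
    s = dict(connected=False, completed=False, last_in=None, last_out=None,
             alert_in=None, error=None)
    for line in map(str.strip, trace.splitlines()):
        m = RECORD.match(line)
        if line.startswith("* Connected to"):
            s["connected"] = True
        elif line.startswith("* SSL connection using"):  # printed after a successful handshake
            s["completed"] = True
        elif line.startswith("curl: ("):
            s["error"] = line
        elif m and m.group(2) == "handshake":
            s["last_in" if m.group(1) == "IN" else "last_out"] = m.group(3)
        elif m and m.group(2) == "alert" and m.group(1) == "IN":
            s["alert_in"] = m.group(3)
    return s

def diagnose(s):
    if s["completed"]:
        return "handshake completed"
    if not s["connected"]:
        return "no TCP connection"
    if s["alert_in"]:
        return f"peer rejected the handshake with TLS alert {s['alert_in']!r}"
    if s["error"] and "SSL_ERROR_SYSCALL" in s["error"]:
        # OpenSSL's fatal I/O error: the socket failed (typically reset or EOF), no alert read.
        return (f"socket-level failure after client sent {s['last_out']!r}; "
                f"last handshake message received: {s['last_in']!r}")
    return "handshake incomplete, cause not visible in trace"

# TLS-relevant lines of the direct (non-Tor) trace posted in #1.
DIRECT = """\
* Connected to rubygems.org (2a04:4e42::70) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to rubygems.org:443
"""
print(diagnose(summarize(DIRECT)))
```

Feeding it the direct trace and the `--socks5-hostname` trace side by side shows whether both paths stop at the same handshake message. It narrows the failure to a handshake stage and to "socket error versus TLS alert", not to a particular network hop.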


#5 2019-04-28 00:08:32

ricardojpgomes
Member
Registered: 2019-04-08
Posts: 3

Re: SSL_ERROR_SYSCALL in different situations

Pretty sure arch is up to date, been doing pacman -Syyu once a week. Not sure what you mean about check my mirrors, they are the same as when I installed arch (still an arch noob here).

But there's something going on here.

If I try to go to the gitlab's home page I get a no CSS version (all the css assets get the SSL issue). If I try it on my phone using my wifi I don't even see the page, but when I change to 4G it works.

I'll try openvpn and look into dnscrypt.

What's strange to me is that if there's something mishandling SSL on my ISP then shouldn't it manifest more often? I only got this issue on two websites (gitlab, humble bundle), and getting code modules via pip and ruby gems.


#6 2019-04-28 00:53:35

r0b0t
Member
From: /tmp
Registered: 2009-05-24
Posts: 486

Re: SSL_ERROR_SYSCALL in different situations

That's good with the mirrors; if you're using the default ones, we can put that aside.

If I try to go to the gitlab's home page I get a no CSS version (all the css assets get the SSL issue). If I try it on my phone using my wifi I don't even see the page, but when I change to 4G it works.

Well, that's very much it, this is the ISP, they usually have systems in place, usually required by law enforcement but this one must be buggy, or they are too savvy.
As for why they do this with those specific sites, well, maybe they are into programmers or people who visit gitlab / github pages, I have no idea.

Dnscrypt : https://wiki.archlinux.org/index.php/Dnscrypt-proxy
The next logical course of action would be to open a ticket with their support and tell them to get their sh*** together and spy properly without giving too many hints.

Last edited by r0b0t (2019-04-28 00:54:37)
